On Mon, 7 Feb 2005, Greg London wrote:

> I'll buy pizza for a perlmonger meeting if I can get a
> definite yes/no answer on these questions.
>
> Greg London said:
> > So, if a buyer goes to a website, puts in his email address
> > and fills out his order information (product, CC#, shipping address)
> >
> > could the site give him a tracking number / one-time password
> > so he could check the status of his order and report a problem?

Yes.

> > Would it be possible to do this in a secure manner?

Yes. Implementation dependent of course.

> > Would it be a secure transaction?

The issuing yes. The use thereof, would depend on the possibility of
interception and misuse.

> > Would it be any less secure than having the user
> > set up an account and their own password?

That depends. Secure from what ?

It is not secure against identity impersonation, i.e. if someone gets hold
of your one-time password they can be you. Arguably the same thing applies
to u/p combinations but it is possibly more likely to be left on a post-it
because they've had no opportunity to pick a memorable password ?

Is the implementation secure against brute-forcing ?

> > I checked out the compusa site. They let you order without
> > registering, but you have to register to check order status.
> > The POD company doesn't have phone support, so that isn't
> > an option. The only way it will work is if users can somehow
> > track their order online and report problems online.

The problem you have is that the company is requiring too much information
during the registration process.

Why not ask them to strip it down to the bare essentials ?

What you're suggesting *is* registering them, just automatically. What you
seem to be asking is how to keep the information away from the scammy
company. Well you can't. You have to give it to them for them to ship you
the product. From there they are misusing it and that is where your
problem really lies.

S.
 
_______________________________________________
Boston-pm mailing list
[email protected]
http://mail.pm.org/mailman/listinfo/boston-pm
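
On the brute-forcing question raised in the reply above, one way a site could issue and check an order-tracking token, as an added example that is not part of the original message or of any site's code. The class name, the in-memory storage, the order ids and the lockout threshold are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 5  # assumed lockout threshold per order


class OrderTokens:
    """In-memory store (constructed for this example) of order tracking tokens."""

    def __init__(self):
        self._digests = {}   # order_id -> SHA-256 digest of the issued token
        self._failures = {}  # order_id -> consecutive failed checks

    def issue(self, order_id):
        # 128 bits from the OS CSPRNG: guessing is infeasible, unlike a
        # sequential or timestamp-derived tracking number.
        token = secrets.token_urlsafe(16)
        self._digests[order_id] = hashlib.sha256(token.encode()).digest()
        self._failures[order_id] = 0
        return token  # shown to the buyer once; only the digest is stored

    def check(self, order_id, presented):
        stored = self._digests.get(order_id)
        if stored is None or self._failures[order_id] >= MAX_FAILURES:
            # Unknown order, or locked after repeated failures. A locked
            # order rejects even the correct token until it is reissued.
            return False
        digest = hashlib.sha256(presented.encode()).digest()
        if hmac.compare_digest(stored, digest):  # constant-time comparison
            self._failures[order_id] = 0
            return True
        self._failures[order_id] += 1
        return False
```

This covers guessing only; a token that is intercepted or left on a post-it still lets its holder act as the buyer, as the reply notes.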
