On Mon, Jul 11, 2005 at 09:37:36PM +0000, Jason Holt wrote:

> I remember the first time a site asked for the number on the back of my
> credit card. It was a Walmart or Amazon purchase, and with no warning they
> redirected me to some site with a questionable domain. I thought for sure
> my session was being hijacked, and my bank had given me no idea what the
> number was for or whether it was something I was supposed to give out.

The 3-digit code is stupid. It protects against one thing and one thing only - someone getting an imprint of the card without copying down the 3-digit number. But only if you never give it out. According to at least several credit card companies, it's supposed to be okay for you to give this code out to vendors when you make a purchase.

> To me, this is closely related to the discussions we have here about web
> browser security semantics. With a very good understanding of the
> underlying PKI, we can usually sort out "secure" from "suspicious" site
> behaviors with some discussion, but how is the average user (or even the
> average engineer) supposed to cope? Is there a standard or even just a
> document somewhere that defines best practices for both server and user
> behavior with respect to SSL web sites and credit card transactions? Or
> are we leaving them to forward emails to each other warning them not to
> give out their 3-digit codes over the phone, and that they had better make
> sure their Dell doesn't have a DHS keylogger installed...

But it's so much worse than that. Not only is there no standard behavior, the credit companies themselves have seemingly gone out of their way to make it impossible for there to be any potential for a standard.

--
- Adam

** I can fix your database problems: http://www.everylastounce.com/mysql.html **
Blog............... [ http://www.aquick.org/blog ]
Links.............. [ http://del.icio.us/fields ]
Photos............. [ http://www.flickr.com/photos/fields ]
Experience......... [ http://www.adamfields.com/resume.html ]
Product Reviews: .. [ http://www.buyadam.com/blog ]