On Mon, Jul 11, 2005 at 09:37:36PM +0000, Jason Holt wrote:
> I remember the first time a site asked for the number on the back of my 
> credit card.  It was a Walmart or Amazon purchase, and with no warning they 
> redirected me to some site with a questionable domain. I thought for sure 
> my session was being hijacked, and my bank had given me no idea what the 
> number was for or whether it was something I was supposed to give out.

The 3-digit code is stupid. It protects against one thing and one
thing only - someone getting an imprint of the card without copying
down the 3-digit number. But only if you never give it out.

According to at least several credit card companies, it's supposed to
be okay for you to give this code out to vendors when you make a

> To me, this is closely related to the discussions we have here about web 
> browser security semantics.  With a very good understanding of the 
> underlying PKI, we can usually sort out "secure" from "suspicious" site 
> behaviors with some discussion, but how is the average user (or even the 
> average engineer) supposed to cope?  Is there a standard or even just a 
> document somewhere that defines best practices for both server and user 
> behavior with respect to SSL web sites and credit card transactions?  Or 
> are we leaving them to forward emails to each other warning them not to 
> give out their 3-digit codes over the phone, and that they had better make 
> sure their Dell doesn't have a DHS keylogger installed...

But it's so much worse than that. Not only is there no standard
behavior, the credit companies themselves have seemingly gone out of
their way to make it impossible for there to be any potential for a

                                - Adam


The Cryptography Mailing List