I also know someone in the US who lost her credit card number over a connection. She did a non-SSL transaction (with a business that didn't have a cert) on a university network.
I'd be interested in establishing that - this is the first time I've ever heard anyone claim an actual case of a credit card being lost over a connection.
Well, now you have heard one. What do you want me to do to prove it, give you the person's name, e-mail and phone number, the name of the university? I do have that info, but I don't believe she would want me to share it.
Also, I have seen legitimate (but security-ignorant) businesses that ask for credit card numbers by insecure e-mail. And very likely many security-ignorant customers will just volunteer the information over insecure e-mail.
I don't need to tell you how vulnerable that is to snooping by all the ISPs and relays, or any thief in between. I don't have any stats on it, but I bet it's a significant cause of fraud.
And, I've been looking for the last decade or so...
Where? What was your research based on?
Did you ask the banks for their statistics on credit card fraud?
Try asking the US credit card processors why they charge a higher rate for online transactions than for retail transactions. I don't think they are just greedy (though they certainly are), but online fraud is a significant problem to them and they compensate for it by a higher rate. However, it may be difficult to establish in many cases how exactly the credit card numbers were compromised since there are so many different ways. And the thieves probably don't go and brag about the most popular methods.
More secure technology would reduce the processing rates and benefit both merchants and consumers. The rate on smartcard transactions in Europe is much lower than the rate for VISA/Mastercard, even retail. Most businesses in Germany stopped accepting VISA/Mastercard because they didn't want to pay the high processing rates. The foreigners have to pay cash, and nationals all have smartcards. That way German business doesn't pay the 2-3% that get you "free" frequent flyer miles. They either pocket the difference in profit, or have lower prices.
Is there any documentation on this? Is there any indication that the card was in fact lost over the network, rather than being hacked from the business's computer? Any correlation between the thief and the victim? Or was the card maybe lifted from the dorm room?
I don't know the answers to those questions. I only know what she told me about 4 years ago when she was in school - that someone stole her credit card number after she made an insecure transaction on the university network, and a bunch of transactions that weren't hers appearing on her statement soon after. She knew this for a fact because it had happened to other people as well and word had gotten out that there were people snooping on the university network (but they had not been caught yet). I couldn't help but give her a little lecture on security, as she was doing an internship in the Netscape/iPlanet web server, where I was working on security. I haven't been in touch with her since.
I think the only ones you would be able to check the story with are those with whom she shared it personally, such as me, or the bank, which obviously had to be notified of the fraud to reverse the charges, but wouldn't necessarily know the exact cause of the card compromise. After they reversed the charges, they canceled the old card account number, opened a new one with a new number, and sent her the new card very securely ... via US postal mail. I believe this to be very common. And this is one of the key risks SSL tries to protect against.
