>> I think the whole idea of taking someone's order on line with just a cc
>> number is foolish. Someone out there should devise a thumb print scanner
>> or similar device that would accompany the number. That would take care of
>> the "authentication of the client issue."
> People already order stuff through the mail with a CC number. You
> order stuff on television with a CC number via the telephone. Seems
> to me there isn't that much difference between that and sending it
> electronically.
The difference is one of scale. When you give someone a CC number over the telephone, there is one person at the other end with your CC number. Perhaps one or two others at that end may also view it.
When you send a non-encrypted CC number over the net, you still have the couple of people at the other end of your transaction potentially viewing your CC number, *plus* however many other thousands of people are sitting on the net with sniffers, looking for CC numbers shooting around all over the place.
It's equivalent to giving out your CC number over a phone line that you suspect may be tapped by thousands of different people.
--
Lloyd Zusman 01234567 <-- The world famous Indent-o-Meter.
l...@panix.com ^ I indent thee.
To get my PGP public key automatically mailed to you, please
send me email with the following string as the subject or on a
line by itself in the message (leave off the quotation marks):
"mail-request public-key"
> Encryption is the only way to make the card semi-theftproof. The problem
> is that encryptions can be broken, stolen, or sold by their creators. Who
> would sell encryption decoding? How about the guy who didn't get the raise,
> bonus or promotion he was promised? There's just too many loopholes right
> now for me to trust the net for sensitive information.
Jim, if you think that the kid at Radio Shack hasn't looked at your gold card and thought about that trip to Aruba, you are living in a very comfortable 'reality distortion field'. Or how 'bout the guys at that car dealership in Jersey who took social security numbers, accessed the customers' credit reports, took the numbers of the report and rang up zillions in fraud.
The problem is that as hackers we know how we could get in and steal the numbers off the net; what we forget is that there are ways in the 'real' world too, and people do it all the time.
Solutions? A more sophisticated PIN number system (I mean really, 4 digits ;-), maybe built on a digital signature system. Basically if the law was structured to leave the liability for security breaks solely in the hands of the credit card companies you have nothing to worry about. And that, my friends, is the real issue.
Oh, have a great 1995 folks.
------------------------------------------------------------------------------
Ranbir Chawla "Peace on Earth is Good
President Powder on Earth is Better!.."
Virtual Solutions, Inc.
Littleton, CO i...@vsinet.com
------------------------------------------------------------------------------
>Brett Kappenman <br...@halcyon.com> wrote:
>>People already order stuff through the mail with a CC number. You
>>order stuff on television with a CC number via the telephone. Seems
>>to me there isn't that much difference between that and sending it
>>electronically.
>
>You're right, there isn't that much difference between calling in your
>credit card number to a company and sending it over the internet in email.
>The problem is, with this small difference, you can lose your number.
>
>Someone could wiretap the phone of the company you're calling in to, and
>the person could get your card number. It's possible. However, it's not
>very likely, since the person would have to listen to all the phone
>conversations to get a lot of numbers.
>
>Someone on the net, with the properly placed router and/or sniffer, could
>gather a lot more if they 'tapped' the input into a company that accepted
>card numbers through the net. It would be a lot easier on the person
>trying to get the numbers too, because they wouldn't have to look at each
>individual message manually. All it would have to do is search the messages
>with a program (if they're smart enough to 'tap' into the net this way,
>they're more than smart enough to make this type of sifting program).
>
>Encryption is the only way to make the card semi-theftproof. The problem
>is that encryptions can be broken, stolen, or sold by their creators. Who
>would sell encryption decoding? How about the guy who didn't get the raise,
>bonus or promotion he was promised? There's just too many loopholes right
>now for me to trust the net for sensitive information.
>
>Jim
Or you could just collect the garbage from the back of any store and pick up thousands of the things... which is apparently the way most thieves do it anyway... The simple solution is to only send goods to the mailing address registered with the card provider.
Lloyd Zusman (l...@panix.com) wrote:
> When you send an non-encrypted CC number over the net, you still have
> the couple of people at the other end of your transaction potentially
> viewing your CC number, *plus* how ever many other thousands of people
> are sitting on the net with sniffers, looking for CC numbers shooting
> around all over the place.
>
> It's equivalent to giving out your CC number over a phone line that
> you suspect may be tapped by thousands of different people.
It would take quite a feat of engineering to break into an Internet backbone on the phone network and sniff out credit cards. Anybody with that kind of technical ability can earn hundreds of thousands of dollars a year in the industry; why would they need to pilfer from credit cards?
Yes, it can and probably will happen. But the amount of Internet CC fraud will be a tiny fraction of all CC fraud, I predict. The biggest threat will remain physical theft of your card by petty thieves.
But the public demands it, so encryption will become standard.
I think the big scare of credit card transaction vulnerability on the net is hyperbole, but I'm glad we're getting encrypted communications (I think).
In article <3e81p1$...@nic.scruz.net>, c...@webcom.com (Chris Schefler) writes:
> Lloyd Zusman (l...@panix.com) wrote:
>> When you send an non-encrypted CC number over the net, you still have
>> the couple of people at the other end of your transaction potentially
>> viewing your CC number, *plus* how ever many other thousands of people
>> are sitting on the net with sniffers, looking for CC numbers shooting
>> around all over the place.
>>
>> It's equivalent to giving out your CC number over a phone line that
>> you suspect may be tapped by thousands of different people.
>
> It would take quite a feat of engineering to break into an Internet
> backbone on the phone network and sniff out credit cards. Anybody
> with that kind of technical ability can earn hundreds of thousands
> of dollars a year in the industry; why would they need to pilfer
> from credit cards?
It's not necessary to electronically sniff the backbone. Any machine on the net can be configured as a packet sniffer to capture any and all packets flowing through the segment of the net that the particular machine resides on.
I'm running on a SunOS 4.1.3 system, and there is a utility called 'etherfind' which does just this. You have to have 'root' privileges to run this program, but all that means is that an unscrupulous sysop or a hacker who has gained 'root' access can monitor packet traffic on the net segment that the machine resides on.
Once the packets are being captured, it's relatively easy to search through them for text that looks like CC numbers.
People who are able to get through the security at well-trafficked net sites (such as netcom, to name one which has had recent security difficulties) would be able to view lots of packets, and if people were routinely sending CC numbers over the Web, many of these CC numbers could potentially be "captured".
--
Lloyd Zusman 01234567 <-- The world famous Indent-o-Meter.
l...@panix.com ^ I indent thee.
To get my PGP public key automatically mailed to you, please
send me email with the following string as the subject or on a
line by itself in the message (leave off the quotation marks):
"mail-request public-key"
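
Added example, not part of the original thread: the "search through them for text that looks like CC numbers" step in the post above is the same pattern match that data-loss-prevention checks run over a site's own logs and outbound mail to flag card numbers that left in cleartext. This Go sketch pairs a digit-run pattern with the Luhn checksum and masks what it reports; the sample message, the function names and the 13 to 19 digit range are assumptions of the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// candidate matches 13-19 digits, optionally separated by single spaces or
// hyphens, which is how card numbers are usually typed into a message.
var candidate = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)

var stripSeparators = strings.NewReplacer(" ", "", "-", "")

// sampleMessage is constructed for this example. The card numbers are the
// widely published test values, not real accounts.
const sampleMessage = `Subject: order
Please ship 2 widgets. Order ref 1234567890123456.
Card: 4111 1111 1111 1111 exp 01/97
Backup card 5500-0000-0000-0004
Phone 212 555 0100`

// luhnValid reports whether a string of ASCII digits passes the Luhn
// checksum. Most random 16-digit runs (order numbers, ids) fail it.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Finding is one suspected cleartext card number. Only the last four digits
// are kept, so the report does not become another copy of the number.
type Finding struct {
	Line   int
	Masked string
}

// ScanCleartext returns every Luhn-valid card-number candidate in text.
func ScanCleartext(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		for _, m := range candidate.FindAllString(line, -1) {
			digits := stripSeparators.Replace(m)
			if !luhnValid(digits) {
				continue // digit run that is not a card number
			}
			masked := strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
			out = append(out, Finding{Line: i + 1, Masked: masked})
		}
	}
	return out
}

func main() {
	for _, f := range ScanCleartext(sampleMessage) {
		fmt.Printf("line %d: cleartext card number %s\n", f.Line, f.Masked)
	}
}
```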
In article <3e81p1$...@nic.scruz.net>, Chris Schefler <c...@webcom.com> wrote:
>Lloyd Zusman (l...@panix.com) wrote:
>> It's equivalent to giving out your CC number over a phone line that
>> you suspect may be tapped by thousands of different people.
>
>It would take quite a feat of engineering to break into an Internet
>backbone on the phone network and sniff out credit cards.
I think Lloyd was referring to a software sniffer, not a hardware tap. Ethernet sniffers are very easy to come by -- there's one in the alt.2600 FAQ. It sits in the background and watches any info that passes through.
>>It would take quite a feat of engineering to break into an Internet
>>backbone on the phone network and sniff out credit cards.
> I think Lloyd was referring to a software sniffer, not a hardware tap.
> Ethernet sniffers are very easy to come by -- there's one in the alt.2600
> FAQ. It sits in the background and watches any info that passes through.
Assuming he was, don't you think that the backbone sites are a little more secure than that (well, all except Netcom ;)); secure enough that somebody couldn't hack root on them and install a packet sniffer?
--
Ed - ethom...@uiuc.edu - http://ux1.cso.uiuc.edu/~ethomson/home.html
In article <LJZ.95Jan2013...@panix.panix.com>, l...@panix.com (Lloyd Zusman) writes:
|> In article <3e81p1$...@nic.scruz.net>, c...@webcom.com (Chris Schefler) writes:
|> > It would take quite a feat of engineering to break into an Internet
|> > backbone on the phone network and sniff out credit cards. Anybody
|> > with that kind of technical ability can earn hundreds of thousands
|> > of dollars a year in the industry; why would they need to pilfer
|> > from credit cards?
|>
|> It's not necessary to electronically sniff the backbone. Any machine
|> on the net can be configured as a packet sniffer to capture any
|> and all packets flowing through the segment of the net that the
|> particular machine resides on.
|>
|> I'm running on a SunOS 4.1.3 system, and there is a utility called
|> 'etherfind' which does just this. You have to have 'root' privileges
|> to run this program, but all that means is that an unscrupulous sysop
|> or a hacker who has gained 'root' access can monitor packet traffic on
|> the net segment that the machine resides on.
|>
|> Once the packets are being captured, it's relatively easy to search
|> through them for text that looks like CC numbers.
|>
|> People who are able to get through the security at well-trafficked net
|> sites (such as netcom, to name one which has had recent security
|> difficulties) would be able to view lots of packets, and if people
|> were routinely sending CC numbers over the Web, many of these CC
|> numbers could potentially be "captured".
|>
|> --
|> Lloyd Zusman 01234567 <-- The world famous Indent-o-Meter.
Actually, Lloyd, etherfind only works on your local physical ethernet. Assuming that routers and gateways are appropriately configured (which they are for the bulk of the time), the bulk of IP traffic will never be sent your way. If there is a chance of CC pilferage, it would most likely come from within either of the two transaction endpoints, i.e. someone on your net, or someone on the vendor's net. This is completely analogous to having your roommate snitch your CC#, or someone on the other end of the Home Shopping Club being careless.
---
+----------------------------------------------------------------------------+
| Derick R. Gonzalez                             | ________                  |
| Department of High Energy Physics              | \      /                  |
| California State University                    |  \    /                   |
| d...@interramp.com                             |   \  /                    |
| 1247 N. Sweetzer Ave #2, W. Hollywood CA 90069 |29c \/                     |
+----------------------------------------------------------------------------+
| It is better to be hated for what one is, than loved for what one is not.  |
|                                                                 (A. Gide)  |
+----------------------------------------------------------------------------+
In article <3e21bo$...@desiree.teleport.com> phil9...@teleport.com (Jim Phillips) writes:
>From: phil9...@teleport.com (Jim Phillips)
>Subject: Re: FYI -- Bank of America and Netscape
>Date: Fri, 30 Dec 94 19:26:54 GMT
>
>Encryption is the only way to make the card semi-theftproof. The problem
>is that encryptions can be broken, stolen, or sold by their creators. Who
>would sell encryption decoding? How about the guy who didn't get the raise,
>bonus or promotion he was promised? There's just too many loopholes right
>now for me to trust the net for sensitive information.
Guess you haven't kept up with advances in crypto systems over the past 15 years or so. The technology being used is public-key, and doesn't depend on a secret key shared by the sender and receiver. They aren't repeating the mistakes of the cable industry here.
(Many cable systems - at least in the past - use encryption where each box uses the SAME encryption key. When the system is compromised, either the system is permanently broken, or in newer systems, they send out a code card to everybody. The stupidity of the cable industry never ceases to amaze me...)
Ed Thomson <ethom...@uiuc.edu> wrote:
>t...@csd.uwo.ca (James HG Redekop) writes:
>> I think Lloyd was referring to a software sniffer, not a hardware tap.
>> Ethernet sniffers are very easy to come by -- there's one in the alt.2600
>> FAQ. It sits in the background and watches any info that passes through.
>
>Assuming he was, don't you think that the backbone sites are a little more
>secure than that (well, all except Netcom ;)); secure enough that somebody
>couldn't hack root on them and install a packet sniffer?
I *hope* that they are, but I don't count on it. I've followed some hacker-hunting my SO has done, and one comes across some rather alarming security holes at times.
Besides, it doesn't have to be on a backbone. Set up a sniffer on an internet mail-order company's machine, and you'll have access to *lots* of CC numbers if they aren't encrypted.
: Guess you haven't kept up with advances in crypto systems over the past 15
: years or so. The technology being used is public-key, and doesn't depend on a
: secret key shared by the sender and receiver. They aren't repeating the
: mistakes of the cable industry here.
:
: (Many cable systems - at least in the past - use encryptation where each box
: uses the SAME encryptation key. When the system is compromised, either the
: system is permanently broken, or in newer systems, they send out a code card
: to everybody. The stupidy of the cable industry never ceases to amaze me...)
Public-key systems are notoriously _s_l_o_w_. So slow, in fact, that they generally rely on using the public key to transmit a randomly chosen key for a single-key system, which is then used to encrypt the rest of the message. That key is used for only one message, then discarded.
Suppose you encrypt the bulk of the program material with a single key, then encrypt that key with each subscriber's public key. You change the key frequently enough to discourage pilferers' transmitting the key.
Plug in some numbers. Say a million subscribers. Change the key hourly. Have you the bandwidth to re-encrypt and transmit the key?
And this ignores the possibility of a conspiracy of users who will choose a key-pair solely for the purpose of pilfering programs. They will be willing to share that private key among themselves. Public-key systems presume the holder of the private key is motivated to keep it private -- program pilferers have quite the contrary motivation.
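
Added example, not part of the original thread: the hybrid scheme the post above describes, where a random single-use key encrypts the bulk data and is itself encrypted under each subscriber's public key, together with the rekey bandwidth for the numbers the post asks to plug in. RSA-2048 with OAEP, AES-256-GCM and all names are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Directory maps a subscriber id to that subscriber's RSA public key.
type Directory map[string]*rsa.PublicKey

// Envelope carries the bulk ciphertext once, plus one wrapped copy of the
// session key per subscriber.
type Envelope struct {
	Nonce, Ciphertext []byte
	Wrapped           map[string][]byte
}

// NewSubscriberKey generates a key pair; 2048 bits is an assumed size.
func NewSubscriberKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh random session key, then wraps that
// key for every subscriber with RSA-OAEP, using the subscriber id as label.
func Seal(plaintext []byte, dir Directory) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		Wrapped:    make(map[string][]byte, len(dir)),
	}
	for id, pub := range dir {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(id))
		if err != nil {
			return nil, err
		}
		env.Wrapped[id] = w
	}
	return env, nil
}

// Open unwraps the session key addressed to id and decrypts the bulk data.
func Open(env *Envelope, id string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := env.Wrapped[id]
	if !ok {
		return nil, errors.New("no wrapped key for subscriber " + id)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, []byte(id))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RekeyBitsPerSecond is the average bandwidth spent on wrapped keys alone
// when every subscriber gets a new wrapped key each period.
func RekeyBitsPerSecond(subscribers, wrappedBytes, periodSeconds int) float64 {
	return float64(subscribers) * float64(wrappedBytes) * 8 / float64(periodSeconds)
}

func main() {
	a, errA := NewSubscriberKey()
	b, errB := NewSubscriberKey()
	if errA != nil || errB != nil {
		panic("key generation failed")
	}
	dir := Directory{"box-1": &a.PublicKey, "box-2": &b.PublicKey}
	env, err := Seal([]byte("program material"), dir)
	if err != nil {
		panic(err)
	}
	pt, err := Open(env, "box-2", b)
	fmt.Println(string(pt), err)
	n := len(env.Wrapped["box-1"])
	fmt.Printf("%d bytes per wrapped key, %.0f bit/s for 1,000,000 subscribers rekeyed hourly\n",
		n, RekeyBitsPerSecond(1000000, n, 3600))
}
```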
In article <3e9sgv$...@www.interramp.com>, d...@prometheus.interramp.com (Derick Gonzalez) writes:
> In article <LJZ.95Jan2013...@panix.panix.com>, l...@panix.com (Lloyd Zusman) writes:
> |>
> |> I'm running on a SunOS 4.1.3 system, and there is a utility called
> |> 'etherfind' which does just this. You have to have 'root' privileges
> |> to run this program, but all that means is that an unscrupulous sysop
> |> or a hacker who has gained 'root' access can monitor packet traffic on
> |> the net segment that the machine resides on.
> |>
> Actually, Lloyd, etherfind only works on your local physical
> ethernet. Assuming that routers and gateways are appropriately configured
> (which they are for the bulk of the time), the bulk of IP traffic will
> never be sent your way. If there is a chance of CC pilferage, it would
> most likely come from within either of the two transaction endpoints, i.e.
> someone on your net, or someone on the vendor's net. This is completely
> analogous to having your roommate snitch your CC#, or someone on the
> other end of the Home Shopping Club being careless.
... or one of your 30,000 "roommates" at netcom watching all the traffic going in and out of that site, which is quite doable with 'root' privileges and 'etherfind'. I still think that this is an issue of scale. Even on a single Internet provider's site there are lots more opportunities for CC capture than among a person's housemates and the people he or she does business with.
--
Lloyd Zusman 01234567 <-- The world famous Indent-o-Meter.
l...@panix.com ^ I indent thee.
To get my PGP public key automatically mailed to you, please
send me email with the following string as the subject or on a
line by itself in the message (leave off the quotation marks):
"mail-request public-key"
: Encryption is the only way to make the card semi-theftproof. The problem
: is that encryptions can be broken, stolen, or sold by their creators. Who
Well after about 20 years, RSA has yet to be broken.
: would sell encryption decoding? How about the guy who didn't get the raise,
Hmmm, well, I can decrypt anything I have a key for with PGP... But until someone breaks RSA (which probably will never happen, except for brute force, which would require an enormous amount of horsepower) there is NO way to break it unless you have the person's private key.
: bonus or promotion he was promised? There's just too many loopholes right
With proper security measures, no one ever has to have access to the key except root on that system. You should be more worried about the cashier at your local grocery store writing down numbers for extra cash.
: now for me to trust the net for sensitive information.
Suit yourself, but don't go around spreading misinformation.
--
--------------------------------------------------------------------------
David Kammeyer kamme...@interaccess.com
"The general public is a |This sig has 1,000,000 viewers per month -
 pretty stupid person" - Me |*YOU* should be advertising here!
--------------------------------------------------------------------------
>: Encryption is the only way to make the card semi-theftproof. The problem
>: is that encryptions can be broken, stolen, or sold by their creators. Who
>Well after about 20 years, RSA has yet to be broken.
Correction: After about 20 years, RSA is not KNOWN to be broken. Big difference. If I had broken a major encryption scheme and were to use it, I sure wouldn't advertise that I had broken it. I'd save it up and use it for maximum profit.
>: would sell encryption decoding? How about the guy who didn't get the raise,
>Hmmm, well, I can decrypt anything I have a key for with PGP... But
>until someone breaks RSA (which probably will never happen, except for
>brute force, which would require an enormous ammount of horsepower) there
>is NO way to break it unless you have the person's private key.
Enigma (WWII, Germany) was break-proof, too. As far as enormous amounts of horsepower, you can now buy a cheap Pentium or PowerPC for under $2,000. Get a hundred of these, network them together, and program them to work on the problem together. Of course this is not a trivial matter, and chances are it won't be done to get credit card information. However, it is possible to do, given the current technology.
While at school, I was told a story of how a company advertised that they had created an encryption that was impossible to break. I was also told that when a computer expert found out about it, he networked all his company computers to work on the problem, and had it figured out in less than a month. I don't know if this story was based on fact or not; I'd like to get the details if someone has them.
>: bonus or promotion he was promised? There's just too many loopholes right
>With proper security measures, noone ever has to have access to the key
>except root on that system. You should be more worried about the cashier
>at your local grocery store writing down numbers for extra
>cash.
Why should root have to access the key? Granted, the people with root access (probably) make more money and would have more to lose than a grocery clerk, but why give them the chance? As long as people are involved, there's always the risk.
>: now for me to trust the net for sensitive information.
>Suit yourself, but don't go around spreading misinformation.
>--
>--------------------------------------------------------------------------
>David Kammeyer kamme...@interaccess.com
>"The general public is a |This sig has 1,000,000 viewers per month -
> pretty stupid person" - Me |*YOU* should be advertising here!
>--------------------------------------------------------------------------
In article <D1t4CI....@stortek.com> p...@sanitas.stortek.com (Paul Gilmartin) writes:
>From: p...@sanitas.stortek.com (Paul Gilmartin)
>Subject: Re: FYI -- Bank of America and Netscape
>Date: Tue, 3 Jan 1995 02:02:41 GMT
>
>Jon Tara (jt...@cts.com) wrote:
>: (Many cable systems - at least in the past - use encryptation where each box
>: uses the SAME encryptation key. When the system is compromised, either the
>: system is permanently broken, or in newer systems, they send out a code card
>: to everybody. The stupidy of the cable industry never ceases to amaze me...)
>
>Public-key systems are notoriously _s_l_o_w_. So slow, in fact, that
>they generally rely on using the public key to transmit a randomly
>chosen key for a single-key system, which is then used to encrypt the
>rest of the message. That key is used for only one message, then
>discarded.
Yes, this is generally how it is used. Irrelevant.
>Suppose you encrypt the bulk of the program material with a single
>key, then encypt that key with each subscriber's public key. You
>change the key frequently enough to discourage pilferers' transmitting
>the key.
Of course, program material is not encrypted - the processing power to do that has not been available until just recently. What *is* (or should be) encrypted are commands to decoder boxes. These are addressed individually already, so the overhead to encrypt these commands is minimal.
Most cable-box spoofs involve sending "fake" commands to the box. The pirate adds a circuit board that generates signals that the box thinks it is receiving from the cable company. This wouldn't be possible if public-key with digital signatures were used.
>Plug in some numbers. Say a million subscribers. Change the key
>hourly. Have you the bandwidth to re-encrypt and transmit the key?
See above. Program material isn't encrypted.
>And this ignores the possibility of a consipracy of users who will
>choose a key-pair solely for the purpose of pilfering programs.
>They will be willing to share that private key among themselves.
>Public-key systems presume the holder of the private key is
>motivated to keep it private -- program pilferers have quite the
>contrary motivation.
>-- gil
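
Added example, not part of the original thread: a decoder box that accepts only individually addressed commands carrying a valid head-end signature, which is what the reply above proposes against boards that feed a box fake commands. Ed25519, the command layout, the replay counter and all names are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrNotForMe     = errors.New("command addressed to another box")
	ErrBadSignature = errors.New("signature does not verify")
	ErrReplay       = errors.New("counter not newer than last accepted command")
)

// Command is one instruction from the head-end to a single decoder box.
// The field layout is an assumption made for this example.
type Command struct {
	BoxID   uint32
	Counter uint64 // strictly increasing per box, so old commands cannot be replayed
	Action  string
	Sig     []byte
}

// signedBytes is the exact byte string covered by the signature:
// box id, counter, then the action text.
func (c Command) signedBytes() []byte {
	buf := make([]byte, 12, 12+len(c.Action))
	binary.BigEndian.PutUint32(buf[0:4], c.BoxID)
	binary.BigEndian.PutUint64(buf[4:12], c.Counter)
	return append(buf, c.Action...)
}

// HeadEnd holds the only private key in the system.
type HeadEnd struct {
	priv ed25519.PrivateKey
	next map[uint32]uint64
}

// NewHeadEnd returns the signer and the public key to install in every box.
func NewHeadEnd() (*HeadEnd, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &HeadEnd{priv: priv, next: map[uint32]uint64{}}, pub, nil
}

// Issue signs the next command for one box.
func (h *HeadEnd) Issue(boxID uint32, action string) Command {
	h.next[boxID]++
	c := Command{BoxID: boxID, Counter: h.next[boxID], Action: action}
	c.Sig = ed25519.Sign(h.priv, c.signedBytes())
	return c
}

// Box stores only the public key, so opening one box up yields nothing
// that can sign commands for it or for any other box.
type Box struct {
	ID         uint32
	Authorized bool
	headEnd    ed25519.PublicKey
	last       uint64
}

func NewBox(id uint32, headEnd ed25519.PublicKey) *Box {
	return &Box{ID: id, headEnd: headEnd}
}

// Handle applies a command only if it is addressed to this box, signed by
// the head-end, and newer than anything accepted before.
func (b *Box) Handle(c Command) error {
	switch {
	case c.BoxID != b.ID:
		return ErrNotForMe
	case !ed25519.Verify(b.headEnd, c.signedBytes(), c.Sig):
		return ErrBadSignature
	case c.Counter <= b.last:
		return ErrReplay
	}
	b.last = c.Counter
	b.Authorized = c.Action == "authorize" // any other action de-authorizes
	return nil
}

func main() {
	he, pub, err := NewHeadEnd()
	if err != nil {
		panic(err)
	}
	box := NewBox(7, pub)
	genuine := he.Issue(7, "authorize")
	fmt.Println("genuine:", box.Handle(genuine))
	fmt.Println("replayed:", box.Handle(genuine))
	unsigned := Command{BoxID: 7, Counter: 99, Action: "authorize",
		Sig: make([]byte, ed25519.SignatureSize)}
	fmt.Println("unsigned:", box.Handle(unsigned))
}
```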
Right! All I hear is: If someone has the criminal energy *and* the I.Q. *and* the equipment *then* he can make a lot of money.
Well, most people that have the machinery (or access to it) and the I.Q. don't have to be criminals to make a good living. OTOH, somebody with the criminal energy but neither I.Q. nor high tech can just use a .45 to convince most people to give 'em all they have.
This thread has become rather idiotic. Sure it *can* be done, but what is the probability that *I* will be a victim?
You guys better not use airplanes. They are so 'unsafe'! Better stay at home on the 13th...
Did anybody think about where the liability lies when fraud is being committed with your credit card number? It's done all the time, and if you are not a complete retard, then your issuer will eat the loss.
I think the chance that you will be out of a job by the end of the month is much more 'real'. Do you have a plan 'B' for that?
Ignoring problems does not solve them, but blowing 'em out of proportion only makes for boring conversation.
Besides, the half truths and superstitions I saw here just make the mind boggle. Why don't you talk about something you understand?
My apologies to the two people who knew what they were talking about!
And before I get sh!t about the misconfigured news reader:
In article <3eaovt$...@desiree.teleport.com> Jim Phillips, phil9...@teleport.com writes:
>Enigma (WWII, Germany) was break-proof, too. As far as enormous amounts of
>horsepower, you can now buy a cheap Pentium or PowerPC for under $2,000.
>Get a hundred of these, network them together, and program them to work
>on the problem together.
Before wildly speculating any more, you should all go read:
re...@myhost.subdomain.domain (Remco Treffkorn) writes:
>Well, most people that have the machienery (or access to it) and the I.Q.
>don't have to be criminals to make a good living.
>
>This thread has become rather idiotic. Sure it *can* be done, but what is
>the probability that *I* will be a victim?
It's quite probable, really. Most people with the IQ and the equipment *will* do it, just for the sake of doing it. You must not understand computer scientists very well. Most computer scientists will do anything, just to see if it can be done. There are probably a few that would sell it (I probably would). And like everything else, it would fall into the wrong hands and the criminals would end up with it. Then you're a victim.
Eventually, a better encryption algorithm comes along, and the process starts over.
: Brett Kappenman <br...@halcyon.com> wrote:
: >People already order stuff through the mail with a CC number. You
: >order stuff on television with a CC number via the telephone. Seems
: >to me there isn't that much difference between that and sending it
: >electronically.
:
: You're right, there isn't that much difference between calling in your
: credit card number to a company and sending it over the internet in email.
: The problem is, with this small difference, you can lose your number.
You can on a cordless phone or tapping on lines.
: Someone could wiretap the phone of the company you're calling in to, and
: the person could get your card number. It's possible. However, it's not
: very likely, since the person would have to listen to all the phone
: conversations to get a lot of numbers.
Yes. How about if they just listen to the companies taking orders? What about the CC validation lines?
: Someone on the net, with the properly placed router and/or sniffer, could
: gather a lot more if they 'tapped' the input into a company that accepted
: card numbers through the net.
That is most likely in the phone company. Long distance carriers provide the T1-T3 lines that make up the backbone. It is the same type of lines the backbone of the 800 number use.
I don't think you can just hook a PC up to it and sniff.
: It would be a lot easier on the person
: trying to get the numbers too, because they wouldn't have to look at each
: individual message manually. All it would have to do is search the messages
: with a program (if they're smart enough to 'tap' into the net this way,
: they're more than smart enough to make this type of sifting program).
You're smart enough to break into the database of the phone ordering system.
They could also if they record the calls. Of course they could just break into the computer ordering system. Or just tap into the validation company and convert that.
The laws are the same in this case and just as hard to tap into.
: Encryption is the only way to make the card semi-theftproof. The problem
: is that encryptions can be broken, stolen, or sold by their creators. Who
: would sell encryption decoding? How about the guy who didn't get the raise,
: bonus or promotion he was promised? There's just too many loopholes right
: now for me to trust the net for sensitive information.
I could also pay off a phone employee to break into the phone system. There's just too many loopholes. The phone system is a majority of the computer network. There are usually 2 ends, yours and theirs, that are susceptible. Do you trust your end? Their end is no different than the phone calls.
Do you know how the validation of CC is done? Many are over phone lines. Are they encrypted?
In article <3eda3o$...@nic.scruz.net> re...@myhost.subdomain.domain (Remco Treffkorn) writes:
>From: re...@myhost.subdomain.domain (Remco Treffkorn)
>Subject: Re: FYI -- Bank of America and Netscape
>Date: 4 Jan 1995 05:01:44 GMT
>
>Ed Thomson (ethom...@uiuc.edu) wrote:
>: re...@myhost.subdomain.domain (Remco Treffkorn) writes:
>
>With all due respect sir, you are an idiot.
>
>The best preventer of crime is people with scrouples.
>
>The guy you sell the idea to must be even stupider than you are, else he
>would not take the risk. Since he is so stupid, he will get caught. He will
>spill his guts to the DA, just to get is sentence reduced. You will
>occupy the cell next to his.
>
>Grow up and get a life!
FWIW, the person you're flaming has, literally, yet to grow up. He's still in high school and works part time for NCSA. This may explain any apparent lack of insight into the psyche of computer scientists. At least he hasn't resorted to childish personal insults. I'll bet he knows how to spell "scruples", to boot.
Now, what's your excuse?
________________________
A new picture of San Diego Bay every half hour:
<A HREF ="http://www.cts.com/~jtara/baycam.html">San Diego BayCam</A>
jt...@cts.com
: In article <3e1pqm$...@news.halcyon.com>, Brett Kappenman <br...@halcyon.com> writes:
: It's equivalent to giving out your CC number over a phone line that
: you suspect may be tapped by thousands of different people.
THOUSANDS!! Hardly! Maybe a dozen at any given time and most of those are key people. It isn't likely that those folks are going to be snatching CC. It is still possible but I think the risk is really overblown! It isn't anywhere near as risky as giving out our CC on a cell phone.
I do agree that we need a secure way to transmit CC over the net, but I am not going to lose any sleep over sending mine over the net until a secure means is found.
--
Darryl Wagoner dar...@sai.com http://www.sai.com/
Office: 603.672.0736 Fax: 603-672-4846
: In article <3e81p1$...@nic.scruz.net>, c...@webcom.com (Chris Schefler) writes:
: It's not necessary to electronically sniff the backbone. Any machine
: on the net can be configured as a packet sniffer to capture any
: and all packets flowing through the segment of the net that the
: particular machine resides on.
Yes it is necessary!!!!!!!!! Sure you can sniff on your own ethernet segment. Big deal! For a sniffer to catch CC then you would have to filter on many possible internet malls to catch a very few cards. Not worthwhile. You would make more money working at Burger King. The only segment that it would be effective is on the mall's segment. The rest isn't ethernet and a Unix based sniffer is useless.
--
Darryl Wagoner dar...@sai.com http://www.sai.com/
Office: 603.672.0736 Fax: 603-672-4846
: re...@myhost.subdomain.domain (Remco Treffkorn) writes:
: >This thread has become rather idiotic. Sure it *can* be done, but what is
: >the probability that *I* will be a victim?
:
: It's quite probable, really. Most people with the IQ and the equipment
: *will* do it, just for the sake of doing it. You must not understand
: computer scientists very well. Most computer scientists will do anything,
: just to see if it can be done. There are probably a few that would sell
: it (I probably would). And like everything else, it would fall into the
: wrong hands and the criminals would end up with it. Then you're a victim.
With all due respect sir, you are an idiot. Since I am a computer scientist, does that mean that I do not know myself very well, and that I should seek treatment? You are very amusing.
In the last twenty years I learned a lot about security holes that could be used to make a fast buck, but I did not do that. Why? I like my job. I like my freedom. I don't like being only with cell mates.
In short: I have something to lose, and lack the criminal energy to do something. OTOH, if an opportunity came along so that I could be sure that I would not get caught and the amount is big enuff, I *might* be tempted. But I probably would not do anything anyway. Maybe I am just naive to assume that most educated people are inherently honest.
The best preventer of crime is people with scrouples. If you are so smart to find a sure fire way to cheat some people out of their money, why sell the idea? Why not do it yourself? Scared of going to jail?
The guy you sell the idea to must be even stupider than you are, else he would not take the risk. Since he is so stupid, he will get caught. He will spill his guts to the DA, just to get his sentence reduced. You will occupy the cell next to his.
In article <3ee8bh$...@dax.sai.com>, Darryl Wagoner <dar...@sai.com> wrote:
>: It's not necessary to electronically sniff the backbone. Any machine
>: on the net can be configured as a packet sniffer to capture any
>: and all packets flowing through the segment of the net that the
>: particular machine resides on.
>Yes it is necessary!!!!!!!!! Sure you can sniffer on your own ethernet
>segment. Big deal! For a sniffer to catch CC then you would have to
>filter on many possible internet malls to catch a very few cards. Not
>worthwhile. You would make more money working at Burger King.
>The only segment that it would be effective is on the mall's segment.
>The rest isn't ethernet and a Unix based sniffer is useless.
So you break into a mall's machine, set up a sniffer, and watch orders come in. It's not hard. Y'get a few numbers, there you go. I'd be surprised if it hasn't been done. It certainly happens enough with passwords and other information. An email-order site would be a *perfect* place to set up. Not only would the CC density in the traffic be higher than on the backbone, but a lot of these "Let's make money fast on this Internet thing" sites probably don't really worry too much about security. If people at major computing centers can't get their stuff secure, why expect small services to?
I have a question about all this concern regarding Credit Card security.
Each time you make a purchase of any kind with your credit card, your card number, complete with expiry date, is recorded on a little slip of paper and shoved into a cash register. At the end of the day someone counts all these slips and sends them on to the company's accounting dept.
Someone in the accounting dept. rechecks these slips, and then sends them off to the bank. At the bank someone counts these again and then sends them off to the credit card company for processing, etc.
Anywhere along this line any store clerk, accounting clerk, bank clerk, or courier, can easily jot down as many credit card numbers and expiry dates they may want and presto: they can do what they need to do with whatever services accept credit card numbers over the phone.
So I ask myself: Why is everyone suddenly so concerned about credit card security over the internet? As if no one has ever laid hands on their credit card numbers before?