Interesting People mailing list archives

Re: quick note ref credit cards


From: David Farber <dave () farber net>
Date: Sun, 13 Sep 2009 15:44:44 -0400



Begin forwarded message:

From: mark seiden <mis () yahoo-inc com>
Date: September 13, 2009 3:18:17 PM EDT
To: dave () farber net
Cc: "ip" <ip () v2 listbox com>
Subject: Re: [IP] Re: quick note ref credit cards

is hysteria among otherwise sensible people something that happens around 9/11 silly season?

how about some risk management thinking applied to this situation?

1. among all of the exposures of IP readers' credit cards at retail establishments and online, the number that will appear on national news programs is IN THE NOISE compared with the risks of skimming, breaches at e-merchants, the malware on your desktop machine logging all credit card information used, and maybe even the risks that your house cleaners or kid's friends will copy your card number for the cards you leave around the house (all of these including the cvv2 or cvc2, the secondary authenticator usually only visible by looking at the back of the card).

2. without the billing zipcode, the card cannot be used even to buy gas.

3. without the billing address, the card cannot be used for many transactions.

4. without the cvv2, the card cannot be used for most high value transactions.

5. a single detected misuse of the card will cause you to cancel the card number. it doesn't matter how many times it's shown on tv.

6. you have no liability for almost any card you hold for fraud.

7. with cards with complete billing information going online for single-digit dollars, anyone who wants to do this will use the convenient channel.

a bigger problem many people have (where, on the contrary, there is less uniform protection than with credit cards) involves choosing to reuse a single password at more than one web site (and having no alternative than using passwords in most places).

a single web site compromise leads (or can be made to lead) to cascading compromise of their identity at all of the other sites at which that password is used, which can include multiple credit card, banking and brokerage sites, as well as using their email to successfully impersonate them and create a pretext to extract money on an emergency basis from their friends and family. ("i'm in london on a business trip and have been robbed").

random unique passwords are best but many people find them hard to manage (despite software aids).

i would suggest, instead, making up a memorable encoding (formula, algorithm, recipe) for unique passwords at all the web sites you use. common encoding devices present in the home include telephone keypads, rotations or permutations, or prefixes, suffixes, or infixes composed of a piece of the web site name, or pieces of the phonetic alphabet (alpha, bravo...) to add some random salt to the passwords you use.

(an example: instead of using the weak password, for example, a dictionary word "axolotl", first strengthen it against brute force attack by making some letters upper case, and substitute some numbers instead of letters, e.g. 0 and 1 instead of o, i, and l. thus resulting in aX01otL. then insert some (say, 2) letters from the web site name in the middle to make this already stronger password unique for each web site.

so you might use "aXya01otL" for yahoo, "aXeb01otL" for ebay, etc. it's still memorable (vaguely).

it's still true that malware, key loggers and the like on your desktop will record all of your strong and random passwords. but at least at that point you can be more sure that's what killed you, rather than a single site compromise at some social networking site that you don't even remember registering for.
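
[Added example, not part of the original message: a Python sketch of the infix recipe described above, reproducing the two passwords quoted in the message and checking a list of sites for names whose first letters coincide, which would give them the same password. The function names, the sample host list and the short two-part suffix set are assumptions made for illustration.]

```python
# Added illustration; every name here is hypothetical, not from the message.
from collections import defaultdict

# Constructed, deliberately small set of two-part public suffixes (assumption;
# a real tool would consult the full Public Suffix List).
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def site_label(host):
    """Return the memorable part of a hostname: 'mail.yahoo.com' -> 'yahoo'."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_PART_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def site_password(base, host, n=2, pos=2):
    """Insert the first n letters of the site name into base at offset pos."""
    infix = site_label(host)[:n]
    return base[:pos] + infix + base[pos:]


def find_collisions(base, hosts, n=2, pos=2):
    """Group distinct sites whose derived passwords come out identical."""
    by_password = defaultdict(set)
    for host in hosts:
        by_password[site_password(base, host, n, pos)].add(site_label(host))
    return {pw: sorted(labels)
            for pw, labels in by_password.items() if len(labels) > 1}


# Constructed sample: the two sites named in the message plus two whose
# names begin with the same letters.
SAMPLE_HOSTS = ["www.yahoo.com", "signin.ebay.co.uk", "yandex.com", "ebates.com"]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h, site_password("aX01otL", h))
    # Sites sharing a two-letter prefix end up sharing a password.
    print(find_collisions("aX01otL", SAMPLE_HOSTS))
```
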


On Sep 13, 2009, at 5:53 AM, David Farber wrote:



Begin forwarded message:

From: Ted Nelson <tandm () xanadu net>
Date: September 13, 2009 12:49:37 AM EDT
To: dave () farber net
Cc: Ted Nelson <tandm () xanadu net>
Subject: Re: [IP] quick note ref credit cards
Reply-To: tandm () xanadu net

Exposed for "too long"?
 What about freeze frame?
 If the bad guys have Tivos or recorders on,
 "too long" means Any.

T


On Sat, Sep 12, 2009 at 12:32 PM, Dave Farber <dave () farber net> wrote:




Begin forwarded message:

From: Richard Forno <rforno () infowarrior org>
Date: September 12, 2009 12:02:35 EDT
To: Dave Farber <dave () farber net>
Cc: Infowarrior List <infowarrior () attrition org>
Subject: quick note ref credit cards


A warning to fellow Netizens --

I just saw an economic news segment on MSNBC Saturday where the camera zoomed in and one could clearly read the entire front of a shopper's AMEX Platinum Card.

As more and more news programs are doing stories on consumer spending and shopping and their focus (rightly or wrongly) begins turning towards 'recovery' these stories frequently show folks making purchases with credit cards at cash registers in retail stores.

It may sound conspiratorial, but folks may want to be aware of this potential risk and take steps to reduce the chances that their credit card number, expiration date, and name on the card are compromised through the lens of a TV news camera by ensuring their credit cards are not 'exposed' for too long a time when paying for stuff in stores.

Just a friendly thought.

-rf





--
Theodor Holm Nelson
 Home page, hyperland.com
 Founder, Project Xanadu
 Visiting Fellow, Oxford Internet Institute
 Visiting Professor, University of Southampton






