Re: Credit Card Security
On Fri, 21 Apr 1995, Paul Rarey wrote:
> So now you trust some 800 # eh?
>
> The model that still works best for me is http:/www.fv.com/tech
Reading the fine print proves interesting, however:
(from http://fv.com/info/terms.htm)
3. YOU agree that the buyer's price is inclusive of all fees imposed by
FV. YOU agree that FV will deduct all such fees from the selling price
before making payment to YOU. YOU agree you bear all risk of currency
fluctuation between the time of sale and settlement. FV agrees that the
fee it imposes at settlement time is no more than:
2 percent of the sale amount plus $0.29 times the number of
transactions plus $1.00
--
This is fine if your transactions are of a reasonably large amount (say
over $30.00), and you've priced with the above in mind. If the
transactions are in the "pittance" range, however, this becomes
unworkable. It's too expensive.
I do like the idea, however. But there's still the problem of
"multiple accounts".
As I see, the current problem is that most users have one "account",
which they use to send/receive email, authenticate for dialup IP or a
Unix shell, etc. The fact that these actually may be services
distributed among a number of different hosts is irrelevant to the user,
who uses a single username/password authentication pair to prove their
identity. If their ISP has things set up nicely, they will probably only
have to respond to the password challenge once, and authentication is
handled automatically beyond this point.
If a user wants to enter the world of electronic commerce, they are
faced with the position of, currently, having to establish separate
"accounts" with each vendor, providing credit-card and other info for
each person they wish to purchase services/bits/stuff from. This is
suboptimal, as the user will have to manage potentially many
username/password pairs, which will differ, and they will probably write
them down on a piece of paper and lose them.
So, First Virtual comes along and says "Hah, we'll put ourselves in the
position to theoretically mediate ALL transactions!" But they're
expensive, and someone may come along and do it cheaper. So I establish
a First Virtual account, and then a Second Virtual account (the
competitor who has just set up shop on the other side of the router), and
I've even got an account with the VCU (Virtual Credit Union). Pretty
soon I've got a dozen username/password pairs to manage again, and I'm
back in the same situation I was before, except that I've spent $20.00 on
setting up accounts with each of the transaction mediators.
Seems to me that a Digital Certificate model is the only really
acceptable solution. The user then manages their own authentication
challenge/response pair, which is then signed by a trusted party or
parties. Maybe the certificate model could be incorporated with the
FV-style transaction mediators, with the user presenting the same
certificate to each mediator. But this begs the question "How do
generic users obtain signed certificates?" Seems like a great business
opportunity for someone if agreement can be made as to what information
the certificates should contain. While it will be difficult to map out
the chains of trust between corporate, network, and governmental
entities, it should be less difficult to establish a set of standards by
which trust is granted to certificates signed by parties which agree to
follow those standards. This would be something like a Notary Public.
Am I in the right ballpark with this?
-brian
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Brian W. Spolarich briansp@umich.edu
U-M ITD/US WWW Services Coordinator http://www.itd.umich.edu/
Despite the high cost of living, it remains popular, survey says...
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
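
The certificate model proposed in the message above, as an added sketch that is not part of the original post: the user keeps one key pair, a notary signs it once, and each mediator checks the same certificate and then runs its own challenge/response. Ed25519, the function names, the subject "alice" and the mediator names are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certificate binds a user name to a public key under a notary's signature.
type Certificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	Signature []byte // notary's signature over Subject and PublicKey
}

// tagged builds the signed bytes: a label, a NUL separator, then the data.
func tagged(label string, data []byte) []byte {
	return append([]byte(label+"\x00"), data...)
}

// Issue is run once by the notary after it has checked who the user is.
func Issue(notary ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{subject, pub, ed25519.Sign(notary, tagged(subject, pub))}
}

// Respond is run by the user, who holds one private key for all mediators.
// Signing the mediator's name with the nonce stops one mediator from
// replaying the response to another.
func Respond(user ed25519.PrivateKey, mediator string, nonce []byte) []byte {
	return ed25519.Sign(user, tagged(mediator, nonce))
}

// Verify is run by a mediator that stores only the notary's public key.
// The notary check comes first, so a forged certificate is rejected before
// its key is ever used.
func Verify(notaryPub ed25519.PublicKey, mediator string, c Certificate, nonce, resp []byte) bool {
	return ed25519.Verify(notaryPub, tagged(c.Subject, c.PublicKey), c.Signature) &&
		ed25519.Verify(c.PublicKey, tagged(mediator, nonce), resp)
}

func main() {
	notaryPub, notaryKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	cert := Issue(notaryKey, "alice", userPub) // constructed sample subject
	for _, m := range []string{"first-virtual", "second-virtual"} {
		nonce := make([]byte, 32) // fresh challenge from each mediator
		rand.Read(nonce)
		fmt.Println(m, Verify(notaryPub, m, cert, nonce, Respond(userKey, m, nonce)))
	}
}
```

Neither mediator stores a password for the user; each one needs only the notary's public key to accept the same certificate.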