
Re: Credit Card privacy



> > >As far as I can tell, they aren't using any security whatsoever to get their
> > >credit card numbers.  Is this common, or am I missing something here?
> > >
> > I think it's common and becoming more common.

> Yes, this is true, but the credit card companies' problems will
> eventually become everyone's problems if we let it.

I agree, it is everyone's problem; when the banks and merchants lose, the
customers pay higher prices. I don't believe credit card use over the net would
be prohibited, but it may be more expensive than necessary. It is all a
question of risk and commissions, at least for the banks and cc companies.

> Unfortunately, schemes based on encrypting credit cards in transit to
> the merchant (using SSL, SHTTP, PGP, or whatever) only solve a very tiny
> portion of this problem.  If the merchant decrypts the credit card, his
> machine becomes an attractive target for criminals.

Correct.

> The name of the game, then, is protecting the banks while keeping things
> super-easy for the customer.  These are the two primary motivations
> behind First Virtual's system, which accomplishes both quite nicely.

Well, except that its security is limited (essentially to call-back security
to authenticate the user), its cost is pretty high (look at FV's rates and
they claim that these represent their costs as a reason why there won't be
more `second and third virtual' - this also makes sense as it's an expensive
infrastructure).

These goals are also the goals of our iKP protocol, which we propose to extend
into an open, license-free standard. We got very favorable responses from
important banks and credit card companies, in particular Master Card, who
announced they consider iKP a good basis for network payments, and are now
negotiating with Visa on agreeing on a joint standard. We also got positive
responses from other technology providers, e.g. NetScape and OpenMarkets.

In our discussions with credit card companies and banks it is clear that
payment using iKP would be one of the _least_ expensive ways to buy with
a credit card. Quite the contrary of an extra pay of FV solution (not that
it's their fault - they did the right thing by providing some relief
immediately).

Payment protocols, in particular iKP, are discussed on the list
e-payment@cc.bellcore.com.

To subscribe, send a message to
majordomo@cc.bellcore.com with the body of the message
subscribe e-payment

The iKP paper is in:
> http://www.zurich.ibm.ch/Technology/Security/extern/ecommerce/

You can get the iKP paper also via anonymous ftp, directly:

   ftp ftp.zurich.ibm.ch
            (OR ftp.zurich.ibm.com)
   cd /pub/sti/g-kk/shadow/publications/1995
   get ikp.ps
OR
   get ikp.ps.gz


> If
> you haven't already checked us out, you can learn how it works at
> http://www.fv.com.  We've been fully operational (real money) since
> October 15, 1994.  For over four months now, our user base & transaction
> volume have been growing at a steady 15% per WEEK (although recent signs
> are that the rate of growth is now INCREASING even from that level).  We
> now have two Fortune 500 companies selling with First Virtual

That's great. I do sincerely hope FV would be successful with their
business and Mall. However their security solution cannot be competitive
for the long run. Let's focus on refining and getting to a good standard soon.

Best, Amir


