Safer Way to Use Your Credit Card

Hi,

With the proliferation of "spyware", which includes "keyloggers" (logs
your keystrokes as you type), why would anyone want to type their credit card
number on a computer's keyboard? Is there really a "secure" site? No wonder
identity theft is epidemic.

A programmer friend of mine told me about his awesome idea for a safer way
to order merchandize on the Internet. Web sites should present an option
after you fill out an order form. If the credit card number slot is blank,
you are presented with the option. If you accept (incase you forgot to type
your credit card number), you receive an order number which you write down.
Off line, you dial direct (no interception), a special toll free number and
enter that order number. Next, you are prompted to enter the credit card
number on your touch tone telephone. Note: This is automatic, no human
contact. Also, your order is canceled if you fail to give your credit card
number within a certain period of time.

Brad

Brad

On Thu, 30 Dec 2004 13:32:24 GMT, (Brad) wrote:

>Hi,
>
> With the proliferation of "spyware", which includes "keyloggers" (logs
>your keystrokes as you type), why would anyone want to type their credit card
>number on a computer's keyboard? Is there really a "secure" site? No wonder
>identity theft is epidemic.
>
> A programmer friend of mine told me about his awesome idea for a safer way
>to order merchandize on the Internet. Web sites should present an option
>after you fill out an order form. If the credit card number slot is blank,
>you are presented with the option. If you accept (incase you forgot to type
>your credit card number), you receive an order number which you write down.
>Off line, you dial direct (no interception), a special toll free number and
>enter that order number. Next, you are prompted to enter the credit card
>number on your touch tone telephone. Note: This is automatic, no human
>contact. Also, your order is canceled if you fail to give your credit card
>number within a certain period of time.
>
> Brad

1. It introduces un-necessary complication and scope for error

2. Its 'US centric' in its thinking in relation to using toll free
numbers

3. Systems are set up to do online card validation and charging


--
Jim Watt
http://www.gibnet.com

Jim Watt

on 12/30/2004 03:32 PM Brad wrote:

> Hi,
>
> With the proliferation of "spyware", which includes "keyloggers" (logs
> your keystrokes as you type), why would anyone want to type their credit card
> number on a computer's keyboard? Is there really a "secure" site? No wonder
> identity theft is epidemic.

Visa has this "Verified by Visa" which makes sure the user is actually
who he claims to be. This feature first requires approval from the card
owner, approval is fast and totally free. After this, the user can buy
securely and without fear of "any" abuse what there otherwise could be.
More about this on Visa homepage. Of course, nothing's secure and this
doesn't prevent keylogger from stealing getting your card number.

--
Teemu Valimaki <>

"They who would give up an essential liberty for temporary security,
deserve neither liberty or security" - Benjamin Franklin

DailyCritical.com - News around the world

Teemu Valimaki

(Brad) writes:

>Hi,

> With the proliferation of "spyware", which includes "keyloggers" (logs
>your keystrokes as you type), why would anyone want to type their credit card
>number on a computer's keyboard? Is there really a "secure" site? No wonder
>identity theft is epidemic.

> A programmer friend of mine told me about his awesome idea for a safer way
>to order merchandize on the Internet. Web sites should present an option
>after you fill out an order form. If the credit card number slot is blank,
>you are presented with the option. If you accept (incase you forgot to type
>your credit card number), you receive an order number which you write down.
>Off line, you dial direct (no interception), a special toll free number and
>enter that order number. Next, you are prompted to enter the credit card
>number on your touch tone telephone. Note: This is automatic, no human
>contact. Also, your order is canceled if you fail to give your credit card
>number within a certain period of time.


At which point the system stores the number on a database at the computer
That computer is a far far higher usefulness to a identity thief--
thousands of cards ratehr than one. Which computer would you target?

Bill Unruh

In article <>, Brad wrote:

> With the proliferation of "spyware", which includes "keyloggers" (logs
>your keystrokes as you type), why would anyone want to type their credit
>card number on a computer's keyboard?

Why are you installing the spyware? Or do you blindly click the block that
says
OK
Install whatever you want - I don't care

or even worse, have configured your browser to automatically install
anything without asking, because it's to hard to click on 'OK' or 'Cancel'?
Spyware/trojans/viruses can not install themselves without the user making
some effort - either approving the install, or setting your browser to do
it for you.

>Is there really a "secure" site?

Yes, plenty of them.

>No wonder identity theft is epidemic.

-------------------
Do not attribute to malice that which can be explained by blatant stupidity.
-------------------
"Sufficiently advanced incompetence is indistinguishable from malice."`
-------------------

>A programmer friend of mine told me about his awesome idea for a safer way
>to order merchandize on the Internet. Web sites should present an option
>after you fill out an order form. If the credit card number slot is blank,
>you are presented with the option. If you accept (incase you forgot to type
>your credit card number), you receive an order number which you write down.

Nothing wrong with that - it's been around since the 1960s, before there
was an Internet (1969), never mind the web (1995).

>Off line, you dial direct (no interception), a special toll free number

1. Who pays for the call? "Toll free" isn't free to the callee. How do
they recover the cost of the call? Do you have any idea how much the call
would cost? How do they recover the cost of the telephone system that
accepts these calls, and makes the association between order number and
seller/buyer?

2. What number do you dial? Is it one presented on the web site? Is it
a single world wide telephone number that somehow figures out who the
selling party is, and makes the connection between buyer and seller? Is
it a number you saw on google, or looked up in the local phone book (which
is only issued once a year)?

3. How does your credit number get billed by the seller's bank - how is the
information securely transferred from this computer that answers the phone to
the seller's ordering computer, and then to the bank?

>and enter that order number. Next, you are prompted to enter the credit
>card number on your touch tone telephone. Note: This is automatic, no
>human contact.

4. How do you handle fumble-fingered typos?

>Also, your order is canceled if you fail to give your credit card
>number within a certain period of time.

And who pays the cost of the order cancellation?

Your programmer friend has absolutely no concept of how business operates
and how things are costed out. Hope he's a better programmer than business
consultant or security analyst.

Old guy

Moe Trin

On Thu, 30 Dec 2004 17:52:05 +0200, Teemu Valimaki
<> wrote:

>Visa has this "Verified by Visa" which makes sure the user is actually
>who he claims to be. This feature first requires approval from the card
>owner, approval is fast and totally free. After this, the user can buy
>securely and without fear of "any" abuse what there otherwise could be.
>More about this on Visa homepage. Of course, nothing's secure and this
>doesn't prevent keylogger from stealing getting your card number.

At least it adds another element of security, and much to my suprise
it is available in some the civilised world

Andorra
Austria
Belgium
Gibraltar
Greece
Israel
Italy
Norway
Portugal
Spain
Switzerland
Turkey
UK
RBS Group - available
Barclays Bank (coming soon)

Opps tough on the Irish, French and Germans etc
mind you I don't see .fi there either, and the Gibraltar
entry is in respect of Jyske Bank who only issue Visa
branded debit cards, which are impractical.

In the UK Barclays have the bulk of the Visa business for
hstorical reasons, they started first. Natwest (part of RBS)
mention a similar scheme for Mastercard.

Looking at the terms and conditions I see "You understand that you are
financially responsible for all uses of NatWest Secure."

aha do I detect a game of pass the parcel ?

Not today thanks.

Of course in the future you would just need to insert your
hand in the reader and the implanted ID chip could validate
your identity.

But wait thats just a bad dream, Blunkett has gone.


--
Jim Watt
http://www.gibnet.com

Jim Watt

On Thu, 30 Dec 2004 13:32:24 GMT, (Brad) wrote:

>Hi,
>
> With the proliferation of "spyware", which includes "keyloggers" (logs
>your keystrokes as you type), why would anyone want to type their credit card
>number on a computer's keyboard? Is there really a "secure" site? No wonder
>identity theft is epidemic.
>
> A programmer friend of mine told me about his awesome idea for a safer way
>to order merchandize on the Internet. Web sites should present an option
>after you fill out an order form. If the credit card number slot is blank,
>you are presented with the option. If you accept (incase you forgot to type
>your credit card number), you receive an order number which you write down.
>Off line, you dial direct (no interception), a special toll free number and
>enter that order number. Next, you are prompted to enter the credit card
>number on your touch tone telephone. Note: This is automatic, no human
>contact. Also, your order is canceled if you fail to give your credit card
>number within a certain period of time.
>
> Brad
##########################
There is no reason for any of that. Some credit card companies offer
one time numbers for internet purchases, so it's doesn't matter who
gets the number because it's not good anymore anyway. What do you
think of that?
donnie.

donnie

"Brad" <> wrote in message
news:...
> Hi,
>
> With the proliferation of "spyware", which includes "keyloggers"
> (logs
> your keystrokes as you type), why would anyone want to type their
> credit card
> number on a computer's keyboard? Is there really a "secure" site?
> No wonder
> identity theft is epidemic.
>
> A programmer friend of mine told me about his awesome idea for a
> safer way
> to order merchandize on the Internet. Web sites should present an
> option
> after you fill out an order form. If the credit card number slot is
> blank,
> you are presented with the option. If you accept (incase you forgot
> to type
> your credit card number), you receive an order number which you write
> down.
> Off line, you dial direct (no interception), a special toll free
> number and
> enter that order number. Next, you are prompted to enter the credit
> card
> number on your touch tone telephone. Note: This is automatic, no
> human
> contact. Also, your order is canceled if you fail to give your credit
> card
> number within a certain period of time.
>
> Brad
>


Isn't it amazing how people will use a method that is more insecure?
Hitting digits on a telephone. Yeah, like no one tapping your line
could figure out what was your credit card number from that. That's
like folks that are worried about ordering online and yet they go
speaking their credit number on the telephone to place an order that
way.

Instead of using your real credit card number, why not use a temporary
one? I have an account with MBNA Visa/MC. They have their ShopSafe
scheme where you have them generate a temporary credit card number. It
is tied back to your real account but only they know the linkage. You
can specify both a maximum dollar limit on that temporary card number
and an expiration (minimum is 1 month). That means when you order that
$8 case fan with $5 shipping that you use ShopSafe to generate a temp
card number that has a maximum charge of $15 (I always add a bit to
account for any sales tax and other charges they may happen to omit when
you are checking out) and have it expire in 1 month (the default term).
That means if anyone steals that number, they can only nail you for the
$15 and they'd have to use it before it expires in a month (i.e., your
card number doesn't go floating around indefinitely and remain usable).
My other credit card companies don't have this service so I end up using
temp cards generated from my MBNA card all the time for online order, or
even for telephone orders.

I'm sure at some point in setting up the ShopSafe account or registering
online with the credit card company to get an web account that you'll be
typing in the sensitive info unless they ask for confirmation info to
prove who you are instead of directly asking for your credit card
numbers (or look you up on a partial card number). You could use an
onscreen keyboard that you click on with the mouse as a keylogger
wouldn't get that but a packet sniffer might *IF* the sight were so
stupid as to not use SSL to encrypt your communications. However, you
obviously should be periodically cleaning your system, anyway.

--
__________________________________________________ __________
*** Post your replies to the newsgroup. Share with others.
*** For e-mail, you must append "#NEWS#" to the Subject.
__________________________________________________ __________

_Vanguard_

On Fri, 31 Dec 2004 01:09:42 -0600, "_Vanguard_" <>
wrote:

>why not use a temporary one? I have an account with MBNA

Very nice, but they won't issue one to me.

Bastards.

They were soliciting clients in the depature lounge at
Gatwick airport and wasted my time filling in an application
only to announce later 'UK residents only'.
--
Jim Watt
http://www.gibnet.com

Jim Watt

"Jim Watt" <_way> wrote in message
news:...
> On Fri, 31 Dec 2004 01:09:42 -0600, "_Vanguard_" <>
> wrote:
>
>>why not use a temporary one? I have an account with MBNA
>
> Very nice, but they won't issue one to me.
>
> Bastards.
>
> They were soliciting clients in the depature lounge at
> Gatwick airport and wasted my time filling in an application
> only to announce later 'UK residents only'.



Must've been the branch to which you sent the application. MBNA is
incorporated in Maryland (http://www.mbna.com/investor/articles.html).

--
__________________________________________________ __________
*** Post your replies to the newsgroup. Share with others.
*** For e-mail, you must append "#NEWS#" to the Subject.
__________________________________________________ __________

_Vanguard_