[cryptography] PKI "fixes" that don't fix PKI (part III)

John Levine johnl at iecc.com
Sat Sep 10 16:14:00 EDT 2011


>This makes no sense whatsoever.  Credit card numbers are *universally*
>encrypted; of course there's no interception of them.

There's a fair amount of low-level ecommerce by e-mail.  They don't
seem to be intercepted there, either.

>In 1993, there was interception of passwords on the Internet.

This strikes me as another example of "make your password totally
obscure and change it every week", advice that was specific to a long
ago environment that's been passed along as received wisdom.

In the early 1990s there was still a fair amount of coax Ethernet, and
twisted pair was usually connected to hubs rather than switches, so it
was easy for a bad guy on your network or intermediate networks to
snoop on the traffic.  These days, the only shared media are hotel and
coffee shop wifi.

While we've certainly seen evidence that bad guys snoop on open wifi,
it's not my impression that they're particularly looking for credit
cards, more often passwords to accounts they can steal.  The price of
stolen credit cards in the underground economy is very low, so there's
no point.  The chokepoint to using stolen cards isn't getting the card
numbers, it's finding cashers or money mules.

So while I agree that it's a good idea in general to encrypt your
traffic, I don't see any evidence that card numbers are at particular
risk.

R's,
John
