[ale] OT: Security code on Credit/Debit cards

JK jknapka at kneuro.net
Tue Feb 23 09:55:43 EST 2010


On 2/23/2010 6:56 AM, Lightner, Jeff wrote:
> Funny the talk about bank transfers.  We do a fair amount of them and are
> amazed at how many of them want us to just allow ftp in clear text.  We
> don't.   We force them to use sftp if possible or at least pgp encrypt
> the files that we pick up with ftp (we don't let them ftp into us).
> That way if someone does get the ftp information or does a man in the
> middle attack they end up with gobbledygook.   What's really scary is
> how many of them seem to know so little about pgp and sftp.  On occasion
> we do get a suggestion of ftps but we don't do that.
>
> PCI is making folks more conscious of security for Credit/Debit cards
> (PCI = Payment Card Industry) but doesn't address things like lockboxes
> and other transmittals not related to bank cards.


I wonder how much of this blasé attitude to really critical security
measures is a product of an essentially Luddite attitude toward
IT?  I see it among many of my friends and acquaintances, even those
who are highly-credentialed in their own non-IT fields, and therefore
pretty smart cookies: the idea that the process of moving data from
one computer to another over a network must be so incredibly complicated
and mysterious that only a true wizard would be able to understand
it, or care to do so.  And gosh, I've never met one of those wizardly
people, so how much of a concern could it be?

A demonstration of how easy it is to pull account numbers and so
forth out of a clear FTP stream with Wireshark might be an eye-opening
experience.

-- JK


-- 
We Americans are a freedom-loving people, and nothing says "freedom"
like Getting Away With It. -- Guy Forsyth, "Long Long Time"
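
The quoted policy above (files picked up over FTP must at least be PGP-encrypted) can be enforced with a pre-check on each file. The sketch below is an added example, not part of either poster's message: the function names and sample files are hypothetical, and the check follows the OpenPGP packet header layout in RFC 4880. It rejects cleartext and also files that are only PGP-compressed or signed, which are still readable on the wire.

```python
import base64

# OpenPGP packet tags (RFC 4880) that can begin an encrypted message.
ENCRYPTED_TAGS = {1: "PKESK", 3: "SKESK", 9: "SED", 18: "SEIPD"}
ARMOR_BEGIN = b"-----BEGIN PGP MESSAGE-----"

def first_packet_tag(data):
    """Return the tag of the first OpenPGP packet, or None if not a packet."""
    if not data or not data[0] & 0x80:      # bit 7 is set on every packet header
        return None
    if data[0] & 0x40:                      # new-format header: tag in bits 5-0
        return data[0] & 0x3F
    return (data[0] & 0x3C) >> 2            # old-format header: tag in bits 5-2

def dearmor(data):
    """Decode the base64 body of an ASCII-armored message, or return None."""
    lines = [l.strip() for l in data.strip().splitlines()]
    if not lines or lines[0] != ARMOR_BEGIN or b"" not in lines:
        return None
    body = []
    for line in lines[lines.index(b"") + 1:]:   # body starts after the blank line
        if line.startswith(b"=") or line.startswith(b"-----END"):
            break                               # CRC line or armor tail
        body.append(line)
    try:
        return base64.b64decode(b"".join(body), validate=True)
    except ValueError:
        return None

def is_pgp_encrypted(data):
    """True only if the file starts with an OpenPGP encryption packet."""
    if data.lstrip().startswith(ARMOR_BEGIN):
        data = dearmor(data)
        if data is None:
            return False
    return first_packet_tag(data) in ENCRYPTED_TAGS

# Constructed samples (packet headers plus padding; no real ciphertext or account data).
SAMPLES = {
    "cleartext.csv": b"ACCT,AMOUNT\n0000000000,10.00\n",
    "binary.pgp": b"\x85\x01\x0c" + bytes(16),           # old-format tag 1
    "compressed_only.gpg": b"\xa3\x01" + bytes(16),      # tag 8, not encrypted
    "armored.asc": ARMOR_BEGIN + b"\n\n" + base64.b64encode(b"\xd2" + bytes(16))
                   + b"\n=AAAA\n-----END PGP MESSAGE-----\n",   # new-format tag 18
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "accept" if is_pgp_encrypted(blob) else "REJECT")
```

This only inspects the first packet header, so a non-PGP binary file can still slip past by coincidence; the real proof is that the file decrypts with the expected key.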

