[nSLUG] Netscape

George N. White III gnwiii at gmail.com
Sat Jan 17 18:03:19 AST 2009


On Sat, Jan 17, 2009 at 3:27 PM, Mike Spencer <mspencer at tallships.ca> wrote:
>
> gnw> ...but if you have a credit card and don't check for bogus
> gnw> transactions every few days you may have trouble (this happened
> gnw> to someone I know) when someone manages to buy a dozen Dell
> gnw> systems on your card...
>
> That would require visiting a web site that is (or looks very like ;-)
> the CC company's site?  And exchanging passwords, secret handshakes
> etc. over the net?  Now it becomes a statistical (if you have lots of
> data) or a subjective likelihood (if you don't) problem.  Where does
> the greatest risk lie?  I don't have a CC.  My wife has one but, now
> that she's retired, it's used maybe a dozen times or fewer in a year.

Some banks have a phone interface that would be good for someone with
very few transactions.   I don't think the interface is much use to crooks
unless they are inside the bank and can "hide" the transactions (that
actually happened to me!).

Using your card very little may reduce the chances that a crook gets
the number, but once it is in some large corporate database there is
the same chance it will be stolen as someone uses it more often, and
if you don't use it you won't want to spend time checking.

> gnw> If you check the account regularly, the card would have been cut
> gnw> off before the order could be placed with Dell, and certainly
> gnw> before the order shipped.  The bank is not going to be happy if
> gnw> they don't hear about the bogus transaction until after the goods
> gnw> have been delivered, which means they are going to share the pain
> gnw> with you.
>
> Are you saying that evincing due diligence now includes, by default,
> such a check?  From my perspective, the *bank's* due diligence includes
> recognizing that we don't do any financial transactions or data access
> over the net, ever.  We go personally to the branch in meatspace.  And
> we never buy truckloads of anything on a CC.  From your perspective,
> George, does that make us more, rather than less, vulnerable?

The big-time thieves have some way to bypass the checks on usage
patterns.  A court might say that requiring you to check your transactions
every few days is excessive, but you can't go to court -- your contract
requires you to follow the dispute resolution mechanism.  I think any
CC that is used "responsibly" is similarly vulnerable.

> gnw> Some workplaces have IT running around blocking javascript,
> gnw> etc. and HR requires that everyone enable javascript to process
> gnw> leave requests, etc.
>
> I really don't get that. Javascript makes sense for the marketing
> droids because it offloads processing cycles onto the user, whom the
> droids regard with ultimate scorn [1]. Within the enterprise, why aren't
> server-side CGI scripts way better?  You only have to control security
> on your server(s).

One of the selling points is that the system has low server-hardware
and low network-bandwidth requirements.

> gnw> Have you looked at other lightweight browsers like dillo?
>
> No. I suppose I should.  Firefox is not too bad, save that it doesn't
> seem possible to turn things off as I'd like and still access  them
> when I want to without onerous messing about. And numerous little
> interface "features"  that annoy me.  Oh, and it calls home if I don't
> fudge /etc/hosts.  Mumble....not too bad..mutter.

Firefox is way too complex not to have security problems, and you
should do anything "sensitive" in a separate browser.

-- 
George N. White III <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia


