| Author | Message |
| 25 new of 191 responses total. |
scg
|
|
response 149 of 191:
|
Feb 15 19:35 UTC 1999 |
Except that we could treat the card number as ID.
|
remmers
|
|
response 150 of 191:
|
Feb 15 21:53 UTC 1999 |
We'd have to amend the policy on what constitutes acceptable ID, I
think, in order to do that. But yes, it could be done.
|
jshafer
|
|
response 151 of 191:
|
Feb 15 23:26 UTC 1999 |
(Sorry, I wasn't implying that we needed to be
concerned about contributors overdrawing their
accounts. I was just pointing out one of the
differences between using the 'debit' and the
'credit' features of a 'Visa Check Card' or the
like.)
Do credit card #'s provide adequate ID?
How do we know they aren't stolen?
My interest in grex accepting credit cards is
entirely because I'm lazy .) I don't deal
with checks. But I have sent checks in in the
past, so I wouldn't need to send further ID
in in the future. So grex would be _much_
more likely, in any given month, to receive
my financial support, were an easy-to-use
credit card procedure in place.
That doesn't necessarily mean that it would be
worthwhile to accept credit cards; just that
if we did, I would use them. Probably more
often than I'd get around to sending a check.
|
mdw
|
|
response 152 of 191:
|
Feb 15 23:30 UTC 1999 |
I don't think credit card companies do *that* good a job of checking
identity; and I don't know that they necessarily make such records
available, even in extraordinary conditions. I've heard too many cases
of people's dogs getting credit cards, or of applications being sent to
people long dead. A driver's license is a matter of public record. A
credit card is a private thing. A driver's license contains lots of
additional "helpful" identifying material. A credit card doesn't
contain any of that material.
|
i
|
|
response 153 of 191:
|
Feb 16 01:41 UTC 1999 |
Don't we also take personal checks as both an ID & payment? I doubt
that the bank checks what gets printed on a check any better than they
check what goes into the credit card account record. My experience as
a small-time credit card merchant is that one can ask for the name "as
it appears on the card" and the billing address for the card, then call
the card merchant customer service 800-number, and they'll do a "yes"/
"no" verification of the name & address. The issue is whether it's
worth the time & bother.
|
aruba
|
|
response 154 of 191:
|
Feb 16 03:17 UTC 1999 |
Hmmm. I'd forgotten that someone told me at lunch the other day that we can
ask for the billing address and then do a yes/no lookup on it. That might be
a good enough ID, then. I really don't know whether it's better or worse
than a checking account number.
|
dang
|
|
response 155 of 191:
|
Feb 16 04:08 UTC 1999 |
We don't really need to know who the person is, do we? Just that they
are one person, and something the Feds can use to track them down? I
imagine we could give a CC# to the Feds, and they would find the person.
|
scg
|
|
response 156 of 191:
|
Feb 16 04:49 UTC 1999 |
For what it's worth, most ISPs consider a credit card number, along with
expiration date and billing address, to be good enough ID.
|
aruba
|
|
response 157 of 191:
|
Feb 16 14:19 UTC 1999 |
I guess it ought to be good enough for us, then. OK, I withdraw my
prediction.
|
devnull
|
|
response 158 of 191:
|
Feb 16 22:30 UTC 1999 |
It's certainly reasonable to check the billing address for auction stuff.
If someone fraudulently uses someone else's credit card, they can't
usefully buy auction stuff.
As for membership authentication, this seems more troubling. I believe there
have been cases where people's credit card numbers have been read from
mail order vendor's databases, and I imagine that this includes all the
information that a vendor uses to authenticate a transaction, including
the name on the card and the billing address.
The purpose of membership authentication is to make it hard for crackers
to get outgoing access on grex, right? If that's the main reason to have
it, I think pure electronic authentication via a credit card is inadequate.
|
jshafer
|
|
response 159 of 191:
|
Feb 17 01:35 UTC 1999 |
I would tend to agree with Joel, but sending a copy of a
drivers' licence one time might not be _that_ much of a
bother...
Oh, and the last time I ordered checks, I had to have them
delivered to the address printed on the check. I don't know
if that's the rule or the exception.
|
scg
|
|
response 160 of 191:
|
Feb 17 04:45 UTC 1999 |
I've also dealt with some situations where a photocopy of my drivers license
has been requested, other than my Grex membership, so given that we allow
photocopies of drivers licenses as ID, I don't think that the possibility of
people pulling credit card information from company files should be too much
more of a problem than we already potentially have.
What it comes down to, I think, is that there will always be security problems
with any method short of requiring people to show up in person with several
forms of ID, and even that may not be perfect, but that's good enough to get
the state to issue more ID cards. With that in mind, we just have to decide
what's good enough. It is certainly possible that, no matter what precautions
we take, we may end up at some point being confronted with a case of credit
card fraud. If that happens, the card companies will tell us about it, give
us the opportunity to make our case that it wasn't fraud, and then have us
refund the money. The big difference between us and other merchants accepting
credit cards in this regard is that Grex memberships don't cost us anything,
so we wouldn't be stuck refunding money for something we had already paid for
and sent to the "customer."
|
devnull
|
|
response 161 of 191:
|
Feb 17 07:04 UTC 1999 |
Steve, there's an important bit of psychology that you're overlooking:
I strongly suspect that the sort of people who are going to use outgoing
access to cause trouble are much more likely to be willing to hand us
a stolen credit card number than bother to send us actual snail mail.
I'm not worried about collecting the membership money; it's a matter
that people have insisted that we have some identification for outgoing
connections, and I'm convinced that credit cards may be too convenient.
(Unless crackers are always different from the people who will commit
credit card fraud; one of my cow orkers has claimed that it's reasonable
to store pin numbers for atms on computers, and write down passwords.
however, pin numbers are only useful if you also can get access to the
physical card...)
|
krj
|
|
response 162 of 191:
|
Feb 17 16:12 UTC 1999 |
I would like to see us think in terms of "good enough" security.
If a credit card is sufficient authentication for commercial ISPs,
as was stated above, it should be good enough for Grex.
Grex's goal should be to be no more of a problem source on the net than
any good ISP.
I'd guess that more problems are caused by users of our unregistered and
free e-mail services than would ever be caused by someone
getting outbound telnet access with a stolen credit card number.
And if we are really worried about this, then let's think about
de-coupling membership and telnet authentication, which has already
been discussed somewhere. Most of the people we hope to get money
from via credit cards don't need our outbound telnet: they more likely
don't live around here, or they are prosperous & computer-involved
enough to already have a "real" ISP account.
|
mdw
|
|
response 163 of 191:
|
Feb 17 23:15 UTC 1999 |
The purpose of requiring ID isn't to make it hard for vandals; it's to
provide accountability in case someone complains that someone was trying
to break in to their computer. We'd like to make it as easy as possible
for vandals to be accountable for their actions. The other reason to
ask for ID is for membership purposes; basically, to make it
unattractive to sign up one's 6 dead grandmothers for memberships and to
try to take over the board.
Credit cards do have an "interesting" disadvantage compared to DL's.
The state goes to considerable effort to make sure there's not more than
one DL per person. Credit card companies go to considerable effort to
try to sell as many credit cards as possible to the same person. ISP's
don't generally care about uniqueness - if you buy 6 different ISP
accounts using 6 different credit cards with the same ISP, they won't
care (and they won't care if you use the same credit card for all 6,
too.) On the other hand, because we care about making sure it's "one
person, one vote", we do care.
|
devnull
|
|
response 164 of 191:
|
Feb 18 02:10 UTC 1999 |
Yes, marcus, but in practice vandals probably have enough clue to find
ways to make it harder for their activities to be traced...
|
janc
|
|
response 165 of 191:
|
Feb 18 04:18 UTC 1999 |
We recently had a vandal trying to break into several hundred computers
in two other countries using "lynx" on Grex. We give lynx access away
free to everyone, without authentication. It is also possible to attack
the other systems with mail. I don't think we should change the
services we require authentication for, but I also don't think we should
overstate the importance of having ID for people we give telnet access
to. It is a good thing to have, but if we get fooled occasionally, I
don't think it would be the end of the world.
|
mdw
|
|
response 166 of 191:
|
Feb 18 16:18 UTC 1999 |
I think we recently had the vandal discussion elsewhere. Do we really
want to confuse it with credit cards?
|
janc
|
|
response 167 of 191:
|
Feb 18 18:28 UTC 1999 |
Only if it is being put forward as a justification for stronger
validation than we can get with a credit card.
|
mdw
|
|
response 168 of 191:
|
Feb 18 19:42 UTC 1999 |
I think there is a difference, but I'm not sure it's important. With
membership and voting rights, though, I think there is a problem.
|
srw
|
|
response 169 of 191:
|
Feb 18 20:53 UTC 1999 |
yeah, perhaps, if we didn't track the billing address, but I think we
should be asking for the billing address along with the card number, and
should use it as part of the supplied ID. So I don't think there's a
problem even WRT voting rights and membership, at least not worse than
what we have today in accepting personal checks.
Re Joel's worry about crackers -- I'm not worried about being fooled by
people using stolen CCs. That is a problem for the bank. They will
notify us of hanky-panky, and we can turn off membership, if it comes to
that.
|
dpc
|
|
response 170 of 191:
|
Feb 19 21:18 UTC 1999 |
I'd really like to see us get off the dime and make credit cards
useable for Grex. These security issues won't arise 999 times out
of 1000 if we just do what regular merchants do.
|
tpryan
|
|
response 171 of 191:
|
Feb 19 22:45 UTC 1999 |
Nice conversation, wish I had the time to follow it.
|
janc
|
|
response 172 of 191:
|
Feb 22 01:30 UTC 1999 |
David, every web site I've ever bought anything from uses a secure
server. Doing this reasonably well requires buying a Verisign key,
which is from our point of view expensive. The whole point is that what
regular merchants do may not be within our reach.
|
dpc
|
|
response 173 of 191:
|
Feb 24 20:01 UTC 1999 |
We're sellers, not buyers. The risk of an unsecure transaction is
on the buyer, not us, it would seem. That risk is set by law at
$50. We should act to accept credit cards *without* a Verisign key.
We should accept credit card numbers by e-mail. We should do this
now.
|