10 new of 59 responses total.
marcvh
response 50 of 59:   Jan 7 06:00 UTC 1995

I guess it's not clear to me whether you're talking about risk to Grex
or risk to possible Grex members who choose to use Grex as their contact
point for personal FV accounts.  I can't think of any good attack
scenarios against Grex that wouldn't also work for the current system.
I can think of potential problems with the latter creating risks for
individuals.

(Quick attack on current system:  Attacker gets root, changes online
files specifying the address to mail checks to, fooling people into
sending donations to him instead of the real Grex.  Hacks sendmail,
Picospan, and emacs to silently replace any reference to the old address
with a reference to the fake one.  Creates general confusion for quite
some time until folks figure out what's up.  There are tons of
variations on this, of course.)

Most any system will be vulnerable to attacks of this sort, but then
such an attack would be somewhat difficult to do and probably not net
very much money for the work.

I do agree there are security issues, but what Marcus suggests sounds
like it would involve spending more money and effort on security than
the value of what is being protected.  It's not like somebody who broke
root would be able to clean out Grex's bank account; I'm not sure
exactly what Marcus's worst-case scenario would look like.
scg
response 51 of 59:   Jan 7 06:18 UTC 1995

Um, if somebody changed the address to send money to to their address, it
would be pretty easy to find them.
mdw
response 52 of 59:   Jan 7 08:51 UTC 1995

The danger is not to grex's bank account, precisely, but rather to grex
in a legal/financial sense.  Having money at stake changes the risks
considerably.  I'm not exactly sure how fv tries to authenticate
accesses, so the exact attack might vary: if, for instance, it's only
authenticated by the buyer, the bad guy could submit fake charges in the
name of grex, and inconvenience hundreds, if not thousands of users, and
sorting out the resulting mess could be a royal pain.  If charges are
only authenticated by the buyer, then the bad guy may be able to submit
fake charges in the name of the buyer, but credit the money to his own
entity.  He could then abscond to the ether leaving grex at least
potentially responsible for the lost funds.  Right now, if someone
breaks into grex, they can inconvenience a lot of people, and create a
big stink, but it's difficult for them to profit, in a personal and
useful sense, from this exercise.  Entrusting money shifts the whole
picture, and makes it economically attractive for a whole new population
of criminals to break into grex.  I don't believe we're ready for that
risk.
robh
response 53 of 59:   Jan 7 12:00 UTC 1995

Yeah, we've had enough problems from the hackers who are
willing to do it for free.  >8(

Volunteer hackers...  Hmm...  Nah, forget it.
andyv
response 54 of 59:   Jan 7 13:19 UTC 1995

I enjoyed Marc's "Quick attack on current system:" I decided to enter
a couple more "worst case scenarios."  I drive out on the road and some
jerk crosses the yellow line and destroys my only vehicle and cripples me
for life just after the state limits liability.  I get on a small plane
(less than 15 seats) and the plane crashes on approach where a
photographer takes a picture of mangled body and sells it to all the major
newspapers and TV stations.  Someone breaks into my house and steals
my computer, rapes my wife and kills my children in front of me.  I
come home early from college only to have the house catch on fire which
destroys my lungs and trashes almost the rest of my life.

The last one is true.  I am surviving.  I am doing the best I can with 
what I have left.  Life doesn't stop because there is risk.
marcvh
response 55 of 59:   Jan 7 13:41 UTC 1995

Re #51: come on, be creative.  I'm sure you could think of half a dozen
ways to set up an anonymous maildrop that couldn't be easily traced back
to you, if you're willing to be fraudulent.  The hard part is cashing the
checks in a fashion that can't be traced back to you.

The first attack Marcus points out could work on a small scale with a
lot of work, though as he points out, this would only inconvenience
some people until the fraud was noticed and the bogus transactions
rolled back, but would not financially enrich the attacker.  The
second attack is more or less what I had in mind; it's an electronic
version of the fake-addresses-for-checks attack.  The risk is to
users, not to Grex, though the consumer protections associated with
credit cards make it much easier to repudiate a fraudulent transaction
long after the fact than it is with checks.  Either attack would require
some real-world fraud (e.g. obtaining a checking account under an
assumed name) to be done successfully.

I think Marcus's main point is that he doesn't want Grex encouraging
people to do something that might be dangerous, because we might be
responsible for problems that result in the legal, or at least moral,
sense.   (Note: If so, someone may want to change the current support
message, which suggests people send cash through the USnail.)

Doing all this with high-level encryption and the like would be a win;
unfortunately, the infrastructure for all that is slow in coming and
probably won't be very viable for Grex until the relevant patents
expire.  Until then, there are trade-offs.
popcorn
response 56 of 59:   Jan 8 01:11 UTC 1995

Re impulse purchases: There's a huge number of people who say they
intend to become a Grex member, one of these days.  These are the people
who would be more likely to become members if we made it easier.
mdw
response 57 of 59:   Jan 8 02:09 UTC 1995

Actually, there's a worse danger to grex in the first attack - it could
do a lot of damage to grex's reputation that would be hard to repair.
Imagine, if you will, if you are an innocent user who has never heard of
"cyberspace communications, inc", and you get charged $60 bucks (a whole
week's worth of food) out of the blue.  Your first reaction will be
"they stole from me", and no doubt, fleeting thoughts of lawyers, fbi
agents, and other methods of revenge will cross your mind as you think
of what options you might have in getting your money back.  Now, if grex
is lucky, it will be able to resolve the matter in short order, but
imagine the feeling of a potential user of grex, whose first encounter
is "We're sorry, somebody broke into us, and stole money from you.
Here's your money back."  Would you give money to that organization?
Would you trust your e-mail there?

Both these attacks are kind of theoretical - the first thing to do would
be to investigate whatever sorts of safeguards fv might have to protect
against these problems.  They probably do have some safeguards.   We
should make sure we understand exactly what they are, before we proceed
further.

But this idea of doing credit card transactions online on grex is only
one extreme.  There's a whole range of options we could consider,
including setting up a separate secure machine, doing it over the phone,
doing it by snail mail, and so forth.  Before getting too caught up in
trying to pioneer end to end automated electronic cash exchanges over
insecure communications lines, we ought to consider some of those other
alternatives.
marcvh
response 58 of 59:   Jan 8 02:27 UTC 1995

I don't think the attack scenario of somebody who has never heard of Grex
being gotten is very plausible, because no account information about that
person would exist on Grex to be stolen and used illicitly.  More
likely is that somebody who does use Grex runs an illicitly hacked version
of Grex's billing program and discloses his account ID to a hacker, who
could then use it to submit phony bills with money going to Grex or, more
sensibly, himself.

The main check of the FV model is that every transaction is verified
with the buyer via the "independent channel" of email.  The problem is
that, with Grex, if the person uses their Grex address for their contact
point the channel is not independent, and a hacker could muck it up at
the same time.  I suspect a significant portion of the folks who would be
interested in this would have a different "primary" email account than
Grex, and should use that, in which case the risks are lessened greatly.
Having the email transactions between FV and whoever is representing
Cyberspace Comm  (the treasurer, I guess) go via a system which is
independent of Grex would also help.

Anyway, the point isn't to discuss nuances of various security attacks
(well, actually it's sort of interesting, but probably goes in jellyware
or something.)  I agree that various options like phones, USmail, and
the like should be looked at and the trade-offs in terms of convenience,
effort and security be considered.
lilmo
response 59 of 59:   Jan 28 20:35 UTC 1995

Re: #55:  I don't think we (you?) ought to be encouraging sending cash through
the mail anyways.  Generally, I would think that the largest group of potential
users w/o access to a checking account is children, and we wouldn't, I think,
want to be taking their money w/o their parents' knowledge anyways.

<lilmo steps off soapbox and shakes his head, as if just waking up>