Re: [mv] more security
On Fri, 12 Nov 1999, Michael James wrote:
>****** message to minivend-users from Michael James <mwjames@ak.planet.gen.nz> ******
>
>Are the security implications different for the following three scenarios
>1. Credit card number collected via the secure server and saved in a mail box on the local machine.
>2. As above but sent to a mailbox on the local network
>3. As 2 above but collected by someone who has a dial up ppp account with the server.
I'm finding this interesting, also.
A mailbox is a file, albeit with limited permissions. In all
three cases above, you're storing cc information to a file. The
differences are how many people have access to the machine that
carries that file, and how often your dial-up PPP account
collects its mail.
Dial-up PPP can offer one layer of protection in an offbeat way -
let's say (theoretically :-) that I have a catalog owner with their
own mail server and dial-up access. They dial into my server every
15 min and pick up their mail via pop3. At that point, the mail
disappears from my server and goes to theirs. We carry the risk of
someone hacking into the mailbox file, but that hacker can only get
the last 15 minutes' worth of transactions. If I'm monitoring my system
as I should be, it's easier to catch someone trying to get in every
15 min than someone who only gets in once and captures the entire
order history file. The damage to our client's customers is also
not as catastrophic. That's why we don't keep history on our server.
Comment for the security conscious - even with a 15 min rollover,
we still don't store cc numbers in unencrypted anything, be it
file or mailbox.
-- Loy
--
Loy Ellen Gross * Web Designer & Programmer * Xcalibur Internet
Voice: 716-344-1114 * design@iinc.com * http://www.iinc.com
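Loy's closing point, that a card number should never sit unencrypted in any file or mailbox, is worth showing concretely. What follows is an added worked example and is not part of the original post or Minivend's own code. It assumes the arrangement described above: the web server holds only the catalog owner's public key and seals each card number with a fresh AES-256-GCM data key wrapped under RSA-OAEP before the order record is written; the private key, and the OpenPAN side, live only on the owner's machine that fetches the mail. The names (OrderRecord, SealPAN, OpenPAN, NewOwnerKey), the OAEP label, the record layout and the test card number are all assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// OAEP label; sealer and opener must agree on it (chosen here, not a Minivend convention).
var oaepLabel = []byte("order-pan-v1")

// OrderRecord is what goes into the order file or mailbox: the card number only as
// an envelope for the private-key holder, plus its last four digits. Last three are base64.
type OrderRecord struct {
	OrderID, Last4, WrappedKey, Nonce, Ciphertext string
}

// NewOwnerKey makes the catalog owner's key pair. The owner runs this offline
// and installs only the public half on the web server.
func NewOwnerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPAN runs on the web server with only the public key: an order file lifted
// from the server yields nothing without the owner's private key.
func SealPAN(pub *rsa.PublicKey, orderID, pan string) (*OrderRecord, error) {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(pan)
	if len(digits) < 13 || len(digits) > 19 || strings.Trim(digits, "0123456789") != "" {
		return nil, errors.New("card number must be 13-19 digits")
	}
	buf := make([]byte, 32+12) // fresh AES-256 key and 12-byte GCM nonce per order
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dataKey, nonce := buf[:32], buf[32:]
	gcm, err := gcmFor(dataKey)
	if err != nil {
		return nil, err
	}
	// Order ID is authenticated data: an envelope moved onto another order's line fails to open.
	ct := gcm.Seal(nil, nonce, []byte(digits), []byte(orderID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	enc := base64.StdEncoding.EncodeToString
	return &OrderRecord{orderID, digits[len(digits)-4:], enc(wrapped), enc(nonce), enc(ct)}, nil
}

// OpenPAN is the owner's side, run on the machine holding the private key after
// the mail has been fetched off the web server.
func OpenPAN(priv *rsa.PrivateKey, rec *OrderRecord) (string, error) {
	var parts [3][]byte
	for i, s := range []string{rec.WrappedKey, rec.Nonce, rec.Ciphertext} {
		b, err := base64.StdEncoding.DecodeString(s)
		if err != nil {
			return "", err
		}
		parts[i] = b
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, parts[0], oaepLabel)
	if err != nil {
		return "", err
	}
	gcm, err := gcmFor(dataKey)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, parts[1], parts[2], []byte(rec.OrderID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, _ := NewOwnerKey() // demo only; a real owner checks the error and keeps this key off the server
	// "4111 1111 1111 1111" is a constructed test number, not a real card.
	rec, err := SealPAN(&priv.PublicKey, "ORD-1999-0001", "4111 1111 1111 1111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored line: %s\t%s\t%s\t%s\t%s\n", rec.OrderID, rec.Last4, rec.WrappedKey, rec.Nonce, rec.Ciphertext)
	pan, err := OpenPAN(priv, rec)
	fmt.Println("recovered on owner's machine:", pan, err)
}
```

With this split, the 15-minute window Loy describes becomes a window over ciphertext: whoever copies the mailbox file gets wrapped keys and GCM envelopes, not card numbers, and the private key that opens them was never on the web server. The order ID is bound into each envelope as authenticated data, so a record cannot be silently reattached to a different order.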