
Re: [802SEC] RE: WPAN/ RE: WLAN/ Agenda for July Meeting




Bob, I agree that we had to come up with a more cost-effective
registration methodology.  That does not mean that the first attempt to do
so is perfect.  It has now been pointed out that it has an obvious flaw.  No
one is recommending we scrap all the progress we have made.  What is needed
is to fix the flaw.  This can be done by handling on an exception basis,
registration with credit card information called in, or some other
methodology preferred by Face-to-Face Events and Buzz.  I certainly see no
reason to penalize the people that want to preregister but have concerns
about filing their credit card information on-line.

To use your business example, it is my experience that web based
transactions allow for the option of calling in a credit card number for
those that are uncomfortable with entering that information on the web.
There is no penalty for doing so.

Best regards,

Robert D. Love
Chair, Resilient Packet Ring Alliance
President, LAN Connect Consultants
7105 Leveret Circle     Raleigh, NC 27615
Phone: 919 848-6773       Mobile: 919 810-7816
email: rdlove@ieee.org          Fax: 208 978-1187
----- Original Message -----
From: "Bob O'Hara" <bob@informed-technology.com>
To: "'Sherman, Matthew J, ALRES'" <mjsherman@att.com>; <jgilb@mobilian.com>
Cc: "'Ivan Reede'" <i_reede@amerisys.com>; "'IEEE802-11 (E-mail)'"
<stds-802-11@ieee.org>; <Stds-802-15@ieee.org>; "'802sec (E-mail)'"
<stds-802-sec@ieee.org>
Sent: Sunday, June 24, 2001 10:19 PM
Subject: [802SEC] RE: WPAN/ RE: WLAN/ Agenda for July Meeting


>
> Mat,
>
> While some may share your assessment of the security of web-based
> transactions, the fact remains that 802 LMSC is much more like a business,
> than a membership-based club.  The cost of doing registration the way it
> had been done was increasing.  An alternative that is not so labor
> intensive was instituted that will allow costs to remain stable for some
> unforeseen amount of time.  For those that choose not to allow 802 to use
> a method for registration that helps contain costs, there is an
> alternative registration method that is heavily human oriented but does
> not provide the discounted registration fee.
>
>  -Bob
>
> -----Original Message-----
> From: Sherman, Matthew J, ALRES [mailto:mjsherman@att.com]
> Sent: Thursday, June 21, 2001 10:02 PM
> To: 'jgilb@mobilian.com'; Bob O'Hara
> Cc: 'Ivan Reede'; 'IEEE802-11 (E-mail)'; Stds-802-15@ieee.org; 802sec
> (E-mail)
> Subject: RE: WPAN/ RE: WLAN/ Agenda for July Meeting
>
>
> All,
>
> I personally am not comfortable with placing credit card information over
> the web.  Web security has simply not been around long enough for me to
> believe it is truly tested and secure.  At home, I have reserved one
> credit card where I have placed the lowest limit possible that I use in
> situations where I just cannot avoid ordering over the web.  However, I
> always take the phone option first just for this reason.  That IEEE gives
> me no other "reduced cost" option to register for meetings I find
> objectionable.  I think the "credit card on file" option should be
> maintained, if not by face to face, then by our new secure transaction
> vendor.  If not that, then there should be a phone method for leaving the
> credit card number.  I do not want to provide my credit card number over
> the web every time I reserve for an IEEE meeting, and believe that current
> technology should allow for a credit card on file option.
>
> Sorry if I upset anyone, but I feel compelled to express my opinions.
>
> Mat
>
> Matthew Sherman
> PTSM - Communications Technology Research
> AT&T Labs - Shannon Laboratory
> Room 3K18, Building 104
> 180 Park Avenue
> P.O. Box 971
> Florham Park, NJ 07932-0971
> Phone: +1 (973) 236-6925
> Fax: +1 (973) 360-5877
> EMAIL: mjsherman@att.com
>
>
>
> -----Original Message-----
> From: jgilb@mobilian.com [mailto:jgilb@mobilian.com]
> Sent: Friday, June 22, 2001 12:29 AM
> To: Bob O'Hara
> Cc: 'Ivan Reede'; 'IEEE802-11 (E-mail)'; Stds-802-15@ieee.org; 802sec
> (E-mail)
> Subject: Re: WPAN/ RE: WLAN/ Agenda for July Meeting
>
>
>
> Bob O'Hara wrote:
> >
> > Ivan,
> >
> > I think you are being much too paranoid for your own (or our) good.
> > Certainly if your credit card is going to be compromised, it is much
> > more likely to be done by a dishonest employee that has a hard copy of
> > the credit card number from a receipt of a purchase at their store, than
> > it is to be recovered from a 128-bit encrypted packet on the internet.
> > I would also ask you why you feel safer having your credit card stored
> > in a Windows 98 PC connected to the internet (at Face to Face Events),
> > than in an encrypted server at one of the more respected security
> > companies in the world.
>
> I didn't think Verisign was a respected security company.  They do some
> simple key escrow stuff, but I haven't heard much about them regarding
> security.
>
> In any event, the computer at Verisign is much more likely to be subject
> to cracking attempts than the computer at Face to Face events since it
> contains more information that is valuable.
>
> Does F2F store their credit card data on a computer without any sort of
> firewall?  (That would be bad.)  Chances are they have some type of
> firewall, possibly as good as the one at Verisign.
>
> The real question is, will either one (F2F or Verisign) assume any
> liability?  If not, then you have no guarantee either way.
>
> BTW: The new digital signature laws make you liable for actions taken
> with your digital signature, even if it was stolen.  So while the current
> laws provide some protection for the consumer (e.g. using a credit card
> with a dishonest server), the new digital laws (UCITA, DMCA, digital
> signature, etc.) tend to remove this protection when the consumer goes
> online.  We should think carefully about using our cards on the net.
>
> IMHO
>
> James Gilb
> >
> > If you have anything other than vague unease and innuendo to defend your
> > position, please state it.
> >
> > I must point out that your statement that you "MUST have our credit card
> > info circulate over the internet" is incorrect.  That is only required
> > if you desire to take advantage of the preregistration discount.  You
> > can still register on site at the meeting, where no electronic record is
> > made of your credit card number.
> >
> > I, for one, am comfortable with the level of risk involved in credit
> > card transactions over the internet.  It is not entirely safe.  But, I
> > believe that it is less risky than the alternatives.
> >
> >  -Bob O'Hara
> >
> > -----Original Message-----
> > From: owner-stds-802-11@majordomo.ieee.org
> > [mailto:owner-stds-802-11@majordomo.ieee.org]On Behalf Of Ivan Reede
> > Sent: Friday, June 15, 2001 11:25 AM
> > To: IEEE802-11 (E-mail); Stds-802-15@ieee.org
> > Subject: Re: WLAN/ Agenda for July Meeting
> >
> > Hello to all,
> >
> > I think we should start a public discussion on the topic of this
> > Verisign registration mechanism.
> >
> > Although it may be convenient for the agency who processes our credit
> > card info to have us "do it ourselves", I think this is a major step
> > backwards in quality of service. I for one find it objectionable that we
> > MUST have our credit card info circulate over the internet. In some
> > countries, it is mandatory for ISP's to store records of data travelling
> > from your PC to other machines on the internet. This means that although
> > maybe encrypted, an audit trail of your data can end up in an endless
> > trace route. If anyone in one of those "router" services is dishonest,
> > you may end up in trouble. For most countries, fraud made on your credit
> > card based on data collected on the internet is solely at your own risk!
> > And the standard fraud liability limits may not apply.
> >
> > Buzz, I think we need to put an end to this now. Your statement below
> > clearly states that although you may be accommodating people for this
> > time around that you are intent on making credit card payment over the
> > internet compulsory! We need to keep the possibility of "card on file"
> > or pre-registering without penalty by paying our registration on site.
> > Understand that I am not saying registering on site without penalty but
> > paying pre-registration on site or by "card on file" without penalty
> > should be an option. I appreciate your efforts to mechanise things. I
> > think there are places where mechanisation is great. I think this is NOT
> > one of them. There are ways to make this mechanism voluntary instead of
> > compulsory.
> >
> > We, out of all people, know that TCP/IP communications are not very
> > secure, no matter how you may try to make us believe they are. I also
> > know that many "forms" submitted over the internet are logged, recorded
> > and archived by ISP routers for legal audit trail reasons. There is no
> > real control of who accesses those logs within most ISPs.
> >
> > People, this is a democratic group.
> >
> > I would like to hear the voice of "the people" on this topic.
> >
> > How many of you appreciate being coerced into a form of payment over the
> > internet without choice and with penalties if you don't use it.
> >
> > How many of you appreciate having your credit card data, personal
> > address, etc... being given to a third party without specific knowledge
> > of what the third party may do with this information and without control
> > over to whom they may sell it to?
> >
> > Just an opinion,
> >
> > Ivan Reede
> >
> > ======================================
> >
> > ----- Original Message -----
> > From: "Rigsbee, Everett O" <Everett.Rigsbee@PSS.Boeing.com>
> > To: "802 ALL" <stds-802-all@majordomo.ieee.org>
> > Cc: "802 Exec" <stds-802-sec@ieee.org>
> > Sent: Thursday, June 14, 2001 6:57 PM
> > Subject: 802all: URGENT - More Tips on Using Web Registration !!!
> >
> > >
> > > ATTENTION:  All IEEE 802 Attendees !!!
> > >
> > > WARNING !!!   Some additional important Information for Web
> > > Registration Users:
> > >
> > > * All Credit Card numbers must be entered with NO embedded spaces or
> > > dashes,
> > > e.g.  NNNNNNNNNNNNNNNN  for VISA, M/C, or Discover, and
> > >         NNNNNNNNNNNNNNN     for AMEX
> > > or you receive the generic "Transaction Declined" message which
> > > provides no guidance on the reason for failure !!!  This is especially
> > > a problem for AMEX card users, since the number with spaces or dashes
> > > will fit in the field (not true for the other cards) but the
> > > transaction is always declined for invalid account number.
> > >
> > > I have requested that VeriSign fix this problem by removing the spaces
> > > or dashes before they test the account number, or at least provide a
> > > caption on their form, which collects the CC info, to warn of this
> > > requirement, and they have indicated that they will look into it, but
> > > that may take some time. So for now you just have to remember:  NO
> > > DASHES or SPACES for CC#'s, only digits.
> > >
> > > We do recognize that the generic "Transaction Declined" message is
> > > confusing because it indicates several possibilities, which may or may
> > > not apply.  Please be assured that our system does not attempt to
> > > verify addresses or ZIP codes with the ones which the credit card
> > > company has on file.  That is NOT the reason your transaction was
> > > declined !!!
> > >
> > > * NO  Ampersands (i.e. "&") Are Allowed !!!  I have learned that
> > > VeriSign chose to use the "&" character as their field delimiter, so
> > > they will not permit an "&" to appear in any entered field. Suggested
> > > work-around is to use the word "and" instead. (I know, I know; this
> > > would be simple to fix with an escape sequence or quoting convention,
> > > but they seem unwilling to consider doing that at present.)
> > >
> > > Some Additional User Tips:
> > >
> > > * International Phone Numbers:  the VeriSign field checker does not
> > > allow a "+" (i.e. Plus Sign) in front of the Country Code, even though
> > > it IS the most common convention.  They are apparently working on a fix
> > > for this, but suggest that in the meantime that you may use a "-" (i.e.
> > > a Minus Sign/Hyphen) instead.
> > >
> > > * The "State" field has now been made optional to alleviate
> > > difficulties for some of our International attendees whose countries
> > > don't have states.  If we restore the mandatory requirement in the
> > > future, we will include the instruction to enter "NA" if the field is
> > > "not applicable for your country".
> > >
> > > * There is no provision for a "Credit Card On-File" any more.  Keeping
> > > credit card info on file is too much of a potential liability.  We only
> > > resorted to that option because we did not have a secure method for
> > > processing payments.  Now that we have a secure (encrypted) payment
> > > mechanism we will no longer store credit card information.
> > >
> > > * The processing for your charge is now IMMEDIATE (within 24 hours of
> > > approval).
> > >
> > > We're very sorry about the start-up problems but we hope to continue
> > > improving as we gain more experience.  Please bear with us, and if you
> > > experience or spot a problem, please let us know ASAP.  Thank-you for
> > > your patience and cooperation.  :-)
> > >
> > >
> > > Thanx,  Buzz
> > > Dr. Everett O. (Buzz) Rigsbee
> > > Boeing - SSG
> > > PO Box 3707, M/S: 7M-FM
> > > Seattle, WA  98324-2207
> > > (425) 865-2443    Fx: (425) 865-6721
> > > everett.o.rigsbee@boeing.com
> > >
> > >
> > >
> >
> > --------
> > This message came from the IEEE P802.15 Mailing List
> > Info at http://grouper.ieee.org/groups/802/15/
>

--------
This message came from the IEEE P802.15 Mailing List
Info at http://grouper.ieee.org/groups/802/15/
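
The web-registration announcement quoted at the end of this thread reports two input-handling problems: card numbers typed with spaces or dashes are declined with a generic message, and "&" cannot appear in any field because it is used as the field delimiter. The Python below is an added example, not code from VeriSign or from anyone on the list; the `name=value&...` record layout, the function names and the sample values are assumptions made for illustration.

```python
import re
from urllib.parse import quote, unquote

class CardInputError(ValueError):
    """Carries a specific reason, unlike a generic 'Transaction Declined'."""

def luhn_ok(digits: str) -> bool:
    # Luhn check digit: double every second digit from the right.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def normalize_card_number(raw: str) -> str:
    # Remove the separators people naturally type, then validate strictly.
    digits = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"[0-9]+", digits):
        raise CardInputError("only digits, spaces and dashes are allowed")
    if len(digits) not in (15, 16):  # lengths given in the announcement
        raise CardInputError("expected 15 or 16 digits")
    if not luhn_ok(digits):
        raise CardInputError("check digit does not match (mistyped number?)")
    return digits

def naive_record(fields: dict) -> str:
    # Assumed problem behaviour: values joined with a bare '&' delimiter.
    return "&".join(f"{k}={v}" for k, v in fields.items())

def encode_record(fields: dict) -> str:
    # Percent-encode names and values so '&', '=' and '+' are plain data.
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                    for k, v in fields.items())

def decode_record(record: str) -> dict:
    out = {}
    for pair in record.split("&"):
        name, _, value = pair.partition("=")
        out[unquote(name)] = unquote(value)
    return out

# Constructed sample input: a published test card number and made-up fields.
SAMPLE = {"company": "Smith & Jones", "phone": "+1 555 0100",
          "card": normalize_card_number("3782 822463 10005")}

if __name__ == "__main__":
    print(decode_record(naive_record(SAMPLE)))   # '&' in a value splits the record
    print(decode_record(encode_record(SAMPLE)))  # round-trips unchanged
```

With the delimiter escaped, a user-supplied "&" can no longer start a field the user was never asked for, which is the injection risk behind the "no ampersands" rule.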