[2610] in cryptography@c2.net mail archive
Re: safety of SSL 2?
daemon@ATHENA.MIT.EDU (Phil Karn)
Thu Apr 30 09:53:22 1998
Date: Wed, 29 Apr 1998 21:05:52 -0700 (PDT)
From: Phil Karn <karn@qualcomm.com>
To: loki@infonex.com
CC: johnl@iecc.com, mjr@nfr.net, cryptography@c2.net, karn@qualcomm.com
In-reply-to: <v03102801b16d1993710f@[209.75.197.18]> (message from Lance
Cottrell on Wed, 29 Apr 1998 11:00:32 -0700)
>When delivering physical goods, delivering the product gives a physical
>address where the user of the stolen card can be found. The Address
Never underestimate the cleverness of a determined credit card thief
to get around simple checks like these.
When I bought a house 6 years ago, the rental place I had been living
in went vacant for a couple of months. I'd go back occasionally to
pick up any unforwarded mail. One day I discovered several boxes from
Sears sitting on the lawn where UPS had left them. They contained
chairs for a dining room set, and they had my name on them. Only I had
never ordered them!
Turns out somebody had stolen my Visa card number, ordered several
thousand dollars worth of furniture at Sears and Pennys and had it
delivered to my old address. They must have had the number for a while
and then decided to use it when they saw the "FOR RENT" sign go up.
This solved a mystery from several weeks earlier. A notice had arrived
from Pennys, forwarded to my new address, saying my furniture had
arrived and I should come down and pick it up. Furniture I hadn't
ordered. I had written it off as a simple mistake at Pennys -- until I
went to my old house and saw the boxes from Sears. Then I instantly
knew what was going on.
Pennys policy required the customer to bring in his card when picking
up phone orders, so they didn't lose anything. But Sears just
drop-shipped the stuff, so they lost out -- some earlier furniture had
already been delivered that was no longer there.
What really galled me was my call to the SD police detective who was
supposedly in charge of investigating credit card fraud. I pointed out
that the notice I'd received from Pennys had a phone number with an
exchange in the same area as my old house, but it wasn't mine and it
wasn't Pennys. That sure seemed like a very strong lead, but the
detective said he wasn't interested. "If the company wants to
investigate, they'll have to call me." Geez. Sure does turn you into a
cynic.
Phil
