This flaw has been widespread and well known for over a year. Obviously there is no "easy" way to secure an on-line transaction. One method that comes to mind is exchanging the actual public key over a phone instead of the Internet so as to verify the integrity (thus preventing a man-in-the-middle-attack). But how many e-commerce sites would even know what you're talking about? This also brings up the subject that credit cards themselves are pretty insecure. For example, you can pay your bill at a restaraunt and if waiter or waitress is nepharious they may have a pocket card reader to capture the data on your magnetic strip, thus being able to reproduce you credit card. The end result is generally someone on the other side of the world using your card to rack up thousands of dollars of frivelous spending. In closing, the fundamental problems in our financial infrastructure and the systems involved therein are serious and must be addressed expeditiously.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/60/10575#10575