Can the Web be made safe for credit cards? Online merchants say yes, but plenty of shoppers disagree. Studies show that up to 80 percent of people who make financial use of the Web don't trust it with their credit card numbers. They might check the Net for prices and products. But for actual purchasing, they visit the store or pick up the phone.

Card issuers, hoping to calm these fears, are always on the lookout for new technologies that might make you feel safe. The latest is a system for creating disposable credit card numbers. You use each number once and -- poof! -- it disappears. There's nothing in the merchant's data bank for hackers to steal.

Shoppers have two security concerns. First, they worry that their credit-card numbers will be stolen. As a practical matter, that's a minor issue. By law, they're liable only for the first $50 spent by a thief, and most card issuers waive even that.

Ummm, one problem with dismissing this problem is debit cards. They are marketed as credit card replacements and most organizations ignore the additional risks to the client. Unlike credit cards there is none of the mandated protections that exist on credit cards. With a debit card, your account can be cleaned out and you might never see that money again unless you can prove, to the banks satisfaction, that the money should be returned. While the law does not mandate any specific limits to your exposure, some financial institutions have put in place voluntary limits.

The second, far greater problem is identity theft. If crooks get your name, credit card number, Social Security number and other identifiers, they can create a virtual you -- open accounts in your name, charge up a storm and ignore the bills. You'll be dunned and sued. It can take a year or more to straighten out the mess.

Slashdot | Disposable Credit Card Numbers.

Advertising Age - Interactive Daily - 3/12/01 - Consumers More Confident Online, But Privacy Still A Concern.

For the first time, consumers say they are more at ease providing their credit card and other personal information online than they are over the telephone, but concerns over privacy remained strong with respondents, according to a survey being released March 13 by Market Facts Interactive.

The study reported that 74.5% said they are concerned about their personal information being distributed online, while 71.1% say that they were concerned about being monitored while online. Some 56.9% said they are "comfortable" or "somewhat comfortable" giving credit card information over the Internet, compared to 43.5% by telephone.

Junk e-mail, or spam, was another trouble are with the respondents, with 74.9% of consumers questioned say they are "very concerned" or "somewhat concerned" about receiving unsolicited e-mail.

InfoWorld - Cryptography tools abound, yet we rarely use them. Are they really only for crooks? I was thinking about cryptography the other day while reading about the rift between Phil Zimmerman and Network Associates over just how much of the PGP (Pretty Good Privacy) source code will be published. For crypto fans, this is the equivalent of Martin Luther nailing his Theses to the cathedral door. For the rest of us, it's just another corporate fight. But bigger questions in my head won't go away. Why haven't we taken more interest in encryption and digital signing of e-mail? More importantly, why aren't we using the tools we already have? Even I, your Security Watch guru, can't be bothered to use the crypto and signing features of my e-mail. Article also carried by: IDG.

InfoWorld - USPS delivers a digital, signature-certified mail system .

Through the use of an electronic postmark service and CA (certificate authority), NetPost.Certified enables two parties -- one of which currently must be a government agency -- to obtain a USPS-issued digital certificate. The digital certificate is stored on a NetPost.Certified smart card and lets users create a digital signature for strong authentication when messaging files to government computers via a secure and private channel. Upon receipt, the service generates a transaction postmark verifying each delivery.

Digital signatures are verified by comparing the sender's public and private keys. The private key, which is used to create the digital signature, is known only to the sender. The public key, which is used to verify authenticity, is distributed to people who need to recognize the sender's digital signature.

"The postal service will stand by [the date and time] it was transmitted and [by the fact] that it was not tampered with en route. That's the beauty of electronic sending," Krause notes. "The attributes of the physical mail piece have literally been replicated in electronic message form."

Slashdot | Is Crypto Solely for Criminals?

"When the Feds -- be they CIA, FBI, NSA, or Treasury Department -- discuss crypto, they make it sound as if anyone using it must be a child pornographer, drug smuggler, or terrorist." I wonder if the government feels the same about corporations encrypting their business plans in order to avoid having them stolen.