Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Security Your Rights Online

IBM Reports On Spear Phishers 169

FrenchyinOntario writes "IBM reports that while "regular" phishing is declining the black hats are now engaging in targeted spear phishing to glean as much information about a specific identity as they can for all the usual cybercrime reasons. It concerns authorities because the usual suspects - criminal and terrorist organizations - will want to take advantage of this, but the chilling part is how your identity will now be dependent on multiple institutions protecting your personal information, as opposed to eBay, PayPal, your bank, etc."
This discussion has been archived. No new comments can be posted.

IBM Reports On Spear Phishers

Comments Filter:
  • by winkydink ( 650484 ) * <> on Thursday August 04, 2005 @02:41PM (#13242789) Homepage Journal
    click me, click me! []
    • This sounds absolutely nothing like "phishing", but rather like targeted trojans to gain access to priviledged info (getting some bank employee to launch a trojan). I'm fairly certain this has happened all along. Maybe the article summarizes the IBM information incorrectly.

      When I first read the article summary, I thought it was going to describe indirect phishing - e.g. trolling for ancillary info about someone such that one can "recover" the account. e.g. Many accounts can be accessed by claiming a forgott
      • You think that's bad? BT [] once ended up terminating my _ADSL_ line because someone had phoned up and supplied my mother's maiden name! The person that had phoned up wasn't the same GENDER as me, damnit! It was an honest mistake (they meant to get a different ADSL line cancelled), but it goes to show how 'secure' their system is.

        We sued them and got about £300 i think.
    • Your scheme is ingenious!

      1. Post mirror links to slashdot
      2. Check the browser string to see what OS they are running, which includeds SP level.
      3. Since most slashdot users probably run pirated copies of XP, they couldn't load SP1.
      4. Microsoft only distributes patches for SP1 and SP2 now.
      4. List of rootable hosts!
  • Didn't see that coming. Maybe their old tactics weren't working so well, so they had to adapt?
    Naw, it's an intelligent design!
  • what do they mean (Score:4, Insightful)

    by eobanb ( 823187 ) on Thursday August 04, 2005 @02:42PM (#13242805) Homepage 'multiple opposed to ebay, bank, etc.' Isn't that multiple institutions? I think what the summary is really trying to say is, to the phishers' advantage, a chain is only as strong as its weakest link.
    • Just last week, a friend of mine's bank account was overdrawn on her payday even though she had direct deposit.

      What happened is that someone used a fake id and her bank account number to cash $15,000 in fake money orders at two local banks. She didn't have even a thousand dollars in her account, but the banks gave the cash in "good faith". Well, now the bank is refusing to remove the 15,000 debit on her account and their only advice to her is to "borrow the 15,000 from your relatives and pay us back". S
      • by cluckshot ( 658931 ) on Thursday August 04, 2005 @05:07PM (#13244532)

        The Solution is already contained in the "Fair Debt Collection Practices Act of 1979." The only problem here is that it is only applied to credit. Being one who likes solutions here it comes!

        The solution is to make the feduciary agent (bank) responsible for 100% of all false charges to the account with triplicate damages plus collection costs and legal fees if you have to collect. (This isn't funky law it already works) Application of this to DEBIT accounts would solve the problem to a very large extent.

        The next part of the solution is to require all banks to provide you with 3 account numbers. One is for the actual account where you store your money. Another is an "Incoming Account" which you can publish to the world. Anyone like this friend could have a check deposited this way and no danger because the account is nothing but a key to put money in. The other is an "Out going" account where a person may place a limited amount of money for outgoing epay type or othe draws. This "Out Going" account could be closed and changed at will. That way one could lock out those skunks who try to autopay forever etc. This way one could protect their account.

        A few other notes: We should end the "Overdraft" and bounced check laws. If a check does not have money, it should just be a refused transaction. Coupled with this the provision to immediately transfer funds... This way nobody goes to jail for bad checks, we just refuse them the goods because we can validate their check and charge the funds immediately.

        Of course Banks would have a piss fit over these changes because no more overdraft fees etc. Well Tough Luck to them. Tell them to get a life and start earning their money serving their employers rather than screwing them. We would get fired if we treated our employer with such disrespect. This is only a proposal of good business practices. Nothing else. Skip the lectures about "Free Enterprise" because if a bank cannot make money under a good common set of laws they should go to hell. Mods this is good stuff, get a life if you don't like it!

  • A way around this... (Score:5, Informative)

    by ajiva ( 156759 ) on Thursday August 04, 2005 @02:42PM (#13242806)
    There is one way around this, that's to go to the 3 large credit companies and tell them to "Freeze" your credit (I think it costs $5-$10). Anyway nobody can open an account in your name, and as long as you remember to "thaw" your account before getting a loan, you'll be ok. It's no perfect, and I'd argue that all credit information should be purged from people who don't need it (this includes SSN numbers). Heck none of this should even be on file...
    • by Anonymous Coward
      This doesn't work. One of my best friends had his identity stolen and then Froze his credit, but Credit card companies were still issuing new cards in his name.
    • It's not always necessary to pay a fee to protect your information. Certain states have passed laws allowing you to request the freeze for free - check your state regs for the details.

      Folks should be aware that the credit industry is starting to push for legislation at the federal level that will be far weaker than, and will automatically trump, these state laws. God forbid they lose the ability to extend "valuable offers" from their affiliates and business partners.

      Another alternative approach is to fi

    • I have a flag on my credit report with the three major agencies. Basically I put a sentence in the report stating that I have been the victim of identity theft in the past and any request for credit using my name or SSN must be verified by a call to my home number. It didn't cost me anything.

      Oh, and as far as I've ever been able to find my name and SSN were sold after I applied for my passport at the post office. That was the only place I had given my SSN in years and the theft occured within days of tha
    • You can do that if you live in California. In some other states you have to be an ID theft victim first. In most the option doesn't exist at all. Write your legislator.
  • aw, crud.. (Score:5, Insightful)

    by werelord ( 562191 ) on Thursday August 04, 2005 @02:43PM (#13242822)
    And this is probably the easiest fishing they'll be able to do.. Until companies are made liable for any damages that occurr when they "lose" their information, this will probably be an extremely easy method of fishing..

    Social Engineering, anyone??
  • I have to say ... (Score:4, Interesting)

    by Daniel Dvorkin ( 106857 ) * on Thursday August 04, 2005 @02:43PM (#13242825) Homepage Journal
    ... I think it's kind of hilarious how stuffed-shirt companies like IBM, and the news organizations that report on them, have tried to adopt hacker slang. "Spear phishing"? It kind of reminds me of Christian pop music that desperately tries to be cool but always looks and sounds ten years behind the times.
    • I hate to break it to you, but hacker slang isn't cool. "Stuffed shirt companies" are just a different form of uncool. Uncool meet uncool, and this is their love child.
    • Make it about 2000. Christianity died with Christ.
    • Re:I have to say ... (Score:1, Interesting)

      by Anonymous Coward
      Um yeah, maybe in the 80's.

      I suggest you actually listen to some of it today.... in fact you have, many hit the top 40 charts in "secular alternative" music over the past 5 years.

      the clueless like you stay on your path to what you think. the rest of us get bit shit eating grins as you not realize that bands like Creed and others are simply christian rock bands that are flying under the radar subverting you in your music... (OMFG! I better listen to some Insane clown Possee to cleanse my soul of this evil c
  • it's bad on IRC (Score:3, Interesting)

    by eight and a quarter ( 904629 ) on Thursday August 04, 2005 @02:45PM (#13242839) Homepage Journal
    i've found a gang of romanian scammers on a popular IRC server because a friend's machine was compromised for spamming. i joined the chan and just monitored for a few hours.. i logged everything, e-mailed them to the IRC administrator, and absolutely nothing has been done.
    • Try e-mailing it to the FBI or Secret Service. I'm pretty sure they have a taskforce devoted to international scammers
    • Re:it's bad on IRC (Score:5, Insightful)

      by Steinfiend ( 700505 ) on Thursday August 04, 2005 @03:13PM (#13243146)
      What are the IRC Ops supposed to do in a case like this? I'm not trying to be a troll, I'm seriously asking. They can ban the users, they can close the room, and they can send the logs to whatever law enforcement agencies are responsible for their area. However, how much will that achieve?

      A Romanian scammer, on a Brazilian server (just a random pick, not trying to suggest anything negative about Brazil), scamming an American user. The legal hoops are mind-boggling. That's if the IRC Ops can even get any useful information from their logs, which isn't 100% sure.
    • One of the "toy" Linux servers in work was compromised, using an Apache SSL exploit. It had a rootkit installed on it and was doing SSL scans for other vulnerable machines. This was a few years ago now...

      The connections came from Romanian dial-up accounts, and I reported it to the ISP (obviously, nothing was ever done). I also extracted IRC information from a bot on the compromised server, and joined the channel. I found a handful of other bots in there, and mailed the admins of each I could see (with s
  • by GFunk83 ( 686657 ) on Thursday August 04, 2005 @02:45PM (#13242843) Homepage
    "...the chilling part is how your identity will now be dependent on multiple institutions protecting your personal information, as opposed to eBay, PayPal, your bank, etc."

    Wasn't it a company's responsibility to protect your personal information already? I don't understand how this new method of phishing changes that (not including the technical aspects of said protection).

  • by under_score ( 65824 ) <<mishkin> <at> <>> on Thursday August 04, 2005 @02:47PM (#13242868) Homepage
    I'm starting to feel like the right to privacy might be a red herring. The benefits of technology and a truely collaborative and just society might only be fully realized if we completely give up privacy... and that that might actually be a good thing. I know that I've read an essay or something about this before, but I can't find a link - anyone know who wrote about this or where I can find some references? (Actually, Robert J. Sawyer [] wrote a series of books where one of the societies is like this... but it's not what I'm thinking of.)
    • by Locke2005 ( 849178 ) on Thursday August 04, 2005 @02:58PM (#13243001)
      Are you thinking of the Transparent Society [] essay by David Brin?
      • Thanks! This is the one I was thinking of. Mod parent up - it's an important essay that should be made more commonly known.
      • Interesting essay but the guys sounds like a bit of an asshole apologist for 'Big Brother'.

        For in fact, it is already far too late to prevent the invasion of cameras and databases. The djinn cannot be crammed back into its bottle. No matter how many laws are passed, it will prove quite impossible to legislate away the new surveillance tools and databases. They are here to stay. Light is going to shine into nearly every corner of our lives.

        Why? No one is going to 'legislate away' the development of ne

        • the guys sounds like a bit of an asshole apologist for 'Big Brother' No, the guy sounds like a realist. Scott "Privacy is dead, get over it []" McNealy sounds much more like an asshole apologist for Big Brother!
        • Why? No one is going to 'legislate away' the development of new surveillance technology but what the hell does that have to do with using it to monitor everyone's activities? Assuming the people can actually rein in the government, laws preventing the use of such technology in any public place by any one for any reason would be easy to pass

          The problem is that cameras are so common and so unobtrusive most people just don't grasp how much they are being observed/recorded. If anything that is only going to ge
      • Actually, Sawyer also wrote along this line in his Neanderthal series.

        This is a fictional Neanderthal dominated Earth where they have evolved a technological society.

        Every action they make - their entire lives - is recorded. The recordings can only be accessed during legal proceedings.

        I've read the first 1 and a half of the 3 books in the series. Pretty cool.
    • How does that protect my bank account from unauthorised access? Sure, giving up my privacy would make it very much harder to blackmail me, but that's not generally what this sort of attack is about.
    • One problem with an open InSoc is the potential development of a police state.

      People break laws they don't agree with every day - including speeding, using illegal drugs (as opposed to legal ones []), refusing to mow their laws, etc.

      With no privacy, the American police system will either fail miserably, or will over-compensate, and we'll have no privacy AND no freedom.

      I wish we COULD live in a society where one could do what they wanted, and no one questioned it, so long as what you do doesn't infringe u
    • And if you do something people don't like?

      Everyone will judge you and you are guaranteed to piss people off.


      Hit your child? Child abuser! (people saying this, let's call them group A)
      Don't hit your child? Raising an undisciplined kid! (B)
      No child? Something must be wrong with you! (C)

      One of the above 3 groups will be pissed at you no matter what.

      Also, there are unjust laws - imagine if you'd get convicted of every law you ever broke.

      Most people alive would have over 100 years of jail time.
    • David Brin wrote Earth [] where that was one of the sub-plots of the story, started with the invasion Switzerland to end Swiss bank accounts or some such silliness. Might not be what you were looking for though.
    • This is a classic prisoner's dilemma. Your idea is a great one -- as long as EVERYONE plays by the same rules and opens up. If one person (or entity) does not, then they have an advantage over the rest of us.

      And this is why your idea will not work. As long as there is incentive NOT to open up, then someone, someplace won't do it.

      And for those that don't know what a priosoner's dilemma is, let me try to explain. It goes something like this: 2 prisoners are in jail and awaiting trial. The exp
      • Actually, your numbers are a bit off from the original prisoner's dilemma. As usual, Wikipedia has a good article [] on the matter. However, variations on the game are always fun thought experiments.
    • Privacy exists, but people treat it strangely. They want it to be legaly protected like property but are unwilling to personally protect it. For example, you lock your doors at night but consider buying a firewall too inconvenient. We peek out the door to see who's there before opening it, but we open every email regardless of who sends it.

      Our attitude towards privacy is like living in a house without doors and then complaining that the government needs to do something to stop the epidemic of robberies.
  • by Heffenfeffer ( 888559 ) on Thursday August 04, 2005 @02:48PM (#13242874)
    'Spear phishing'? Oh great, what's next? Bass phishing - searching for orders made at Phly phishing - searching for info in TRL posts Net phishing - Oh, wait...
  • Server (Score:2, Informative)

    by cached ( 801963 )
    Because the server is being /.ed, heres TFA:

    A report published this week from IBM Corp. suggests that phishing schemes are growing in sophistication, allowing would-be Internet criminals to target their victims by name. A targeted or "spear phishing" attack is designed to extract data from a specific individual or organization, maximizing damage caused and financial gain. IBM estimates that these types of attacks have grown ten-fold this year alone. According to the company, they can be used for identity
    • This isn't the first time banks have been identified as a lucrative target.

      More like the billionth time. As Willie Sutton [] never said when asked why he robbed banks: "Because that's where the money is."

  • by spun ( 1352 ) * <loverevolutionar ... m ['oo.' in gap]> on Thursday August 04, 2005 @02:52PM (#13242932) Journal
    Why not phunting or gaphering, hmmm? Isn't this whole thing rather fish-centric? I prefer to think of the rubes taken in by these cons as vegetables, thus I think we should use the term gaphering.
  • by It doesn't come easy ( 695416 ) * on Thursday August 04, 2005 @02:56PM (#13242972) Journal
    I've always thought that someone with a strong opinion on the pitiful state of privacy laws in the US would ... how do you say it ... demonstrate just how easy it is to steal someone's identity in this country (using, of course, selective politically connected individuals as test cases). Nothing like getting a senator interested in stronger privacy protection after they get the bill for that $5000 digital camera someone "bought" using their credit card.
    • by Anonymous Coward
      It's still a hot debate, but some Republicans definitely perked their ears up when Ron Reagan's family started getting involved with stem cell lobbying.

      All it takes is one high-profile, CNN-covered major story to get our government's attention and get some changes done.
      • > It's still a hot debate, but some Republicans definitely perked their ears up when Ron Reagan's family started getting involved with stem cell lobbying.

        Yep, like Bill Frist. Using a veto when your party controls congress is an embarassing display of disunity -- using it against your own senate majority leader is mortifying. Karl Rove must be getting really distracted by the grand jury to not be greasing the wheels here.
    • I can think of lots of ideas like this. For example fake DMCA complaint against a website belonging to a a member of a politicians family.

      There is, however, a drawback. ANYTHING LIKE THIS IS A CRIMINAL OFFENCE. Jail sounds like a good reason not to do it.

      Morally it is not dissimilar to beating up a politician to demonstrate the trauma of violent crime. Not acceptable, even if your motive is the "greater good".

      Anyway, all you need to do is wait. Sooner or later the genuine bad guys will do it anyway.
  • by swelke ( 252267 ) on Thursday August 04, 2005 @02:58PM (#13242993) Homepage Journal
    The real question is: Would this still be news if they hadn't come up with such a catchy name (spear phishing)?
  • by MirrororriM ( 801308 ) on Thursday August 04, 2005 @03:03PM (#13243038) Homepage Journal
    but the chilling part is how your identity will now be dependent on multiple institutions protecting your personal information

    The way I see it, all personal information I send to a particular company should be confidential and protected. Some if it they simply don't need. For instance, why the hell did the clerk at Hollywood Video ask for my SSN to open a damn account to rent movies?! They did not need my SSN and I sure as hell didn't give it to him either, but it makes me wonder how many people actually *have* given out their SSN just for a Hollywood Video account. Not good.

    If a company does not protect my personal information and it gets stolen and/or misused, you bet your ass they'd see some backlash from me. The only bad thing is, it's hard to figure out exactly *which* company that held your personal information was compromised. It's certainly not like they're going to volunteer the fact that they were comprimised, otherwise you might take your business elsewhere (to a more responsible company). Just look at the millions of people who had their information on backup tapes "misplaced" by a UPS driver (posted on slashdot a while back) after the company was stupid enough to send that info via UPS to begin with.

    Companies that have our personal information need to be held accountable on how they handle it and should be prosecuted to the fullest when they mishandle it.

    • why the hell did the clerk at Hollywood Video ask for my SSN to open a damn account to rent movies?!

      Video places use it for a credit check. They're loaning you a movie.

      On the other hand, here's a trick I learned. When you're asked for a SSN, say "I'm soooo sorry! I didn't think I needed it. I'll have to come back!" 90% of the time, the clerk will just say "We really don't need it, just hang on." I kid you not! Try it! It pisses me off that a lot of firms "require" this information but when you balk or plea

    • Damn straight.

      Just last week, I was going through my mail and found, like I do all the time, a set of balance transfer/cash/etc. checks for one of my credit cards. I opened it since I always shred these checks, and was surprised to find not only a set of my checks, but also someone else's.

      If I had wanted to, I could have used those checks in 6 different places where they wouldn't have checked ID. The banks sure as hell don't check signatures anymore -- I've seen instances where checks with NO signatur

    • Several people I know use random non-essential chunks of data as identifiers to track where such information comes from, most often, a middle initial. So if you get junk mail for John A. Public, it was leaked from company 1; mail to John B. Public was leaked from company 2, etc. It gives a good idea of whom to go after if you decide to sue (or whom to stop doing business with if you don't).

      I've heard of the same technique being used by people who aggregate and publish public-domain information; their comp
  • Instead of harvesting as much information as possible about everyone they can and then winnowing that down to information they can use, the cybercrooks are now targetting those individuals from whome they expect to be able to steal something, and then going after all the information they can on that select group?

    This is great!!! With my credit history, I'm safer than ever now! Nobody in his right mind would try to use my identity for any money-making venture! ;^D

  • The "spear" dubnym surprises me. Why is it we're not out on the theft ledge just as yet? So, I feel a little ill coming down off the server room floor, and I read this, and I'm glad the air is on. So many little busy unlaid phisher bitches out there want to steal my identity. Hey, I'll hand it to you and give you a 200 dollar shopping spree if you want to come fight me for it in person. And I don't mean your bosses in the mob paying you for your efforts...I mean you. If you're bigger than me...well, I
  • Fishing (Score:4, Funny)

    by zimus ( 68982 ) on Thursday August 04, 2005 @03:10PM (#13243112)
    Spear fishing is kinda hard, I prefer using a shotgun or dynamite.
  • You just know that something would be done to limit sharing of financial and personal information if a bunch of high ranking congresspeople had their identites stolen. Perhaps then they would think of someone other than the corporations who insist on "the right" to share whatever information they want about anybody.

  • by Jeremi ( 14640 ) on Thursday August 04, 2005 @03:38PM (#13243400) Homepage
    "Its concerns are linked to cyberterrorism as well as obviously organized crime."

    Surreptitiously organized crime may be involved also, but they keep such a low profile that it's hard to tell.

  • The only way to protect our info is through a combo of tech and law. We need to keep control of our personal info ourselves, through crypto client databases which issue one-time password access to counterparties which need to authenticate us. We need to minimize the authentication transactions to only those necessary for actual authentication, encapsulating the transactions as much as possible - passing only money to counterparties, rather than our identites, for example. We need to log accesses to our pers
  • by Animats ( 122034 ) on Thursday August 04, 2005 @04:09PM (#13243803) Homepage
    The "computer security" industry has turned into a volume business aimed at annoyance attacks. The very profitable "wait for high-volume exploit and patch" mindset into which the industry has settled is useless against serious attackers.

    A serious attack has a specific target and attacks it quietly. Serious attackers aren't going to show up in the "top 10 virus" lists. They're probably not going to use an attack that appears in some known signature list. They may have the ability to craft their own attacks, or at least modify known ones beyond recognition. The volume-oriented defense techniques won't work.

    Military security people are very aware of this issue. You don't want to tie up all your resources chasing kids who are throwing rocks at the airfield fence. The real threat is probably being quietly mounted elsewhere.

  • by vidarh ( 309115 ) <> on Thursday August 04, 2005 @04:29PM (#13244070) Homepage Journal
    This hit home, as just today I got an e-mail from one of my credit card companies... I regularly (as in several times daily) get phishing attempts to that e-mail accounts pretending to be from all kinds of banks I've never used, so I assumed it was yet another one from the start. But I got curious anyway. After lots of checking it turned out to be genuine.

    The scary part, however, was that it greated me with my first name, suggested I log on to their site, then ended with a paragraph going roughly like this:

    "To make sure you c"n recognise genuine e-mails from us, we will always include the post code of your registered account with us"

    Now, it does stop a phisher from firing off a million random e-mails. What it doesn't do is prevent someone from following your local mail man a couple of days and writing down who gets a statement from said bank (which is one of the worlds largest credit institutions) and firing off messages. That is worse than a random phisher as the bank itself is teaching it's clients to trust messages that include their postcode, even though their postcode is an easily available piece of information, so people are more likely to take the e-mail at face value and not scrutinise it as well as they should. What's worse is that the e-mail included links instead of asking people to go to the site listed on their statements, or similar, teaching people that hey, it's ok to click on links in mails that claims to be from their bank...

    The worst thing is that this kind of behaviour is the norm for British banks. The fuckwits deserve everything they get from these phishers. What sucks is that their customers will get screwed over in the process.

    I've twice been called up by one of my other banks fraud department because they wanted to verify transactions. In both cases they wanted me to provide the security information for my account over the phone when they had called me and I had no way of verifying that they were who they said they were (caller id is trivial to fake, and you wouldn't even need that if the number is unknown but looks plausible to the person taking the call). So again, the fraud department of my bank is teaching its customers that it's ok to give out the very same security details that are sufficient to a) do transfers, b) get passwords for online banking reissued, c) get credit cards reissued.

    Just the other day I overheard a woman on the train to work complaining to her boyfriend about the same thing. In my cases I know it was genuine calls because I called back on numbers I knew belonged to the bank.

    This same bank also tends to accept corporate id cards to let you sign for your credit cards if they're ordered to an office. So, trick people with a phony call, get the credentials, call the bank to get the card reissued, create your own plastic laminated id card, and order it sent to a serviced office somewhere where you rent a room with cash for a day or two... The same bank have twice refused to deliver cards to my home address because dropping it through the letter box was apparently too insecure.

    The great thing about getting a credit card reissued, is that many banks here will accept it as ID. So get a credit card reissued, and voila, instant access to all the poor persons other accounts as well, and from past experience they'll happily offer to let you do over the counter cash withdrawals of however much you want from your credit card accounts.

    They're so clueless it's scary to think I trust them with my money (but the rest of them are just as bad).

    Why did I have to move to a country with a banking system from the dark ages?

  • Identity proxy (Score:3, Interesting)

    by digidave ( 259925 ) on Thursday August 04, 2005 @04:43PM (#13244266)
    I wonder how long before some company comes out with an identity proxy service. You sign up for, say $10/month, and create your virtual identity complete with a real credit card number that's mapped to yours through the service, then sign up to eBay, PayPal, etc using the virtual identity. If it gets compromised, you get a free switch to a new identity.

    You'd end up having to trust that one company, but a single company could quite easily put in place policy and technology to keep your identity safe... that would be their primary focus. That's unlike eBay and others who really just want to do business with you and happen to also have your personal information. Their policies aren't as good as they need to be.

    Besides, with your info only at one place it'd make spear phishing much harder: no relying on little bits of info from many places as a hacker would need to get all your personal info from one place.
  • In news today, IBM has captured one of the notorious spear phishers. Here is a picture of the dubious scum, the Spear Phisher [].
  • Ok, sure I'm busting an open door here on /. but I wonder (aloud) why does amazon or ebay ever need to have my credit card data on their db? To lure me into 1-click compulsion shopping? I'm not that stupid and of course I ALWAYS go for kart transaction style and still, it irritates me that amazon doesn't ask me for my visa or shipping every time or better, routes me to with a session code on visa's servers.

    An estore shouldn't need to keep my CC, personal bio and address at all, on the same tables.

All laws are simulations of reality. -- John C. Lilly