Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
- To: [email protected]
- Subject: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
- From: [email protected] (Andreas Bogk)
- Date: 30 Jan 1996 05:09:01 +0100
- In-Reply-To: Nathaniel Borenstein's message of Mon, 29 Jan 1996 15:07:46 -0500 (EST)
- Organization: ART+COM GmbH Berlin
- References: <[email protected]>
- Sender: [email protected]
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Nathaniel" == Nathaniel Borenstein <[email protected]> writes:
First, pray tell, what prevents me from writing a virus that patches,
say, Eudora and Netscape, so they automatically reply to all FV-mails?
Or, to quote your security FAQ:
>To defeat this mechanism requires someone to steal a First Virtual
>account identifier;
... which is plainly visible, unencrypted, in the e-mails ...
>to identify the corresponding email address (which
>is not public knowledge, cannot be determined from the account
>identifier, and will not be released by First Virtual);
... which is in the header of said e-mail ...
>to know or guess the account password;
... which is quite impossible unless you have your own FV shop,
monitor IP traffic or a *malicious program on the user's computer* ...
>to intercept all incoming messages to that email address;
... which said malicious program is of course completely unable to do ...
>and, of course, to know what First Virtual is and understand what our
>messages are about and how to respond to them.
Wow! I didn't think of that!
And while I'm at it, it doesn't take much to be more secure than
credit card payments. You shouldn't be too proud of that.
And it shouldn't take an experienced programmer one whole week to
write a keyboard sniffer.
But I think it's not too pessimistic to say that _any_ software-based
payment scheme can be hacked using malicious programs.
Nathaniel> world today. Once it detects a credit card number, a
Nathaniel> criminal program could use any of several techniques to
Nathaniel> send that number to the original criminal without
Nathaniel> providing any way to trace the criminal's receipt of
Nathaniel> it. (If you're skeptical about this claim, we'd prefer
Nathaniel> to talk with you privately, as we've never seen the
Nathaniel> "best" methods for doing this spelled out in public,
Nathaniel> and we would prefer to keep it that way.)
Oh, wow, it's your secret. I would post a message containing the
credit card number encrypted with a public key cipher to
alt.foo.bar. Or to IRC. And it's not too difficult to hack
university computers, so I could even receive mail there without being
traceable. Not to speak of remailer chains. Any other ideas?
Andreas
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQCVAgUBMQ2Zy0yjTSyISdw9AQEkHwP9HeYucy86Wdre4OuaYAa50YcNZ6LPrJJz
GrvDC5t4LRprAqggtYMRBS7NlJ2+rVV58+6R4WXn66wCLcjpAXq0s5FMxKDoxe9Y
JyKcevK7O9iFLIGzERZkz2RXLmk2PBlUsi8hzS+WsPBe0QfIK1bFW2gEum2eKjlm
bzmq6iI8dx0=
=5NT1
-----END PGP SIGNATURE-----
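As an added illustration of the dead drop Andreas describes above (this is not code from the original post, nor anything from First Virtual), the block below models the exfiltration channel: a captured value is encrypted under the recipient's public key and appended to a public board that anyone can read, so the posting names nobody, any reader can fetch it, and only the holder of the private key recovers the contents. The cipher is textbook RSA on deliberately small keys with no padding, chosen so the arithmetic is visible; it is an illustration, not a production scheme (PGP 2.6.2, which signed the message above, adds random padding and a hybrid symmetric layer). The card number, the key sizes, the seed and the board contents are all constructed here for the example.

```python
"""Toy public-key dead drop: post a ciphertext on a public channel so that
only one private key can read it and nothing in the posting names the reader.

Added illustration; textbook RSA on small keys, no padding, no authentication.
Not a production cipher. All sample data below is constructed for the example.
"""
import base64
import random


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Draw odd candidates with the top bit set until one passes the test."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def modinv(a, m):
    """Modular inverse by extended Euclid (avoids the Python 3.8+ pow form)."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r, old_s, s = r, old_r - q * r, s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse")
    return old_s % m


def generate_keypair(bits=512, seed=None):
    """Return ((e, n), (d, n)). 512-bit toy modulus; seed only for reproducibility."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (e, p * q), (modinv(e, phi), p * q)


def encrypt(pubkey, message):
    """Textbook RSA: c = m^e mod n, returned as a fixed-width base64 line.
    The output has the same length for any message and carries no name."""
    e, n = pubkey
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key")
    width = (n.bit_length() + 7) // 8
    return base64.b64encode(pow(m, e, n).to_bytes(width, "big")).decode("ascii")


def decrypt(privkey, posting):
    """Recover m = c^d mod n. Leading zero bytes of the plaintext are not
    preserved by this toy encoding; the sample below has none."""
    d, n = privkey
    c = int.from_bytes(base64.b64decode(posting), "big")
    m = pow(c, d, n)
    return m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")


class PublicBoard:
    """A public channel such as a newsgroup: anyone appends, anyone reads all."""

    def __init__(self):
        self.postings = []

    def post(self, text):
        self.postings.append(text)

    def read_all(self):
        return list(self.postings)


def run_dead_drop(seed=7):
    """Walk the scenario once and return what each party ends up with."""
    card = b"4111111111111111 12/97"          # constructed, not a real card
    thief_pub, thief_priv = generate_keypair(seed=seed)
    _, bystander_priv = generate_keypair(seed=seed + 1)
    board = PublicBoard()
    board.post("has anyone read the FAQ?")      # unrelated traffic on the group
    drop = encrypt(thief_pub, card)
    board.post(drop)                            # posted by the malicious program
    board.post("re: FAQ - yes, section 3")
    # Every reader fetches the whole group; only the key holder gets the card.
    fetched = board.read_all()[1]
    return {
        "posting": drop,
        "recovered": decrypt(thief_priv, fetched),
        "wrong_key": decrypt(bystander_priv, fetched),
        "readers_logged": None,                 # nothing distinguishes the thief's read
    }


if __name__ == "__main__":
    result = run_dead_drop()
    print(result["posting"])
    print(result["recovered"])
```

The point the block makes concrete is in `run_dead_drop`: the posting is the same width whatever was captured, it contains no identifier for the reader, and the board hands the same bytes to every reader, so there is no receipt to trace; the only party with a usable plaintext is whoever holds `d`.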