[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FV's Borenstein discovers keystroke capture programs! (pictures at 11!)



Excerpts from mail: 29-Jan-96 Re: FV's Borenstein discove.. Jeremy
Mineweaser@area1s (1692*)

> Question: Could you please describe the nature of the First Virtual 
> protocol?  Now before you tell me to RTFM, let me explain.

> I assume, although without absolute certainty, that in order to bill me
> you must know my credit card number.  If you do not know my credit
> card number, and depend on someone else who does, you are nothing
> more than a middleman who introduces additional possibility for
> breach of security.  If you do know my credit card number, you must
> deal with the associated problem of storing this number.  Now perhaps
> I am wrong, and you really do keep all of your clients' card numbers
> in a printed book hidden within a safe, and for each transaction you
> remove the book, use your table to match FV_ID to CC#, process the
> transaction, and replace the book.  However, I doubt this.  More
> likely, you store the card numbers on a computer.  And no doubt,
> someone or something enters those numbers into a database.

> You have just violated your own cardinal rule.

Nope, afraid not.  We keep the credit card numbers on a non-Internet
computer.  The only communication between it and the Internet world is a
proprietary *batch* protocol.  If you break through multiple firewalls
to our most secure Internet machine, then you can begin
reverse-engineering the batch protocol, and even then, there's nothing
in the protocol that will send credit card numbers back over.  

As to how the credit card numbers are entered:  they are entered at
account setup time via a telephone call.  Yes, telephones can be tapped,
but it's really hard to set up an automated attack that taps all the
phone calls and retrieves all the credit card numbers.  Moreover,
eventually we hope to have the credit card numbers downloaded directly
from the credit card issuing banks, thus elminating even the telephone
vulnerability.

Believe me, we've thought a LOT about this.  Please check out our
academic paper on our first year of operation, which you can find at
http://www.fv.com/pubdocs/fv-austin.txt -- I think it will answer a lot
of your questions.  -- Nathaniel
--------
Nathaniel Borenstein <[email protected]>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: [email protected]