
FV's blatant double standards



I only just managed to go through my mail backlog and read
Simson Garfinkel's original Mercury News article. I was appalled 
by FV's double standards in evaluating security risks. Both First
Virtual and real-time transaction models (without encryption, or 
with it e.g. Netscape) require that the recipient not be compromised. 
FV relies on e-mail (domain names); Netscape relies on IP addresses. 

IP addresses are much harder to intercept than domain names
(which can be hijacked - see my earlier posts). This essentially
means that while e-mail can be mis-routed, IP packets can't.
Additionally, plaintext e-mail as well as IP traffic can often be 
sniffed along the way. 

FV demonstrated, through its "card sharp" or whatever, that
real-time transactions are vulnerable to sniffers on the recipient's
own machine. Of course. We all knew that. But the mistake is to
assume that FV isn't _equally_ vulnerable to that threat. If you
can write a trojan that will somehow get privileged access to my
machine, trap my keystrokes, and identify my credit card number,
you can certainly write one that will, sitting on my machine:
    "intercept the user's electronic mail, read the confirmation 
    message from First Virtual's computers, and send out a fraudulent 
    reply" 
(to quote from Simson's article). Simson further quotes FV's Lee
Stein: "A single user can be targeted, Stein said, but ''it is very 
difficult. . . . There are too many packets moving . . . to too many 
different machines.''" - which is of course equally true for real-time
Netscape transactions. 

Simply put, if there's a program sitting on your computer with
privileged access, it can read your mail, hide it from you, and reply,
as easily as it can read your keystrokes. Even simpler: if there's
a privileged program on your machine, NOTHING IS SECURE - not SSL,
not FV, not plaintext credit cards, not PGP, NOTHING.

This is old hat, and FV has shown nothing new with its one-sided
stunt; the only reason there has been little hype recently about
card-sniffing trojans is that trojans and viruses and the rest of
their ilk have been dying of exposure in the media, ever since the
Internet Worm grabbed headlines years ago.

Rishab