[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: FV's Borenstein discovers keystroke capture programs! (pictures at 11!)
Nathaniel Borenstein wrote:
> We have a few pages of C code that scan everything you type on a
> keyboard, and selects only the credit card numbers. How easy is that to
> do with credit card numbers spoken over a telephone?
>
> The key is large-scale automated attacks, not one-time interceptions.
This fact that the filtering can be done on the client side is nearly
irrelevant. Most people do not hit enough keystrokes in a day to prevent sending
the entire keyboard stream back to the filtering agent.
Since most folks do not spend most of their time typing in nonsense phrase, you
could probably pick out the First Virtual account number also. With only a
little more cleverness you can get the file containing private keys. With a few
thousand tries through the stream you can decrypt that file using the user's
pass phrase.
If you have the ability to change the software on the user's machine to
something arbitrary, why bother stopping at something as "trivial" as a single
credit card number.
PK
--
Philip L. Karlton [email protected]
Principal Curmudgeon http://www.netscape.com/people/karlton
Netscape Communications Corporation