Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
Excerpts from mail.cypherpunks: 30-Jan-96 Re: FV Demonstrates Fatal F..
Weld [email protected] (1503*)
> Here is an example of an imagemap for secure number entry.
> http://www.l0pht.com/~weld/numbers.html

I *really* like this example. That's because it demonstrates so clearly
the security/usability tradeoff that I keep trying to hammer home to
people.

Yes, with something like this -- and a LOT of variation, so it wasn't
the same every time -- you could avoid an attack like ours. But you'd
also have a user interface that was virtually unusable. The focus of
the attack we outlined was one particular, naive approach to Internet
commerce that sacrificed a lot of security for usability. If the net
result of what we've done is to force them to find a better balance, it
was well worth the effort.

Or, to put it another way, I'm not too worried about competing with
software-encrypted credit card numbers if they use an imagemap technique
like the one you've outlined.

--------
Nathaniel Borenstein <[email protected]>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: [email protected]