[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: What are the flaws with FV payment system?
-----BEGIN PGP SIGNED MESSAGE-----
On Thu, 10 Oct 1996, Kip DeGraaf wrote:
> I only received this an hour ago. I would very much like to attend, but
> can't put my fingers on the detailed analysis of FV's flaws in their
> system, which I would like to bring up in person at this seminar.
>
> Could someone please point me in the right direction?
>
I haven't seen any such analysis myself, but there is likely one available.
- From looking at FV's claims and descriptions of transactions, here's
a few things I'd say:
o A buyer's VirtualPIN is given insecurely to the merchant, unless
transmitted via secure HTTP. If not over SSL or HTTPS, anyone along
the way can swipe the VirtualPIN.
o It is easy to "verify" a PIN as a valid PIN. You can use finger, telnet,
and email among other things. Easy target for a dictionary attack.
o Payment confirmation messages are sent to the buyer via email,
unencrypted, insecure, etc... Easy target for slightly-less-than-honest
system admins, and most anyone else between FV and the buyer. Easy
traffic analysis, though the FV payment scheme does not offer
anonymity as a feature. Absolutely zero privacy.
o Read this: http://www.fv.com/pubdocs/FAQ-security.txt
Nuff said.
o It appears that anyone can fake a reply to a payment confirmation
message. It appears some sort of transaction id is necessary in the reply,
but it's not entirely evident. (the id comes in the comfirmation
request if it does exist, you wouldn't need any other knowledge).
o Given the above, it doesn't seem hard to spoof either merchant requests
and/or buyer confirmations, charging the real VirtualPIN-holder without
his/her knowledge. If the confirmation-request email could be prevented
from reaching the intended user, they would never even know it happened,
til they get their credit-card bill.
o Logistically, it requires a user has access to his/her email account
at all times to make purchases. For a timely purchase, it requires a
user to receive the confirmation-request quickly, and the reply to
reach FV quickly. Every ISP I've used has noticeable lag handling mail
at times, often minutes long. Mail queues get big.
o On the plus side, you send your credit card info over the incredibly,
massively, montrously secure phone lines by calling these people up. ;-)
This is all from looking over their pages for a few minutes a while back,
and quicky just now, so I may have erred in places. Someone with experience
using the system and/or someone with FV's email message specs would be good
to talk to.
The claims they make about encryption just generally make me want to dislike
them immensely, regardless of the merits of their system.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jeremey Barrett
Senior Software Engineer [email protected]
VeriWeb Internet Corp. http://www.veriweb.com/
PGP Key fingerprint = 3B 42 1E D4 4B 17 0D 80 DC 59 6F 59 04 C3 83 64
PGP Public Key: http://www.veriweb.com/people/jeremey/pgpkey.html
"less is more." -- Mies van de Rohe.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMl1QoC/fy+vkqMxNAQE2VgQA2A75PJWRhh8n5rdOYhRS2vnuod2O9lzn
K8Rdxui9NZ6ZXk3RBCQHXG1vbzmKgwA9sb7BBjygrE4KdzdQUrHwhmJKZJfP7IGe
jbgNuAtXEYeIgP5K4pjjWWl0fVN4H7vV98AukkBxDDaif1Iklw/g4ByzKVa23i5k
9MCXNdercOU=
=Fws8
-----END PGP SIGNATURE-----