[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards



[My apologies in advance if you see several copies of this message.  I
am posting this fairly widely due to the severity and importance of the
problem described.]

As you may already have heard via the popular press, First Virtual
Holdings has developed and demonstrated a program which completely
undermines the security of every known credit-card encryption mechanism
for Internet commerce.  This is a very serious matter, and we want to
make sure that the Internet community is properly informed about the
nature of the problem that we have uncovered, and the manner in which we
have made the information known.  In this (unavoidably lengthy) post, I
will try to explain the nature of the problem and its implications for
Internet commerce.  In deference to those who are not technically
oriented, the detailed explanation of how the attack works will be the
LAST part of this message.

First of all, let me be perfectly clear about the nature of the problem
we have exposed.  It is NOT a bug in a single program, and it is
therefore NOT something that can be fixed with a "patch" or any other
kind of software upgrade.  Instead, we have demonstrated a very general
attack that undermines ALL programs that ask users to type a credit card
number into their home computer.  We have tested the program and
confirmed that it undermines the security of the credit card encryption
software from Netscape and Cybercash, and we expect that it will work
similarly for ANY future software based on the encryption of credit card
numbers on the desktop.  Quite simply, we believe that this program
demonstrates a FATAL flaw in one whole approach to Internet commerce,
and that the use of software to encrypt credit card numbers can NEVER be
made safe.  For consumers, we recommend the following simple rule:

NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER.

We should also be clear about the Internet commerce mechanisms that are
NOT affected by this problem.  First Virtual is unaffected because we
never ask the user to put a credit card number at risk by typing it into
a computer.  Hardware-based solutions can also be devised that are
immune to this attack, including solutions based on smart cards and
solutions based on "card swipe" machines in the home.  We believe that
current digital cash solutions are also not vulnerable to this attack,
although some variants of digital cash may be vulnerable to a similar
form of attack.  Commerce mechanisms based on the use of telephones or
fax machines to transmit credit card numbers are also unaffected by this
kind of attack.  Other proposed commerce mechanisms should, from now on,
be evaluated with this kind of attack in mind.  The bottom line: 
INTERNET COMMERCE CAN BE VERY SAFE, WITH SEVERAL DIFFERENT MECHANISMS,
BUT ENCRYPTING CREDIT CARDS ON THE DESKTOP IS NOT ONE OF THE SAFE
MECHANISMS.

It's important to understand why we have taken this step.  Obviously, as
the long-time leaders in Internet commerce, the last thing we would want
to do is to undermine general confidence in Internet commerce.  However,
we realized that many people believed that credit card encryption was a
safe and easy path to Internet commerce, and that very few people
understood how easily it could be undermined.  Upon investigation, we
were frankly startled to realize just how easy it was -- a single
programmer got the first version of our program running in about a week.
 Aside from our obvious interest in promoting our own commerce
mechanism, we felt that we had an ethical obligation to bring this
problem to the attention of the consumers, banks, and other financial
institutions who could conceivably suffer catastrophic losses if
software encryption of credit card numbers became widespread.

We also realize that we have an obligation to do everything possible to
avoid helping any unscrupulous people who might seek to utilize this
flaw for malicious purposes.  We have accordingly been extremely
responsible in how we have handled our discovery.  We first demonstrated
and explained our program to vital organizations such as CERT (the
Computer Emergency Response Team) and the ABA (American Banking
Association).  Only after many such private disclosures, none of which
revealed any defense against our technique, did we publicly disclose the
existence of this program.

In addition, we have taken several steps to "cripple" our demonstration
program, all of which will be discussed below.    Furthermore, we have
NOT made the program itself generally available.  We are currently
demonstrating it to selected financial institutions and government
agencies, and will provide copies of the program only to CERT and a few
other independent security-minded organizations.  We have also alerted
Netscape to the problem as part of their "bugs bounty" program.  At some
future date, we might conceivably distribute the program, in binary form
on CD ROM, to selected financial institutions.  The source code will
always be very closely guarded.  Unfortunately, however, the general
method of attack is extremely easy to duplicate, and we don't know of
any good way to alert the public to the problem without explaining it.

THE TECHNIQUE

Our basic approach was to write a computer program that runs undetected
while it monitors your  computer system. A sophisticated version of such
a program can intercept and analyze every  keystroke, mouse-click, and
even messages sent to your screen, but all we needed was the keystrokes.
Selectively intercepted information can be immediately and secretly
transmitted via  Internet protocols, or stored for later use.  

First Virtual's research team has built and demonstrated a particular
implementation of such a program, which only watches for credit card
numbers.  Whenever you type a credit card number into your computer --
even if you are talking to "secure" encryption software -- it captures
your card number.  Our program doesn't do anything harmful with your
credit card number, but merely announces that it has captured it.  A
malicious program of this type could quietly transmit your credit card
number to criminals without your knowledge.

The underlying problem is that the desktop -- the consumer's computer --
is not secure.  There is no way of ensuring that all software installed
on the consumer's machine can be trusted.  Given this fact, it is unwise
to trust ANY software such as a "secure" browser, because malicious
software could have easily been interposed between the user and the
trusted software.  

The bottom line for consumers is that, on personal computers,
INFORMATION IS INSECURE THE MOMENT YOU TOUCH A KEY.  We  have
dramatically proven that security  ends the moment you type sensitive
information into your computer. The vulnerability lies in the fact that
information must travel from your  keyboard, into your computer's
operating system, and then to your "secure" application. It can be
easily intercepted along the way.

This kind of insecurity is very frightening, and has implications far
beyond credit card theft.  However, credit cards embody and demonstrate
the kind of information that is MOST vulnerable to this kind of attack. 
Credit card numbers are far more vulnerable to this kind of attack than
most other forms of information because of the following particular
characteristics of credit card numbers:

-- Credit card numbers are easily recognized by simple pattern recognition.
-- Credit card numbers are "one way" financial instruments, with no
user-level confirmation or verification required for their use.
-- Credit card numbers are of direct financial value.

In short, credit card numbers are an almost perfect example of how NOT
to design a payment instrument for an insecure public computer network
such as the Internet.

DETAILS:  HOW TO TOTALLY UNDERMINE SOFTWARE ENCRYPTION OF CREDIT CARDS

First Virtual's demonstration credit-card interception program, once
installed, observes every keystroke that you type, watching for credit
card numbers.  It recognizes credit card numbers with almost perfect
accuracy, because credit card numbers are specifically designed to match
a simple, self-identifying pattern, including a check digit.  Our
program is even smart about punctuation and simple editing functions, so
that nearly any credit card number that you type into your computer is
immediately recognized as such by this program.  

When our program spots a credit card number, it immediately plays a
warning sound and pops up a window on your screen, including an iconic
representation of the type of credit card that you have just entered,
along with a clear explanation of what has just happened.  The current
program works only on Microsoft Windows (Windows 3.1, Windows NT, and
Windows 95), but we believe that it would be simple to implement on
Macintosh and UNIX systems as well.  The program doesn't exploit any
"holes" or bugs in the operating system.  It uses existing, necessary
operating system facilities which are part of the published Windows API,
and which are necessary for the implementation of screen savers,
keyboard macros, and other important software packages.

First Virtual's intent is to educate the public, certainly not to
endanger it.  For that reason, our program incorporates four important
precautions intended to prevent any possibility of harm:

1)  Our program is not self-replicating.  While a malicious program
exploiting the same security flaw could easily be embedded in a virus,
spreading itself all over the world, that was not our goal.  Instead,
the program must be deliberately and manually installed on each computer
on which it is to run.  

2)  Our program always puts up an icon on your screen when it is
watching your keystrokes.  This is certainly not necessary, and it is
clear that a malicious program would be unlikely to do this.

3)  Our program is easy to remove from your computer, and even offers an
"Uninstall" button to the user.  Obviously a malicious program would
hide itself as well as possible, and make itself as hard to remove as
possible.

4)  Our program never transmits your credit card over the Internet. 
While a program using this approach could transmit your information to a
criminal in a totally untraceable manner, we would never do anything
like that.  In fact, we erase your credit card number from our program's
memory before we even tell you that we've seen it, thus making sure that
the credit card number can't even be retrieved by an inspection of our
program's memory.

It is frankly difficult to overstate the severity of the problem
demonstrated by our program.  A clever criminal could use viral
techniques to spread a malicious program based on the same approach, and
would be no more likely to be caught in the act than the authors of any
of the computer viruses that plague the world today.  Once it detects a
credit card number, a criminal program could use any of several
techniques to send that number to the original criminal without
providing any way to trace the criminal's receipt of it.  (If you're
skeptical about this claim, we'd prefer to talk with you privately, as
we've never seen the "best" methods for doing this spelled out in
public, and we would prefer to keep it that way.)  Altogether, this
means that if millions of credit card numbers were being typed into
Internet-connected personal computers, a criminal could obtain a
virtually unlimited supply of card numbers for his own use.  In fact,
for all we know this could already be happening today.  The first
visible sign of such an attack, if it were well-executed, would be a
gradual rise in the overall rate of credit card fraud.

POSSIBLE SOLUTIONS

First Virtual believes that the flaw we have uncovered is fatal.  In the
foreseeable future, all commerce schemes based on software encryption of
credit cards on the desktop are completely vulnerable to this sort of
attack.

The basic problem is that software encryption of credit cards is
predicated on the notion of "trusted software".  On the consumer
computing platforms, however, general purpose operating system
functionality makes it unwise to assume too strong a level of trust in
such software.  No operating system with anything less than
military-grade security (B2) is likely to be safe from an attack such as
this one.

This does not mean that Internet commerce is dead.  Any scheme that is
not based on self-identifying one-way financial instruments such as
credit cards will be essentially unaffected by this problem.  Moreover,
even credit cards may be made safe on the Internet using one of two
approaches:  secure hardware add-ons and the First Virtual approach.

First Virtual's Internet Payment Systems never places the consumer's
credit card number on the Internet.  Instead, the consumer provides it
to us by telephone when the account is opened.  After that, all
purchases are made using a "Virtual PIN".  Virtual PINs are essentially
Internet aliases for underlying payment mechanisms such as credit card
numbers, but with several kinds of added security.  Virtual PINs are
free-form text, with no recognizable pattern, which makes them much
harder to detect with the kind of attack we have just demonstrated. 
Moreover, Virtual PINs are only usable in conjunction with First
Virtual's unique email verification process.  No payment is made until
the consumer confirms an email query, which means that defrauding First
Virtual is a multi-step process that is extremely difficult to automate.
 (For more details, we recommend our paper, "Perils and Pitfalls of
Practical CyberCommerce", available via ftp from
ftp://ftp.fv.com/pub/nsb/fv-austin.txt.)

The bottom line, once again, for those of you who have read this far:

NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER.

There's simply no other way to keep credit cards safe on the net.  The
program we have demonstrated completely undermines the security of all
known programs that claim to handle credit card numbers safely on the
Internet.
--------
Nathaniel Borenstein <[email protected]>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: [email protected]