
Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards




Nathaniel Borenstein <[email protected]> writes:

>The attack we've outlined -- and partially demonstrated -- is based on
>the combination of several known flaws:
>
> -- It's easy to put malicious software on consumer machines
> -- It's easy to monitor keystrokes
> -- It's trivial to detect credit card numbers in larger data streams
> -- It's easy to disseminate small amounts of information tracelessly

But take away the inputting of the credit card number via keystroke and 
the flaw disappears.  How would your program deal with a scheme like 
this?  

Programs needing secure entry create a "secure entry field" which is
really just an imagemap with the digits (and alphas if required) placed
randomly about.  The user then uses the mouse to click on these numerals. 
Ideally the graphics that represent the numerals would be drawn from a
random pool and be misformed to thwart any OCR attempts. The graphics
could be made even more difficult to OCR by mixing in words and pictures 
to represent the numbers.

An even better solution may be to have the imagemap generated by the 
server and just the mouse clicks sent back to be decoded on the server.  
That is how server side imagemaps work now over the web.  It shouldn't be 
hard to take credit card numbers this way.  
 

      Weld Pond   -  [email protected]      -     http://www.l0pht.com/
      L  0  p  h  t    H  e  a  v  y    I  n  d  u  s  t  r  i  e  s          
      Technical archives for the people  -  Bio/Electro/Crypto/Radio

      L0pht Open House 2/3/96 at 8:00pm - Live on irc #l0pht - write
      [email protected] for details.
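
Added example, not part of the original post: a sketch of the server-side decoding half of the imagemap scheme described above, where the digit layout stays on the server and the client returns only click coordinates. The 5x2 grid, the cell size, and the names `SecureEntryServer`, `new_challenge`, `decode_clicks` and `clicks_for` are assumptions made for illustration; image rendering and distortion are left out.

```python
import secrets

CELL_W, CELL_H = 40, 40   # pixel size of one digit cell (assumed)
COLS, ROWS = 5, 2         # ten cells, one per digit (assumed layout)

class SecureEntryServer:
    """Keeps each session's digit layout; the client only sees an image."""

    def __init__(self):
        self._layouts = {}  # session id -> digits indexed by cell number

    def new_challenge(self):
        """Create a fresh random layout and return (session_id, layout).
        In a deployment only a rendered image of the layout leaves the server."""
        digits = list("0123456789")
        # Fisher-Yates shuffle driven by the OS CSPRNG
        for i in range(len(digits) - 1, 0, -1):
            j = secrets.randbelow(i + 1)
            digits[i], digits[j] = digits[j], digits[i]
        sid = secrets.token_hex(16)
        self._layouts[sid] = digits
        return sid, digits

    def decode_clicks(self, sid, clicks):
        """Map (x, y) clicks back to digits. A layout is single use:
        it is discarded on the first decode attempt, valid or not."""
        layout = self._layouts.pop(sid, None)
        if layout is None:
            raise KeyError("unknown or already used challenge")
        out = []
        for x, y in clicks:
            if not (0 <= x < COLS * CELL_W and 0 <= y < ROWS * CELL_H):
                raise ValueError("click outside imagemap")
            out.append(layout[(y // CELL_H) * COLS + (x // CELL_W)])
        return "".join(out)

def clicks_for(number, layout):
    """Stand-in for the user: click the centre of each digit's cell."""
    pts = []
    for d in number:
        cell = layout.index(d)
        pts.append(((cell % COLS) * CELL_W + CELL_W // 2,
                    (cell // COLS) * CELL_H + CELL_H // 2))
    return pts
```

Because one layout is used for the whole entry, the click sequence still shows which positions of the number share a digit; issuing a new layout per digit removes that pattern at the cost of more round trips.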