
Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards



Excerpts from mail: 29-Jan-96 RE: FV Demonstrates Fatal F.. David Van
[email protected] (764)

>  Using stolen credit card numbers is a risky business, and the ability of   
> the credit card companies in detecting fraud and locating criminals is   
> quite real.

And most of the fraud detection is premised on the fact that once a
criminal steals a card number, he'll use it several times.  That's why
an automated attack of the kind we've outlined is so dangerous -- a
clever criminal will use each stolen number only once, thus making
himself far harder to trace.

> Of course, since Federal law requires the credit card companies, not the   
> user, to pay the costs of fraud, First Virtual's entire premise is a red   
> herring.  If the credit card companies are willing to take the risk, they   
> will (and are).

Actually, you're wrong here too.  It is the banks, not the credit card
companies, that carry the risk.  If, for example, Visa defines a
standard for encrypted credit card numbers, and it turns out to be
fatally flawed, it is the banks that will lose their shirts.  This may
not seem like an important distinction to you, but I assure you that it
is important to bankers.

> Scare tactics are nothing new in the PR business, but I would recommend   
> that the principals at FV learn about "cutouts" for this type of   
> gimmickry if they wish to preserve their reputations....

My reputation in the technical community, I assume, will stand or fall
based on the validity of my technical claims, not on the knee-jerk
reactions of people who don't even read the announcement thoroughly
enough to understand the technique we have revealed.  I have not yet
heard anything that makes me think that my claim is untrue.  We have
revealed the first known strategy for an Internet-based large-scale
automated attack on the credit card system.  I think that's a real
threat.  -- Nathaniel
--------
Nathaniel Borenstein <[email protected]>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: [email protected]