Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards



Excerpts from mail.cypherpunks: 30-Jan-96 Re: FV Demonstrates Fatal F..
Weld [email protected] (1503*)

> Here is an example of an imagemap for secure number entry.

> http://www.l0pht.com/~weld/numbers.html

I *really* like this example.  That's because it demonstrates so clearly
the security/usability tradeoff that I keep trying to hammer home to
people.

Yes, with something like this -- and a LOT of variation, so it wasn't
the same every time -- you could avoid an attack like ours.  But you'd
also have a user interface that was virtually unusable.  The focus of
the attack we outlined was one particular, naive approach to Internet
commerce that sacrificed a lot of security for usability.  If the net
result of what we've done is to force them to find a better balance, it
was well worth the effort.

Or, to put it another way, I'm not too worried about competing with
software-encrypted credit card numbers if they use an imagemap technique
like the one you've outlined.
--------
Nathaniel Borenstein <[email protected]>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: [email protected]