1996-01-31 - Re: FV’s Borenstein discovers keystroke capture programs! (pictures at 11!)

Header Data

From: Jeremy Mineweaser <Jeremym@area1s220.residence.gatech.edu>
To: cypherpunks@toad.com
Message Hash: a126d2e1a845eeffac2957f803ad702c0634e2a0c0e17e5d4c29aea041a9582a
Message ID: <2.2.32.19960130042632.00966364@area1s220.residence.gatech.edu>
Reply To: N/A
UTC Datetime: 1996-01-31 01:12:08 UTC
Raw Date: Wed, 31 Jan 1996 09:12:08 +0800

Raw message

From: Jeremy Mineweaser <Jeremym@area1s220.residence.gatech.edu>
Date: Wed, 31 Jan 1996 09:12:08 +0800
To: cypherpunks@toad.com
Subject: Re: FV's Borenstein discovers keystroke capture programs! (pictures at 11!)
Message-ID: <2.2.32.19960130042632.00966364@area1s220.residence.gatech.edu>
MIME-Version: 1.0
Content-Type: text/plain


At 04:39 PM 1/29/96 -0500, Nathaniel Borenstein wrote:

>Well, the mis-conceptions are flying fast and furious.
>
>You're twisting our words.  We believe it is a truly fatal flaw in those
>internet commerce schemes that are based on software encryption of
>credit card numbers.  There are several schemes for Internet commerce
>that are unaffected:
>
>	-- First Virtual (of course)

Question: Could you please describe the nature of the First Virtual 
protocol?  Now before you tell me to RTFM, let me explain.

I assume, although without absolute certainty, that in order to bill me
you must know my credit card number.  If you do not know my credit
card number, and depend on someone else who does, you are nothing
more than a middleman who introduces additional possibility for
breach of security.  If you do know my credit card number, you must
deal with the associated problem of storing this number.  Now perhaps
I am wrong, and you really do keep all of your clients' card numbers
in a printed book hidden within a safe, and for each transaction you
remove the book, use your table to match FV_ID to CC#, process the
transaction, and replace the book.  However, I doubt this.  More
likely, you store the card numbers on a computer.  And no doubt,
someone or something enters those numbers into a database.

You have just violated your own cardinal rule.


Jeremy
---
   Jeremy Mineweaser     | GCS/E d->-- s:- a--- C++(+++)$ ULC++(++++)>$ P+>++$
 j.mineweaser@ieee.org   | L+>++ E-(---)  W++ N+  !o-- K+>++  w+(++++) O-  M--
                         | V-(--) PS+(--) PE++ Y++>$ PGP++>+++$ t+() 5 X+ R+()
    *ai*vr*vx*crypto*    | tv(+)  b++>+++ DI+(++)  D+  G++ e>+++  h-() r-@ !y-





