1996-02-01 - Re: Apology and clarification

Header Data

From: “Simon McAuliffe” <sai@comp.vuw.ac.nz>
To: cypherpunks@toad.com
Message Hash: 7a95249c54ba26581e6629ea51c230ec3fc82f9a748af039db51e1e77123fe6f
Message ID: <199601302254.LAA00347@caesar.sans.vuw.ac.nz>
Reply To: N/A
UTC Datetime: 1996-02-01 16:16:41 UTC
Raw Date: Fri, 2 Feb 1996 00:16:41 +0800

Raw message

From: "Simon McAuliffe" <sai@comp.vuw.ac.nz>
Date: Fri, 2 Feb 1996 00:16:41 +0800
To: cypherpunks@toad.com
Subject: Re: Apology and clarification
Message-ID: <199601302254.LAA00347@caesar.sans.vuw.ac.nz>
MIME-Version: 1.0
Content-Type: text/plain


For those that are sick of this thread (as I am), I apologize in
advance for throwing another log on the fire.  I just can't help 
trying to get through...

Nathaniel Borenstein <nsb@nsb.fv.com> writes:

> First of all, I believe that I owe the cypherpunk community an
> apology for an error in judgement on my part.  The message that I
[...]
> Our approach combines the following four known problems into a
> fatal attack:
> 
>   1) Consumer machines are insecure and easily compromised.
>   2) Keyboard sniffers are easy to write.
>   3) Credit card numbers are self-identifying (they have check digits) 
>      and can easily be extracted from a huge stream of input data.
>   4) Once intercepted, small amounts of information (e.g. a cc #)
>      may be distributed completely tracelessly over the Internet.
> 
> When you put all four of these together, you have an attack that
> IS new, in the sense that nobody we know of has ever mentioned it
> before, and which could in fact be used by a single criminal, with
> only a few weeks of programming, to tracelessly steal MILLIONS of
> credit cards, if software-encrypted credit-card schemes ever caught
> on.

You're right, the four problems you mention are known and have been
for a long time, and have also been used in attacks.  What you don't
seem to understand is that the overall attack from the combination of
these isn't new either.

In many ways a credit card number, name and expiry date form a
password.  It's a password that the bank accepts to allow money
transfers in much the same way as a computer accepts a password to 
allow information transfers.

On this very list (amongst other places), there has been discussion
of trojans and viruses for grabbing passwords, and of methods of
determining what is a password and what isn't a password.  In the
same way you can decide if a number is a credit card number, there
are heuristics you can use to determine if a user is entering a
password, though often it may require more than just monitoring
keystrokes.  To collect expiry dates and names for credit cards,
monitoring additional side information may also be useful.  So I
see no fundamental difference between the two, credit card numbers
_are_ passwords.

I myself have used precisely this technique many years ago, as I'm 
sure many others here have, to demonstrate security problems.  The 
only difference is the heuristic for determining what constitutes a 
password in the domain you're snooping.

What's more, the methods in existence before your post can be and
have been built in viruses which are considerably more prolific than
a trojan.  Not only is your attack not new, it is less powerful that
some similar attacks that predated yours.

Implying credit card numbers are more valuable than passwords is
dubious.  There are organisations that could lose millions of dollars
if their password security was compromised, but it's hard to say the
same for credit cards.  In this country, although I don't know about
yours, I'm not even liable if somebody steals my credit card and uses
it.  I would consider a "credit card password" as a lesser commodity
than a password for giving access to an entire computer system.

[...]
> So here's the factual claim, to be proven or disproven:  One good
> programmer, in less than a month, can write a program that will
> spread itself around the net, collect an unlimited number of credit
> card numbers, and get them back to the program's author by
> non-traceable mechanisms.  Does anyone on this list doubt that
> this is true?  If so, I'd like to know the flaw in my thinking, --
> I am *not* too proud to withdraw any claims that aren't true.  If
> not, I think it's worth noting that this fact was previously
> completely unknown to the bankers and businessmen who are putting
> large sums of money at risk on the net.  The only way to get the
> message to those communities is with a very visible public
> announcement of the kind you saw yesterday.

Of course this is a threat, I don't think _anybody_ will deny that,
but this is not a new threat.  True, the attack may not have been
known to businesspeople and bankers, but there are many others areas
of security they also know nothing about.  Trying to claim an old
invention as your own just looks like hype, PR and lies, not to
mention showing a lack of knowledge which could do the reverse from
what you set out to achieve.

It is certainly a Good Thing for the public to know about the
potential for various types of snooping, but surely it could be done
in some way which doesn't make it look like you invented it.  I
don't think anybody here objects to the attack itself, but rather
the claims you made about it and the way you communicated it.

---
E-mail: sai@comp.vuw.ac.nz/sai@kauri.vuw.ac.nz     +64 4 233 9427
PGP Fingerprint: 65 5B B4 6C CB 6A 65 F1  01 91 B9 FE 34 23 99 D3
PGP Key by mail, finger or from http://www.vuw.ac.nz/~sai/pgp-key.html





Thread