From: Nathaniel Borenstein <nsb@nsb.fv.com>
Date: Wed, 13 Dec 1995 01:24:14 +0800
To: sameer@c2.org>
Subject: Hacking FV is just no fun (was Re: More FUD from First Virtual [NOISE])
In-Reply-To: <199512120743.XAA24011@infinity.c2.org>
Message-ID: <IknLod_Mc50eI2iw5O@nsb.fv.com>
MIME-Version: 1.0
Content-Type: text/plain


Watching this thread has been fascinating.  I want to underscore and
summarize a tiny bit.

First, I commented about the aspects of FV's system that made it
particularly hard to mount a large-scale automated attack against the FV
transaction system.  Then, David Wagner asked:

> Is it just me, or does this sound like a challenge?
.....
> Maybe Sameer will create a Hack FV page :-)
> Or maybe NB will offer a $1000 bug bounty to anyone who can successfully
> forge a transaction in FV's system (since it's so foolproof)...

Before I could answer, Sameer said more or less what I would have said,
although I'm sure he didn't think he was offering FV's position:

> 	FV isn't worth it.

This is absolutely true in the sense that a simple one-time attack on FV
is well-understood and easy to mount.  (For those of you who haven't
seen it, I recommend that you read our paper on lessons from First
Virtual's first full year in operation, available at
ftp::/ftp.fv.com/pub/nsb/fv-austin.{ps,txt}.  Among other things, it
spells out in precise detail how to break the FV transaction system --
see Appendix A, Question 25:  "How can a criminal break First Virtual's
system, and does it matter?"

Unlike other systems, FV doesn't claim to be "foolproof" -- quite the
contrary, we very deliberately tell you exactly how to break the system,
and we focus on limiting the damage that can be done by such an attack. 
Given that fact, a bounty is ludicrous.  We're not going to turn around
and pay you a bounty for doing exactly what we told you how to do!  A
bounty on crypto-payment-systems makes sense precisely because the
possible costs of a bug can be so high.

However, Sameer went on to write:

> 	Actually, Hack FV seems pretty pointless. Someone hacks FV,
> and a chargeback is issued on the credit card. Big deal. Same old
> outdated credit-card based payment systems.
> 	No more secure than credit cards.

This last line is not quite right.  The email loop that FV adds will, in
general, cause fraud to be detected far more quickly than it is detected
in today's credit card world.  Thus FV is a bit more robust (if not more
"secure", a word fraught with problems of definition) than the physical
credit card infrastructure.  Using encrypted credit cards on the net,
however, is demonstrably *less* secure/robust than the existing physical
credit card infrastructure, as the first-year paper also explains in
detail.

Finally, Bill and Sameer (jointly, sort of) provided a very brief
synopsis of the "does it matter?" part:

> > Besides, if you hack FV you've got the money :-)

> 	Uh, no you don't. I can't think of any ways you could hack FV
> and actually make money at it, because in the end the credit card
would just get a chargeback.

FV is vulnerable to several nuisance attacks, and we make no bones about
that fact.  We've even seen it happen a couple of times -- no money was
lost, and the culprit was persuaded to cease and desist via pressure
through his ISP.  But we've designed the system to be very robust in
protecting the actual money, which is what we believe MUST be a payment
system's first priority.  -- Nathaniel
--------
Nathaniel Borenstein <nsb@fv.com> (FAQ & PGP key: nsb+faq@nsb.fv.com)
Chief Scientist, First Virtual Holdings

VIRTUAL YELLOW RIBBON==> http://www.netresponse.com/zldf