1996-01-30 - Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards

Header Data

From: zinc <zinc@zifi.genetics.utah.edu>
To: Nathaniel Borenstein <nsb@nsb.fv.com>
Message Hash: 480a6f49c30dd631a843f37cf6ea9ac662179e4b220d90074e6e4bd2bda43c05
Message ID: <Pine.LNX.3.91.960129141757.184E-100000@zifi.genetics.utah.edu>
Reply To: <Ml3HWaOMc50eEWY6pA@nsb.fv.com>
UTC Datetime: 1996-01-30 01:04:48 UTC
Raw Date: Tue, 30 Jan 1996 09:04:48 +0800

Raw message

From: zinc <zinc@zifi.genetics.utah.edu>
Date: Tue, 30 Jan 1996 09:04:48 +0800
To: Nathaniel Borenstein <nsb@nsb.fv.com>
Subject: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To: <Ml3HWaOMc50eEWY6pA@nsb.fv.com>
Message-ID: <Pine.LNX.3.91.960129141757.184E-100000@zifi.genetics.utah.edu>
MIME-Version: 1.0
Content-Type: text/plain


On Mon, 29 Jan 1996, Nathaniel Borenstein wrote:

> Date: Mon, 29 Jan 1996 16:14:14 -0500 (EST)
> From: Nathaniel Borenstein <nsb@nsb.fv.com>
> To: zinc <zinc@zifi.genetics.utah.edu>
> Cc: cypherpunks@toad.com
> Subject: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
> Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F..
> zinc@zifi.genetics.utah. (1368*)
> > so what?  fv has a keyboard sniffer...
> It's considerably more than that.  Please read on.
> > for what it's worth, this sort of program could easily be used to get 
> > info more important than credit card numbers.  passphrases and 
> > passwords of all kinds could be obtained leading to broken accts or 
> > worthless cryptography.
> Yes, but I think you've missed the main point, probably because we
> haven't made it clear enough.  What's unique about credit card numbers
> is that they're very small amounts of data, self-identifying, and of
> direct financial value as a one-way financial instrument (i.e. with no
> confirmation process).  
> The attack we've outlined -- and partially demonstrated -- is based on
> the combination of several known flaws:
> 	-- It's easy to put malicious software on consumer machines
> 	-- It's easy to monitor keystrokes
> 	-- It's trivial to detect credit card numbers in larger data streams
> 	-- It's easy to disseminate small amounts of information tracelessly

this program is not specific to credit card numbers.  it sounds like
it could have just as easily been written to watch for a login: or
password: prompt and then record everything entered after that.

the point is not that this can be done, the point is that users need
tools that would check for programs like this running on their
system.  is fv making a 'fix' available?  i would imagine a  'fix'
would be a program that would look for tsr type programs (or inits on
a mac) that do this sort of thing.  

this is the sort of thing that crypto can help with.  there should be
a site that PGP signs the programs available from their site.  these
signed programs will have been testing on the appropriate system and
verified to be free of small malicious programs such as the one you
describe.  alternatively, the author themselves could PGP sign the app
(this is already done) and this would be what users should d/l.

it's disapointing to see the spin put on this by fv.  instead of
going with scare tactics, they could encourage PGP signatures and suggest
solutions to this problem like the ones i mentioned above.  in fact,
fv could even volunteer to help set up a site where all software has
been tested and signed by someone who has had their PGP key signed by
fv, sort of an expansion of the web of trust.

more of my $0.02..

- -pjf

"Those that give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety." -- Benjamin Franklin (1773)

zifi runs LINUX 1.3.59 -=-=-=WEB=-=-=->  http://zifi.genetics.utah.edu 

Version: 2.6.2
Comment: Processed by mkpgp1.6, a Pine/PGP interface.