1996-01-31 - Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards

Header Data

From: Nathaniel Borenstein <nsb@nsb.fv.com>
To: cypherpunks <dvw@hamachi.epr.com>
Message Hash: 6f23b1ae89cee0a473dec18aace115d0550fc6bb6d2b7eab3bae3cbee1a5b42d
Message ID: <Ql3UHiOMc50e5Ir1sa@nsb.fv.com>
Reply To: <310D4CCE@hamachi>
UTC Datetime: 1996-01-31 16:52:11 UTC
Raw Date: Thu, 1 Feb 1996 00:52:11 +0800

Raw message

From: Nathaniel Borenstein <nsb@nsb.fv.com>
Date: Thu, 1 Feb 1996 00:52:11 +0800
To: cypherpunks <dvw@hamachi.epr.com>
Subject: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credi t Cards
In-Reply-To: <310D4CCE@hamachi>
Message-ID: <Ql3UHiOMc50e5Ir1sa@nsb.fv.com>
MIME-Version: 1.0
Content-Type: text/plain

Excerpts from mail: 29-Jan-96 RE: FV Demonstrates Fatal F.. David Van
Wie@hamachi.ep (764)

>  Using stolen credit card numbers is a risky business, and the ability of   
> the credit card companies in detecting fraud and locating criminals is   
> quite real.

And most of the fraud detection is premised on the fact that once a
criminal steals a card number, he'll use it several times.  That's why
an automated attack of the kind we've outlined is so dangerous -- a
clever criminal will use each stolen number only once, thus making
himself far harder to trace.

> Of course, since Federal law requires the credit card companies, not the   
> user, to pay the costs of fraud, First Virtual's entire premise is a red   
> herring.  If the credit card companies are willing to take the risk, they   
> will (and are).

Actually, you're wrong here too.  It is the banks, not the credit card
companies, that carry the risk.  If, for example, Visa defines a
standard for encrypted credit card numbers, and it turns out to be
fatally flawed, it is the banks that will lose their shirts.  This may
not seem like an important distinction to you, but I assure you that it
is important to bankers.

> Scare tactics are nothing new in the PR business, but I would recommend   
> that the principals at FV learn about "cutouts" for this type of   
> gimmickry if they wish to preserve their reputations....

My reputation in the technical community, I assume, will stand or fall
based on the validity of my technical claims, not on the knee-jerk
reactions of people who don't even read the announcement thoroughly
enough to understand the technique we have revealed.  I have not yet
heard anything that makes me think that my claim is untrue.  We have
revealed the first known strategy for an Internet-based large-scale
automated attack on the credit card system.  I think that's a real
threat.  -- Nathaniel
Nathaniel Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq@nsb.fv.com