From: "Mr. Nobody" <mixmaster@anon.alias.net>
Date: Tue, 30 Jan 1996 19:03:06 +0800
To: jrochkin@cs.oberlin.edu.cypherpunks@toad.com
Subject: None
Message-ID: <199601301025.EAA17459@fuqua.fiftysix.org>
MIME-Version: 1.0
Content-Type: text/plain


In article <ad32cd9601021004af4e@[132.162.233.188]> jrochkin@cs.oberlin.edu (Jonathan Rochkind) writes:
> 3)  I believe that FV works by assigning the user some sort of id number.
> They send the id accross the net, FV has a database with "FV-ID" <->
> credit-card-number correspondences, the merchant sends FV the id, FV bills
> your card and pays the merchant.  Now, if I'm correct about how FV works,
> we could clearly write a program that searches your HD for FVs data files,
> extracts your FV-ID from it, and steals it.  It could be a virus, it could
> send the FV accross the net, whatever.  We could then use your FV-ID to
> make fraudulently make purchases through the FV system that would be billed
> to you.  This is essentially the same attack as FV "demonstrates" against
> software encrypted credit cards over the net: that is, the "You have an
> insecure system and if we can put evil software on it, we can get you."
> attack.

This sounds like a fatal security flaw in FV's system!  We need to
publicize this fact widely to prevent innocent people from using their
FV accounts from computers or over the network.