From: Jiri Baum <jirib@sweeney.cs.monash.edu.au>
To: nsb@nsb.fv.com (Nathaniel Borenstein)
Message Hash: 8d9268d0f96d1a195b1f0035b1778f07cac48e9b4f526d1fcf9844dedbcbba43
Message ID: <199601301058.VAA09911@sweeney.cs.monash.edu.au>
Reply To: <4l3Iox2Mc50eMWY=8n@nsb.fv.com>
UTC Datetime: 1996-01-30 11:36:17 UTC
Raw Date: Tue, 30 Jan 1996 19:36:17 +0800
From: Jiri Baum <jirib@sweeney.cs.monash.edu.au>
Date: Tue, 30 Jan 1996 19:36:17 +0800
To: nsb@nsb.fv.com (Nathaniel Borenstein)
Subject: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To: <4l3Iox2Mc50eMWY=8n@nsb.fv.com>
Message-ID: <199601301058.VAA09911@sweeney.cs.monash.edu.au>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
Hello Nathaniel Borenstein <nsb@nsb.fv.com>
and cypherpunks@toad.com, Peter Monta <pmonta@qualcomm.com>
NSB wrote:
> Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Peter
> Monta@qualcomm.com (651*)
...
> > > NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER.
>
> > Never speak it either. Walls (and audio peripherals) have ears.
>
> When you can give me a cheap device that can be planted in the wall,
> listen to everything you say, and just spit out the credit card numbers,
> then I'll start to be worried about speaking it.
...
And in a later post:
...
> I used to trust the telephone not to be tapped in a selective way based
> on keyword recognition, but in recent years, with the improvement in
> voice recognition technology, I have stopped trusting it that way, and I
> know plenty of other people have too -- if you say "NSA" into a cellular
> call, you are probably inviting an eavesdropper.
...
So, what's wrong with the virus listening through the audio card?
Many people have their phone close to their computer, and credit-card
numbers spoken over the phone are usually spoken clearly.
> Similarly, we trust the postal service and certain uses of email not to
> be free of any insecurities, but to be hard to defeat in a large scale
> automated way.
...
Presumably mail from FV asking for confirmation wouldn't be too hard
to search for - I guess one would watch WinSock for connection
to the POP port then grab the password etc, followed by periodically
checking for new e-mail (without the user's knowledge).
Many people would already have their CC number on the computer somewhere,
in a letter they wrote (and later printed out and posted). If it's a virus,
it doesn't even need a net connection to communicate it back (it can just
remember it and pass it 'home' several infections later).
The real problem ain't the net, but lousy security in home systems.
(Hmm, with the sound cards, couldn't the virus just hypnotise the user....)
Jiri
- --
If you want an answer, please mail to <jirib@cs.monash.edu.au>.
On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
PGP EF0607F9 (but it's at uni so don't rely on it too much)
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
iQCVAwUBMQ35nCxV6mvvBgf5AQF6YQQAn4G7Ks+3Tbdc5k5t1Y3H1y6xTYtdQEyS
rpespy10GEqCV1QY7LSHSkqqDDfR3Mdx6dlLIMv+gyay9gz5jFp0IKBweWvNfGDr
iJa7EiE+6sHt9lR0pjDcL9MGca1cdzOvwZYX6wGoC3JPZBmgFbM7YYv/EYum63TH
CwsAkgA2hAk=
=2UHy
-----END PGP SIGNATURE-----
Return to February 1996
Return to “zinc <zinc@zifi.genetics.utah.edu>”