1996-01-31 - Apology and clarification

Header Data

From: Nathaniel Borenstein <nsb@nsb.fv.com>
To: cypherpunks@toad.com
Message Hash: e9c5572c4de5f6fded8f725159d51176d4c97acdb8ead4e9d881ac834d5577d3
Message ID: <cl3ShvGMc50eEWY1pL@nsb.fv.com>
Reply To: N/A
UTC Datetime: 1996-01-31 15:50:43 UTC
Raw Date: Wed, 31 Jan 1996 23:50:43 +0800

Raw message

From: Nathaniel Borenstein <nsb@nsb.fv.com>
Date: Wed, 31 Jan 1996 23:50:43 +0800
To: cypherpunks@toad.com
Subject: Apology and clarification
Message-ID: <cl3ShvGMc50eEWY1pL@nsb.fv.com>
MIME-Version: 1.0
Content-Type: text/plain


First of all, I believe that I owe the cypherpunk community an apology
for an error in judgement on my part.  The message that I sent out
yesterday regarding our demonstrations of a newly-discovered security
threat was the exact same text that I  sent to a  far less technical
audience.  As such, I understand that many people on this list found the
tone of my message to be insulting and offensive.  I apologize, and I
certainly didn't mean to insult anyone's intelligence.  

Having said that, please cut me a break.  If you read my message as
saying "FV has just invented keystroke sniffing" you've completely
missed the real attack here.  If you really think I'd throw away my
reputation on a bogus claim like that, you're insulting *my*
intelligence.   My (charitable?) take on it is that a lot of people were
so put off by the tone of my mass-market message that they leapt to the
quick but erroneous conclusion that there was no underlying content. 
There is.

The threat is NOT from keystroke sniffing per se, and we're certainly
not claiming to have invented keystroke sniffing.  However, we do have
to *explain* keystroke sniffing in the public announcement, because it
is a *part* of our attack, and most of the public does NOT already know
that it's possible.

What we at FV have done is to demonstrate how easy it is to develop an
FULLY AUTOMATED attack that undermines the security of all
software-based credit card commerce schemes.  It is the automated aspect
that separates it from all of the "dumpster-diving" attacks on credit
card numbers which have previously been widely discussed, because it
provides a path to large-scale fraud that has never been publicly
discussed before, to my knowledge.  The key "invention" in our approach
is to integrate several techniques that are already well-known (in this
community) into an automated attack that we consider to be devastating
to commerce systems based on software-encrypted credit cards.

Our approach combines the following four known problems into a fatal attack:

	1) Consumer machines are insecure and easily compromised.
	2) Keyboard sniffers are easy to write.
	3)  Credit card numbers are self-identifying (they have check digits) 
	    and can easily be extracted from a huge stream of input data.
	4)  Once intercepted, small amounts of information (e.g. a cc #)
	     may be distributed completely tracelessly over the Internet.

When you put all four of these together, you have an attack that IS new,
in the sense that nobody we know of has ever mentioned it before, and
which could in fact be used by a single criminal, with only a few weeks
of programming, to tracelessly steal MILLIONS of credit cards, if
software-encrypted credit-card schemes ever caught on.

This is a very real threat.  If you think we're just re-hashing keyboard
sniffers, you haven't yet understood what we're demonstrating.  The real
threat is the traceless theft of millions of credit card numbers by a
single easily mounted automated attack.

So here's the factual claim, to be proven or disproven:  One good
programmer, in less than a month, can write a program that will spread
itself around the net, collect an unlimited number of credit card
numbers, and get them back to the program's author by non-traceable
mechanisms.  Does anyone on this list doubt that this is true?  If so,
I'd like to know the flaw in my thinking, -- I am *not* too proud to
withdraw any claims that aren't true.  If not, I think it's worth noting
that this fact was previously completely unknown to the bankers and
businessmen who are putting large sums of money at risk on the net.  The
only way to get the message to those communities is with a very visible
public announcement of the kind you saw yesterday.  -- Nathaniel
--------
Nathaniel Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq@nsb.fv.com





Thread