From: Phil Karlton <karlton@netscape.com>
Date: Thu, 8 Feb 1996 10:16:35 +0800
To: Nathaniel Borenstein <nsb@nsb.fv.com>
Subject: Re: FV's Borenstein discovers keystroke capture programs! (pictures at 11!)
In-Reply-To: <c=US%a=_%p=msft%l=RED-66-MSG960129190324HH007C00@red-02-imc.itg.microsoft.com>
Message-ID: <310F13E7.13AA@netscape.com>
MIME-Version: 1.0
Content-Type: text/plain


Nathaniel Borenstein wrote:

> We have a few pages of C code that scan everything you type on a
> keyboard, and selects only the credit card numbers.  How easy is that to
> do with credit card numbers spoken over a telephone?
> 
> The key is large-scale automated attacks, not one-time interceptions.

This fact that the filtering can be done on the client side is nearly 
irrelevant. Most people do not hit enough keystrokes in a day to prevent sending 
the entire keyboard stream back to the filtering agent.

Since most folks do not spend most of their time typing in nonsense phrase, you 
could probably pick out the First Virtual account number also. With only a 
little more cleverness you can get the file containing private keys. With a few 
thousand tries through the stream you can decrypt that file using the user's 
pass phrase.

If you have the ability to change the software on the user's machine to 
something arbitrary, why bother stopping at something as "trivial" as a single 
credit card number.

PK
--
Philip L. Karlton			karlton@netscape.com
Principal Curmudgeon			http://www.netscape.com/people/karlton
Netscape Communications Corporation