1996-02-01 - Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards

Header Data

From: Nathaniel Borenstein <nsb@nsb.fv.com>
To: zinc <zinc@zifi.genetics.utah.edu>
Message Hash: 4d7260ba708ba742f0ca5edb4d4a517f221c401d510b912004cf93e858f43cdb
Message ID: <Ml3HWaOMc50eEWY6pA@nsb.fv.com>
Reply To: <Pine.LNX.3.91.960129134655.184C-100000@zifi.genetics.utah.edu>
UTC Datetime: 1996-02-01 18:20:30 UTC
Raw Date: Fri, 2 Feb 1996 02:20:30 +0800

Raw message

From: Nathaniel Borenstein <nsb@nsb.fv.com>
Date: Fri, 2 Feb 1996 02:20:30 +0800
To: zinc <zinc@zifi.genetics.utah.edu>
Subject: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To: <Pine.LNX.3.91.960129134655.184C-100000@zifi.genetics.utah.edu>
Message-ID: <Ml3HWaOMc50eEWY6pA@nsb.fv.com>
MIME-Version: 1.0
Content-Type: text/plain

Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F..
zinc@zifi.genetics.utah. (1368*)

> so what?  fv has a keyboard sniffer...

It's considerably more than that.  Please read on.

> for what it's worth, this sort of program could easily be used to get 
> info more important than credit card numbers.  passphrases and 
> passwords of all kinds could be obtained leading to broken accts or 
> worthless cryptography.

Yes, but I think you've missed the main point, probably because we
haven't made it clear enough.  What's unique about credit card numbers
is that they're very small amounts of data, self-identifying, and of
direct financial value as a one-way financial instrument (i.e. with no
confirmation process).  

The attack we've outlined -- and partially demonstrated -- is based on
the combination of several known flaws:

	-- It's easy to put malicious software on consumer machines
	-- It's easy to monitor keystrokes
	-- It's trivial to detect credit card numbers in larger data streams
	-- It's easy to disseminate small amounts of information tracelessly

We don't claim to have "discovered" any of these flaws.  However, when
you combine these known flaws, you have something new:  a plan for
stealing MILLIONS of credit card numbers without a trace.  That's the
new threat, and we think it's very real.

The other kinds of information you mention are certainly all vulnerable
to keyboard-sniffer attacks.  But the unique aspects of credit card
numbers make them particularly vulnerable to large scale automated theft
by this kind of attack.  I don't know of any other kind of sensitive
information that is as easily recognized and as worthwhile to steal.  Do

> additionally, this hardly has anything to do with netscape.  this is not 
> a 'bug' in netscape.

You're right, and I feel very bad about the fact that the article in the
Merc made it sound like this was specifically targeting Netscape.  While
it's true that we submitted this to Netscape's "bugs bounty" program --
which is probably what created the Netscape angle in the story -- we
really weren't targeting Netscape at all.  We consider this flaw to be a
very serious "design bug" in the whole
software-encryption-of-credit-cards approach to Internet commerce. 
Netscape is just one of several companies that have gone down this path,
but we think it's a very dangerous path, and one that Netscape, as a
vendor of web browsers and servers, can do quite well without.

> it's a malicious program.  

No, ours is a demonstration program, not a malicious program.  Our
program never installs itself automatically, always puts up an icon when
it's running, never does anything bad when it intercepts your credit card
number, and is easy to un-install.  However, it demonstrates a technique
that could be used by a malicious program to do some very nasty things.

> the only way to prevent 
> malicious programs from causing you problems is to know what your 
> computer is doing; what it's loading when you boot and what data it sends 
> through your phone lines when you're online.

This is fine for you & me.  But Internet commerce has to work for the
hundreds of millions of non-technical consumers who are swarming onto
the Internet.  If someone emails them a program that purports to show
them pretty pictures (dirty movies?) for free, how many of them will
stop to try to make sure that this program isn't going to do something
malicious in the process?  The bottom line is that the consumer platform
is never going to be a very safe place, so commerce mechanisms shouldn't
assume that it is.  We may not like that fact, but it's true
nonetheless.  -- Nathaniel
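
Added example, not part of the original message and not FV's demonstration program: the "self-identifying" property discussed above is the same one data-loss-prevention scanners rely on to find and mask card numbers that have leaked into logs. It assumes card numbers are 13-19 digits with a Luhn check digit; the function names and the sample lines are constructed for illustration.

```python
import re

# Candidate runs: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample log lines (well-known test numbers, not real cards).
SAMPLE = [
    "user=alice field=card value=4111 1111 1111 1111",
    "user=bob note=pay with 5555-5555-5555-4444 please",
    "order id 1234567890123456 shipped",   # 16 digits, fails the checksum
    "tel 555 0100",                        # too short to be a candidate
]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit runs in text, separators removed."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid candidate in text with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask(digits) if luhn_ok(digits) else m.group()
    return CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for line in SAMPLE:
        print(redact(line))
```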