1996-02-01 - Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards

Header Data

From: Nathaniel Borenstein <nsb@nsb.fv.com>
To: zinc <zinc@zifi.genetics.utah.edu>
Message Hash: b0cc002fe94426b98a71a9f233b77f877d2c2bae972ac8d438993ce55c539efc
Message ID: <Ml3I=nWMc50eAWYBgO@nsb.fv.com>
Reply To: <Pine.LNX.3.91.960129141757.184E-100000@zifi.genetics.utah.edu>
UTC Datetime: 1996-02-01 16:12:57 UTC
Raw Date: Fri, 2 Feb 1996 00:12:57 +0800

Raw message

From: Nathaniel Borenstein <nsb@nsb.fv.com>
Date: Fri, 2 Feb 1996 00:12:57 +0800
To: zinc <zinc@zifi.genetics.utah.edu>
Subject: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To: <Pine.LNX.3.91.960129141757.184E-100000@zifi.genetics.utah.edu>
Message-ID: <Ml3I=nWMc50eAWYBgO@nsb.fv.com>
MIME-Version: 1.0
Content-Type: text/plain

Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F..
zinc@zifi.genetics.utah. (3361*)

> this program is not specific to credit card numbers.  it sounds like
> it could have just as easily been written to watch for a login: or
> password: prompt and then record everything entered after that.

Yeah, but the real payoff is in the automated theft of items of value,
such as credit cards.  Since that's the real payoff for criminals, it's
also one of the biggest practical risks to watch for.

> the point is not that this can be done, the point is that users need
> tools that would check for programs like this running on their
> system.  is fv making a 'fix' available?  i would imagine a  'fix'
> would be a program that would look for tsr type programs (or inits on
> a mac) that do this sort of thing.  

That's why we've used terms like "fatal flaw" that have led to charges
of overinflated rhetoric, but the truth is that THERE IS NO GENERAL WAY
TO PREVENT THIS.  Our program only uses standard OS hooks.  There's no
way to distinguish a general program of this type from a legitimate
screen saver, keyboard macro package, etc.  We could easily write a
program that detects our demonstration program, but what good would
that do?  It wouldn't detect a malicious program using a similar
approach.  You can detect the last known attack, but not the next attack.

That's why we say it is a fatal flaw for software-encrypted credit card
numbers.  I believe it truly is.

> this is the sort of thing that crypto can help with.  there should be
> a site that PGP signs the programs available from their site.  these
> signed programs will have been tested on the appropriate system and
> verified to be free of small malicious programs such as the one you
> describe.  alternatively, the author themselves could PGP sign the app
> (this is already done) and this would be what users should d/l.

Do you really believe that the average Internet consumer can be trained
never to download any software before performing such checks?  Do you
really believe that the average Internet consumer can be trained in the
proper management of his crypto keys that will make such a check

With nearly 100,000 paying customers, we're seeing first-hand what the
average Internet consumer is like.  We have seen customers who complain
(seriously!) that they get so lost in our web pages that they have to
reboot their machines.  You want to explain key management to these

> it's disappointing to see the spin put on this by fv.  instead of
> going with scare tactics, they could encourage PGP signatures and suggest
> solutions to this problem like the ones i mentioned above.  in fact,
> fv could even volunteer to help set up a site where all software has
> been tested and signed by someone who has had their PGP key signed by
> fv, sort of an expansion of the web of trust.

I'm very big on PGP signatures.  In fact, the next major change
scheduled in our commerce system functionality will be the addition of
PGP signatures to the messages that FV sends to its merchants, which are
A) the ones most worth forging, B) sent to merchants, who are more
likely to be able to check them properly than consumers, and C)
dependent on the integrity of only one party's keys (FV's), which will
be changed VERY frequently.

I don't think that a software repository site of the kind you mention
will provide enough security to make credit cards on the desktop safe. 
It will certainly, however, make the people who use it safer than they
would be without it.  Having said that, I will add that we'd *love* to
help set up a site like that, but we don't have deep pockets to simply
fund it ourselves (yet).  We'd be very interested in working with
others, signing keys, providing some expertise, and so on.  What you're
really talking about here is an "underwriters lab" of the net.  The big
question is: who will pay for it?  My guess is that you really have to
end up having people subscribe to the site, and they'll need a safe way
to pay for it.  That's what we've been working on all along.