1996-02-01 - Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards

Header Data

From: "Ed Carp, KHIJOL SysAdmin" <erc@dal1820.computek.net>
To: nsb@nsb.fv.com (Nathaniel Borenstein)
Message Hash: baf7d3808eb4ccb3c3f6be18fb4327f44eda63ae1ef68be894a46b7a05a4c160
Message ID: <199601300255.VAA17086@dal1820.computek.net>
Reply To: <Al3GYGSMc50eQWYAdR@nsb.fv.com>
UTC Datetime: 1996-02-01 18:04:23 UTC
Raw Date: Fri, 2 Feb 1996 02:04:23 +0800

Raw message

From: "Ed Carp, KHIJOL SysAdmin" <erc@dal1820.computek.net>
Date: Fri, 2 Feb 1996 02:04:23 +0800
To: nsb@nsb.fv.com (Nathaniel Borenstein)
Subject: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To: <Al3GYGSMc50eQWYAdR@nsb.fv.com>
Message-ID: <199601300255.VAA17086@dal1820.computek.net>
MIME-Version: 1.0
Content-Type: text


[general back-patting hysterical text elided]

> Our basic approach was to write a computer program that runs undetected
> while it monitors your computer system. A sophisticated version of such
> a program can intercept and analyze every keystroke, mouse-click, and
> even messages sent to your screen, but all we needed was the keystrokes.
> Selectively intercepted information can be immediately and secretly
> transmitted via Internet protocols, or stored for later use.

"Sophisticated"?  Any first-year comp sci student could do the same.
Hooking into the keyboard interrupt is child's play.  Reading the display
memory is even easier.  Who is this guy trying to bullshit, anyway?

> First Virtual's research team has built and demonstrated a particular
> implementation of such a program, which only watches for credit card
> numbers.  Whenever you type a credit card number into your computer --
> even if you are talking to "secure" encryption software -- it captures
> your card number.  Our program doesn't do anything harmful with your
> credit card number, but merely announces that it has captured it.  A
> malicious program of this type could quietly transmit your credit card
> number to criminals without your knowledge.
> 
> The underlying problem is that the desktop -- the consumer's computer --
> is not secure.  There is no way of ensuring that all software installed

No shit.

> on the consumer's machine can be trusted.  Given this fact, it is unwise
> to trust ANY software such as a "secure" browser, because malicious
> software could have easily been interposed between the user and the
> trusted software.  

Uh-huh.  So, no one should ever use a computer ever again, if this 
nonsense is to be believed...

> The bottom line for consumers is that, on personal computers,

Oh?  So non-personal computers are secure?

> INFORMATION IS INSECURE THE MOMENT YOU TOUCH A KEY.  We have

OH-MY-GOD-PLEASE-FIRST-VIRTUAL-SAVE-ME-FROM-MY-EVIL-COMPUTER-AND-MAKE-THE-
NET-SAFE-FOR-ONLY-YOUR-PRODUCTS!!

> dramatically proven that security ends the moment you type sensitive

The only thing that this post "dramatically proves" is that the poster is 
an idiot.  Double for his company.

Even LD was never this stupid.

> information into your computer. The vulnerability lies in the fact that
> information must travel from your keyboard, into your computer's
> operating system, and then to your "secure" application. It can be
> easily intercepted along the way.
> 
> This kind of insecurity is very frightening, and has implications far

Oh, yeah, please save me from my evil computer.  Give me a break.

> In short, credit card numbers are an almost perfect example of how NOT
> to design a payment instrument for an insecure public computer network
> such as the Internet.

Unless, of course, you use *our* products, services, etc.

> DETAILS:  HOW TO TOTALLY UNDERMINE SOFTWARE ENCRYPTION OF CREDIT CARDS
> 
> First Virtual's demonstration credit-card interception program, once
> installed, observes every keystroke that you type, watching for credit
> card numbers.  It recognizes credit card numbers with almost perfect
> accuracy, because credit card numbers are specifically designed to match
> a simple, self-identifying pattern, including a check digit.  Our
> program is even smart about punctuation and simple editing functions, so
> that nearly any credit card number that you type into your computer is
> immediately recognized as such by this program.  

So what?  Any first-year comp sci student could do the same.

> First Virtual's intent is to educate the public, certainly not to
> endanger it.  For that reason, our program incorporates four important
> precautions intended to prevent any possibility of harm:

First Virtual's apparent "intent" is to scare the public and panic people
into believing that they, and only they, have some sort of "magic bullet"
that will save us all from Evil Computer Geniuses.  Just another scam to
try and make money off of unsuspecting people by trying to scare them to
death.  Just another version of the "Good Times Virus".

> It is frankly difficult to overstate the severity of the problem
> demonstrated by our program.  A clever criminal could use viral

It is frankly difficult to overstate the idiocy of this post.

> First Virtual believes that the flaw we have uncovered is fatal.  In the
> foreseeable future, all commerce schemes based on software encryption of
> credit cards on the desktop are completely vulnerable to this sort of
> attack.

And the sky is falling, too...

> The basic problem is that software encryption of credit cards is
> predicated on the notion of "trusted software".  On the consumer
> computing platforms, however, general purpose operating system
> functionality makes it unwise to assume too strong a level of trust in
> such software.  No operating system with anything less than
> military-grade security (B2) is likely to be safe from an attack such as
> this one.

Nonsense.  This also implies that Windows, MS-DOS, NT, etc., are all some 
sort of "insecure platform" and they are presumably infected from the 
start.  I suppose that when Bill Gates picks himself up off the floor 
from laughing, he just might send his lawyers after you.  Maybe.

> This does not mean that Internet commerce is dead.  Any scheme that is
> not based on self-identifying one-way financial instruments such as
> credit cards will be essentially unaffected by this problem.  Moreover,
> even credit cards may be made safe on the Internet using one of two
> approaches:  secure hardware add-ons and the First Virtual approach.

Gee, why did I know this was coming?

> There's simply no other way to keep credit cards safe on the net.  The
> program we have demonstrated completely undermines the security of all
> known programs that claim to handle credit card numbers safely on the
> Internet.

With a Windows program?  I guess it runs on every known platform, under 
every known OS.  My, that *is* one hell of a program...

I guess I'd better stop using my linux box .. it could've been infected
with the "FV Windows Virus" ... hehehe
--
Ed Carp, N7EKG    			Ed.Carp@linux.org, ecarp@netcom.com
					214/993-3935 voicemail/digital pager
					800/558-3408 SkyPager
Finger ecarp@netcom.com for PGP 2.5 public key		an88744@anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken families,
through the hurt and the loss and the agony only the night ever hears, is a
waiting soul.  Patient, permanent, abundant, it opens its infinite heart and
asks only one thing of you ... 'Remember who it is you really are.'"

                    -- "Losing Your Mind", Karen Alexander and Rick Boyes
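The quoted announcement's one technical claim is that a card number is "self-identifying" because of its check digit, so it can be picked out of an arbitrary stream of keystrokes even when typed with spaces or dashes. The same property is what defenders rely on to find card numbers that should not be in a log file or an outbound message. The following is an added example, not First Virtual's program and not anything from the original thread: it scans text for runs of 13 to 19 digits with optional separators, keeps only those that satisfy the Luhn check digit, and redacts them. The sample text and the order-id lookalike are constructed for the example; the regular expression and the masking policy are this example's own choices.

```python
import re

# Constructed sample input (not from the original message): one line leaks a
# card number typed with mixed separators, the next holds a 16-digit order
# reference that looks like a card number but fails the Luhn check.
SAMPLE_TEXT = (
    "order=1234 card=4111-1111 1111.1111 exp=12/99\n"
    "ref=1234567890123456 note=nothing to see\n"
)

# A candidate is 13 to 19 digits, each optionally followed by one space,
# dash or dot, and not embedded in a longer run of digits.  The lookarounds
# stop the scanner from pulling a "valid" 16-digit window out of a longer id.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ \-.]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn check digit.

    Walking from the right, every second digit is doubled and digits above
    nine are reduced by nine; the number is valid when the sum is 0 mod 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip separators so '4111-1111 1111.1111' becomes '4111111111111111'."""
    return re.sub(r"\D", "", candidate)


def find_pans(text: str) -> list:
    """Return the normalized digit strings in text that pass the Luhn check."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid candidate, keeping only its last four digits.

    Candidates that fail the check (order ids, phone numbers, timestamps) are
    left untouched, which is what keeps the false-positive rate tolerable.
    """
    def mask(m):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)
    return CANDIDATE.sub(mask, text)


if __name__ == "__main__":
    print("found:", find_pans(SAMPLE_TEXT))
    print(redact_pans(SAMPLE_TEXT), end="")
```

Run against the constructed sample, the scanner reports exactly one card number and leaves the order reference alone, because 1234567890123456 sums to 64 under Luhn while 4111111111111111 sums to 30. Two limits worth knowing before using this on real data: the check digit only detects well-formed numbers, so it cannot distinguish a live card from a test number, and a Luhn-valid run of digits is occasionally something else entirely, so production DLP rules usually add issuer prefix and length tables on top of this check.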