From: Weld Pond <weld@l0pht.com>
To: cypherpunks@toad.com
Message Hash: c182d5ad5f012615b0a167fd2496980864dc01c2344f63d7e5ae7b3532c46054
Message ID: <Pine.BSD/.3.91.960130094017.9580A-100000@l0pht.com>
Reply To: N/A
UTC Datetime: 1996-02-01 00:55:51 UTC
Raw Date: Thu, 1 Feb 1996 08:55:51 +0800
Subject: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
MIME-Version: 1.0
Content-Type: text/plain
Nathaniel Borenstein <nsb@nsb.fv.com> wrote:
>> Programs needing secure entry create a "secure entry field" which is
>> really just an imagemap with the digits (and alphas if required) placed
>> randomly about. The user then uses the mouse to click on these numerals.
>> Ideally the graphics that represent the numerals would be drawn from a
>> random pool and are misformed to thwart any OCR attempts. The graphics
>> could be made even more difficult to OCR by mixing in words and pictures to
>> represent the numbers.
>If any particular program for doing this came into widespread use, we
>could engineer an attack, similar to our keystroke attack, based on the
>specific properties of the approach used.
You could try but I don't think you would succeed. I have problems doing
OCR on faxes with a top of the line OCR program. Don't tell me your
trojan horse is going to be able to OCR images that are designed to be
hard to OCR.
Here is an example of an imagemap for secure number entry.
http://www.l0pht.com/~weld/numbers.html
Since this is inherently a visual thing, I thought I would cook up a
graphic on the web since you cannot do this via email easily.
Weld Pond - weld@l0pht.com - http://www.l0pht.com/
L 0 p h t H e a v y I n d u s t r i e s
Technical archives for the people - Bio/Electro/Crypto/Radio
L0pht Open House 2/3/96 at 8:00pm - Live on irc #l0pht - write
root@l0pht.com for details.
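
The randomized "secure entry field" described in the message above, sketched as an added example that is not part of the original post or of the numbers.html page: the server keeps a per-session digit layout and decodes reported click coordinates against it. The grid geometry and all function names are hypothetical, and the OCR-resistant glyph rendering is not modelled.

```python
import secrets

CELL_W, CELL_H, COLS = 40, 40, 5   # hypothetical geometry: 5x2 grid of 40px cells
ROWS = 10 // COLS

def new_layout():
    """Return a per-session layout: layout[cell_index] = digit drawn in that cell."""
    digits = list("0123456789")
    # Fisher-Yates shuffle driven by the OS CSPRNG, so the placement is unpredictable
    for i in range(len(digits) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return digits

def cell_at(x, y):
    """Map a click coordinate to a cell index, or None if it misses the imagemap."""
    if not (0 <= x < COLS * CELL_W and 0 <= y < ROWS * CELL_H):
        return None
    return (y // CELL_H) * COLS + (x // CELL_W)

def decode_clicks(layout, clicks):
    """Server side: turn reported clicks back into digits using the session layout."""
    out = []
    for x, y in clicks:
        cell = cell_at(x, y)
        if cell is None:
            raise ValueError(f"click {(x, y)} is outside the imagemap")
        out.append(layout[cell])
    return "".join(out)

def clicks_for(layout, number):
    """Simulate the user: click the centre of whichever cell shows each digit."""
    clicks = []
    for d in number:
        cell = layout.index(d)
        clicks.append(((cell % COLS) * CELL_W + CELL_W // 2,
                       (cell // COLS) * CELL_H + CELL_H // 2))
    return clicks

if __name__ == "__main__":
    number = "4111"  # constructed sample input, not a real card number
    for session in range(2):
        layout = new_layout()          # fresh placement for every entry form
        clicks = clicks_for(layout, number)
        print(session, clicks, "->", decode_clicks(layout, clicks))
```

Each run prints different click coordinates for the same digits, because the coordinates only have meaning together with that session's layout.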