From: Jeremey Barrett <jeremey@veriweb.com>
Date: Thu, 10 Oct 1996 12:37:26 -0700 (PDT)
To: Kip DeGraaf <kip@monroe.lib.mi.us>
Subject: Re: What are the flaws with FV payment system?
In-Reply-To: <Pine.SUN.3.91.961010103809.463D-100000@monroe.lib.mi.us>
Message-ID: <Pine.BSI.3.93.961010114549.7919B-100000@descartes.veriweb.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 10 Oct 1996, Kip DeGraaf wrote:

> I only received this an hour ago.  I would very much like to attend, but 
> can't put my fingers on the detailed analysis of FV's flaws in their 
> system, which I would like to bring up in person at this seminar.  
> 
> Could someone please point me in the right direction?
> 

I haven't seen any such analysis myself, but there is likely one available.
- From looking at FV's claims and descriptions of transactions, here's
a few things I'd say:

 o A buyer's VirtualPIN is given insecurely to the merchant, unless
   transmitted via secure HTTP. If not over SSL or HTTPS, anyone along
   the way can swipe the VirtualPIN.

 o It is easy to "verify" a PIN as a valid PIN. You can use finger, telnet,
   and email among other things. Easy target for a dictionary attack.

 o Payment confirmation messages are sent to the buyer via email, 
   unencrypted, insecure, etc... Easy target for slightly-less-than-honest
   system admins, and most anyone else between FV and the buyer. Easy 
   traffic analysis, though the FV payment scheme does not offer 
   anonymity as a feature. Absolutely zero privacy.

 o Read this: http://www.fv.com/pubdocs/FAQ-security.txt
   Nuff said.

 o It appears that anyone can fake a reply to a payment confirmation
   message. It appears some sort of transaction id is necessary in the reply,
   but it's not entirely evident. (the id comes in the comfirmation
   request if it does exist, you wouldn't need any other knowledge).

 o Given the above, it doesn't seem hard to spoof either merchant requests
   and/or buyer confirmations, charging the real VirtualPIN-holder without
   his/her knowledge. If the confirmation-request email could be prevented
   from reaching the intended user, they would never even know it happened,
   til they get their credit-card bill.

 o Logistically, it requires a user has access to his/her email account
   at all times to make purchases. For a timely purchase, it requires a
   user to receive the confirmation-request quickly, and the reply to
   reach FV quickly. Every ISP I've used has noticeable lag handling mail
   at times, often minutes long. Mail queues get big.

 o On the plus side, you send your credit card info over the incredibly,
   massively, montrously secure phone lines by calling these people up. ;-)

This is all from looking over their pages for a few minutes a while back,
and quicky just now, so I may have erred in places. Someone with experience
using the system and/or someone with FV's email message specs would be good
to talk to.

The claims they make about encryption just generally make me want to dislike
them immensely, regardless of the merits of their system.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jeremey Barrett
Senior Software Engineer                         jeremey@veriweb.com
VeriWeb Internet Corp.                           http://www.veriweb.com/

PGP Key fingerprint =  3B 42 1E D4 4B 17 0D 80  DC 59 6F 59 04 C3 83 64
PGP Public Key: http://www.veriweb.com/people/jeremey/pgpkey.html
                
		"less is more."  -- Mies van de Rohe.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMl1QoC/fy+vkqMxNAQE2VgQA2A75PJWRhh8n5rdOYhRS2vnuod2O9lzn
K8Rdxui9NZ6ZXk3RBCQHXG1vbzmKgwA9sb7BBjygrE4KdzdQUrHwhmJKZJfP7IGe
jbgNuAtXEYeIgP5K4pjjWWl0fVN4H7vV98AukkBxDDaif1Iklw/g4ByzKVa23i5k
9MCXNdercOU=
=Fws8
-----END PGP SIGNATURE-----