Excerpts from mail: 29-Jan-96 RE: FV Demonstrates Fatal F.. David Van Wie@hamachi.ep (764)
Using stolen credit card numbers is a risky business, and the ability of the credit card companies in detecting fraud and locating criminals is quite real.
And most of the fraud detection is premised on the fact that once a criminal steals a card number, he'll use it several times. That's why an automated attack of the kind we've outlined is so dangerous -- a clever criminal will use each stolen number only once, thus making himself far harder to trace.
Of course, since Federal law requires the credit card companies, not the user, to pay the costs of fraud, First Virtual's entire premise is a red herring. If the credit card companies are willing to take the risk, they will (and are).
Actually, you're wrong here too. It is the banks, not the credit card companies, that carry the risk. If, for example, Visa defines a standard for encrypted credit card numbers, and it turns out to be fatally flawed, it is the banks that will lose their shirts. This may not seem like an important distinction to you, but I assure you that it is important to bankers.
Scare tactics are nothing new in the PR business, but I would recommend that the principals at FV learn about "cutouts" for this type of gimmickry if they wish to preserve their reputations....
My reputation in the technical community, I assume, will stand or fall based on the validity of my technical claims, not on the knee-jerk reactions of people who don't even read the announcement thoroughly enough to understand the technique we have revealed. I have not yet heard anything that makes me think that my claim is untrue. We have revealed the first known strategy for an Internet-based large-scale automated attack on the credit card system. I think that's a real threat. -- Nathaniel -------- Nathaniel Borenstein <nsb@fv.com> Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq@nsb.fv.com