Nathaniel Borenstein <nsb@nsb.fv.com> writes:
The attack we've outlined -- and partially demonstrated -- is based on the combination of several known flaws:
-- It's easy to put malicious software on consumer machines
-- It's easy to monitor keystrokes
-- It's trivial to detect credit card numbers in larger data streams
-- It's easy to disseminate small amounts of information tracelessly
But take away the inputting of the credit card number via keystroke and the flaw disappears. How would your program deal with a scheme like this?

Programs needing secure entry create a "secure entry field" which is really just an imagemap with the digits (and alphas if required) placed randomly about. The user then uses the mouse to click on these numerals. Ideally the graphics that represent the numerals would be drawn from a random pool and are misformed to thwart any OCR attempts. The graphics could be made even more difficult to OCR by mixing in words and pictures to represent the numbers.

An even better solution may be to have the imagemap generated by the server and just the mouse clicks sent back to be decoded on the server. That is how server side imagemaps work now over the web. It shouldn't be hard to take credit card numbers this way.

Weld Pond - weld@l0pht.com - http://www.l0pht.com/
L 0 p h t   H e a v y   I n d u s t r i e s
Technical archives for the people - Bio/Electro/Crypto/Radio
L0pht Open House 2/3/96 at 8:00pm - Live on irc #l0pht - write root@l0pht.com for details.
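The server-side variant described in the message above, as an added example that is not part of the original post: the server keeps a per-keypad random digit layout, and only click coordinates are sent back to be decoded. The grid size, cell size and the names `Keypad` and `simulate_entry` are assumptions for illustration, and rendering the distorted image is not shown.

```python
import secrets

COLS, ROWS, CELL = 5, 2, 40   # assumed: 5x2 grid of 40-pixel cells, one per digit

class Keypad:
    """One randomized keypad. The layout stays on the server; the client
    receives only the rendered image and returns click coordinates."""

    def __init__(self, layout=None):
        if layout is None:
            layout = list("0123456789")
            secrets.SystemRandom().shuffle(layout)   # fresh placement per keypad
        if sorted(layout) != list("0123456789"):
            raise ValueError("layout must contain each digit exactly once")
        self.layout = list(layout)    # index = row * COLS + col
        self.used = False

    def cell_centre(self, digit):
        """Where a user looking at the image would click for `digit`."""
        row, col = divmod(self.layout.index(digit), COLS)
        return (col * CELL + CELL // 2, row * CELL + CELL // 2)

    def decode(self, clicks):
        """Translate returned (x, y) clicks into digits. Single use, so a
        recorded click sequence cannot be replayed against this keypad."""
        if self.used:
            raise ValueError("keypad already used")
        self.used = True
        digits = []
        for x, y in clicks:
            if not (0 <= x < COLS * CELL and 0 <= y < ROWS * CELL):
                raise ValueError("click outside the keypad image")
            digits.append(self.layout[(y // CELL) * COLS + (x // CELL)])
        return "".join(digits)

def simulate_entry(keypad, number):
    """Constructed stand-in for the user: click the cell showing each digit."""
    return [keypad.cell_centre(d) for d in number]

if __name__ == "__main__":
    TEST_NUMBER = "4111111111111111"          # constructed sample, not a real card
    first, second = Keypad(), Keypad()
    clicks = simulate_entry(first, TEST_NUMBER)
    print("clicks sent back:", clicks[:3], "...")
    print("server decodes:  ", first.decode(clicks))
    print("same clicks, other keypad:", second.decode(clicks))
```

The coordinates alone carry no digits: decoded against any other layout they yield a different number, which is why the layout must be regenerated for every entry and never sent to the client in a machine-readable form.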