Congratulations to FirstVirtual for having taken key-capture techniques that everyone has known about forever, and skillfully propagandizing them as a 'fatal flaw in software encryption', playing on the technophobia of the masses, who are afraid of computers already ("INFORMATION IS INSECURE THE MOMENT YOU TOUCH A KEY". snork), to engender widespread fear of encryption ("ENCRYPTING CREDIT CARDS ON THE DESKTOP IS NOT ONE OF THE SAFE MECHANISMS"), thereby (hopefully) enhancing the market share of FV, which doesn't use encryption.

1) I remember Mr. Borenstein saying a year or two ago something like "We have nothing against encryption; we're just using a non-encrypting technique for the moment, because it can be quickly, easily, and safely deployed by us. Eventually, we'll probably use encryption." Apparently, this propaganda piece marks a change of strategy.

2) This is the first net-distributed "security alert" I've noticed with almost no real content. No one who knows a bit about computer security learned anything they didn't already know from that "alert". Rather, it was distributed in the _form_ of a CERT-like alert, but with a purpose and effect that is almost solely marketing of FV. I'm sure we can expect many more now that FV has pioneered the propaganda-as-alert technique: people are really scared about virus and security risks, since they know nothing about them, and will pay a lot of attention to them (witness "Good Times"), much more attention than they'd normally pay an advertisement. This masquerading advertisement is akin to the advertisements masquerading as editorial content that you see in many magazines not respectable enough to prohibit such things.

3) I believe that FV works by assigning the user some sort of ID number. They send the ID across the net, FV has a database with "FV-ID" <-> credit-card-number correspondences, the merchant sends FV the ID, FV bills your card and pays the merchant.

Now, if I'm correct about how FV works, we could clearly write a program that searches your HD for FV's data files, extracts your FV-ID from them, and steals it. It could be a virus, it could send the FV-ID across the net, whatever. We could then use your FV-ID to fraudulently make purchases through the FV system that would be billed to you. This is essentially the same attack as FV "demonstrates" against software-encrypted credit cards over the net: that is, the "You have an insecure system and if we can put evil software on it, we can get you." attack. True, we wouldn't have your credit card number, and we couldn't order stuff from LL Bean billed to you. We could just order stuff from FV merchants. So maybe it's marginally better. Maybe. But I can't see any way FV could be immune to an attack of this sort. I believe that all they do is give you a First Virtual ID number sent across the net (in the clear!) in lieu of your card number. With an insecure PC as an assumption (and it is probably a good one, actually), I can't see how FV could be immune from an attack of this sort. If Mr. Borenstein or anyone else thinks it is, please explain how. Sigh.