Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. zinc@zifi.genetics.utah. (1368*)
so what? fv has a keyboard sniffer...
It's considerably more than that. Please read on.
for what it's worth, this sort of program could easily be used to get info more important than credit card numbers. passphrases and passwords of all kinds could be obtained leading to broken accts or worthless cryptography.
Yes, but I think you've missed the main point, probably because we haven't made it clear enough. What's unique about credit card numbers is that they're very small amounts of data, self-identifying, and of direct financial value as a one-way financial instrument (i.e. with no confirmation process). The attack we've outlined -- and partially demonstrated -- is based on the combination of several known flaws: -- It's easy to put malicious software on consumer machines -- It's easy to monitor keystrokes -- It's trivial to detect credit card numbers in larger data streams -- It's easy to disseminate small amounts of information tracelessly We don't claim to have "discovered" any of these flaws. However, when you combine these known flaws, you have something new: a plan for stealing MILLIONS of credit card numbers without a trace. That's the new threat, and we think it's very real. The other kinds of information you mention are certainly all vulnerable to keyboard-sniffer attacks. But the unique aspects of credit card numbers make them particularly vulnerable to large scale automated theft by this kind of attack. I don't know of any other kind of sensitive information that is as easily recognized and as worthwhile to steal. Do you?
additionally, this hardly has anything to do with netscape. this is not a 'bug' in netscape.
the only way to prevent malicious programs from causing you problems is to know what your computer is doing; what it's loading when you boot and what data it sends
You're right, and I feel very bad about the fact that the article in the Merc made it sound like this was specifically targeting Netscape. While it's true that we submitted this to Netscape's "bugs bounty" program -- which is probably what created the Netscape angle in the story -- we really weren't targeting Netscape at all. We consider this flaw to be a very serious "design bug" in the whole software-encryption-of-credit-cards approach to Internet commerce. Netscape is just one of several companies that have gone down this path, but we think it's a very dangerous path, and one that Netscape, as a vendor of web browsers and servers, can do quite well without. it's a malicious program. No, ours is a demonstration program, not a malicious program. Our program never installs itself automatically, always puts up an icon when it's running, never does anything bad when it intecepts your credit card number, and is easy to un-install. However, it demonstrates a technique that could be used by a malicious program to do some very nasty things. through your phone lines when you're online. This is fine for you & me. But Internet commerce has to work for the hundreds of millions of non-technical consumers who are swarming onto the Internet. If someone emails them a program that purports to show them pretty pictures (dirty movies?) for free, how many of them will stop to try to make sure that this program isn't going to do something malicious in the process? The bottom line is that the consumer platform is never going to be a very safe place, so commerce mechanisms shouldn't assume that it is. We may not like that fact, but it's true nonetheless. -- Nathaniel