Nathaniel Borenstein wrote:
We have a few pages of C code that scan everything you type on a keyboard, and selects only the credit card numbers. How easy is that to do with credit card numbers spoken over a telephone?
The key is large-scale automated attacks, not one-time interceptions.
This fact that the filtering can be done on the client side is nearly irrelevant. Most people do not hit enough keystrokes in a day to prevent sending the entire keyboard stream back to the filtering agent. Since most folks do not spend most of their time typing in nonsense phrase, you could probably pick out the First Virtual account number also. With only a little more cleverness you can get the file containing private keys. With a few thousand tries through the stream you can decrypt that file using the user's pass phrase. If you have the ability to change the software on the user's machine to something arbitrary, why bother stopping at something as "trivial" as a single credit card number. PK -- Philip L. Karlton karlton@netscape.com Principal Curmudgeon http://www.netscape.com/people/karlton Netscape Communications Corporation