Re: FV's blatant double standards

At 09:26 AM 2/4/96 -0500, Simson L. Garfinkel wrote:
At 8:18 AM 1/31/96, Rishab Aiyer Ghosh wrote:
FV demonstrated, through its "card sharp" or whatever, that real-time transactions are vulnerable to sniffers on the recipient's own machine. Of course. We all knew that. But the mistake is to assume that FV isn't _equally_ vulnerable to that threat. If you can write a trojan that will somehow get privileged access to my machine, trap my keystrokes, and identify my credit card number, you can certainly write one that will, sitting on my machine: "intercept the user's electronic mail, read the confirmation message from First Virtual's computers, and send out a fraudulent reply" (to quote from Simson's article). Simson further quotes FV's Lee Stein: "A single user can be targeted, Stein said, but ''it is very difficult. . . . There are too many packets moving . . . to too many different machines.''" - which is of course equally true for real-time Netscape transactions.
Oh, I think that such a program can be written. However, it would be much harder to get right, considering all of the different ways that people read e-mail.
The code looks something like this:
1) hook into the winsock and look for an FV message in the web data stream, save the ID.
2) now look for an approve/deny/fraud; when you see one you know that the user uses an IP connection for mail and web.
3) Forward the ID to an anon box.
4) Look for outbound FV messages with 'fraud' or 'deny' and change to 'approve'.
Clearly this will miss AOL, CI$ et al., but that's not important. The issue is not FV noticing the error, they will, it's how long it takes and how much you can steal in the interim. There is a Helen Keller quote I'm rather fond of which starts: "Security is mostly a superstition ..." *If the machine is not secure all bets are off* The most likely failure vector for this attack is that so few people use FV :-)

John Pettitt, jpp@software.net
VP Engineering, CyberSource Corporation, 415 473 3065
"Technology is a way of organizing the universe so that man doesn't have to experience it." - Max Frisch

I've debunked this one before, but let me say it again. John outlines essentially the same scheme for an automated attack on FV that was previously posted by Jeff Weinstein at Netscape. (Actually, to be fair, Jeff's was considerably more sophisticated in its attempt to avoid detection by FV.) John's approach will essentially change all negative FV confirmation answers to positive ones. There are a couple of key flaws in his approach:
1. He doesn't explain how he's going to spot the VirtualPIN in the outgoing stream. Given the non-structured nature of the VirtualPIN, this alone probably requires more sophistication than our entire attack program.
2. He acknowledges that this approach will miss anyone who isn't buying things from the machine that actually composes his mail messages. What he doesn't seem to realize, however, is that this means that any automated attack will cause "fraud" to be called as soon as it hits a user of AOL, Compuserve, etc. Jeff's approach would last a bit longer, but is also vulnerable to heterogeneous mail environments.
The real point is that an automated attack like this one is undermined by email heterogeneity, which will cause FV's fraud department to be alerted quite quickly & trace things down. In contrast, the attack we've outlined on credit card numbers is simple, single-step, and has no obvious "misfiring path" that would lead to quick detection. It could do its dirty work for a long time. Simson's comment almost, but not quite, made this clear:
Yes, clearly if you are not concerned about missing 50-75% of First Virtual's users, this attack will work just fine.
The "just fine" is incorrect, however, because those 50-75% will not be MISSED, they will be attacked incompletely, and they will object to false transactions, causing our fraud department to launch an investigation. This attack would get stopped pretty quickly, I believe. -- Nathaniel -------- Nathaniel Borenstein <nsb@fv.com> Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq@nsb.fv.com
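The two sides of this argument, John's four-step rewriter and Nathaniel's "misfiring path" objection, are easier to see as a small simulation. The following is an added illustration, not First Virtual's real protocol and not code from anyone in the thread: the message formats ("BUY", "FV-CONFIRM", "FV-REPLY"), the VirtualPIN value and the two victim profiles are assumptions made for the model. The trojan is reduced to a hook that sees only traffic leaving the infected host, which is exactly why it cannot touch a reply composed on AOL or CompuServe.

```python
"""Constructed simulation of the e-mail-confirmation attack debated above.

Added example; the message formats, PIN value and victims are assumptions,
not First Virtual's real protocol or any code posted in the thread.
"""


class FirstVirtual:
    """Issuer: a charge goes through only when the buyer's e-mailed reply says 'yes'."""

    def __init__(self):
        self.pending = {}        # tx_id -> (pin, amount) awaiting the buyer's reply
        self.charged = []        # amounts actually billed
        self.fraud_flags = []    # amounts the buyer reported as fraud
        self._next = 1

    def request(self, pin, amount):
        """A merchant presents a VirtualPIN; FV e-mails the buyer a confirmation."""
        tx_id = "tx%d" % self._next
        self._next += 1
        self.pending[tx_id] = (pin, amount)
        return "FV-CONFIRM %s %d" % (tx_id, amount)   # assumed message format

    def reply(self, msg):
        """Process the buyer's e-mailed answer: yes / no / fraud."""
        _, tx_id, answer = msg.split()
        _pin, amount = self.pending.pop(tx_id)
        if answer == "yes":
            self.charged.append(amount)
        elif answer == "fraud":
            self.fraud_flags.append(amount)
        return answer


class Trojan:
    """Attacker's resident program, modelled as John's 'hook into the winsock'.
    It only ever sees bytes leaving this machine."""

    def __init__(self):
        self.stolen_pin = None

    def outbound(self, msg):
        if msg.startswith("BUY "):                    # step 1: capture the PIN
            self.stolen_pin = msg.split()[1]
        elif msg.startswith("FV-REPLY "):             # step 4: flip no/fraud to yes
            head, answer = msg.rsplit(" ", 1)
            if answer in ("no", "fraud"):
                return head + " yes"
        return msg


class Victim:
    """Buyer who answers confirmations honestly. mail_on_this_machine=False models
    an AOL/CompuServe user whose mail never passes through the infected host."""

    def __init__(self, pin, mail_on_this_machine):
        self.pin = pin
        self.local_mail = mail_on_this_machine
        self.my_orders = set()

    def answer(self, confirm_msg):
        _, tx_id, amount = confirm_msg.split()
        verdict = "yes" if int(amount) in self.my_orders else "fraud"
        return "FV-REPLY %s %s" % (tx_id, verdict)


def run_attack(mail_on_this_machine):
    """One legitimate purchase, then one purchase made by the attacker with the
    stolen PIN. Returns what FV ends up believing about both."""
    fv, trojan = FirstVirtual(), Trojan()
    victim = Victim("VPIN-example", mail_on_this_machine)   # assumed PIN value

    def via_host(msg):
        # Anything sent from the infected host passes through the hook.
        return trojan.outbound(msg)

    def mail(msg):
        # Mail composed on this host is rewritable; mail composed elsewhere is not.
        return via_host(msg) if victim.local_mail else msg

    # Legitimate purchase: the web order leaves the victim's machine and is sniffed.
    victim.my_orders.add(10)
    via_host("BUY %s 10" % victim.pin)
    fv.reply(mail(victim.answer(fv.request(victim.pin, 10))))

    # Attacker (step 3: PIN forwarded to an anon box) buys with the stolen PIN.
    # The honest victim answers 'fraud'; only a locally composed reply can be flipped.
    fv.reply(mail(victim.answer(fv.request(trojan.stolen_pin, 500))))

    return {"charged": fv.charged, "fraud_flags": fv.fraud_flags}


if __name__ == "__main__":
    print("mail on infected host:", run_attack(True))    # both charges go through
    print("mail read elsewhere:  ", run_attack(False))   # FV sees 'fraud' at once
```

With mail composed on the infected host the rewrite succeeds and FV bills both amounts; with mail read from another machine the victim's untouched "fraud" reply reaches FV on the first fraudulent charge, which is the detection path Nathaniel describes.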

Nathaniel Borenstein of FV (not accepted at c2, by the way) said:
point is that an automated attack like this one is undermined by email heterogeneity, which will cause FV's fraud department to be alerted
Is that the same sort of "alerted" that would happen when a keyboard-sniffer-detector detects a keyboard-sniffer? Or is it the kind of alerted like "The keyboard sniffer program was alerted by the OS that it could kiss off if it wants access to the keyboard"? Or is it something entirely different, like "The government was alerted that someone was buying a few too many plane tickets to [foreign country here]"? Don