RE: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
This announcement describes a rather sophisticated technology that delivers the same information that any retail clerk can capture today. Using stolen credit card numbers is a risky business, and the ability of the credit card companies in detecting fraud and locating criminals is quite real. Of course, since Federal law requires the credit card companies, not the user, to pay the costs of fraud, First Virtual's entire premise is a red herring. If the credit card companies are willing to take the risk, they will (and are). Scare tactics are nothing new in the PR business, but I would recommend that the principals at FV learn about "cutouts" for this type of gimmickry if they wish to preserve their reputations....

dvw
> This announcement describes a rather sophisticated technology that delivers the same information that any retail clerk can capture today. Using stolen credit card numbers is a risky business, and the ability of the credit card companies in detecting fraud and locating criminals is quite real.
Retail clerks are not lone bandits. Retail clerks are employees of companies which have a strong interest in keeping their reputation squeaky clean (or risk losing business and welcoming lawsuits). Yes, there is no absolute guarantee that clerks will not do something bad anyway, but there is some self-regulation in that scenario because someone involved has a strong investment in the community. A lone bandit writing difficult to detect viruses scamming for credit card numbers all over the net does not have the strong investment in the community to preserve or protect. You wouldn't give your credit card to some random punk on the street, would you? However, you have no trouble giving it to a reputable store. Why? For exactly the same reason.
> Of course, since Federal law requires the credit card companies, not the user, to pay the costs of fraud, First Virtual's entire premise is a red herring. If the credit card companies are willing to take the risk, they will (and are).
Federal law does not require that a company stay in business once it has entered the banking market. If the risks are too high for them to make a profit, they will fold. If they are smart enough to see the writing on the wall, they will pack up and move elsewhere in the market.

Ern
Excerpts from mail: 29-Jan-96 RE: FV Demonstrates Fatal F.. David Van Wie@hamachi.ep (764)
> Using stolen credit card numbers is a risky business, and the ability of the credit card companies in detecting fraud and locating criminals is quite real.
And most of the fraud detection is premised on the fact that once a criminal steals a card number, he'll use it several times. That's why an automated attack of the kind we've outlined is so dangerous -- a clever criminal will use each stolen number only once, thus making himself far harder to trace.
> Of course, since Federal law requires the credit card companies, not the user, to pay the costs of fraud, First Virtual's entire premise is a red herring. If the credit card companies are willing to take the risk, they will (and are).
Actually, you're wrong here too. It is the banks, not the credit card companies, that carry the risk. If, for example, Visa defines a standard for encrypted credit card numbers, and it turns out to be fatally flawed, it is the banks that will lose their shirts. This may not seem like an important distinction to you, but I assure you that it is important to bankers.
> Scare tactics are nothing new in the PR business, but I would recommend that the principals at FV learn about "cutouts" for this type of gimmickry if they wish to preserve their reputations....
My reputation in the technical community, I assume, will stand or fall based on the validity of my technical claims, not on the knee-jerk reactions of people who don't even read the announcement thoroughly enough to understand the technique we have revealed. I have not yet heard anything that makes me think that my claim is untrue. We have revealed the first known strategy for an Internet-based large-scale automated attack on the credit card system. I think that's a real threat.

-- Nathaniel

--------
Nathaniel Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq@nsb.fv.com
An entity claiming to be Nathaniel Borenstein <nsb@nsb.fv.com> is alleged to have written:
> I have not yet heard anything that makes me think that my claim is untrue. We have revealed the first known strategy for an Internet-based large-scale automated attack on the credit card system. I think that's a real threat.
I know that you are being swamped by hate mail from cypherpunks, so I'll try to keep my comments brief. First, I commend you for forging ahead with research and business as you see fit, despite the regular barrages of venomous condemnation that you are subjected to. "I think that's a real threat", too. I believe that you have valuable insights into Internet commerce security which the typical cypherpunk lacks, and I'm glad that you are "getting the word out" both to the cpunks and to larger communities.

(Having said that, and having decided to Cc: this message to cpunks and e$, I shall elaborate:)

The ideas that you espouse that the typical cpunk lacks fall into two broad categories which have something in common. First, the overwhelming importance of user interface and dealing with technically clueless users. Second, the importance of evaluating risks from a cost/benefit perspective, and trusting in a system once it is "secure enough". What these ideas have in common is simply that they are *practical*. And that's important.

If First Virtual uses simple techniques which are crackable, but so unprofitable to crack that no-one will ever do so, and if First Virtual uses this technique and allows everyday users to do transactions over the Internet, then that is a net.commerce success story. Furthermore, it's a *cryptographic* success story. Much more so than "CYpherPunk Agent X" who writes a black-market implementation of Chaumian electronic cash which no-one will ever use. He has accomplished little more than entertaining and educating himself. This is the cypherpunk fallacy which is enshrined in the Manifesto when it says "code can never be destroyed". Yes it can. Or it can be ignored, which has the same effect. The important thing is when code and users meet.

(Of course, I still think First Virtual is marketing an ugly klooge that doesn't stand a chance against better technologies in the next couple of years, but I digress...)
But despite all of the above, Nathaniel, I must protest your claim to have "revealed" the "first known strategy". That strategy has been common knowledge since probably before you were born. In fact just a couple of weeks ago *I* posted articles to cypherpunks and the "ecash" list saying that I thought the most viable attack on DigiCash Ecash would be a virus/Trojan horse which attacked the computer on the user's end. Did you read these articles of mine? Is it possible that that is where you got the idea for your experiment?

As an aside, you recently said that you didn't see any reason to PGP-sign list traffic. Here is a good example of its usefulness: I can prove that I authored the aforementioned messages, and when. (Also it has already been more or less proven to people who use PGP on their cpunks traffic that the author of the aforementioned messages was also the author of hundreds of other messages, including this one, both in cpunks and in other forums over the last six months.)

Now I didn't mention in my articles that such an attack would be as viable (more so, actually) against a credit card scheme as it would against Ecash, for two reasons: 1: It was already common knowledge, and 2: I consider credit card schemes to be hopeless anachronisms that will soon be eliminated in the evolutionary race of modern currency.

Anyway, keep up the good work, and consider the merits of being a little more circumspect in your press releases.

Regards,
Bryce

P.S. Okay, I admit that the Subject: line was a little bit inflammatory. If I had named my message "Re: FV demonstrates fatal flaw" then nobody would have read it...
"Toys, Tools and Technologies" the Niche
New Signal Consulting -- C++, Java, HTML, Ecash
Bryce
Participants (4):
- Bryce
- David Van Wie
- Ernest Hua
- Nathaniel Borenstein