What are the flaws with FV payment system?
I only received this an hour ago. I would very much like to attend, but can't put my fingers on the detailed analysis of FV's flaws in their system, which I would like to bring up in person at this seminar.

Could someone please point me in the right direction?

---------- Forwarded message ----------
Date: Thu, 10 Oct 1996 09:51:56 -0400
From: Sue Davidsen <davidsen@umich.edu>
To: michlib-l@mlink.hh.lib.umich.edu
Subject: Seminar Announcement

Commerce on the Internet
7:00 PM Thursday, October 10, 1996
Room N130 New Business Building, MSU

Dr. Nathaniel Borenstein, Chief Scientist, First Virtual Holdings, Inc., is known worldwide as a leading developer of Internet technologies, including the MIME standard and the First Virtual Payment System. In this presentation on commerce on the Internet he will discuss:

    The limitations of current encryption schemes
    The technical aspects of the First Virtual payment scheme
    The future of commerce on the Internet

Dr. Borenstein contributed to the development of numerous Internet technologies including the MIME standard (used for email attachments and Web content typing), Andrew, metamail, ATOMICMAIL, and Safe-Tcl. Dr. Borenstein devised the First Virtual payment system, a popular mechanism for conducting commerce on the Internet.

[a lot of cute biographical details left out, I'm not impressed]
-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 10 Oct 1996, Kip DeGraaf wrote:

> I only received this an hour ago. I would very much like to attend, but can't put my fingers on the detailed analysis of FV's flaws in their system, which I would like to bring up in person at this seminar.
>
> Could someone please point me in the right direction?
I haven't seen any such analysis myself, but there is likely one available.

From looking at FV's claims and descriptions of transactions, here's a few things I'd say:

o A buyer's VirtualPIN is given insecurely to the merchant, unless transmitted via secure HTTP. If not over SSL or HTTPS, anyone along the way can swipe the VirtualPIN.

o It is easy to "verify" a PIN as a valid PIN. You can use finger, telnet, and email among other things. Easy target for a dictionary attack.

o Payment confirmation messages are sent to the buyer via email, unencrypted, insecure, etc... Easy target for slightly-less-than-honest system admins, and most anyone else between FV and the buyer. Easy traffic analysis, though the FV payment scheme does not offer anonymity as a feature. Absolutely zero privacy.

o Read this: http://www.fv.com/pubdocs/FAQ-security.txt Nuff said.

o It appears that anyone can fake a reply to a payment confirmation message. It appears some sort of transaction id is necessary in the reply, but it's not entirely evident. (the id comes in the confirmation request if it does exist, you wouldn't need any other knowledge).

o Given the above, it doesn't seem hard to spoof either merchant requests and/or buyer confirmations, charging the real VirtualPIN-holder without his/her knowledge. If the confirmation-request email could be prevented from reaching the intended user, they would never even know it happened, til they get their credit-card bill.

o Logistically, it requires that a user has access to his/her email account at all times to make purchases. For a timely purchase, it requires a user to receive the confirmation-request quickly, and the reply to reach FV quickly. Every ISP I've used has noticeable lag handling mail at times, often minutes long. Mail queues get big.

o On the plus side, you send your credit card info over the incredibly, massively, monstrously secure phone lines by calling these people up. ;-)

This is all from looking over their pages for a few minutes a while back, and quickly just now, so I may have erred in places. Someone with experience using the system and/or someone with FV's email message specs would be good to talk to.

The claims they make about encryption just generally make me want to dislike them immensely, regardless of the merits of their system.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jeremey Barrett
Senior Software Engineer jeremey@veriweb.com
VeriWeb Internet Corp. http://www.veriweb.com/
PGP Key fingerprint = 3B 42 1E D4 4B 17 0D 80 DC 59 6F 59 04 C3 83 64
PGP Public Key: http://www.veriweb.com/people/jeremey/pgpkey.html
"less is more." -- Mies van de Rohe.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMl1QoC/fy+vkqMxNAQE2VgQA2A75PJWRhh8n5rdOYhRS2vnuod2O9lzn
K8Rdxui9NZ6ZXk3RBCQHXG1vbzmKgwA9sb7BBjygrE4KdzdQUrHwhmJKZJfP7IGe
jbgNuAtXEYeIgP5K4pjjWWl0fVN4H7vV98AukkBxDDaif1Iklw/g4ByzKVa23i5k
9MCXNdercOU=
=Fws8
-----END PGP SIGNATURE-----
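Added example, not part of the original thread and not First Virtual's code: a Python model of the confirmation-reply weakness described in the message above (a reply that only has to echo an id carried in the clear-text request), next to a reply bound to the transaction with an HMAC. The message fields, the buyer id and the out-of-band per-buyer key are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; field names and message layout are assumptions,
# not First Virtual's actual e-mail format.
BUYER_KEYS = {"buyer-001": secrets.token_bytes(32)}  # shared out of band, never e-mailed


def make_request(buyer_id, amount_cents):
    """Server side: the confirmation request that travels in clear text."""
    return {"buyer": buyer_id, "amount": amount_cents, "txid": secrets.token_hex(8)}


def accept_echo_only(request, reply):
    """Weak check: the reply only has to echo the id carried in the request."""
    return reply.get("txid") == request["txid"] and reply.get("answer") in ("yes", "no")


def _mac(key, request, answer):
    """Keyed MAC over every field the reply must be bound to."""
    msg = f'{request["txid"]}|{request["buyer"]}|{request["amount"]}|{answer}'.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_reply(key, request, answer):
    """Buyer side: answer plus a MAC only the key holder can compute."""
    return {"txid": request["txid"], "answer": answer, "mac": _mac(key, request, answer)}


def accept_authenticated(request, reply):
    """Hardened check: recompute the MAC and compare in constant time."""
    key = BUYER_KEYS.get(request["buyer"])
    if key is None or reply.get("txid") != request["txid"]:
        return False
    expected = _mac(key, request, reply.get("answer"))
    return hmac.compare_digest(expected, str(reply.get("mac", "")))


def demo():
    request = make_request("buyer-001", 1999)
    # Anyone who can read the request knows the txid, but not the buyer's key.
    forged = {"txid": request["txid"], "answer": "yes", "mac": "0" * 64}
    genuine = sign_reply(BUYER_KEYS["buyer-001"], request, "yes")
    tampered = dict(genuine, answer="no")  # genuine reply altered in transit
    replies = {"forged": forged, "genuine": genuine, "tampered": tampered}
    return {name: (accept_echo_only(request, r), accept_authenticated(request, r))
            for name, r in replies.items()}
```

Each entry of `demo()` is a pair (echo-only result, MAC result); the echo-only check accepts all three replies, while the MAC check accepts only the genuine one.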
Kip DeGraaf <kip@monroe.lib.mi.us> wrote:
> I only received this an hour ago. I would very much like to attend, but can't put my fingers on the detailed analysis of FV's flaws in their system, which I would like to bring up in person at this seminar.
>
> Could someone please point me in the right direction?

You can start with http://www.c2.org/nofv/

Basically, if you can get access to someone's email, then you can defraud the system. FV protects themselves by holding payments for 90 days before they pay the merchant. It's an unsecure system, with no encryption. FV will accept no responsibility for this, and when people cheat, the merchant gets screwed.
Excerpts from mail: 10-Oct-96 What are the flaws with FV .. Kip DeGraaf@monroe.lib.m (1410*)
> I only received this an hour ago. I would very much like to attend, but can't put my fingers on the detailed analysis of FV's flaws in their system, which I would like to bring up in person at this seminar.
>
> Could someone please point me in the right direction?

I'm very sorry that you apparently didn't show up to discuss your concerns; I thought the talk went quite well, with some good give and take, but nobody really tried hard to tear apart FV's system. Believe it or not, that was a disappointment to me. I always enjoy an open debate with a spirited opponent.

FYI, the content of the talk was largely the same as the content of my paper that appeared in the June issue of Communications of the ACM, in the special issue on electronic commerce. Readers of this list will be particularly interested in the section entitled "Cryptography: Myths and Realities".

--------
Nathaniel Borenstein <nsb@fv.com> | FAQ & PGP key:
Chief Scientist, First Virtual Holdings | nsb+faq@nsb.fv.com
On Fri, 11 Oct 1996, Nathaniel Borenstein wrote:
> Excerpts from mail: 10-Oct-96 What are the flaws with FV .. Kip DeGraaf@monroe.lib.m (1410*)
>
>> I only received this an hour ago. I would very much like to attend, but can't put my fingers on the detailed analysis of FV's flaws in their system, which I would like to bring up in person at this seminar.
>>
>> Could someone please point me in the right direction?
>
> I'm very sorry that you apparently didn't show up to discuss your concerns; I thought the talk went quite well, with some good give and take, but nobody really tried hard to tear apart FV's system. Believe it or not, that was a disappointment to me. I always enjoy an open debate with a spirited opponent.

I'm rather sorry too. I found the information at http://www.c2.org/nofv to be of interest and would have liked an answer to the privacy issue specifically and the other issues brought up by that document. Unfortunately I had a work-related problem that kept me from leaving Monroe in time to make the trip up to East Lansing.

If you would answer that point on privacy, that was to be the main interest I had in attending the meeting. Having read through the material offered at http://www.fv.com, I still feel the privacy issue and the ability to intercept email confirmations still haven't been addressed. You discuss email interception in http://www.fv.com/pubdocs/FAQ-security.txt, but that document is from Nov, 1995 and doesn't address the concern adequately in my opinion.
participants (4)
- Jeremey Barrett
- Kip DeGraaf
- Nathaniel Borenstein
- nobody@replay.com