Re: FV's Borenstein discovers keystroke capture programs! (pictures at 11!)

At 04:39 PM 1/29/96 -0500, Nathaniel Borenstein wrote:
Well, the misconceptions are flying fast and furious.
You're twisting our words. We believe it is a truly fatal flaw in those internet commerce schemes that are based on software encryption of credit card numbers. There are several schemes for Internet commerce that are unaffected:
-- First Virtual (of course)
Question: Could you please describe the nature of the First Virtual protocol? Now before you tell me to RTFM, let me explain.

I assume, although without absolute certainty, that in order to bill me you must know my credit card number. If you do not know my credit card number, and depend on someone else who does, you are nothing more than a middleman who introduces additional possibility for breach of security. If you do know my credit card number, you must deal with the associated problem of storing this number. Now perhaps I am wrong, and you really do keep all of your clients' card numbers in a printed book hidden within a safe, and for each transaction you remove the book, use your table to match FV_ID to CC#, process the transaction, and replace the book. However, I doubt this. More likely, you store the card numbers on a computer. And no doubt, someone or something enters those numbers into a database.

You have just violated your own cardinal rule.

Jeremy
---
Jeremy Mineweaser     | GCS/E d->-- s:- a--- C++(+++)$ ULC++(++++)>$ P+>++$
j.mineweaser@ieee.org | L+>++ E-(---) W++ N+ !o-- K+>++ w+(++++) O- M--
                      | V-(--) PS+(--) PE++ Y++>$ PGP++>+++$ t+() 5 X+ R+()
*ai*vr*vx*crypto*     | tv(+) b++>+++ DI+(++) D+ G++ e>+++ h-() r-@ !y-

Excerpts from mail: 29-Jan-96 Re: FV's Borenstein discove.. Jeremy Mineweaser@area1s (1692*)
Question: Could you please describe the nature of the First Virtual protocol? Now before you tell me to RTFM, let me explain.
I assume, although without absolute certainty, that in order to bill me you must know my credit card number. If you do not know my credit card number, and depend on someone else who does, you are nothing more than a middleman who introduces additional possibility for breach of security. If you do know my credit card number, you must deal with the associated problem of storing this number. Now perhaps I am wrong, and you really do keep all of your clients' card numbers in a printed book hidden within a safe, and for each transaction you remove the book, use your table to match FV_ID to CC#, process the transaction, and replace the book. However, I doubt this. More likely, you store the card numbers on a computer. And no doubt, someone or something enters those numbers into a database.
You have just violated your own cardinal rule.
Nope, afraid not. We keep the credit card numbers on a non-Internet computer. The only communication between it and the Internet world is a proprietary *batch* protocol. If you break through multiple firewalls to our most secure Internet machine, then you can begin reverse-engineering the batch protocol, and even then, there's nothing in the protocol that will send credit card numbers back over.

As to how the credit card numbers are entered: they are entered at account setup time via a telephone call. Yes, telephones can be tapped, but it's really hard to set up an automated attack that taps all the phone calls and retrieves all the credit card numbers. Moreover, eventually we hope to have the credit card numbers downloaded directly from the credit card issuing banks, thus eliminating even the telephone vulnerability.

Believe me, we've thought a LOT about this. Please check out our academic paper on our first year of operation, which you can find at http://www.fv.com/pubdocs/fv-austin.txt -- I think it will answer a lot of your questions.

-- Nathaniel
--------
Nathaniel Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq@nsb.fv.com
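The design Borenstein describes above separates two machines: an Internet-facing side that only ever handles FV_IDs and amounts, and an offline side that holds the FV_ID-to-card-number table and answers a batch with nothing but per-transaction outcomes. The following is an added illustration of that separation, not First Virtual's code and not a description of their actual batch protocol; the class names, the JSON batch format, the allow-list of reply fields, and the sample card numbers are all constructed for the example. It also adds the check a reviewer of such a design would want: a test that neither the outbound batch nor the vault's reply contains a card number.

```python
import json

# Constructed sample data: in the design discussed above this FV_ID -> card
# number table exists only on the non-Internet machine.
VAULT_TABLE = {
    "FV-ALICE-01": "4111111111111111",
    "FV-BOB-02": "5500000000000004",
}

# Allow-list of fields the vault is permitted to send back. The reply is
# projected onto this set, so a card number cannot ride along by accident.
RESULT_FIELDS = frozenset({"txn", "status"})


class OfflineVault:
    """Stands in for the non-Internet host (hypothetical name). It accepts a
    batch of sale records keyed by FV_ID and answers only with outcomes."""

    def __init__(self, table, approve):
        self._table = dict(table)   # FV_ID -> card number, never exported
        self._approve = approve     # issuer decision, modelled as a callable

    @staticmethod
    def _outbound(record: dict) -> dict:
        """Project a result record onto the allow-listed fields."""
        return {k: record[k] for k in RESULT_FIELDS if k in record}

    def settle_batch(self, batch_bytes: bytes) -> bytes:
        results = []
        for rec in json.loads(batch_bytes):
            card = self._table.get(rec["fv_id"])
            if card is None:
                status = "unknown_account"
            elif self._approve(card, rec["amount_cents"]):
                status = "settled"
            else:
                status = "declined"
            # The card number is used here and only here; it never enters
            # the result record that crosses back to the Internet side.
            results.append(self._outbound({"txn": rec["txn"], "status": status}))
        return json.dumps(results).encode()


class InternetFacingService:
    """Stands in for the Internet-connected side (hypothetical name). It knows
    FV_IDs and amounts, never card numbers, and exchanges only batch files."""

    def __init__(self):
        self._pending = []
        self.outcomes = {}

    def record_sale(self, txn: str, fv_id: str, amount_cents: int) -> None:
        self._pending.append({"txn": txn, "fv_id": fv_id, "amount_cents": amount_cents})

    def export_batch(self) -> bytes:
        batch = json.dumps(self._pending).encode()
        self._pending = []
        return batch

    def import_results(self, results_bytes: bytes) -> None:
        for r in json.loads(results_bytes):
            self.outcomes[r["txn"]] = r["status"]


def contains_card_number(blob: bytes, table) -> bool:
    """True if any card number from the vault table appears verbatim in blob.
    This is the leak check for anything that crosses the boundary."""
    text = blob.decode()
    return any(card in text for card in table.values())


def run_settlement_cycle():
    """Drive one batch round trip on constructed sales and return the outcomes
    together with leak checks on both directions of the exchange."""
    front = InternetFacingService()
    vault = OfflineVault(VAULT_TABLE, approve=lambda card, cents: cents <= 50_000)
    front.record_sale("T1", "FV-ALICE-01", 1_999)      # approved
    front.record_sale("T2", "FV-BOB-02", 75_000)       # over the toy limit
    front.record_sale("T3", "FV-NOBODY-99", 500)       # no such account
    batch = front.export_batch()
    reply = vault.settle_batch(batch)
    front.import_results(reply)
    return (front.outcomes,
            contains_card_number(batch, VAULT_TABLE),
            contains_card_number(reply, VAULT_TABLE))


if __name__ == "__main__":
    outcomes, batch_leak, reply_leak = run_settlement_cycle()
    print(outcomes, "batch leaks card:", batch_leak, "reply leaks card:", reply_leak)
```

The allow-list projection in `_outbound` is the cheap, mechanical safeguard; the stronger property the thread relies on is structural, namely that the reply-building code path has no card number in scope to return in the first place. A keystroke logger on a customer's machine is also outside this picture by construction: the customer types an FV_ID, not a card number, so there is nothing card-shaped to capture.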