For those that are sick of this thread (as I am), I apologize in advance for throwing another log on the fire. I just can't help trying to get through... Nathaniel Borenstein <nsb@nsb.fv.com> writes:

First of all, I believe that I owe the cypherpunk community an apology for an error in judgement on my part. The message that I [...] Our approach combines the following four known problems into a fatal attack:

1) Consumer machines are insecure and easily compromised. 2) Keyboard sniffers are easy to write. 3) Credit card numbers are self-identifying (they have check digits) and can easily be extracted from a huge stream of input data. 4) Once intercepted, small amounts of information (e.g. a cc #) may be distributed completely tracelessly over the Internet.

When you put all four of these together, you have an attack that IS new, in the sense that nobody we know of has ever mentioned it before, and which could in fact be used by a single criminal, with only a few weeks of programming, to tracelessly steal MILLIONS of credit cards, if software-encrypted credit-card schemes ever caught on.

You're right, the four problems you mention are known and have been for a long time, and have also been used in attacks. What you don't seem to understand is that the overall attack from the combination of these isn't new either. In many ways a credit card number, name and expiry date form a password. It's a password that the bank accepts to allow money transfers in much the same way as a computer accepts a password to allow information transfers. On this very list (amongst other places), there has been discussion of trojans and viruses for grabbing passwords, and of methods of determining what is a password and what isn't a password. In the same way you can decide if a number is a credit card number, there are heuristics you can use to determine if a user is entering a password, though often it may require more than just monitoring keystrokes. To collect expiry dates and names for credit cards, monitoring additional side information may also be useful. So I see no fundamental difference between the two, credit card numbers _are_ passwords. I myself have used precisely this technique many years ago, as I'm sure many others here have, to demonstrate security problems. The only difference is the heuristic for determining what constitutes a password in the domain you're snooping. What's more, the methods in existence before your post can be and have been built in viruses which are considerably more prolific than a trojan. Not only is your attack not new, it is less powerful that some similar attacks that predated yours. Implying credit card numbers are more valuable than passwords is dubious. There are organisations that could lose millions of dollars if their password security was compromised, but it's hard to say the same for credit cards. In this country, although I don't know about yours, I'm not even liable if somebody steals my credit card and uses it. I would consider a "credit card password" as a lesser commodity than a password for giving access to an entire computer system. [...]

So here's the factual claim, to be proven or disproven: One good programmer, in less than a month, can write a program that will spread itself around the net, collect an unlimited number of credit card numbers, and get them back to the program's author by non-traceable mechanisms. Does anyone on this list doubt that this is true? If so, I'd like to know the flaw in my thinking, -- I am *not* too proud to withdraw any claims that aren't true. If not, I think it's worth noting that this fact was previously completely unknown to the bankers and businessmen who are putting large sums of money at risk on the net. The only way to get the message to those communities is with a very visible public announcement of the kind you saw yesterday.

Of course this is a threat, I don't think _anybody_ will deny that, but this is not a new threat. True, the attack may not have been known to businesspeople and bankers, but there are many others areas of security they also know nothing about. Trying to claim an old invention as your own just looks like hype, PR and lies, not to mention showing a lack of knowledge which could do the reverse from what you set out to achieve. It is certainly a Good Thing for the public to know about the potential for various types of snooping, but surely it could be done in some way which doesn't make it look like you invented it. I don't think anybody here objects to the attack itself, but rather the claims you made about it and the way you communicated it. --- E-mail: sai@comp.vuw.ac.nz/sai@kauri.vuw.ac.nz +64 4 233 9427 PGP Fingerprint: 65 5B B4 6C CB 6A 65 F1 01 91 B9 FE 34 23 99 D3 PGP Key by mail, finger or from http://www.vuw.ac.nz/~sai/pgp-key.html