Visa & MC Std

Clay Olbon II olbon at dynetics.com
Thu Feb 1 07:12:51 PST 1996 

At 8:25 AM 2/1/96, pj ponder wrote (much elided):

>AN FRANCISCO -- Hoping to remove a major impediment to credit card
>transactions over the Internet, a business group led by Mastercard
>International
>and Visa International plans to announce an industry-standard technology
>Thursday for protecting the security of electronic payments.
...
>
>The software standard, called Secure Electronic Transactions, or SET,
>will permit a user to send a credit card account numbers to a merchant
>in a scrambled
>form.
>
>The scrambled number is supposed to be unintelligible to electronic
>eavesdroppers and thieves -- and even to the merchants receiving the
>payment.
>
>But a special code is supposed to enable the merchant to check
>electronically and automatically with the bank that issued the credit
>card to make sure that it is a
>valid card number and that the customer is the authorized user of the
>card. The number-scrambling part of the system is based on a well-known
>and widely used
>national software standard known as the Data Encryption Standard.

----------------

A few psueudorandom points regarding this post:

        First, it seems silly to implement a separate standard that only
works for the credit card number.  What about the privacy of the rest of
the info (what I am ordering, how much, etc.).

        Can (or will) this be layered with Netscape's SSL?

        How is this to be implemented?  It sounds like the merchants will
just pass the encrypted number to the credit card company.  If this is the
case, key management could become an issue.  I suppose this could easily be
implemented using public key crypto, but only DES was mentioned.  If only
DES is used and everyone uses the same DES key, that would be a valuable
key to break!

        How about a MITM attack.  Get the encrypted credit card #, and
change the purchase amount, delivery info, etc if that is not encrypted.

If there is anyone on the list with more info on this, I would love to hear
it (heopfully we will hear something from Netscape, since they are quoted
in the article).  From what I know so far, it seems like a poor compromise.



---------------------------------------------------------------------------
Clay Olbon II            | olbon at dynetics.com
Systems Engineer         | ph: (810) 589-9930 fax 9934
Dynetics, Inc., Ste 302  | http://www.msen.com/~olbon/olbon.html
550 Stephenson Hwy       | PGP262 public key: finger olbon at mgr.dynetics.com
Troy, MI 48083-1109      | pgp print: B97397AD50233C77523FD058BD1BB7C0
    "To escape the evil curse, you must quote a bible verse; thou
     shalt not ... Doooh" - Homer (Simpson, not the other one)
---------------------------------------------------------------------------

More information about the cypherpunks-legacy mailing list