FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
Nathaniel Borenstein
nsb at nsb.fv.com
Fri Feb 2 15:17:56 PST 1996
Excerpts from mail.cypherpunks: 30-Jan-96 Re: FV Demonstrates Fatal F..
Weld Pond at l0pht.com (1503*)
> Here is an example of an imagemap for secure number entry.
> http://www.l0pht.com/~weld/numbers.html
I *really* like this example. That's because it demonstrates so clearly
the security/usability tradeoff that I keep trying to hammer home to
people.
Yes, with something like this -- and a LOT of variation, so it wasn't
the same every time -- you could avoid an attack like ours. But you'd
also have a user interface that was virtually unusable. The focus of
the attack we outlined was one particular, naive approach to Internet
commerce that sacrificed a lot of security for usability. If the net
result of what we've done is to force them to find a better balance, it
was well worth the effort.
Or, to put it another way, I'm not too worried about competing with
software-encrypted credit card numbers if they use an imagemap technique
like the one you've outlined.
--------
Nathaniel Borenstein <nsb at fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com