FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards

Christian Wettergren cwe at it.kth.se
Sat Feb 3 09:11:49 PST 1996



The "keyboard sniffer" of FV is really troublesome, and the
extension of this threat will hamper the Internet Commerce
tremendously, I believe. The thing that might have made it
hard to accept the threat for cypherpunkers is that it was 
presented together with a plug for the FV scheme, (which may 
or may not be valid btw.)

But more generally, I see the following happening.

The factors that now are "harmonizing" are;
* the tremendous growth of Inet commerce; Digicash, encrypted
  CardNo's etc. Many of the now proposed schemes have no
  independant "evidence" mechanism, whereby you can settle
  a disputed transaction fairly. You will have to choose
  to believe one of the parts, and that is very often the
  service provider/bank/card company.

* The decline of the "ordinary" card fraud market,
  VISA/Europay/Mastercard is rapidly finishing their
  forthcoming smart card systems. I'd guess this "market"
  is gone within 2-3 years. Some "big organisations" might
  start to move into the new "fraud markets" soon.

* The fact that the PC are such an extremely used platform,
  and that the need for back compatibility will make it
  almost impossibe to add substantial security to it now.

* The fact that anti-virus tools haven't been able to
  eradicate the virii problem even before the "forthcoming
  surge" in virus writing that I believe will come. According
  to a survey by Information Week (Nov 27 -95) 67% of the 
  companies had been hit by a virus the last year, and 12% 
  of the companies had suffered financial loss caused of it. 
  (1293 companies surveyed). 
  Admittedly there are social problems behind the continued spread
  of virii too, but that alone doesn't make them go away. Take
  a look at the article "Virus Authors strike Back" by Alan
  Solomon in "Computers and Security" 11 (1992) 602-606. The
  state of anti-virus tools seemed to be in a rather sad state
  back then, and I really wonder whether they are any better
  now.

* The knowledge about how to write virii has been spread
  rather far - a college kid can get his hands on one of
  the polymorphic virus generators, and start to output
  new self-encrypting virii with the same action routine
  regularly. Also, note that this new kind of virii ("virii
  with a mission") would start to cost immediately, in 
  contrast with the "old kind" that only cost when you 
  have to clean them out, or if they wipe un-backuped data.
  (your fault - core dumped)

* All PC's will be net-connected... Embed a public key in the
  virus, let it encrypt the loot and post it to Usenet
  in the group junk.erotica. You can then harvest the group
  with the secret key anywhere in the world.
  (Be generous, let the virus go away automatically if it
  has "contributed" enough money.)

The pay-off of continously updating your virus to cope with
new protection mechanisms would be enormous. Lets assume that I
employ 10 programmers 2 years from now, that writes new action 
routines and develop new virus types... I bet I could get 
a decent living quite soon. Also assume I settle down in a 
suitable country with lax enough laws, do you believe that I
would be a criminal then? What is the legal status of virii,
and what is this concept of "electronic money" anyway? :-)

I promise, I wont do that. It's not a bet.













More information about the cypherpunks-legacy mailing list