FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards

Jonathan Rochkind jrochkin at cs.oberlin.edu
Mon Jan 29 19:31:21 PST 1996


Congratulations to FirstVirtual for having taken key-capture techniqures
that everyone has known about forever, and skillfully propagandizing it as
a 'fatal flaw in software encryption' playing on the technophobia of the
masses, who are afraid of computers already ("INFORMATION IS INSECURE THE
MOMENT YOU TOUCH A KEY". snork), to engeder widespread fear in encryption
("ENCRYPTING CREDIT CARDS ON THE DESKTOP IS NOT ONE OF THE SAFE
MECHANISMS"), thereby (hopefully) enhancing market share of FV, which
doesn't use encryption.

1) I remember Mr. Borenstein saying a year or two ago, something like "We
have nothing against encryption; we're just using a non-encrypting
technique for the moment, becuase it can be quickly, easily, and safely
deployed by us. Eventually,  we'll probably use encryption."    Apparently,
this propaganda piece marks a change of strategy.

2)  This is the first net distributed "security alert" distributed that
I've noticed, with almost no real content.  No one who knows a bit about
computer security learned anything they didn't already know from that
"alert".  Rather, it was distributed in the _form_ of a CERT-like alert,
but with the purpose and effect that is almost solely marketting of FV.
I'm sure we can expect many more now that FV has pioneered the
propaganda-as-alert technique--people are really scared about virus and
security risks, since they know nothing about them, and will pay a lot of
attention to them (witness "Good Times")--much more attention then they'd
normally pay an advertisement.  This masquerading advertisement is akin to
the advertisements masquerading as editorial content that you see in many
magazines not respectable enough to prohibit such things.

3)  I believe that FV works by assigning the user some sort of id number.
They send the id accross the net, FV has a database with "FV-ID" <->
credit-card-number correspondences, the merchant sends FV the id, FV bills
your card and pays the merchant.  Now, if I'm correct about how FV works,
we could clearly write a program that searches your HD for FVs data files,
extracts your FV-ID from it, and steals it.  It could be a virus, it could
send the FV accross the net, whatever.  We could then use your FV-ID to
make fraudulently make purchases through the FV system that would be billed
to you.  This is essentially the same attack as FV "demonstrates" against
software encrypted credit cards over the net: that is, the "You have an
insecure system and if we can put evil software on it, we can get you."
attack.

True, we wouldn't have your credit card number, and we couldn't order stuff
from LL Bean billed to you.  We could just order stuff from FV merchants.
So maybe it's marginally better.  Maybe.  But I can't see any way FV could
be immune to an attack of this sort.  I believe that all they do is give
you a first virtual ID number sent accross the net (in the clear!) in lieu
of your card number.      With an insecure PC as an assuption (and it is
probably a good one, actually), I can't see how FV could be immune from an
attack of this sort.   If Mr. Borenstein or anyone else thinks it is,
please explain how.

Sigh.








More information about the cypherpunks-legacy mailing list