FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards

Jiri Baum jirib at sweeney.cs.monash.edu.au
Tue Jan 30 03:36:17 PST 1996


-----BEGIN PGP SIGNED MESSAGE-----

Hello Nathaniel Borenstein <nsb at nsb.fv.com>
  and cypherpunks at toad.com, Peter Monta <pmonta at qualcomm.com>
 
NSB wrote:
> Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Peter
> Monta at qualcomm.com (651*)
...
> > > NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER.
> 
> > Never speak it either.  Walls (and audio peripherals) have ears.
> 
> When you can give me a cheap device that can be planted in the wall,
> listen to everything you say, and just spit out the credit card numbers,
> then I'll start to be worried about speaking it.  
...

And in a later post:

...
> I used to trust the telephone not to be tapped in a selective way based
> on keyword recognition, but in recent years, with the improvement in
> voice recognition technology, I have stopped trusting it that way, and I
> know plenty of other people have too -- if you say "NSA" into a cellular
> call, you are probably inviting an eavesdropper.
...

So, what's wrong with the virus listening through the audio card?

Many people have their phone close to their computer, and credit-card
numbers spoken over the phone are usually spoken clearly.

> Similarly, we trust the postal service and certain uses of email not to
> be free of any insecurities, but to be hard to defeat in a large scale
> automated way.
...

Presumably mail from FV asking for confirmation wouldn't be too hard
to search for - I guess one would watch WinSock for connection
to the POP port then grab the password etc, followed by periodically 
checking for new e-mail (without the user's knowledge).


Many people would already have their CC number on the computer somewhere,
in a letter they wrote (and later printed out and posted). If it's a virus,
it doesn't even need a net connection to communicate it back (it can just
remember it and pass it 'home' several infections later).

The real problem ain't the net, but lousy security in home systems.


(Hmm, with the sound cards, couldn't the virus just hypnotise the user....)


Jiri
- --
If you want an answer, please mail to <jirib at cs.monash.edu.au>.
On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
PGP EF0607F9 (but it's at uni so don't rely on it too much)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

-----END PGP SIGNATURE-----





