FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards

Weld Pond weld at l0pht.com
Wed Jan 31 16:55:51 PST 1996


Nathaniel Borenstein <nsb at nsb.fv.com> wrote:
>> Programs needing secure entry create a "secure entry field" which is
>> really just an imagemap with the digits (and alphas if required) placed
>> randomly about.  The user then uses the mouse to click on these numerals.
>> Ideally the graphics that represent the numerals would be drawn from a
>> random pool and are misformed to thwart any OCR attempts. The graphics could
>> be made even more difficult to OCR by mixing in words and pictures to
>> represent the numbers. 
>If any particular program for doing this came into widespread use, we
>could engineer an attack, similar to our keystroke attack, based on the
> specific properties of the approach used.

You could try but I don't think you would succeed.  I have problems doing 
OCR on faxes with a top of the line OCR program.  Don't tell me your 
trojan horse is going to be able to OCR images that are designed to be 
hard to OCR.

Here is an example of an imagemap for secure number entry.

http://www.l0pht.com/~weld/numbers.html

Since this is inherently a visual thing, I thought I would cook up a 
graphic on the web since you cannot do this via email easily.

      Weld Pond   -  weld at l0pht.com      -     http://www.l0pht.com/
      L  0  p  h  t    H  e  a  v  y    I  n  d  u  s  t  r  i  e  s         
      Technical archives for the people  -  Bio/Electro/Crypto/Radio

      L0pht Open House 2/3/96 at 8:00pm - Live on irc #l0pht - write
      root at l0pht.com for details.
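
The randomized entry field proposed in the quoted text, as an added sketch that is not part of the original message or of the numbers.html page: the server keeps a per-form random layout and the browser submits only click coordinates. The class and function names, the cell size and the 4x3 grid are assumptions, and drawing the distorted glyphs is left out.

```python
import secrets

CELL = 40            # pixel size of one keypad cell (assumed value)
COLS, ROWS = 4, 3    # 12 cells: ten digits plus two blank decoys (assumed)

class Keypad:
    """Server-side state for one randomized entry field (hypothetical design)."""

    def __init__(self, layout=None):
        if layout is None:
            layout = list("0123456789") + [None, None]   # None = blank cell
            secrets.SystemRandom().shuffle(layout)        # fresh order per form
        self.layout = layout     # index = row * COLS + col; never sent to client
        self.entered = []

    def center_of(self, digit):
        """Where a user who reads the rendered image would click for `digit`."""
        row, col = divmod(self.layout.index(digit), COLS)
        return col * CELL + CELL // 2, row * CELL + CELL // 2

    def click(self, x, y):
        """Translate one click; the browser only ever submits (x, y)."""
        if not (0 <= x < COLS * CELL and 0 <= y < ROWS * CELL):
            return None                                   # outside the image
        symbol = self.layout[(y // CELL) * COLS + (x // CELL)]
        if symbol is not None:
            self.entered.append(symbol)
        return symbol

    def value(self):
        return "".join(self.entered)

def enter(keypad, digits):
    """Simulate a user entering `digits`; returns the click trace a logger sees."""
    trace = [keypad.center_of(d) for d in digits]
    for x, y in trace:
        keypad.click(x, y)
    return trace

def replay(trace, keypad):
    """Decode a recorded click trace against some other keypad's layout."""
    for x, y in trace:
        keypad.click(x, y)
    return keypad.value()

if __name__ == "__main__":
    first = Keypad()
    trace = enter(first, "4111")           # constructed sample input
    print(trace, first.value(), replay(trace, Keypad()))
```

The recorded coordinates decode to the entered digits only against the layout of the form they were clicked on, which is why the argument in the thread turns on whether the rendered glyphs can be read by OCR.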

	





