<i>> I am not a programmer, but the procedure they described seemed so</i>
<i>> simplistic that my first thought was, well why not split the CC number.</i>
<i>> Why not use PIN numbers like is already done for CC cash advances? If</i>
<i>> non-technical brains like mine could come up with immediate solutions, I'm</i>
<i>> sure a real techno-whiz could whip something up in a heartbeat.</i>
Anything that is extremely regular is equally vulnerable, and can be
similarly targeted if it comes into widespread use. A more
sophisticated version of this defense involves non-keyboard entry, but
that's also problematic. From our latest FAQ:
Q11. CAN THE PROBLEM BE FIXED WITH A NON-KEYBOARD INTERFACE?
A. Several people have suggested that this problem could be fixed by
avoiding the keyboard, e.g. by putting up a graphical "calculator"
keypad and letting people input their card numbers that way. While this
avoids detection by our current program, it is still vulnerable to the
same general style of "snooping" attack. If such a program came into
widespread use, criminals would have sufficient incentive to analyze
mouse clicks and screen images to detect this card number input
mechanism, too. It would be a bit harder, but still not too hard
fundamentally, because of the regularity of the input data.
A stronger defense would include a randomized input mechanism. However,
this would also cause the programs to suffer significantly in their
usability. Ease of use is one of the biggest selling points of the
people advocating the software encryption of credit card numbers,
however. Making the card number input process completely random is very
likely to eliminate this advantage.
<i>> I would agree wholeheartedly with Leo here and add that even as an</i>
<i>> immediate workaround to the problem FV raise, the old standard of splitting</i>
<i>> the credit card number over 2 (or 3, or 4 etc.) mail messages (or</i>
<i>> equivalent) would suffice.</i>
In some regards, it would, although a slightly more sophisticated
approach might catch that, too. The problem is, there are many people
pushing for a standard approach in which people just type the credit
card numbers into a "secure" web page. THAT is the approach that we're
calling fatally flawed. The approach you've outlined is much more
defensible, but also less consumer-friendly, a classic tradeoff.
<i>> First of all, FV's whole announcement misses the point of their own</i>
<i>> announcement. If I can run a sniffer on your machine, I could almost as</i>
<i>> easily grab your login name and password (either by you typing or by</i>
<i>> examining certain files where certain information is known to be stored --</i>
<i>> like CompuServe Prefs files, etc.). So I could easily falsify a First</i>
<i>> Virtual transaction, by doing the transaction remotely, then logging into</i>
<i>> your email and saying "yes" to the email that First Virtual sends to</i>
<i>> confirm the transaction. I can delete that email and we're all set. It's</i>
<i>> possible this falsified event wouldn't be discovered until the next credit</i>
<i>> card bill the user gets, which, because First Virtual does aggregation,</i>
<i>> doesn't contain the company or charges broken out. (With other systems, at</i>
<i>> least you know what company the charge was placed from.)</i>
This misses the point, which is the automated nature of the attack we
have described -- the approach you describe works fine by hand, but will
fall apart when automated. What protects us most here, actually, is the
heterogeneous nature of email. People have so many different mail tools
that it is essentially impossible for an automated attack to be sure of
intercepting the user's email. If even 1% get through, the fraud will
be noticed and FV will be taking action. This is in marked contrast to
the theft of credit cards, which can be done silently and cleanly,
because it's a one-step process. Also from our latest FAQ:
Q13. ISN'T FV EQUALLY VULNERABLE TO THIS SORT OF ATTACK?
A. No, we don't think so. First Virtual's Internet Payment Systems
never places the consumer's credit card number on the Internet.
Instead, the consumer provides it to us by telephone when the account is
opened. After that, all purchases are made using a "Virtual PIN".
Virtual PINs are essentially Internet aliases for underlying payment
mechanisms such as credit card numbers, but with several kinds of added
security. Virtual PINs are free-form text, with no recognizable
pattern, which makes them much harder to detect with the kind of attack
we have just demonstrated. Moreover, Virtual PINs are only usable in
conjunction with First Virtual's unique email verification process. No
payment is made until the consumer confirms an email query, which means
that defrauding First Virtual is a multi-step process that is extremely
difficult to automate and much more likely to leave traces of the
attempt. (For more details, we recommend our paper, "Perils and
Pitfalls of Practical CyberCommerce", available via ftp from
ftp://ftp.fv.com/pub/nsb/fv-austin.txt.)
<i>> FV has publicly stated they have only 84,000 buyers in their model (with</i>
<i>> 1,000 added weekly).</i>
I'm not sure where your numbers come from; we're adding about 4000
weekly, and should cross 100,000 within the next few days.
<i>> Also, to truly play the devil's advocate, if you are able to use someone's</i>
<i>> First Virtual code and access their email to reply to the FV confirmation,</i>
<i>> you still don't have access to their credit card number. It's certainly</i>
<i>> infinitely easier to get a new FV number than it is a credit card number.</i>
<i>> However, the same potential for generating unauthorized charges exists.</i>
But if your FV ID is stolen, your credit card is still valid, and
there's a very useful initial clue about the fraud: it was Internet
based. In the attack we outlined, you can use the Internet to steal
card numbers and use them off-net, and nobody need ever know that the
Internet is the attack vector.
<i>> Since FV doesn't seem to track purchases in the way that the credit card</i>
<i>> companies do -- c.c. companies track patterns and notify consumers if the</i>
<i>> patterns change abruptly to see if the card has been stolen -- it's</i>
<i>> possible the losses could be much greater since they're not linked to</i>
<i>> credit cards directly.</i>
What makes you think we don't do that? We do some of it, and are always
considering how to do more. Moreover, we inherit a lot of this from the
underlying credit card processing.
<i>> Thirdly, this problem is "well known," in the sense that the problem of</i>
<i>> securing a system from snooping of all varieties (networks, keystrokes,</i>
<i>> background jobs) has been widely discussed. The idea that announcing this</i>
<i>> makes it a "real" problem is only for the media. CyberCash, just to mention</i>
<i>> one of their biggest competitors and a "for instance," was aware of this</i>
<i>> problem.</i>
If they were aware of this problem, why have they A) never mentioned it
in public, and B) done nothing whatsoever to guard against it? Our
attack has been tested on CyberCash and breaks it completely; their
latest client software is totally undefended. If they come out with a
fix for it now, that will certainly make me skeptical of the claim that
they knew about it before!
<i>> In April, according to my sources, credit card issuers will require that</i>
<i>> merchant banks get and verify the full consumer billing address from the</i>
<i>> merchant card users to get the smallest chunk of change for processing</i>
<i>> transactions where the person placing the order isn't physically there</i>
<i>> (i.e., fax, mail, phone, Internet). This economic incentive coupled with</i>
<i>> the increased risk makes it perfectly sensible for those of us taking</i>
<i>> credit cards to require this information.</i>
Yes, and FV is certainly interested in passing address verification
features on to its merchants as well.
<i>> I can't believe a keystroke snooper would necessarily be able to correctly</i>
<i>> parse out address info, even if it captures all keystrokes.</i>
How about keeping the 100 keystrokes before and after a recognized card
number? Seems to me that will get the address, etc. often enough to
steal one heck of a lot of cards.
But that also misses the point, since the thief won't want to send stuff
to the buyer's address. The real use of this attack would either be in
conjunction with well-established card counterfeiting rings, which are
nowadays limited by the number of valid numbers they can obtain, and by
economic vandals/terrorists.
<i>> If someone manages to install a Trojan Horse in my keyboard driver,</i>
<i>> I would be worried about a lot more than credit card numbers being</i>
<i>> stolen! If someone steals my credit card number, my maximum liability</i>
<i>> is $50.</i>
From the perspective of a US credit card consumer, you are right. But
there's a broader perspective. From our FAQ:
Q8. ISN'T THIS ALL IRRELEVANT TO CONSUMERS, WHOSE LIABILITY IS LIMITED
BY LAW TO $50?
A. First of all, this is a very US-centric perspective. While it is
true that consumer liability for credit card fraud is limited to $50 by
US law, consumers in other countries are less protected. Moreover, even
in the United States, debit card users are less protected and carry
considerably more risk, which is important to consider in light of the
increasing popularity of debit cards carrying the same brand name as
major credit cards.
Even for US credit card users, however, this question is very
short-sighted. First of all, having your credit card stolen is no fun
at all, as any victim can attest. It typically involves some major
inconveniences and long conversations with your issuing bank. Moreover,
when such fraud happens, the consumer is protected at the bank's
expense. In the long run, if this happens too often, banks will have no
alternative but to raise their fees substantially. This would certainly
not be in the consumer's interest, which means that it is also not in
the consumer's interest to popularize an Internet commerce mechanism
that facilitates the wide-scale automated theft of credit cards.
<i>> The lesson? Don't give anyone an opportunity to subvert your system</i>
<i>> software! Only install software from trusted sources, use an effective</i>
<i>> anti-virus utility, occasionally reinstall your software from known</i>
<i>> clean media (CD-ROM for example).</i>
This is a VERY good lesson. Unfortunately, I think it is one that the
Internet consumer is moving further from, not closer to. As the average
sophistication level goes down, the likelihood of widescale system
compromise of this sort can only go up.
<i>> I am rather disappointed in Nat's ploy to discredit his competition.</i>
<i>> If someone has access to my system software, what is to keep them from</i>
<i>> writing code which will intercept e-mail messages from First Virtual</i>
<i>> and automatically generate confirmation messages for unauthorized</i>
<i>> purchases by the thief?</i>
As stated above, it's a multi-step process, which makes it harder to get
right in the attack. More important, the heterogeneity of mail systems,
as explained above, makes this process almost impossible to fully
automate, so we'd detect it much sooner than an attack on pure credit
card numbers.
<i>> The primary method of controlling credit card fraud has NEVER centered</i>
<i>> around concealing the card number. It has always been dealt with by</i>
<i>> passing and enforcing laws that deal with people who commit the fraud.</i>
Yes, but fraud detection has long been based almost entirely on pattern
analysis. An attack that yields huge numbers of valid card numbers for
a single criminal IS new, and it allows the criminal to only use each
one a single time, thus drastically complicating his detection and
identification.
<i>> What makes the Internet so different from giving your card number to</i>
<i>> someone over the phone, or to the waitperson or gas station attendant</i>
<i>> making close to minimum wage?</i>
The automated aspect of it. If you could write a robot to monitor many
many gas stations at once, or to listen to many many phone calls at
once, and identify the card numbers from amidst all the other "noise"
with near-perfect accuracy, then it would be very similar. -- Nathaniel
--------
Nathaniel Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq@nsb.fv.com