I think First Virtual is overstating their case here. It is true that mail
is the most widespread and thus most heterogeneous application. However,
in the population of users that First Virtual claims can be targeted by
the attack they outline: essentially Mac and PC users with WWW access
via a live net connection, it is uniform enough to attack. On each
platform, all TCP connections go thru one API: Mac/TCP or Winsock.
Internet e-mail is sent out to port 25 on the remote server, and the
SMTP protocol has no security features in its generally used form.
The skills to write a virus/trojan horse that intercepts keystrokes
or that snoops on any other API are much the same. I don't see any
reason why one could not write software to send copies of all outbound
mail to a second destination just as well as one could trap and
send keystrokes.
(It doesn't take a genius to do this stuff, but the majority of people
who can do it from scratch have better things to do.)
Now, there are many e-mail environments where this wouldn't work. But
in those cases the keyboard sniffer would face similar problems in
performing and reporting its evil deeds.
First Virtual's strongest claim to security at this point seems to
be that they give the purchaser an opportunity to repudiate the
transaction via e-mail.
It occurs to me that a more clever trojan could "lose" incoming
messages from First Virtual after doing a forged transaction.
This attack could work against a POP/SMTP mailer like Eudora
or various other popular software. It's a lot more complicated,
but it is rather like the steps up of complexity that we've seen
develop over time in PC viruses.
First Virtual asks why people don't spend more time advertising
"known" attacks. There is no such thing as absolute security: at
any point in the past half-dozen years, the "white hats" have been
busy keeping up to or ahead of the "black hats". We have to spend
our efforts on the most plausible attacks.
I'd also point out that existing anti-virus technology can detect
dozens or hundreds of PC viruses in action. Scanning for a few more
trojan horses is feasible. It's a lot more tricky to remove the
risks of packet sniffing on the net, because more systems are involved.