Interesting People mailing list archives

IP: Program shows ease of stealing credit information


From: Dave Farber <farber () central cis upenn edu>
Date: Mon, 29 Jan 1996 11:05:53 -0500

This is part 1 of two items on this subject. I will be happy to distribute
other opinions.


Dave


Program shows ease of stealing credit information


Published: Jan. 29, 1996


BY SIMSON L. GARFINKEL
Special to the Mercury News


First Virtual Holdings has developed a rogue computer program that steals
credit card numbers from unsuspecting users.


The program demonstrates that using personal computers to send sensitive
financial information over the Internet with encryption
may be flawed because there is no way to control the computer running the
encryption program.


The program, which currently has no name, was not designed to perpetrate
credit fraud. Instead, it was developed to prove that
encryption alone is not the solution to guaranteeing financial security in
the age of networked computers.


''We wrote it because of our concern that everyone was ignoring what we
consider a very obvious flaw in the encryption of
credit cards,'' said Lee Stein, First Virtual's president and chairman.
''We wanted to prove that software encryption of credit
cards is great from point to point, but (today's software systems) can't
start at the end points because they can't start on the
keyboard.''


Strike against Netscape


First Virtual's program is also a direct attack against the security
promised by Netscape Communications Corp.'s popular
Netscape Navigator, a program for browsing the World Wide Web. Netscape's
products use sophisticated encryption to protect
credit card numbers sent over the Internet.


But First Virtual's program is meant to show that merely encrypting information
before it travels over a computer network isn't enough to
ensure the information is kept secret.


The First Virtual program poses as a screen saver. It constantly monitors
the keyboard, waiting for the user to type a complete
credit card number. When such a number is typed, the program activates,
playing sinister music and displaying a window
showing the credit card number and an icon for the kind of credit card that
is currently being used.


''There is no reason why one could not write a program to monitor
keystrokes, look for numbers which look like credit card
numbers, and send them out over the Internet to some party unknown to the
person (entering) the credit card number,'' said Matt
Bishop, a professor of computer security at the University of California, Davis.
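The recognition step Bishop describes, a test for "numbers which look like credit card numbers", is the same logic a defender's data-loss-prevention filter runs over outbound mail or logs to catch card numbers before they leave a host. The following is an added example written for this page, not First Virtual's program; the issuer table is a simplified one constructed here, and the sample text is constructed.

```python
import re
from typing import List, Optional, Tuple

# Simplified issuer table constructed for this example: (issuer, leading prefixes, valid lengths).
ISSUERS = [
    ("American Express", ("34", "37"), (15,)),
    ("Mastercard", ("51", "52", "53", "54", "55"), (16,)),
    ("Visa", ("4",), (13, 16, 19)),
    ("Discover", ("6011", "65"), (16,)),
]
# 13 to 19 digits, optionally split by single spaces or dashes, not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: what separates a card number from any other 16-digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding 10..18 to 1..9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def identify_issuer(digits: str) -> Optional[str]:
    for name, prefixes, lengths in ISSUERS:
        if len(digits) in lengths and digits.startswith(prefixes):
            return name
    return None

def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]  # the alert itself must not leak the full number

def find_card_numbers(text: str) -> List[Tuple[str, str]]:
    """Return (masked number, issuer) for every Luhn-valid, issuer-recognised number in text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            continue  # serials, phone numbers and timestamps fall out here
        issuer = identify_issuer(digits)
        if issuer is not None:
            hits.append((mask(digits), issuer))
    return hits

# Constructed sample of outbound text, as a mail gateway or log monitor might see it.
SAMPLE = (
    "order form: card 4111 1111 1111 1111 exp 12/99; callback 415-555-0123\n"
    "support: customer read out 378282246310005; serial 1234567890123456 shipped\n"
)
```

Running `find_card_numbers(SAMPLE)` flags the Visa and American Express numbers and ignores the serial number and phone number, which fail the Luhn check or the length test.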


Program showcased


First Virtual has demonstrated its program for the U.S. Treasury, the
National Institute of Standards and Technology, the
National Security Agency, and the White House.


''One of the things we've heard from people inside the government were
comments along the line, 'We thought that only NSA
knew how to do this,' '' said Nathaniel Borenstein, First Virtual's chief
scientist.


Borenstein said the First Virtual program differs from an actual program
that would be used to attack consumers in four
important ways.


''One, it doesn't install itself automatically,'' he said. ''Two, it
doesn't run in secret. Three, when it finds things, it doesn't steal
them -- that is, send them out over the Internet.''


Finally, said Borenstein, ''it is easy to uninstall.''


But if an attacker were truly interested in capturing large numbers of
credit cards, such a rogue program could be hidden in a
popular piece of shareware and distributed on the Internet. The program
could lie dormant on people's computers for weeks or
months. And the credit card numbers could be transmitted widely on the
Internet, further allowing the attacker to escape
detection.


Some security measures


Currently, banks have developed sophisticated systems for detecting a large
amount of fraud on a single credit card, but
generally are unable to detect and stop single instances of fraud on a
large number of credit cards.


''If this little goody were installed on lots of machines, there would be
the potential to (obtain) lots of credit cards,'' said Bishop.
''Presumably the (banks) would reverse charges on lots of fraudulent
transactions, but it would still be a very serious problem.''


Others familiar with the banking industry agree.


''I have seen it, and I've seen things like it before,'' said Kawika
Daguio, federal representative for operations, retail banking
and risk management for the American Bankers Association. ''It is a classic
attack.


''The safest way to buy things over the Net is still to make the payments
out of hand,'' Daguio said. ''You can call up someone
and give them your credit card number over the phone or mail them a
payment. That is the most secure way of doing it today.''


As for the program's name, First Virtual is having a contest, with a prize
of $1,000 for the person who suggests the best one.
Some names that have been submitted include ''card shark,'' ''predetator,''
''pick-pocket'' and ''cyber-crash.''


Anyone interested in submitting names to the contest can send e-mail.

