February 7, 1996
SAN DIEGO -- First Virtual Holdings, Inc. (http://www.fv.com), has successfully demonstrated an automated program that reveals a major flaw in the security of software-based credit card encryption schemes for Internet commerce by capturing credit card numbers and other sensitive information at the keyboard, before it can be encrypted.
Lee Stein, president and chief executive of First Virtual, which introduced the world's first fully operational Internet payment system in October 1994, said the program demonstrates the vulnerability of programs from Netscape, CyberCash, Microsoft, credit card companies and others seeking to provide secure credit card transactions on the Internet.
"In looking at reportedly secure electronic commerce systems, we found major holes," Stein said. "First Virtual specifically tested the program using two of the most widely publicized mechanisms for commerce: Netscape and CyberCash. Both prove vulnerable to a pre-encryption attack."
First Virtual scientists identified the pre-encryption flaw during their ongoing testing of security systems on the Internet. They created a research program to automate the attack, then began demonstrating it to government agencies and Internet security groups.
The automated program combines some well-known attacks in a new way to specifically target and capture credit card numbers as they are typed on the keyboard. Sensitive information -- credit card numbers or passwords -- can be intercepted before it ever gets encrypted. The process can be automated, which creates the potential for widespread attacks.
Existence of the program and the flaw it attacks were revealed publicly on Monday, January 29, in a news story in the San Jose Mercury News. First Virtual posted background information on its World Wide Web site (http://www.fv.com) and began alerting credit card companies and banks about the flaw by facsimile and e-mail.
"We felt it was important to raise the issue because of what we believe is a false sense of security sometimes surrounding credit card encryption," said Stein. "We have a strong vested interest in seeing Internet commerce succeed. What would happen if Internet commerce comes into common use on the basis of mechanisms that are fundamentally flawed?"
Announcement of the program and identification of the flaw in the system generated a rapid and heated response from the Internet, cryptography, computing and banking industries. First Virtual received more than 1,000 direct responses from all over the world within the first 96 hours after the news appeared publicly, some from major Internet companies.
For example, Jeff Weinstein of Netscape Communications acknowledged to one news group the limitations of using his company's SSL technology for credit card encryption: "I want it to be clear what our product can and can not do. For example, SSL can only protect data in transit between two machines. If either machine is compromised then the data can be stolen at that end. Our product does not attempt to secure the user's machine, and can not operate securely on an insecure machine."
Visa and MasterCard announced on Wednesday that they are teaming up to devise a technical standard that will make credit card purchases over the Internet safe from cyber-thieves. But the announcement didn't deal with the pre-encryption issues raised by FV.
"First Virtual hopes knowledge of this attack will lead Visa and MasterCard to carefully study the weakness of credit card encryption and seek solutions," Stein said. "There is a high level of concern by everyone involved in electronic commerce that something needs to be done. This was reinforced within the first week after the existence of the program became public knowledge. Scientists from throughout the Internet community responded with more than 50 proposed solutions. None can be demonstrated or easily implemented at this time. But the research momentum is now moving in the right direction."
Nathaniel Borenstein, Ph.D., chief scientist, said the First Virtual research program attacks four major vulnerabilities in most current systems: consumer machines are highly vulnerable to viruses and Trojan Horse programs; operating systems can be circumvented by keystroke sniffers; credit card numbers are easily recognized and captured because of the short data stream and regular data format; and these small amounts of data can be easily transmitted over the Internet without a trace.
"The First Virtual program exposes these four vulnerabilities to a fully-automated attack that could allow a single criminal to steal an unlimited number of credit card numbers," said Borenstein. "This creates problems for consumers, the credit card companies and especially the banks, which would ultimately bear the greatest liabilities."
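The third vulnerability Borenstein lists, that card numbers are easy to recognize because of their short, regular format, is also what lets a defender spot them. The following added example (not First Virtual's code) shows the recognizer a DLP or egress filter would use to flag card-number-shaped data in an outbound stream: a digit-run pattern plus the Luhn check digit test; the sample stream is constructed and contains no real card data.

```python
"""Added example: detecting card-number-shaped data in a text stream."""
import re
from typing import List

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod-10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(stream: str) -> List[str]:
    """Return normalized digit strings in `stream` that look like card numbers.

    The fixed length and checksum are what make this cheap: a regex plus Luhn
    separates card numbers from phone numbers, order ids and amounts."""
    hits = []
    for m in CANDIDATE.finditer(stream):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(number: str) -> str:
    """Keep only the last four digits so the detection log does not leak the number."""
    return "*" * (len(number) - 4) + number[-4:]


# Constructed sample stream (no real card data): a Luhn-valid 16-digit number
# split by spaces, a near-identical one that fails Luhn, a 12-digit id, and a
# 15-digit Luhn-valid number, mixed with ordinary text.
SAMPLE_STREAM = (
    "order 4539 1488 0343 6467 shipping to 12345 "
    "phone 4539148803436468 ref 1234-5678-9012 "
    "card 378282246310005 total 149.99"
)

if __name__ == "__main__":
    for hit in find_card_numbers(SAMPLE_STREAM):
        print("card-number-shaped data found:", mask(hit))
```

Run on the sample stream, only the two Luhn-valid runs are reported; the near-identical number that fails the checksum and the 12-digit reference are ignored.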
Initial reactions to the announcement were often vitriolic, questioning First Virtual's possible motives and the manner of its announcement. After several days of flaming, the on-line debates began focusing more on the issues. There was general agreement that an automated sniffer attack posed a threat to certain forms of electronic commerce. There were huge disagreements on the severity of the threat and who would suffer. Messages, both pro and con, have been posted on the First Virtual web site.
"Security experts in the banking industry began verifying that keyboard sniffer and video sniffer attacks are primarily a threat to banks," Stein said. "They pointed out that variations of the attacks could also work on home banking products or any other financial product where sensitive information is typed onto a keyboard. Having been alerted to the vulnerabilities, leaders in the banking industry quickly started calling for cooperation in the development of solutions by everyone who is interested in seeing electronic commerce and electronic banking succeed."
Kawika Daguio, federal representative for the American Bankers Association, Washington, D.C., said the threat is not only to credit cards.
"It (the threat) reflects the fundamental insecurity of the computers that our customers are using to do electronic commerce and electronic banking," Daguio said. "It's a huge problem for the banking industry. It will be a problem for everyone else in the future. If electronic commerce and electronic banking don't work for the banks, it's not going to happen. Many people have known this type of attack was possible. Now, it's time to deal with it."
CyberCash, Inc., however, claimed it wasn't vulnerable to the attack. Magdalena Yesil, vice president, was quoted in the American Banker as saying the company's payment system has a "very strong checksum capability that will be aware of any interaction prior to the keystrokes hitting our software."
Borenstein, chief scientist, said the pre-encryption program intercepts the keystrokes before they get to the so-called secure software that encrypts them. A demonstration showed CyberCash was vulnerable to an automated pre-encryption attack and the checksum capability provided no protection against attacks of this kind.
"As a result of our research, we now believe that the so-called 'secure browsers' and other payment systems are vulnerable to attack," he said. "It is simply not safe to send a credit card number over the Internet at this time. Encryption by itself isn't the solution to secure electronic commerce. Until end-to-end solutions are created, the potential exists for massive credit card fraud, damage to the banking industry and loss of consumer confidence in the future of global electronic commerce."
The on-line debate has been generally concerned, enlightened and intelligent.
"First Virtual is very gratified with the many responsible and reasonable arguments, comments and technical insights it has received in the past few days from major corporations, banks and universities," Stein said. "It indicates that we can work together to ensure that Internet commerce is based on genuinely safe mechanisms."
First Virtual Holdings introduced the world's first Internet payment system in October 1994 to enable anyone with e-mail and access to the Internet to conduct transactions on-line without encryption, special software or equipment after registering for their unique FV Virtual PIN. Purchases are made on-line with the Virtual PIN. The First Virtual system confirms each transaction and initiates settlement off-line through a high-speed, secure link to processing agents, banks and credit cards. Credit card information never goes over the Internet. Information on FV and its payment systems and services is available over the Internet through both firstname.lastname@example.org and the World Wide Web, http://www.fv.com. Technical details on the flaw can be found at http://www.fv.com/ccdanger.