[49501] in Cypherpunks
Re: FV's blatant double standards
daemon@ATHENA.MIT.EDU (NSB's Portable (via RadioMail))
Thu Feb 8 09:04:38 1996
Date: Thu, 8 Feb 1996 06:03:41 -0800
To: John Pettitt <jpp@software.net>,
simsong@vineyard.net (Simson L. Garfinkel),
rishab@dxm.org (Rishab Aiyer Ghosh), cypherpunks@toad.com,
nit@chron.com
From: "NSB's Portable (via RadioMail)" <nsb@radiomail.net>
Reply-To: Nathaniel Borenstein <nsb@nsb.fv.com> (via RadioMail)
Once again, you're getting closer, but your approach misfires on machines
used by multiple users -- cybercafes, university computing labs, etc. --
because your algorithm really only verifies that SOMEONE sent a VirtualPIN
from this machine and SOMEONE receives mail back from FV on this machine.
This will probably cause us to catch a large-scale attack relatively fast.
And the absolute maximum time to detection is one billing cycle, because
all the fraud will be visibly FV-linked. In contrast, in the credit card
attack we outlined, the card numbers are stolen cleanly, with no link back
to the attack program. If it's built right, the only sign it has happened
will be an increase in the overall rate of credit card fraud, with nothing
to point back at the Internet at all.