[906] in cryptography@c2.net mail archive


RE: FBI: Hacker sold 100,000 credit card numbers

daemon@ATHENA.MIT.EDU (A. Padgett Peterson P.E. Informati)
Tue May 27 12:46:17 1997

Date: Sat, 24 May 1997 12:55:12 -0400 (EDT)
From: "A. Padgett Peterson P.E. Information Security" <PADGETT@hobbes.orl.mmc.com>
To: smith@securecomputing.com
CC: cryptography@c2.net


>2) In this particular case the perpetrator applied Rule #1 of
>Cryptanalysis: he sought out the plaintext and stole it before it was
>encrypted. The feeble "C2" security of COTS computing systems remains a
>huge weakness in e-commerce systems.

Just a minor quibble - from the wording of the article, I suspect the
capture took place on the other end and *after* the info was decrypted
(between the commerce server and the individual merchants). Still, capture
of 100,000 cc numbers is a significant number for any ISP to be handling over
a short period.

However, it is my understanding that SET is designed to eliminate cleartext
credit card number transmission at any point including internally at most
merchants. This is certainly possible and would change the Internet security
posture from less than a telephone/voice transaction to considerably greater
than that.

						Warmly,
							Padgett
