[cryptography] PKI "fixes" that don't fix PKI (part III)

Steven Bellovin smb at cs.columbia.edu
Sat Sep 10 11:07:38 EDT 2011


> Sorry, that doesn't work. Afaik, there is practically zero evidence of Internet interception of credit cards. 

This makes no sense whatsoever.  Credit card numbers are *universally*
encrypted; of course there's no interception of them.

In 1993, there was interception of passwords on the Internet.  This is
technically difficult, since if you were using telnet -- probably the
most common form of remote login via password then -- every character
would be in a separate packet; additionally, there was little context to
say where the login/password string would start.  By contrast, credit
card numbers sent via http are easy.  A card number is probably in a
single packet, and is a self-checking string: 15 or 16 consecutive
digits (since most web programmers seem to be too lazy to strip out
embedded blanks or dashes, even though that's the easy and natural way
to type a card number), where one of the digits is a check digit on the
others.  If you see such a string, grab the packet; you'll probably find
the expiration date and CVV in it as well.  I don't even have to use the
likely variable names in uploaded forms.

Sure, it's easier to harvest in bulk by hacking a web site, or by
seeding self-propagating malware that logs keystrokes.  But if
eavesdropping works -- and it has in enough other cases -- it would have
been used.  The *only* reason it isn't used against credit card numbers
has been SSL.


		--Steve Bellovin, https://www.cs.columbia.edu/~smb
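
The "self-checking string" property described in the message above is also what data-loss-prevention scanners rely on to flag card numbers that show up in cleartext request bodies or logs. The following Python is an added example, not part of the original post; the function names and the sample form body are constructed for illustration, and the card numbers in it are commonly used test numbers.

```python
import re
from urllib.parse import unquote_plus

# 15 or 16 digits, optionally separated by single blanks or dashes,
# and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ -])\d(?:[ -]?\d){14,15}(?![ -]?\d)")

def luhn_ok(digits: str) -> bool:
    """Return True if the last digit is a valid Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_cleartext_pans(text: str) -> list[str]:
    """Return masked card-number candidates that pass the Luhn check."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Keep only the last four digits so the alert is not itself a leak.
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits

def scan_form_body(body: str) -> list[str]:
    """Decode a URL-encoded form body, then scan it."""
    return find_cleartext_pans(unquote_plus(body))

# Constructed sample: a form body as it would appear if sent without TLS.
# "order" is 16 digits but fails the check digit, so it is not reported.
SAMPLE_BODY = (
    "name=A+Example&card=4111+1111+1111+1111&exp=12%2F30"
    "&order=1234567890123456&alt=3782-822463-10005"
)

if __name__ == "__main__":
    for hit in scan_form_body(SAMPLE_BODY):
        print("cleartext card number:", hit)
```
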







