[cryptography] PKI "fixes" that don't fix PKI (part III)
smb at cs.columbia.edu
Sat Sep 10 11:07:38 EDT 2011
> Sorry, that doesn't work. Afaik, there is practically zero evidence of Internet interception of credit cards.

This makes no sense whatsoever. Credit card numbers are *universally*
encrypted; of course there's no interception of them.

In 1993, there was interception of passwords on the Internet. This is
technically difficult, since if you were using telnet -- probably the
most common form of remote login via password then -- every character
would be in a separate packet; additionally, there was little context to
say where the login/password string would start. By contrast, credit
card numbers sent via http are easy. A card number is probably in a
single packet, and is a self-checking string: 15 or 16 consecutive
digits (since most web programmers seem to be too lazy to strip out
embedded blanks or dashes, even though that's the easy and natural way
to type a card number), where one of the digits is a check digit on the
others. If you see such a string, grab the packet; you'll probably find
the expiration date and CVV in it as well. I don't even have to use the
likely variable names in uploaded forms.

Sure, it's easier to harvest in bulk by hacking a web site, or by
seeding self-propagating malware that logs keystrokes. But if
eavesdropping works -- and it has in enough other cases -- it would have
been used. The *only* reason it isn't used against credit card numbers
has been SSL.

--Steve Bellovin, https://www.cs.columbia.edu/~smb
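
An added example, not part of the original message: the "self-checking string" property described above is also what lets a defender find card numbers that have leaked into application logs or other cleartext and mask them. The function names, the separator handling (broader than the run of consecutive digits the message describes) and the sample lines are constructed for illustration.

```python
import re

# 15 or 16 digits, optionally separated by single blanks or dashes, and not
# part of a longer digit run on either side.
CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ -])\d(?:[ -]?\d){14,15}(?![ -]?\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the last digit is a valid Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str):
    """Mask Luhn-valid card-number candidates; return (clean_text, hit_count)."""
    hits = 0

    def mask(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_ok(digits):
            return match.group()   # e.g. an order id that only looks like a card
        hits += 1
        return "[PAN " + "*" * (len(digits) - 4) + digits[-4:] + "]"

    return CANDIDATE.sub(mask, text), hits


# Constructed sample lines using publicly documented test card numbers.
SAMPLE = [
    "POST /checkout card=4111111111111111&exp=12/30",
    "POST /checkout card=3782-822463-10005",
    "order_id=1234567890123456 status=ok",
]

if __name__ == "__main__":
    for line in SAMPLE:
        clean, n = redact_pans(line)
        print(n, clean)
```

The check digit keeps false positives low: the 16-digit order id in the third line fails the Luhn test and is left untouched.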