PROGRAM SHOWS EASE OF STEALING CREDIT INFO

By SIMSON L. GARFINKEL
Special to the Mercury News

First Virtual Holdings has developed a rogue computer program that steals credit card numbers from unsuspecting users as they type them.

The program demonstrates that using personal computers to send sensitive financial information over the Internet, even with encryption, may be flawed, because there is no way to control what else is running on the computer that performs the encryption.

The program, which currently has no name, was not designed to perpetrate credit fraud. Instead, it was developed to prove that encryption alone is not the solution to guaranteeing financial security in the age of networked computers.

''We wrote it because of our concern that everyone was ignoring what we consider a very obvious flaw in the encryption of credit cards,'' said Lee Stein, First Virtual's president and chairman. ''We wanted to prove that software encryption of credit cards is great from point to point, but (today's software systems) can't start at the end points because they can't start on the keyboard.''

STRIKE AGAINST NETSCAPE

First Virtual's program is also a direct challenge to the security promised by Netscape Communications Corp.'s popular Netscape Navigator, a program for browsing the World Wide Web. Netscape's products use sophisticated encryption to protect credit card numbers sent over the Internet. But First Virtual's program makes the case that merely encrypting information before it travels over a computer network isn't enough to ensure the information is kept secret: the number can be captured before the encryption ever runs.

The First Virtual program poses as a screen saver. It constantly monitors the keyboard, waiting for the user to type a complete credit card number. When such a number is typed, the program activates, playing sinister music and displaying a window that shows the credit card number and an icon for the brand of card that was just typed.
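The recognition step the article describes, watching the digits as they are typed, waiting for a complete card number and identifying the brand, as an added example written for this page. It is not First Virtual's program and does not hook the keyboard or send anything anywhere: it runs over a constructed string of keystrokes, uses the Luhn check digit, and assumes the common issuer prefixes and lengths of the period (the article names no specific rules). Spaces and hyphens are tolerated as grouping separators, any other key ends the digit run, and a number is reported once and then forgotten so it is not re-reported as further digits arrive.

```python
"""Recognizing a credit card number in a keystroke stream.

Constructed example for this article; it is not First Virtual's program.
Only the recognition step is reproduced: there is no keyboard hook and
nothing is transmitted.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the common issuer prefixes and lengths of the mid-1990s.
BRANDS = (
    ("Visa", ("4",), (13, 16)),
    ("MasterCard", ("51", "52", "53", "54", "55"), (16,)),
    ("American Express", ("34", "37"), (15,)),
    ("Discover", ("6011",), (16,)),
)
CANDIDATE_LENGTHS = sorted({n for _, _, lengths in BRANDS for n in lengths})


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum the digits, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Issuer brand if the length and leading digits match a known range, else None."""
    for name, prefixes, lengths in BRANDS:
        if len(digits) in lengths and digits.startswith(prefixes):
            return name
    return None


@dataclass
class Hit:
    number: str     # digits only, separators stripped
    brand: str
    end_index: int  # offset in the stream of the final digit


def scan_keystrokes(stream: str) -> List[Hit]:
    """Feed keystrokes one at a time and return every card-like number seen."""
    buf = ""
    hits: List[Hit] = []
    for idx, ch in enumerate(stream):
        if ch.isdigit():
            buf = (buf + ch)[-max(CANDIDATE_LENGTHS):]  # keep only the most recent digits
        elif ch in " -":
            continue                                    # grouping separators are tolerated
        else:
            buf = ""                                    # any other key ends the digit run
            continue
        # Test the trailing digits at each plausible length, longest first, so a
        # card number embedded in a longer run of digits is still recognized.
        # A 13-digit Visa cannot be told apart from the first 13 digits of a
        # 16-digit one until more is typed; that ambiguity is inherent.
        for n in reversed(CANDIDATE_LENGTHS):
            if len(buf) < n:
                continue
            cand = buf[-n:]
            brand = brand_of(cand)
            if brand and luhn_ok(cand):
                hits.append(Hit(cand, brand, idx))
                buf = ""  # report once; do not re-report as further digits arrive
                break
    return hits


# Constructed keystroke capture: one valid test number per brand mixed with a
# phone number and a number whose last digit fails the Luhn check.
SAMPLE_STREAM = (
    "Name: Alice\n"
    "Card: 4111 1111 1111 1111\n"
    "Phone: 408-555-1234\n"
    "Amex: 378282246310005 exp 12/99\n"
    "MC: 5555-5555-5555-4444\n"
    "Typo: 4111111111111112\n"
)

if __name__ == "__main__":
    for hit in scan_keystrokes(SAMPLE_STREAM):
        print(f"{hit.brand:16s} {hit.number} (ends at keystroke {hit.end_index})")
```

Run it and the three valid numbers are reported with their brands; the phone number is too short for any range and the last line fails the Luhn check, so neither appears.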
''There is no reason why one could not write a program to monitor keystrokes, look for numbers which look like credit card numbers, and send them out over the Internet to some party unknown to the person (entering) the credit card number,'' said Matt Bishop, a professor of computer security at the University of California, Davis.

PROGRAM SHOWCASED

First Virtual has demonstrated its program for the U.S. Treasury, the National Institute of Standards and Technology, the National Security Agency, and the White House.

''One of the things we've heard from people inside the government were comments along the line, 'We thought that only NSA knew how to do this,' '' said Nathaniel Borenstein, First Virtual's chief scientist.

Borenstein said the First Virtual program differs from an actual program that would be used to attack consumers in four important ways. ''One, it doesn't install itself automatically,'' he said. ''Two, it doesn't run in secret. Three, when it finds things, it doesn't steal them -- that is, send them out over the Internet.'' Finally, said Borenstein, ''it is easy to uninstall.''

But if an attacker were truly interested in capturing large numbers of credit cards, such a rogue program could be hidden in a popular piece of shareware and distributed on the Internet. The program could lie dormant on people's computers for weeks or months. And the stolen numbers could be transmitted widely across the Internet, further helping the attacker escape detection.

SOME SECURITY MEASURES

Currently, banks have developed sophisticated systems for detecting many fraudulent charges on a single credit card, but they generally are unable to detect and stop a single fraudulent charge on each of a large number of credit cards.

''If this little goody were installed on lots of machines, there would be the potential to (obtain) lots of credit cards,'' said Bishop. ''Presumably the (banks) would reverse charges on lots of fraudulent transactions, but it would still be a very serious problem.''

Others familiar with the banking industry agree.

''I have seen it, and I've seen things like it before,'' said Kawika Daguio, federal representative for operations, retail banking and risk management for the American Bankers Association. ''It is a classic attack.

''The safest way to buy things over the Net is still to make the payments out of band,'' Daguio said. ''You can call up someone and give them your credit card number over the phone or mail them a payment. That is the most secure way of doing it today.''

As for the program's name, First Virtual is having a contest, with a prize of $1,000 for the person who suggests the best one. Some names that have been submitted include ''card shark,'' ''predetator,'' ''pick-pocket'' and ''cyber-crash.'' Anyone interested in submitting names to the contest can e-mail nameit@fv.com.

-- Simson L. Garfinkel

MERCURY CENTER ID: me07742f
Transmitted: 96-01-29 05:00:48 EST