VI. Secure Electronic Commerce as an Industry
C. Examples of Internet Security Breaches in Systems Using Traditional Secret-Key Crypto, Not PKI
Internet security today is largely based upon traditional secret-key systems, where both sender and recipient have shared knowledge of a single key. Examples: the PIN used for logging into a closed system; a credit card number and its expiration date. Most of the publicized examples of Internet security breach tend to involve a firewall breach or inside employee assistance that compromises the server's database of PINs. At the browser (end-user) end, reports of credit card fraud based on a compromised credit card number and expiration date are quite common. Less common, but perhaps on the increase, are reports of Internet commercial damage caused by compromise of the traditional PINs used to authenticate users at time of login.
July 20, 1999 - Paul Wallich, "How to Steal Millions in Chump Change," Scientific American (Aug 1999) pp. 32-33, tells how Kenneth and Teresa Taves milked a credit card cyberscam for $45 million before they were caught, exploiting the security weakness inherent in reliance upon traditional credit cards as an Internet payment scheme where goods are intangible and deliverable by e-mail without needing to know a shipping address. The Taves couple set up a series of companies that processed Visa charges for adult web sites and used the credit card numbers from those transactions, and other numbers generated by a simple computer program, to charge cardholders for bogus goods and services. The scheme long evaded detection because the bogus charges were typically limited to $19.95 per month, an amount small enough to evade Visa's fraud detection algorithms and to be overlooked by many consumers. Moreover: banks typically will reverse disputed charges going back only two months; 2 x $19.95 per month is less than the $50 fraud loss threshold which credit card banks are required to swallow under Regulation Z; most cardholders will not waste much time or money fighting the credit card company over disputes of this size; and many of the disputed bogus charges were for pornography which the cardholders claimed (but could not prove) was NOT received, which engendered skepticism on the part of the credit card bank about their cardholders' claims. The scam was most effective outside the U.S., where banks often do not ask for verification of the billing address or, in some cases, even the expiration date of the card being used. Some web sites selling intangible electronic goods are purposely non-vigilant about possibly fraudulent credit card numbers used to make small charges, because the chance of a chargeback to the merchant is small and the marginal cost of the bits sold almost nil. Someday the inherent risk of trying to authenticate users by shared knowledge of a single secret key (e.g., credit card numbers and expiration dates) will be greatly reduced by authentication schemes based upon cryptographic digital signatures, which do not require the communication of any secret information: if not the currently stalled SET (Secure Electronic Transaction) protocol, then some other scheme whose implementation cost falls below the amount of credit card fraud it avoids. The cost of credit card fraud is initially borne by the bank under Federal Reserve Regulation Z (and debit card fraud under Federal Reserve Regulation E), but of course is ultimately passed back to consumers in the form of higher prices, higher card fees and higher interest charges.
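The Taves charges stayed under a per-charge amount threshold, so the signal a card network or issuer can use instead is a per-merchant one, aggregated across many cardholders: a merchant whose charges are almost all the same small amount, recur month after month for the same cards, and draw an elevated share of disputes. The Go program below is an added example written for this page (it is not from the article and does not describe any card network's actual algorithm): it groups constructed authorization records by merchant and applies such a rule. The type and field names, the thresholds and the sample data are all assumptions; only the $19.95 figure comes from the article.

```go
package main

import (
	"fmt"
	"sort"
)

// Charge is one authorization record as an issuer or card-network analyst
// would see it. The type and its fields are assumptions for this example.
type Charge struct {
	Merchant string
	Card     string  // tokenized card reference, never the raw card number
	Month    string  // billing month, YYYY-MM
	Amount   float64 // dollars
	Disputed bool    // the cardholder later disputed this charge
}

// MerchantProfile summarises one merchant's charge pattern.
type MerchantProfile struct {
	Merchant      string
	Charges       int
	Cards         int     // distinct cards charged
	TopAmount     float64 // the single most common charge amount
	TopAmountRate float64 // share of charges at TopAmount
	RepeatRate    float64 // share of cards charged in more than one month
	DisputeRate   float64 // share of charges disputed
}

// Rule thresholds, constructed for the example; a real deployment would
// tune them against historical data.
const (
	minCharges    = 20   // enough volume to judge a pattern
	smallAmount   = 25.0 // "under the radar" charge size
	minTopShare   = 0.8  // almost every charge is the same amount
	minRepeatRate = 0.5  // the same cards are billed again and again
	minDispute    = 0.05 // disputes well above a normal merchant's
)

// Profile aggregates charges per merchant and returns profiles sorted by name.
func Profile(charges []Charge) []MerchantProfile {
	type acc struct {
		n, disputed int
		amounts     map[float64]int
		cardMonths  map[string]map[string]bool
	}
	byMerchant := map[string]*acc{}
	for _, c := range charges {
		a := byMerchant[c.Merchant]
		if a == nil {
			a = &acc{amounts: map[float64]int{}, cardMonths: map[string]map[string]bool{}}
			byMerchant[c.Merchant] = a
		}
		a.n++
		if c.Disputed {
			a.disputed++
		}
		a.amounts[c.Amount]++
		if a.cardMonths[c.Card] == nil {
			a.cardMonths[c.Card] = map[string]bool{}
		}
		a.cardMonths[c.Card][c.Month] = true
	}
	var out []MerchantProfile
	for m, a := range byMerchant {
		p := MerchantProfile{Merchant: m, Charges: a.n, Cards: len(a.cardMonths)}
		topCount := 0
		for amt, k := range a.amounts { // most common amount, smallest on ties
			if k > topCount || (k == topCount && amt < p.TopAmount) {
				topCount, p.TopAmount = k, amt
			}
		}
		repeat := 0
		for _, months := range a.cardMonths {
			if len(months) > 1 {
				repeat++
			}
		}
		p.TopAmountRate = float64(topCount) / float64(a.n)
		p.RepeatRate = float64(repeat) / float64(p.Cards)
		p.DisputeRate = float64(a.disputed) / float64(a.n)
		out = append(out, p)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Merchant < out[j].Merchant })
	return out
}

// Suspicious applies the rule: many small identical recurring charges with an
// elevated dispute rate. A per-charge amount check alone would never fire here.
func Suspicious(p MerchantProfile) bool {
	return p.Charges >= minCharges && p.TopAmount <= smallAmount &&
		p.TopAmountRate >= minTopShare && p.RepeatRate >= minRepeatRate &&
		p.DisputeRate >= minDispute
}

// SampleCharges is constructed data: one merchant bills 30 cards $19.95 in each
// of three months (a few cardholders dispute the third charge), and a bookshop
// takes one purchase of varying size from each of 30 other cards.
func SampleCharges() []Charge {
	months := []string{"1999-03", "1999-04", "1999-05"}
	var cs []Charge
	for i := 0; i < 30; i++ {
		card := fmt.Sprintf("tok-%03d", i)
		for j, m := range months {
			cs = append(cs, Charge{"ACME BILLING", card, m, 19.95, i%5 == 0 && j == 2})
		}
	}
	for i := 0; i < 30; i++ {
		card := fmt.Sprintf("tok-%03d", 100+i)
		cs = append(cs, Charge{"CORNER BOOKS", card, months[i%3], 12.0 + float64(i%7)*5, false})
	}
	return cs
}

func main() {
	for _, p := range Profile(SampleCharges()) {
		fmt.Printf("%-13s charges=%d cards=%d top=$%.2f (%.0f%%) repeat=%.0f%% disputes=%.1f%% suspicious=%v\n",
			p.Merchant, p.Charges, p.Cards, p.TopAmount, 100*p.TopAmountRate,
			100*p.RepeatRate, 100*p.DisputeRate, Suspicious(p))
	}
}
```

The rule is deliberately simple; its point is that the detection key is the merchant, not the individual charge, because the per-charge amount was chosen precisely to look harmless. The dispute-rate term is the slow signal (disputes arrive weeks later); the repeat-billing and identical-amount terms are available as soon as the second month's batch is processed.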
June 24, 1999 - "Electronic Banking Issues - Internet Security and Financial Privacy," PowerPoint slides (needs Microsoft Internet Explorer browser) for a presentation by Charles Merrill, McCarter & English LLP, at the New Jersey League of Community and Savings Bankers' 1999 Compliance Seminar, Jamesburg, N.J. Uses hypothetical examples from the banking industry to demonstrate how the existing Internet security paradigm (SSL and single-key PINs) handles confidentiality, authentication, data integrity and nonrepudiation, and explains how PKI will strengthen these security mechanisms as the existing paradigm proves inadequate to the task.
June 15, 1999 - "Security in Online Trading - Digital Signatures and Encryption," PowerPoint slides (needs Microsoft Internet Explorer browser) for a presentation by Charles Merrill, McCarter & English LLP, at the American Conference Institute Seminar on Securities Trading on the Internet, New York City, June 15, 1999. Uses hypothetical examples from the online securities business to demonstrate how the existing Internet security paradigm (SSL and single-key PINs) handles confidentiality, authentication, data integrity and nonrepudiation, and explains how PKI will strengthen these security mechanisms as the existing paradigm proves inadequate to the task.
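The contrast that runs through this section and the two slide decks above (a single-key PIN or card number sent over SSL versus a digital signature that communicates no secret) can be shown concretely. The Go program below is an added example for this page, not code from the presentations or from any bank or broker: it models a shared-secret login, where the client sends the secret itself and the server keeps a copy, beside a signature login, where the server keeps only a public key and issues a fresh random challenge that the client signs (Ed25519 from Go's standard library stands in for whatever signature scheme a real PKI would use). It then checks what a party who saw the wire, or who copied the server's table, can do in each scheme. Server types, user name and PIN value are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// PINServer models the traditional scheme: the user presents the secret
// itself (as a card number or PIN travels inside an SSL session) and the
// server compares it with the copy it keeps. Constructed for this example.
type PINServer struct{ pins map[string][]byte }

func (s *PINServer) Login(user string, presented []byte) bool {
	stored, ok := s.pins[user]
	return ok && subtle.ConstantTimeCompare(stored, presented) == 1
}

// SigServer models the digital-signature scheme: the server stores only
// public keys, issues a fresh random challenge per login, and verifies the
// signature over that challenge. Constructed for this example.
type SigServer struct{ keys map[string]ed25519.PublicKey }

func (s *SigServer) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

func (s *SigServer) Login(user string, challenge, sig []byte) bool {
	pk, ok := s.keys[user]
	return ok && ed25519.Verify(pk, challenge, sig)
}

// Outcome records whether each login attempt succeeded in each scheme.
type Outcome struct {
	PINLegit, PINReplay, PINTableCopy bool
	SigLegit, SigReplay, SigTableCopy bool
}

// Compare runs the same three situations against both servers.
func Compare() Outcome {
	var o Outcome
	pin := []byte("4729") // constructed user secret
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pinSrv := &PINServer{pins: map[string][]byte{"alice": pin}}
	sigSrv := &SigServer{keys: map[string]ed25519.PublicKey{"alice": pub}}

	// 1. Legitimate logins. Note what crosses the wire in each case: the
	//    PIN scheme sends the secret; the signature scheme sends a signature
	//    over a one-time challenge, which reveals nothing about the key.
	wirePIN := pin
	o.PINLegit = pinSrv.Login("alice", wirePIN)
	c1 := sigSrv.Challenge()
	wireSig := ed25519.Sign(priv, c1)
	o.SigLegit = sigSrv.Login("alice", c1, wireSig)

	// 2. Someone who observed the wire (a merchant's server, an insider)
	//    presents exactly what was observed. The PIN is reusable as-is; the
	//    captured signature does not match the next challenge.
	o.PINReplay = pinSrv.Login("alice", wirePIN)
	c2 := sigSrv.Challenge()
	o.SigReplay = sigSrv.Login("alice", c2, wireSig)

	// 3. The server's table is copied. The PIN table holds the secrets
	//    themselves. The key table holds public keys, which cannot produce
	//    a signature, so the only option is a blind guess of the right size.
	o.PINTableCopy = pinSrv.Login("alice", pinSrv.pins["alice"])
	guess := make([]byte, ed25519.SignatureSize)
	if _, err := rand.Read(guess); err != nil {
		panic(err)
	}
	c3 := sigSrv.Challenge()
	o.SigTableCopy = sigSrv.Login("alice", c3, guess)
	return o
}

func main() { fmt.Printf("%+v\n", Compare()) }
```

Hashing the stored PINs would blunt situation 3 for the shared-secret server but not situation 2, and a four-digit PIN is guessable from its hash anyway; the structural difference the slides describe is that in the signature scheme no secret is ever transmitted or stored anywhere but with its owner, which is also what makes a signed transaction hard to repudiate.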
April 28, 1999 - "Teen bids away $3.2 million of parents' money - S. Jersey boy finds eBay account password." The Newark NJ Star-Ledger reported (relaying a report in the Ontario National Post) that a 13-year-old boy used his parents' auction account (presumably protected by a single-key PIN or passphrase) with eBay to successfully bid on a $1.2 million medical center in Jacksonville, Fla., a Van Gogh sketch, a 1971 Corvette convertible, and a $400,000 bedroom suite that once belonged to Sir John A. Macdonald, Canada's first prime minister. When the problem was discovered, the account was suspended and the bids subsequently canceled. The article didn't state whether the sellers of these items were able to close sales at or near the bidding level of the other bidders. If not, the repudiated bids caused the innocent sellers some serious damage. The really interesting additional question is whether the parents were telling the truth when they claimed that the bids made with their password were unauthorized. If authentication of eBay bidders were by PKI instead of a PIN, what would be the result of a suit by the damaged sellers against the parents? What additional facts would you want to know?
June 6, 1998 - National Public Radio news clip about spoofing of the e-mail of the MIT dean to broadcast a message about proper female attire at a speech by President Clinton. Courtesy of Tom Melling, Perkins Coie in Seattle.
Spring 1998 - Cavalli, Alexander <TradeWave, CyberGuard Corp>, and Winn, Jane K. <Southern Methodist Univ School of Law>, "Internet Security in the Electric Utility Industry," 38 Jurimetrics 459 (ABA Section of Science & Technology, Spring 1998).