Credit Cards on the Net: MasterCard, VISA Agree; First Virtual Attacks

[13 February 1996] Healing an earlier split, MasterCard and Visa announced on February 1 that they have agreed on a technical standard to allow secure credit card purchases over the Internet. The specifications for the standard, called Secure Electronic Transactions (SET), are to be released in mid-February on the Visa and MasterCard web sites. Services based on the specification are planned to be available in late 1996. Participants in the effort with MasterCard and Visa are: GTE, IBM, Microsoft, Netscape Communications Corp., SAIC, Terisa Systems and Verisign. SET will be based on specially developed encryption technology from RSA Data Security.

As of 13 February, the specifications were not in evidence at either site. In fact, the Visa site still included a press release from June 1995 announcing that Visa and MasterCard were to cooperatively develop specifications that would be released in September 1995 leading to service in early 1996.

Perhaps anticipating the 1 February announcement, First Virtual Holdings (FVH) announced in late January that it had developed a computer program that could capture credit card numbers from unsuspecting computer users prior to any software encryption and transmit them surreptitiously to a third party via the Internet. FVH [home page] supports Internet electronic commerce through a scheme that avoids cryptography, transmitting a customer's credit card information via a separate telephone call. According to information released by First Virtual, the program is designed to monitor user's keystrokes, recognize sequences that appear to be credit card numbers (based on their known structure and redundancy), and transmit the numbers tracelessly across the Internet. It could be distributed as a virus or Trojan horse. Although FVH acknowledged that the elements of this attack are well known, it claimed that the synthesis of the elements was new.

Although this attack may not seem particularly innovative to Cipher readers, the announcement naturally evoked a flood of e-mail responses from people interested in cryptography generally and from those with competing commercial interests. Cipher readers interested in details from FVH's point of view should visit their web page: Olin Sibert provides a thoughtful commentary in the Risks forum, Vol. 17, Issue 69 (Feb. 7),(see URL: which seems not to have found its way into the compendium of e-mail responses available at FVH's site.