Just when bankers may be thinking it is safe to go on-line, First Virtual Holdings Inc. says it has evidence of a significant threat to the security of electronic payments over the Internet.
But some in the industry said First Virtual's publicizing of the flaw, which the company claims to have uncovered, is a self-serving attempt to win support for its own security strategy.
Officials of San Diego-based First Virtual - which makes one of several competing systems for clearing Internet payments - went on a national press tour to demonstrate so-called "sniffer" software that can intercept credit card numbers as they are typed on a keyboard.
Disguised as a screen saver or some other sort of seemingly innocuous application, the software can be downloaded into a computer's operating system. There it can pick out credit card numbers and other financial data they are transmitted from the keyboard to the computer itself, and send the information back on-line for criminal purposes.
Because the program is not a computer virus, it operates with great stealth and is unaffected by antivirus techniques, according to First Virtual engineers. They see it as evidence that their formula for electronic payments - relying on secure electronic mail connections away from the Internet - is superior to those that rely on data encryption.
However, not everyone believes that what First Virtual demonstrated poses a significant security threat to Internet transactions.
Officials at Cybercash Inc. said sniffer programs are nothing new, and Cybercash's payment system is designed to detect them.
"We have a very strong check-sum capability that will be aware of any interaction prior to the keystrokes hitting our software," said Magdalena Yesil, vice president of Reston, Va.-based Cybercash.
When necessary, Cybercash's system alerts the network server, which in turn can signal those involved in the transaction.
"I want to say to the banking community that Cybercash is aware of this and has been aware for a long time," Ms. Yesil added.
Regardless of the validity of its claim, First Virtual has brought the on-line security issue to the fore for at least one major trade group, and possibly for regulatory officials.
"People have always known that this specific kind of attack was possible," said Kawika Daguio, a federal representative for the American Bankers Association. "But no one thought that third parties would build software packages that would make it as easy as it apparently is."
The number-snatching program could allow hackers to surreptitiously collect dozens, even hundreds, of credit card account numbers. The First Virtual demo was designed specifically to root out the strings of digits that would signify a credit card or other financial account number (a 14- to 16-digit number preceded by certain letters).
According to Lee Stein, the founder and chief executive for First Virtual, this would make a "widespread totally automated attack possible."
If the fraud actually occurred, existing laws suggest that banks would bear the brunt of the liability, Mr. Daguio said. The companies that create the new-wave payment systems and the consumers who choose to use them would be largely insulated.
Federal Reserve regulations E and Z "cause us to be in a difficult position," Mr. Daguio said. "We don't control how customers use bank cards."
"Banks, or the FDIC, have the biggest pockets, and they're going to get hit," said David J. Farber, a professor of computer science at the University of Pennsylvania and holder of a small equity interest in First Virtual.
