Despite recent announcements that Internet commerce is "safe," First Virtual Holdings claims that it has found a security flaw in software programs that encrypt credit card numbers and transmit them over the Internet.
The flaw demonstrates the vulnerability of technologies such as Netscape's SSL and companies including MasterCard and Visa, according to First Virtual officials.
Two engineers at the company found the weakness while testing security systems on the Net. They have since produced a program to automate the attack and have demonstrated it to government agencies and Internet security groups.
"A lot of the holes we found are irrelevant to the average user, but what's unique here is the potential for large-scale automation," said Nathaniel Borenstein, chief scientist of First Virtual. "We're talking about software with a potential of finding large amounts of credit card numbers without a trace, and it doesn't require a very good criminal to figure it out," he added.
The program attaches itself to the keyboard driver, monitors all keystrokes, and catches the numbers before they can be encrypted, officials said. The software is programmed to look specifically for credit card numbers.
Borenstein said he expects online commerce to grow and offered some advice to potential users. "I wouldn't be too worried at the consumer level, but if you don't want your credit card number stolen, I wouldn't type it in."