John Denker wrote: [identity theft v. phishing?]
That's true but unhelpful. In a typical dictionary you will find that words such as
Identity theft is a fairly well established definition / crime. Last I heard it was the number one complaint at the US FTC.
Leaving that aside, the reason that phishing is lumped in there is that it is *like* id theft, rather than being id theft. Just like as many have pointed out that phishing is *like* spam, and now we are dealing with the fact that it is not spam.
...
>But I don't approve of the rest of his paragraph:
>>> So the reality of it is, the predeliction with >>> identity being the root key to all power is the >>> way society is heading. I don't like it, but >>> I'm not in a position to stop the world turning.
First of all, not everything is heading the wrong way. The Apache server has for eons had privilege separation features. The openssh daemon acquired such features recently. As far as I can see, the trend (in the open software world at least) is in the right direction.
You are quoting a couple of "obscure Internet systems" as evidence that society isn't moving in the direction I indicated?
Yet, every day the papers are filled with the progress the government is making on moving to an identity-based system of control and commerce.
National drivers licences, foreigners being hit with biometrics, etc etc. Next time I cross the borders, I probably have to be fingerprinted.
How many banks are introducing these obscure features? How many know what a capability is? How to do a transactional security system, rather than an identity system?
My claim seems unweakened as yet...
I don't know whether to laugh or cry when I think about how
phishing works, e.g.
http://www.esmartcorp.com/Hacker%20Articles/ar_Watch%20a%20hacker%20work%20the%20system.htm
The so-called "ID" is doing all sorts of things it shouldn't and not doing the things it should. The attacker has to prove he knows my home address, but does not have to prove he is physically at that address (or any other physical place) ... so he doesn't risk arrest.
Curious - now that's a different phishing, but I suppose it is close enough. Need to think about that one, I wouldn't call it phishing, just yet. I'd call it invoice fraud, at first blush.
What I'd call phishing is this - mass mailings to people about their bank accounts, collection of the data, and then using the account details to wire money out.
I guess we need some phishing experts to tell us the real full definition.
Earlier Ian G. wrote:
>>> the security experts have shot their wad.
It doesn't even take a "security expert" to figure out easy ways of making the current system less ridiculous.
It's not at issue whether you can or you can't - what I was asserting is that no-one is asking you (or me or anyone else). Instead, cartels are being formed, "solutions" being sold, congressmen lobbied, etc, etc, and the real issues are being unaddressed.
...
which is consistent with what I've been saying. I don't think people have tried and failed to solve the phishing problem --- au contraire, I think they've hardly tried.
I agree with that.
[1Gbux]
If the industry devoted even a fraction of that sum to anti-scam activities, they could greatly reduce the losses.
Yes, but it won't. This is the question - why not?
Here's the question:
http://www.financialcryptography.com/mt/archives/000169.html
And here's *an* answer:
http://www.financialcryptography.com/mt/archives/000174.html
I've been to the Anti-Phishing Working Group site, e.g. http://www.antiphishing.org/resources.html They have nice charts on the amount of phishing observed as a function of time. But I haven't been able to find any hard information about what they are actually doing to address the problem. The email forwarded by Dan Geer was similarly vaporous.
I'm afraid I agree. The purpose seems to be to create a cartel, suck in some fees, and ... do some stuff. As the fees base ensures that only corporations join, only those with solutions to sell have an incentive to join. So in a while you'll see that they have a list of preferred solutions. None of which will address the problem, but they'll sure make you feel safe from the size of the price tag.
Here's an interesting link, describing the application of actual cryptology to the problem: http://news.zdnet.co.uk/0,39020330,39159671,00.htm IMHO it's at a remarkable place in the price/performance space: neither the cheapest quick&dirty solution, nor the ultimate high performance solution. At least it refutes the assertion about security experts' wads having been shot. This is one of the first signs I've seen that real security experts have even set foot in this theater of operations, let alone shot anything.
That's a standard solution in mainland Europe for accessing online accounts.
I'm not sure how it addresses phishing (of the sort that I know) as the MITM just sits in the middle and passes the query and response back and forth, no?
Those tokens just prove that the token is on the other end of the line. So the password and username wasn't stolen last week. They rely on the assumption that secure browsing cannot be MITM'd, but phishing shows that secure browsing can be MITM's. Now, I've not heard of anyone bothering to do a live, dynamic MITM using phishing, but it's only a matter of risk & reward.
(Perversely, the solution to this MITM is to use the SSC - self-signed certs.)
Also, bear in mind that it needs both each merchant and the consumer to adopt the system. Pretty high barrier, really, I wouldn't hold out too much hope.
iang
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
