But is it so harmful? How much money is lost in a typical phishing attack against a large US bank, or PayPal? (I mean direct losses due to partially rolled back transactions, not indirect losses because of bad press or customer feeling insecure.)
misc. recent selections
Online Phishing Scams Exploding
http://itmanagement.earthweb.com/secu/article.php/3382341

Business faces growing loss from identity theft
http://www.vnunet.com/news/1156655

Firms hit hard by identity theft
http://www.boston.com/business/technology/articles/2004/07/14/firms_hit_hard_by_identity_theft/

ID theft costing UK billions in taxes
http://news.zdnet.co.uk/0,39020330,39160532,00.htm

ATM skimmers go hi-tech down under
http://www.finextra.com/fullstory.asp?id=12184

Phishing will cost financial firms $400m in 2004
http://www.finextra.com/fullstory.asp?id=12173

Worried firms consider email boycott
http://www.vnunet.com/news/1156684
=================
social engineering has frequently been talking somebody into giving up some information that then can be used for impersonation in later fraudulent transactions. A "something you have" token of some sort is a lot harder to give up than shared-secrets for use in "something you know" authentication. A private key that never leaves the hardware token can't be given up because even the owner doesn't know it. also, the conjecture is that it is a lot harder to convince the general public to mail off some physical object compared to getting them to divulge some information.
hardware tokens don't eliminate social engineering attacks where the victim is talked into performing some transaction on behalf of the attacker ... but they would tend to address the whole vulnerability landscape related to "something you know" shared-secret authentication paradigms.
one of the cost issues with technology for server reputation is that it typically applies to servers that the consumer is visiting for the first time (or visits extremely rarely). the consumer pretty much ignores repetitive information for sites that they visit frequently. it has been the case that something like ninety percent (or better) of internet transactions are done with the frequently visited sites. so the cost issue is that the reputation technologies basically tend to apply to the millions of low-volume and/or low-revenue sites (in aggregate accounting for 10 percent or less of all transactions) ... which aren't looking to spend a lot of money on such technologies.
it is somewhat like the use of the better business bureau .... people will tend to contact the better business bureau before they deal with some vendor for the first time .... but they aren't likely to contact the better business bureau each time they deal with a vendor that they have extensive repeat business with. in at least some scenarios ....
an alternative to the business logo .... is a better business bureau or gov. licensing logo on a website .... that provides click-thru to the official site .... where the consumer can review complaints and/or history about the business in question. i believe that this is somewhat the ebay model ... where past transaction history reputation of individuals can be checked.
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]