Re: when a fraud is a sale, Re: Rubber hose attack
In a message dated 11/5/01 10:55:39 AM, [EMAIL PROTECTED] writes:

in the account-based financial transaction ... the requestor is the card-holder/consumer and the authorization or service entity is the card-holder's financial institution.

I think you have nailed it on the head. When authentication is viewed as the first link in the chain instead of identification. The problem with all authentication technologies in use today from biometrics to PKI to digital certs, all finesse the identification process and push it off to some trusted third party...all without clearly defining what that third party must bring to the table.

John

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: when a fraud is a sale, Re: Rubber hose attack
In a message dated 11/5/01 11:28:57 AM, [EMAIL PROTECTED] writes:

then you can only 'authenticate' between entities that share some fairly complex secret information. Anything else can be spoofed pretty easily.

The information does not have to be secret at all. It can be open, but not capable of being duplicated. Could any of your friends fool your mother that they were you?

John
Re: Rubber hose attack
In a message dated 11/2/01 8:46:25 PM, [EMAIL PROTECTED] writes:

the following from a thread on some of the fees related to fraud issues at

Again, this is only a very small part of the problem. The Inspector General's office reports that the average identity fraud in the Social Security Administration costs over $100,000. Texas Medicaid loses approximately 25% of its $4 billion budget to fraud. The ABA reports that the average cost of each credit card fraud for the issuer exceeds $3500. Each incident of identity fraud in recruiting costs DOD over $500,000.

John Ellingson
CEO Edentification, Inc.
608.833.6261
Re: Rubber hose attack
In a message dated 11/1/01 11:09:21 AM, [EMAIL PROTECTED] writes:

It appears that a lot of work has to be done and a lot of money spent before even a small amount of trust in an individual's proof of identity (on a world- or Internet-wide scale) can be established.

Not really. The problem that we face today is that the identity information cat is out of the bag. Anyone can accurately assume anyone else's identity. The use of best match logic, out of wallet information, etc., all work if everyone is willing to follow the rules. However, the fact that identity fraud is growing at near 100% rates in the face of these approaches belies the efficacy of those strategies.

All any of the authentication technologies can do is confirm that this is probably the same user it was last time. Authentication technologies are agnostic as to any particular identity. All assume the underlying principle that one identity equals one person. This assumption is not only not true, it is dangerous. We are all aware of instances in which one person was using many identities and we are equally aware of instances in which many individuals are using one identity. In both of these instances authentication fails, unless the correct single identity is associated with the authentication methodology at the outset. There is no barrier from me attaching my finger image to Bill Gates' identity.

John Ellingson
CEO Edentification, Inc.
608.833.6261
Re: Fw: [ISN] Commentary: The Threat Of Microsofts .Net
In a message dated 10/31/01 3:09:38 PM, [EMAIL PROTECTED] writes:

but do not PKI, encryption, [and] digital certificates, depending on their use, actually help to PROVE one's identity through reliable, trusted, or otherwise authoritative third parties?

In closed systems, yes. However, even in those environments there is a substantial risk, because there really are no trusted, or otherwise authoritative third parties, short of a full blown background check. Approximately 80% of all attacks are from those trusted insiders. Remember 100% of embezzlers are trusted implicitly. In a world of digital strangers the concept almost loses its meaning. I've been around this business for nearly 20 years and I'm not sure who you could really classify as a trusted third party.

John Ellingson
CEO Edentification, Inc.
608.833.6261