At 03:20 AM 7/18/2004, Enzo Michelangeli wrote:
Can someone explain to me how the "phishermen" escape identification and
prosecution? Gaining online access to someone's account allows, at most,
to execute wire transfers to other bank accounts: but in these days
anonymous accounts are not exactly easy
"Enzo Michelangeli" <[EMAIL PROTECTED]> writes:
>Can someone explain to me how the "phishermen" escape identification and
>prosecution? Gaining online access to someone's account allows, at most, to
>execute wire transfers to other bank accounts:
Some (a lot of?) large-scale phishing is done by or w
At 01:39 PM 7/21/2004, Ed Gerck wrote:
The PKI model is not tied to any legal jurisdiction and is not a
business process. What is meant then by relying-party (RP) and
RP Reliance in X.509 and PKIX? I hope the text below, from a
work in progress submitted as an IETF ID, helps clarify this issue.
th
Anne & Lynn Wheeler wrote:
> This totally leaves out the relying-party ... which is the
> primary beneficiary of the PKI model from being a part
> of the contractual business process ... which would imply
> little or no legal recourse if something went wrong.
> ...
> The PKI frequently creates a to
At 01:54 PM 7/19/2004, Steven M. Bellovin wrote:
It's also worth remembering that an SSL-like solution -- cryptographically
protecting the transmission of credit card number, instead of digitally
signing a funds transfer authorization linked to some account -- was
more or less the only thing possib
I'm perhaps a bit overly blunt in this message. I apologize for that,
but I don't really know how to be more subtle and still get across my
message.
Ian Grigg <[EMAIL PROTECTED]> writes:
> Steven M. Bellovin wrote:
>>>But, there is precious little to suggest that
>>>credit cards would be sniffed
Steve,
thanks for addressing the issues with some actual
anecdotal evidence. The conclusions still don't
hold, IMHO.
Steven M. Bellovin wrote:
In message <[EMAIL PROTECTED]>, Ian Grigg writes:
Right... It's easy to claim that "it went away"
because we protected against it. Unfortunately,
that's
In message <[EMAIL PROTECTED]>, Ian Grigg writes:
>>
>> Don't be silly. It's not a threat because people generally use
>> SSL. Back in the old days, password capture was a very serious
>> threat. It went away with SSH. It seems to me quite likely that
>> it would be a problem with web browsing in
(Eric Rescorla wrote in response to Ian Grigg)^2:
...
(4) Active attacks against the client. By this I mean
hacking the client, installing a virus, malware,
spyware or whathaveyou. (This is now real, folks.)
(5) Active attacks against the server. Basically,
...
Of course, SSL/SB doesn't
Enzo Michelangeli wrote:
Can someone explain to me how the "phishermen" escape identification and
prosecution? Gaining online access to someone's account allows, at most,
to execute wire transfers to other bank accounts: but in these days
anonymous accounts are not exactly easy to get in any country,
Enzo Michelangeli wrote:
Can someone explain to me how the "phishermen" escape identification and
prosecution? Gaining online access to someone's account allows, at
most, to execute wire transfers to other bank accounts: but in these
days anonymous accounts are not exactly easy to get in any country,
At 05:55 PM 7/17/2004, Eric Rescorla wrote:
Now, my threat model mostly includes (1), does not really include
(3), and I'm careful not to do things that leave me susceptible
to (2), so SSL does in fact protect against the attacks in my
threat model. I know a number of other people with similar thre
Eric Rescorla wrote:
By (2) I guess you mean a bypass MITM?
I'm not sure what you mean by "bypass". I'm talking about attacks
where the attacker cons you into dereferencing the wrong
URL.
That's what I mean. The normal security checks
of the system have been bypassed, in this case,
by having the
ent: Sunday, July 18, 2004 1:51 AM
Subject: Re: Using crypto against Phishing, Spoofing and Spamming...
> > At 10:46 AM 7/10/2004, Florian Weimer wrote:
> >
> >> But is it so harmful? How much money is lost in a typical phishing
> >> attack against a large US bank, or
Ian Grigg <[EMAIL PROTECTED]> writes:
> Eric Rescorla wrote:
>> Ian Grigg <[EMAIL PROTECTED]> writes:
>>
>>>Notwithstanding that, I would suggest that the money
>>>already lost is in excess of the amount paid out to
>>>Certificate Authorities for secure ecommerce certificates
>>>(somewhere around
Eric Rescorla wrote:
Ian Grigg <[EMAIL PROTECTED]> writes:
Notwithstanding that, I would suggest that the money
already lost is in excess of the amount paid out to
Certificate Authorities for secure ecommerce certificates
(somewhere around $100 million I guess) to date. As
predicted, the CA-signed
>But is it so harmful? How much money is lost in a typical phishing
>attack against a large US bank, or PayPal?
A lot. According to people at the anti-phishing conference earlier
this year, six-figure losses are common, and seven-figure not unknown.
The kind of phishes we all see, trolling for
Ian Grigg <[EMAIL PROTECTED]> writes:
> Notwithstanding that, I would suggest that the money
> already lost is in excess of the amount paid out to
> Certificate Authorities for secure ecommerce certificates
> (somewhere around $100 million I guess) to date. As
> predicted, the CA-signed certificat
At 10:46 AM 7/10/2004, Florian Weimer wrote:
But is it so harmful? How much money is lost in a typical phishing
attack against a large US bank, or PayPal? (I mean direct losses due
to partially rolled back transactions, not indirect losses because of
bad press or customer feeling insecure.)
I est
At 10:46 AM 7/10/2004, Florian Weimer wrote:
But is it so harmful? How much money is lost in a typical phishing
attack against a large US bank, or PayPal? (I mean direct losses due
to partially rolled back transactions, not indirect losses because of
bad press or customer feeling insecure.)
misc.
At 06:42 AM 7/15/2004, Rich Salz wrote:
it wasn't a CCard transaction, my liability under SET was unlimited (at
least until Congress caught up to the technology). Looking at the risk
management aspect, SET was a big loser for the customer.
my earlier responses
http://www.garlic.com/~lynn/aadsm17.
> SET failed due to the complexity of distributing the software and setting
> up the credentials. I think another reason was the go-fast atmosphere of
> the late 90s, where no one wanted to slow down the growth of ecommerce.
> The path of least resistance was simply to bring across the old way of
Ian Grigg wrote:
This indeed is the crux of the weakness of the
SSL/secure browsing/CA system. The concept
called for "all CAs are equal" which is an
assumption that is easily shown to be nonsense.
Exactly. Browsers simply require sites to have a certificate from any
CA. Browsers can't even spec
There still remains the issue that you can provide a good visual
approximation to any piece of software just by using JavaScript and
HTML. I fear that too many users would fall for that. 8-(
We think that the trusted credentials and logo area will provide some
protection against this as well,
si
Florian Weimer wrote:
There are simply too many of them, and not all of them implement
checks for conflicts. I'm pretty sure I could legally register
"Metzdowd" in Germany for say, restaurant service.
This indeed is the crux of the weakness of the
SSL/secure browsing/CA system. The concept
called
* Hal Finney:
> Only now are we belatedly beginning to pay the price for that decision.
> If anything, it's surprising that it has taken this long. If phishing
> scams had sprung up five years ago it's possible that SET would have
> had a fighting chance to survive.
Wouldn't typical phishing att
* Amir Herzberg:
> Florian Weimer wrote:
>
>> * Amir Herzberg:
>>
>>># Protecting (even) Naïve Web Users, or: Preventing Spoofing and
>>>Establishing Credentials of Web Sites, at
>>>http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/trusted%20credentials%20area.PDF
>> The trusted credentials area i
At 10:40 AM 7/7/2004, Hal Finney wrote:
SET failed due to the complexity of distributing the software and setting
up the credentials. I think another reason was the go-fast atmosphere of
the late 90s, where no one wanted to slow down the growth of ecommerce.
The path of least resistance was simply
There was an early attempt to use cryptography to authenticate online
credit card transactions, the SET protocol pushed by Visa and Mastercard
in the late 1990s. SET would require PC users to download a "digital
wallet" application which would hold cryptographic credentials that
would be used to a
Florian Weimer wrote:
* Amir Herzberg:
# Protecting (even) Naïve Web Users, or: Preventing Spoofing and
Establishing Credentials of Web Sites, at
http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/trusted%20credentials%20area.PDF
The trusted credentials area is an interesting concept.
Thanks.
Ho
* Amir Herzberg:
> # Protecting (even) Naïve Web Users, or: Preventing Spoofing and
> Establishing Credentials of Web Sites, at
> http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/trusted%20credentials%20area.PDF
The trusted credentials area is an interesting concept. However,
experience suggest
32 matches