authentication and authorization

Ian Grigg iang at systemics.com
Fri Jul 2 06:51:37 EDT 2004


Hi John,

thanks for your reply!

John Denker wrote:

> The object of phishing is to perpetrate so-called "identity
> theft", so I must begin by objecting to that concept on two
> different grounds.
> 
> 1) For starters, "identity theft" is a misnomer.  My identity
> is my identity, and cannot be stolen.

I think I'd echo Lynn's comments - it's the label
in use, so we might as well get used to it.  In
fact, the more I think of it, the more I realise
that a desire to get the right terms in place
might be part of the answer to the original question!

You are right that it's important to separate out
the two cases: the theft of the immediate account
(and money therein) which is more what phishing is,
from the acquisition of identity data in order to
open new places to steal from (credit ... see my
rant & comments on why this is an American issue and
hence may have escaped the rest of the world's attention:

http://www.financialcryptography.com/mt/archives/000146.html

> 2) Even more importantly, the whole focus on _identity_ is
> pernicious.  For the vast majority of cases in which people
> claim to want ID, the purpose would be better served by
> something else, such as _authorization_.  For example,
> when I walk into a seedy bar in a foreign country, they can
> reasonably ask for proof that I am authorized to do so,
> which in most cases boils down to proof of age.  They do
> *not* need proof of my car-driving privileges, they do not
> need my real name, they do not need my home address, and
> they really, really, don't need some "ID" number that some
> foolish bank might mistake for sufficient authorization to
> withdraw large sums of money from my account.  They really,
> really, reeeally don't need other information such as what
> SCI clearances I hold, what third-country visas I hold, my
> medical history, et cetera.  I could cite many additional
> colorful examples, but you get the idea:  The more info is
> linked to my "ID" (either by writing it on the "ID" card or
> by linking databases via "ID" number) the _less_ secure
> everything becomes.  Power-hungry governments and power-
> hungry corporations desire such linkage, because it makes
> me easier to exploit ... but any claim that such linkable
> "ID" is needed for _security_ is diametrically untrue.

Again, I see here an answer to why it is the
security industry is being ignored - all that
above is well and good in theory, but it doesn't
translate as easily to practice.  I mean, as a
hypothetical test - just how do you deliver some
form of privileges system that allows one person
to know my age, and another to know my sex, and
another to know my drinking problems?

That's not really a solved *cheap* problem, is it?

So the reality of it is, the predilection with
identity being the root key to all power is the
way society is heading.  I don't like it, but
I'm not in a position to stop the world turning.

> ===
> 
> Returning to:
> 
>  > .... For the first
>  > time we are facing a real, difficult security
>  > problem.  And the security experts have shot
>  > their wad.
> 
> I think a better description is that banks long ago
> deployed a system that was laughably insecure.  (They got
> away with it for years ... but that's irrelevant.)  Now
> that there is widespread breakage, they act surprised, but
> none of this should have come as a surprise to anybody,
> expert or otherwise.

I think the security industry must at least
acknowledge their part in this.  For a decade
now we as a field have been telling everyone
that secure browsing with SSL and CA-signed
certs and all that stuff is ... secure.

What was that quote?  "The Netscape and Microsoft
Secure E-Commerce System" ??

In fact, we're still saying it, and mentally,
about half the field refuses to believe that
the "secure browsing" security model has been
breached.  The issue runs very deep, and a
lot of sacred cows have to be slaughtered
before this one will be resolved.

I mean, we could just go on ignoring it, but
that might explain why we are being ignored?

> Now banks and their customers are paying the price.  As
> soon as the price to the banks gets a little higher, they
> will deploy a more-secure payment authorization scheme,
> and the problem will go away.

Well, it is true, in a sense, that as the problem
gets more expensive, there is more incentive to
fix it.  So far the banks have fiddled at the
edges with server based stuff.  But that can't
help them much.  About the only thing that can
help them directly is if they lock out other IP
numbers but that's a difficult one.

The issue is one for the client side to solve.
The user is the one who is being enticed with
the dodgy link.  So it's one of these three
agents:  user, mailer, browser.

> (Note that I didn't say "ID" scheme.  I don't care who
> knows my SSN and other "ID" numbers ... so long as they
> cannot use them to steal stuff.  And as soon as there
> is no value in knowing "ID" numbers, people will stop
> phishing for them.)

I think if we re-characterise phishing as the
part of identity theft where accounts are stolen
directly, we might have more of an acceptable
compromise on the lingo.

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


