authentication and authorization

Ian Grigg iang at systemics.com
Mon Jul 5 19:49:09 EDT 2004


John Denker wrote:
[identity theft v. phishing?]
> That's true but unhelpful.  In a typical dictionary you will
> find that words such as

Identity theft is a fairly well established
definition / crime.  Last I heard it was the
number one complaint at the US FTC.

Leaving that aside, the reason that phishing
is lumped in there is that it is *like* id
theft, rather than being id theft.  Just as
many have pointed out that phishing is
*like* spam, and now we are dealing with the
fact that it is not spam.

...

> But I don't approve of the rest of his paragraph:
> 
>  >>> So the reality of it is, the predilection with
>  >>> identity being the root key to all power is the
>  >>> way society is heading. I don't like it, but
>  >>> I'm not in a position to stop the world turning.
>
> First of all, not everything is heading the wrong way.
> The Apache server has for eons had privilege separation
> features.  The openssh daemon acquired such features
> recently.  As far as I can see, the trend (in the open
> software world at least) is in the right direction.

You are quoting a couple of "obscure Internet
systems" as evidence that society isn't moving
in the direction I indicated?

Yet, every day the papers are filled with the
progress the government is making on moving to
an identity-based system of control and commerce.

National drivers licences, foreigners being hit
with biometrics, etc etc.  Next time I cross the
borders, I probably have to be fingerprinted.

How many banks are introducing these obscure
features?  How many know what a capability is?
How to do a transactional security system, rather
than an identity system?

My claim seems unweakened as yet...


> I don't know whether to laugh or cry when I think about how
> phishing works, e.g.
> http://www.esmartcorp.com/Hacker%20Articles/ar_Watch%20a%20hacker%20work%20the%20system.htm 
> 
> The so-called "ID" is doing all sorts of things it shouldn't
> and not doing the things it should.  The attacker has to
> prove he knows my home address, but does not have to prove
> he is physically at that address (or any other physical place)
> ... so he doesn't risk arrest.

Curious - now that's a different phishing, but I
suppose it is close enough.  Need to think about
that one, I wouldn't call it phishing, just yet.
I'd call it invoice fraud, at first blush.

What I'd call phishing is this - mass mailings
to people about their bank accounts, collection
of the data, and then using the account details
to wire money out.

I guess we need some phishing experts to tell us
the real full definition.

> Earlier Ian G. wrote:
> 
>  >>> the security experts have shot their wad.

> It doesn't even take a "security expert" to figure out easy
> ways of making the current system less ridiculous.

It's not at issue whether you can or you can't -
what I was asserting is that no-one is asking you
(or me or anyone else).  Instead, cartels are being
formed, "solutions" being sold, congressmen lobbied,
etc, etc, and the real issues are being unaddressed.

...
> which is consistent with what I've been saying.  I don't
> think people have tried and failed to solve the phishing
> problem --- au contraire, I think they've hardly tried.

I agree with that.

[1Gbux]
> If the industry devoted even a fraction of that sum to
> anti-scam activities, they could greatly reduce the losses.

Yes, but it won't.  This is the question - why not?

Here's the question:

http://www.financialcryptography.com/mt/archives/000169.html

And here's *an* answer:

http://www.financialcryptography.com/mt/archives/000174.html

> I've been to the Anti-Phishing Working Group site, e.g.
>   http://www.antiphishing.org/resources.html
> They have nice charts on the amount of phishing observed
> as a function of time.  But I haven't been able to find
> any hard information about what they are actually doing
> to address the problem.  The email forwarded by Dan Geer
> was similarly vaporous.

I'm afraid I agree.  The purpose seems to be to
create a cartel, suck in some fees, and ... do
some stuff.  As the fee base ensures that only
corporations join, only those with solutions to
sell have an incentive to join.  So in a while
you'll see that they have a list of preferred
solutions.  None of which will address the
problem, but they'll sure make you feel safe
from the size of the price tag.

> Here's an interesting link, describing the application of
> actual cryptology to the problem:
>   http://news.zdnet.co.uk/0,39020330,39159671,00.htm
> IMHO it's at a remarkable place in the price/performance
> space:  neither the cheapest quick&dirty solution, nor the
> ultimate high performance solution.  At least it refutes
> the assertion about security experts' wads having been
> shot.  This is one of the first signs I've seen that real
> security experts have even set foot in this theater of
> operations, let alone shot anything.

That's a standard solution in mainland Europe
for accessing online accounts.

I'm not sure how it addresses phishing (of the
sort that I know) as the MITM just sits in the
middle and passes the query and response back
and forth, no?

Those tokens just prove that the token is on
the other end of the line.  So the password
and username wasn't stolen last week.  They
rely on the assumption that secure browsing
cannot be MITM'd, but phishing shows that
secure browsing can be MITM'd.  Now, I've not
heard of anyone bothering to do a live, dynamic
MITM using phishing, but it's only a matter of
risk & reward.

(Perversely, the solution to this MITM is to
use the SSC - self-signed certs.)

Also, bear in mind that it needs both each
merchant and the consumer to adopt the system.
Pretty high barrier, really, I wouldn't hold
out too much hope.

iang
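The point above, that a one-time token only proves "the token is on the other end of the line" while a transactional system binds the code to what the user actually approved, can be shown with a small simulation. This is an added example, not code from the original post or from the device in the ZDNet article; the shared secret, the counter and the two transfers are constructed sample values, the truncated HMAC is a stand-in for whatever the real token computes, and the live relay MITM is simulated in-process.

```python
import hashlib
import hmac

# Constructed sample secret shared by the user's token and the bank (not a real key).
SECRET = b"constructed-token-secret"


def otp_counter_only(counter: int) -> str:
    """Event-based token: the code depends only on the counter, so it proves the
    token is present but says nothing about which transfer is being approved."""
    mac = hmac.new(SECRET, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:4].hex()


def otp_transaction_bound(counter: int, dest: str, amount: int) -> str:
    """Transaction-bound code: the token also commits to the payee and amount shown
    on its own display, so a relay cannot reuse the code for a different transfer."""
    msg = counter.to_bytes(8, "big") + dest.encode() + b"|" + amount.to_bytes(8, "big")
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return mac[:4].hex()


def bank_accepts(scheme: str, counter: int, dest: str, amount: int, code: str) -> bool:
    """Bank-side check of the submitted transfer against the code it received."""
    if scheme == "counter":
        expected = otp_counter_only(counter)
    else:
        expected = otp_transaction_bound(counter, dest, amount)
    return hmac.compare_digest(expected, code)


def live_relay(scheme: str) -> bool:
    """Simulate the live MITM described in the post: the user approves a transfer
    of 100 to 'alice' and types the code; the relay forwards that same code to the
    bank attached to an altered transfer. Returns True if the bank accepts it."""
    counter, user_dest, user_amount = 7, "alice", 100
    if scheme == "counter":
        code = otp_counter_only(counter)
    else:
        code = otp_transaction_bound(counter, user_dest, user_amount)
    relayed_dest, relayed_amount = "mallory", 9000  # constructed altered transfer
    return bank_accepts(scheme, counter, relayed_dest, relayed_amount, code)


if __name__ == "__main__":
    print("counter-only OTP, altered transfer accepted:", live_relay("counter"))
    print("transaction-bound code, altered transfer accepted:", live_relay("transaction"))
```

The counter-only scheme accepts the altered transfer because the relayed code is valid for any transaction; the transaction-bound scheme rejects it because the bank recomputes the code over the payee and amount it was actually asked to execute.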



---------------------------------------------------------------------
The Cryptography Mailing List