Using crypto against Phishing, Spoofing and Spamming...
Florian Weimer
fw at deneb.enyo.de
Sat Jul 10 12:46:03 EDT 2004
* Hal Finney:
> Only now are we belatedly beginning to pay the price for that decision.
> If anything, it's surprising that it has taken this long. If phishing
> scams had sprung up five years ago it's possible that SET would have
> had a fighting chance to survive.
Wouldn't typical phishing attacks just read like:
| We have upgraded our e-commerce server software. In order to use
| your PayPal account after August 1, 2004, you have to upgrade your
| Electronic Wallet. This upgrade is free. Download it from:
|
| <http://www.example.com/downloads/set_upgrade.exe>
> I predict that we will eventually move to a SET-like system; not
> necessarily that exact protocol, but something based on cryptographic
> authorizations for online purchases rather than the card number based
> systems in use today.
I talked to a financial services provider recently, and they were
scared when I proposed that. It brings back horrible memories. To
them, the advent of Java-less SSL banking was a real breakthrough. It
seems that end-user support issues have plummeted.
Even some form of pre-registration of banking sites seems infeasible.
In Germany, we have a standard called HBCI which supports smart cards
and signed transactions (providing, in theory, end-to-end
verifiability), but support overhead seems to be much larger.
There still remains the issue that you can provide a good visual
approximation to any piece of software just by using JavaScript and
HTML. I fear that too many users would fall for that. 8-(
> In considering such solutions, it is important to distinguish threat
> models. Phishing is so harmful because it succeeds without even breaking
> in to users' computers.
But is it so harmful? How much money is lost in a typical phishing
attack against a large US bank, or PayPal? (I mean direct losses due
to partially rolled back transactions, not indirect losses because of
bad press or customers feeling insecure.)
---------------------------------------------------------------------
The Cryptography Mailing List