Using crypto against Phishing, Spoofing and Spamming...
Anne & Lynn Wheeler
lynn at garlic.com
Sat Jul 17 11:25:41 EDT 2004
At 10:46 AM 7/10/2004, Florian Weimer wrote:
>But is it so harmful? How much money is lost in a typical phishing
>attack against a large US bank, or PayPal? (I mean direct losses due
>to partially rolled back transactions, not indirect losses because of
>bad press or customer feeling insecure.)
misc. recent selections
Online Phishing Scams Exploding
http://itmanagement.earthweb.com/secu/article.php/3382341
Business faces growing loss from identity theft
http://www.vnunet.com/news/1156655
Firms hit hard by identity theft
http://www.boston.com/business/technology/articles/2004/07/14/firms_hit_hard_by_identity_theft/
ID theft costing UK billions in taxes
http://news.zdnet.co.uk/0,39020330,39160532,00.htm
ATM skimmers go hi-tech down under
http://www.finextra.com/fullstory.asp?id=12184
Phishing will cost financial firms $400m in 2004
http://www.finextra.com/fullstory.asp?id=12173
Worried firms consider email boycott
http://www.vnunet.com/news/1156684
=================
social engineering has frequently been talking somebody into giving up some
information that can then be used for impersonation in later fraudulent
transactions. A "something you have" token of some sort is a lot harder to
give up than the shared secrets used in "something you know" authentication.
A private key that never leaves the hardware token can't be given up,
because even the owner doesn't know it. also, the conjecture is that it is a
lot harder to convince the general public to mail off some physical object
than to get them to divulge some information.
hardware tokens don't eliminate social engineering attacks where the victim
is talked into performing some transaction on behalf of the attacker ...
but they would tend to address the whole vulnerability landscape related to
"something you know" shared-secret authentication paradigms.
one of the cost issues with technology for server reputation is that it
typically applies to servers that the consumer is visiting for the first
time (or visits extremely rarely). the consumer pretty much ignores
repetitive information for sites that they visit frequently. something
like ninety percent (or better) of internet transactions are done with the
frequently visited sites. so the cost issue is that the reputation
technologies basically tend to apply to the millions of low-volume and/or
low-revenue sites (in aggregate accounting for 10 percent or less of all
transactions) ... which aren't looking to spend a lot of money on such
technologies.
it is somewhat like the use of the better business bureau .... people will
tend to contact the better business bureau before they deal with some vendor
for the first time .... but they aren't likely to contact the better business
bureau each time they deal with a vendor that they have extensive repeat
business with. in at least some scenarios ....
an alternative to the business logo .... is a better business bureau or
gov. licensing logo on a website .... that provides click-thru to the
official site .... where the consumer can review complaints and/or history
about the business in question. i believe that this is somewhat the ebay
model ... where past transaction history reputation of individuals can be
checked.
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com