Citibank e-mail looks phishy

Anne & Lynn Wheeler lynn at garlic.com
Thu Nov 16 09:45:08 EST 2006


Anne & Lynn Wheeler wrote:
> some of the straight-forward ones can also happen because of 
> infrastructure and/or paradigm changes ... and there wasn't any forward 
> thinking.
> 
> recent thread today in sci.crypt
> http://www.garlic.com/~lynn/2006u.html#40 New attack on the financial PIN processing
> http://www.garlic.com/~lynn/2006u.html#43 New attack on the financial PIN processing

past posts in this thread
http://www.garlic.com/~lynn/aadsm26.htm#3 Citibank e-mail looks phishy
http://www.garlic.com/~lynn/aadsm26.htm#4 Citibank e-mail looks phishy
http://www.garlic.com/~lynn/aadsm26.htm#5 ATMs harcked using MP3 player

couple more in sci.crypt thread:
http://www.garlic.com/~lynn/2006u.html#47 New attack on the financial PIN processing
http://www.garlic.com/~lynn/2006u.html#48 New attack on the financial PIN processing

elsewhere in the "PIN processing" thread somebody mentions that ATM standards require encryption for the PIN but not the rest of the message. This could be considered sufficient prior to the introduction of signature-debit ... since up until that time all debit transactions required the associated PIN.

However, the introduction of signature-debit makes the rest of the (unencrypted) message attractive targets, since attackers can skim the information and create counterfeit cards and use them in (PINless) signature-debit transactions.

or can you say security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61

or using the "naked payments" metaphor, consistent requirement for a debit transaction to have a PIN ... and the PIN was given at least some level of protection ... would imply that the payment transaction had some degree of armoring ... which eliminated the rest of the transaction as useful to the attacker (and therefore didn't need encryption since it wasn't sufficient to perform fraudulent transactions). With the introduction of signature-debit, it removes the transaction armoring and creates a vulnerability for the rest of the transaction information (the armoring of the transaction information was removed, leaving it naked and exposed, making the information vulnerable to skimming, harvesting, data breach, etc. attacks).

as mentioned numerous times in the past, the x9a10 financial standard working group was given the requirement to preserve the integrity of the financial infrastructure for all retail payments
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#x959

part of the standard was to specify an environment where the transactions were always consistently "armored" and never left naked and vulnerable. misc. past posts mentioning the naked payment/transaction metaphor
http://www.garlic.com/~lynn/aadsm24.htm#5 New ISO standard aims to ensure the security of financial transactions on the Internet
http://www.garlic.com/~lynn/aadsm24.htm#7 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#9 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#10 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#12 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#14 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#22 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#26 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#30 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#31 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#32 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#38 Interesting bit of a quote
http://www.garlic.com/~lynn/aadsm24.htm#41 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#42 Naked Payments II - uncovering alternates, merchants v. issuers, Brits bungle the risk, and just what are MBAs good for?
http://www.garlic.com/~lynn/aadsm24.htm#46 More Brittle Security -- Agriculture
http://www.garlic.com/~lynn/aadsm25.htm#20 Identity v. anonymity -- that is not the question
http://www.garlic.com/~lynn/aadsm25.htm#28 WESII - Programme - Economics of Securing the Information Infrastructure
http://www.garlic.com/~lynn/2006m.html#15 OpenSSL Hacks
http://www.garlic.com/~lynn/2006m.html#24 OT - J B Hunt
http://www.garlic.com/~lynn/2006o.html#35 the personal data theft pandemic continues
http://www.garlic.com/~lynn/2006o.html#37 the personal data theft pandemic continues
http://www.garlic.com/~lynn/2006o.html#40 the personal data theft pandemic continues
http://www.garlic.com/~lynn/2006t.html#40 Encryption and authentication

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
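The "armored transaction" argument in the post above, as an added illustration that is not code from the post or from the X9.59 standard: a simplified model in which the card binds every field of a transaction to a per-card key, so that an account number harvested from the cleartext message cannot authorize a payment and a replayed genuine message is refused. The field names, the constructed test card, and the use of an HMAC key as a stand-in for the card's signing key are assumptions made for the example.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass

# Constructed sample data: the issuer's record of one card's secret.
# X9.59 registers a public key with the issuer; an HMAC key is used here
# as a stand-in so the example runs with only the standard library.
TEST_PAN = "4111111111111111"
CARD_KEYS = {TEST_PAN: b"issuer-held-secret-for-test-card"}

@dataclass(frozen=True)
class Transaction:
    pan: str            # account number, sent in the clear as in today's message
    amount_cents: int
    merchant: str
    nonce: str          # fresh per transaction; lets the issuer refuse replays
    auth: str = ""      # card-computed authenticator over all other fields

def _digest(key: bytes, t: Transaction) -> str:
    # The authenticator covers every field, so none can be altered in transit.
    msg = f"{t.pan}|{t.amount_cents}|{t.merchant}|{t.nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def card_sign(card_key: bytes, pan: str, amount_cents: int, merchant: str) -> Transaction:
    """The card 'armors' the transaction before it leaves the terminal."""
    t = Transaction(pan, amount_cents, merchant, secrets.token_hex(8))
    return Transaction(t.pan, t.amount_cents, t.merchant, t.nonce, _digest(card_key, t))

class Issuer:
    def __init__(self):
        self.seen = set()   # nonces already authorized (hypothetical replay store)

    def authorize(self, t: Transaction) -> bool:
        key = CARD_KEYS.get(t.pan)
        if key is None:
            return False
        if not hmac.compare_digest(_digest(key, t), t.auth):
            return False    # forged authenticator or altered fields
        if t.nonce in self.seen:
            return False    # replay of a skimmed but genuine message
        self.seen.add(t.nonce)
        return True

def demo():
    """Returns (genuine, replay, forged-from-harvested-PAN, altered-amount)."""
    issuer = Issuer()
    genuine = card_sign(CARD_KEYS[TEST_PAN], TEST_PAN, 2500, "shop-1")
    first = issuer.authorize(genuine)
    replay = issuer.authorize(genuine)
    # Harvesting the cleartext PAN yields no card key, so no valid authenticator.
    forged = Transaction(TEST_PAN, 99900, "other-shop", "0123456789abcdef", "00" * 32)
    altered = Transaction(genuine.pan, 99900, genuine.merchant, genuine.nonce, genuine.auth)
    return first, replay, issuer.authorize(forged), issuer.authorize(altered)
```

A real deployment would also let the issuer contribute freshness (a challenge or time window) rather than trusting a card-chosen nonce alone.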
