[Cryptography] phishing, was Encryption opinion

John Levine johnl at iecc.com
Tue Aug 26 17:22:03 EDT 2014


>> No, the phish site does not communicate with the bank, it merely
>> impersonates the bank to steal your credentials.  The phish is not a
>> middle node.  I don't know how to say that any more clearly.
>
>So, what then?  The phish then loses the credentials?  It does crossword
>puzzles with them?

This might be a good time to consider the possibility that the online
crime economy is more complex than you imagine it to be.

My understanding of the term MITM is that it's a real time attack,
where the bad guy rewrites the traffic and simultaneously pretends to
the customer that he's the bank, and pretends to the bank that he's
the customer.  While those attacks do exist, usually as MITB, the most
you can steal that way is what's currently in the victim's account,
which for individuals isn't usually very much.

Also, here in the US at least, the transactions you can do from
individuals' online banking via MITM can all be reversed.  In
particular, international wire transfers are rarely available, and
when they are, they require out of band authentication.  That's why
the MITB attacks you see are always on businesses that do have the
ability to send $50,000 or $100,000 international wire transfers.

There's lots of other bad stuff you can do with people's credentials,
particularly if you have a thorough phish that asks them to "verify"
the information used on a credit application.  The bad guy then
impersonates the victim to apply for a loan at another bank, and makes
off with the proceeds.  Nothing MITM about that.

A lot of phishing has nothing to do with money.  One of the more
popular kinds is phishing web mail account credentials which the bad
guys then sell to spammers, in vast quantities.

R's,
John

PS: This has precious little to do with crypto, other than perhaps
arguing about the merits of out of band authentication approaches:

http://obvious.services.net/2013/07/better-have-big-pockets-if-you-want.html

