[Cryptography] [cryptography] Secure universal message addressing

John Levine johnl at iecc.com
Mon Apr 18 19:49:46 EDT 2016


>>> The whole idea that you need a way to securely communicate with
>>> someone who you've never had any contact with before is mainly
>>> incoherent.
>> 
>> Similarly, the bigger the financial transaction the less likely
>> it is to be between entities that do not know each other. ...

>Yet witness the recent SWIFT Bangladeshi Bank fiasco.

Remember that the security in SWIFT is from the terminals to the
central switch, and nobody claims that was compromised.  Bangladesh
does SWIFT transfers all the time, and somehow (possibly an inside
job) hacked the terminal in Bangladesh so they could use it to send
bogus transactions.  There was also a fair amount of rather
improbable-sounding social engineering -- the log terminal was broken, which meant
nobody saw the messages about the transactions, and apparently nobody
found the broken terminal particularly surprising or troubling.

That's not really securely communicating with someone you've never had
contact with before.  There's a whole non-crypto issue of how you
recognize bogus transactions inserted into a stream of legit ones.

http://www.bloomberg.com/news/articles/2016-03-18/hackers-stalked-bangladesh-bank-for-two-weeks-before-big-heist

R's,
John

