IanG <[EMAIL PROTECTED]> writes: >Any evidence of that? [People buying certs using stolen credit cards]
I don't know if anyone tracks the exact count (apart from the 2005 figure of (at least) 450 recorded incidents of secure phishing) but every now and then you get reports of particular ones that stand out, e.g. the Sunbelt discussion of the Gromozon distributors signing their malware, http://www.haloscan.com/comments/alexeck/6460991926610320702/ (the cert purchase was eventually traced back to a victim in Florida)... sorry, I don't catalogue them all, just watch them drift by every now and then and that one came to mind. In fact didn't our esteemed moderator mention running into one of these via spammed email just a few months back? In any case with the assistance of services like http://scanlab.name/ for the ID and any one of the incorporation brokers operating in the US (I particularly like the appropriately-named http://www.startanamericancompany.com/, you can do it for far less via US brokers but then if you're paying with soemone else's credit card cost isn't really an issue) how long do you think it'd take to create an official US corporation that qualifies for an EV cert? I think the main reason we haven't seen more of this is: - There's no need for it, usability evaluation tests have shown that EV certs have no effect on security so there's no point in going to the trouble (cybercrooks are cheapskates). - It's much easier to use an exploit toolkit like MPACK or whatever to hit an EV-certified site for a genuine organisation than it is to bother with your own EV cert. Since an EV cert only says that the CA did a little bit more than almost no checking at all of credentials but doesn't tell you anything about the site, the easiest way to get an EV cert is to use someone else's (AV vendors report peaks of up to 10,000 fresh malware infection sites via legit compromised servers a day, which is bad news for the "only enter your credit card details on sites you trust" education effort). Peter. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]