At 12:26 PM 7/1/2004, John Denker wrote:
> The object of phishing is to perpetrate so-called "identity
> theft", so I must begin by objecting to that concept on two
> different grounds.

there are two sides of this .... some amount of crime statistics call it ID-theft .... which plausibly could be either identity or identification ... but in general it involves a situation where a criminal is impersonating you to one degree or another to perform some fraudulent action.


there has been some attempt to distinguish impersonation events between fraudulently extracting money from existing accounts and fraudulently creating new accounts in your name.

practically, objecting to the label id-theft may be like objecting to the label suicide bomber.

in general, the problem is using any kind of static data for authentication. it applies to name, birthdate, mother's maiden name, pins, passwords, account numbers .... any kind of static data. it worked for a long time ... but it was based on assumption that it had characteristics of 1) shared-secret and 2) used uniquely, different static data in different security domains.

the growth of electronic environments has drastically affected this in lots of ways (invalidating the core assumptions that were behind the use of such static data for authentication; it wasn't that static data didn't work ... but it worked well only as long as the underlying assumptions were valid):

1) drastic increase in number of different electronic environments requiring unique shared secrets ..... basic human factors make it impossible to process a unique shared secret for every possible (scores of unique) environment

2) drastic increase in number of different electronic environments ... drastically increasing the number of places that shared secrets are being used ... which increases the places that shared secrets can be harvested (for criminal purposes)

3) drastic increase in electronic environments that contain information about individuals ... drastically increasing the number of places that personal information can be harvested (of the type that is likely to be used in shared-secret, static authentication information) for criminal purposes.

minor reference to the account based scenario .... security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61


and then there is the whole thing about frequent confusion of identification and authentication:
http://www.garlic.com/~lynn/aepay3.htm#mcomm (my) misc. additional comments on X9.59 issues.
http://www.garlic.com/~lynn/aepay7.htm#3dsecure 3D Secure Vulnerabilities? Photo ID's and Payment Infrastructure
http://www.garlic.com/~lynn/aadsm9.htm#pkcs12b A PKI Question: PKCS11-> PKCS12
http://www.garlic.com/~lynn/aadsm14.htm#40 The real problem that https has conspicuously failed to fix
http://www.garlic.com/~lynn/aadsm14.htm#41 certificates & the alternative view
http://www.garlic.com/~lynn/aadsm17.htm#13 A combined EMV and ID card
http://www.garlic.com/~lynn/aadsm17.htm#16 PKI International Consortium
http://www.garlic.com/~lynn/aepay11.htm#66 Confusing Authentication and Identiification?
http://www.garlic.com/~lynn/aepay11.htm#72 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/aepay11.htm#73 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/2003j.html#47 The Tao Of Backup: End of postings
Anne & Lynn Wheeler http://www.garlic.com/~lynn/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
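As an added illustration of the point made above about static shared secrets (the same password presented to, and stored by, every domain) versus authentication data that is unique per security domain and never reused on the wire, here is a small simulation. This is example code written for this page; it is not from the original post and not from Lynn Wheeler's own work. The domain names, the user "alice", the master secret and all function names are constructed for the example; the per-domain derivation (HMAC of a client-held master secret keyed on the domain name) and the challenge-response scheme are illustrative choices, not a description of any particular deployed protocol.

```python
import hashlib
import hmac
import secrets

# Constructed sample: one user enrolled at three independent security domains.
DOMAINS = ["bank.example", "shop.example", "forum.example"]
MASTER_SECRET = b"constructed-master-secret-held-only-by-the-client"
STATIC_PASSWORD = "constructed-reused-password"


class StaticDomain:
    """Authenticates by comparing a static shared secret (a reused password).

    Whatever this domain stores is exactly what the user types everywhere
    else, so one harvest (breach or phish) is reusable at every other domain.
    """

    def __init__(self, name: str):
        self.name = name
        self.store: dict[str, str] = {}  # user -> stored static secret

    def enroll(self, user: str, secret: str) -> None:
        self.store[user] = secret

    def login(self, user: str, presented: str) -> bool:
        return hmac.compare_digest(self.store.get(user, ""), presented)


class ChallengeDomain:
    """Holds a per-domain key and authenticates with a fresh random challenge.

    The key is specific to this domain, and the value sent on the wire is a
    response to a one-time nonce, so neither a breach of this store nor a
    captured login exchange yields anything usable at another domain.
    """

    def __init__(self, name: str):
        self.name = name
        self.store: dict[str, bytes] = {}  # user -> per-domain key

    def enroll(self, user: str, domain_key: bytes) -> None:
        self.store[user] = domain_key

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh nonce per login attempt

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        key = self.store.get(user)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def derive_domain_key(master_secret: bytes, domain: str) -> bytes:
    """Client side: one master secret, a different key for each domain."""
    return hmac.new(master_secret, domain.encode(), hashlib.sha256).digest()


def client_respond(domain_key: bytes, nonce: bytes) -> bytes:
    """Client side: answer a challenge without ever transmitting the key."""
    return hmac.new(domain_key, nonce, hashlib.sha256).digest()


def reuse_exposure_static(password: str = STATIC_PASSWORD) -> dict[str, bool]:
    """Static secret reused everywhere: a harvest at one domain logs in at all."""
    domains = {name: StaticDomain(name) for name in DOMAINS}
    for dom in domains.values():
        dom.enroll("alice", password)
    harvested = domains["shop.example"].store["alice"]  # one domain's store leaks
    return {name: dom.login("alice", harvested) for name, dom in domains.items()}


def reuse_exposure_derived(master: bytes = MASTER_SECRET) -> dict[str, bool]:
    """Per-domain keys: a harvest at one domain is useless at the others."""
    domains = {name: ChallengeDomain(name) for name in DOMAINS}
    for name, dom in domains.items():
        dom.enroll("alice", derive_domain_key(master, name))
    harvested = domains["shop.example"].store["alice"]  # same leak as above
    results = {}
    for name, dom in domains.items():
        nonce = dom.challenge()
        results[name] = dom.verify("alice", nonce, client_respond(harvested, nonce))
    return results


def replay_rejected(master: bytes = MASTER_SECRET) -> tuple[bool, bool]:
    """A captured (nonce, response) pair does not satisfy a later challenge."""
    dom = ChallengeDomain("bank.example")
    key = derive_domain_key(master, dom.name)
    dom.enroll("alice", key)
    nonce1 = dom.challenge()
    response1 = client_respond(key, nonce1)
    genuine = dom.verify("alice", nonce1, response1)
    nonce2 = dom.challenge()
    replayed = dom.verify("alice", nonce2, response1)  # old answer, new question
    return genuine, replayed


if __name__ == "__main__":
    print("static, reused secret:", reuse_exposure_static())
    print("per-domain challenge-response:", reuse_exposure_derived())
    print("genuine, replay:", replay_rejected())
```

The two `reuse_exposure_*` functions model the same event (one domain's credential store being harvested) under the two designs: with the static password every domain accepts the harvested value, while with per-domain keys only the breached domain does, which is the "used uniquely in different security domains" property the post describes. `replay_rejected` covers the other half of the argument: because the value on the wire answers a one-time challenge rather than being the secret itself, capturing it in transit does not give a reusable credential even within the same domain. A symmetric HMAC scheme still requires the verifier to hold the key, so a breach of one domain compromises that domain; a public-key design would remove even that, at the cost of needing a library outside the Python standard library.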
