Hi John,

thanks for your reply!

John Denker wrote:

> The object of phishing is to perpetrate so-called "identity
> theft", so I must begin by objecting to that concept on two
> different grounds.
>
> 1) For starters, "identity theft" is a misnomer.  My identity
> is my identity, and cannot be stolen.

I think I'd echo Lynn's comments - it's the label in use, so we might as well get used to it. In fact, the more I think of it, the more I realise that a desire to get the right terms in place might be part of the answer to the original question!

You are right that it's important to separate out
the two cases: the theft of the immediate account
(and money therein) which is more what phishing is,
from the acquisition of identity data in order to
open new places to steal from (credit ... see my
rant&comments on why this is an American issue and
hence may have escaped the rest of the world's attention:


> 2) Even more importantly, the whole focus on _identity_ is
> pernicious.  For the vast majority of cases in which people
> claim to want ID, the purpose would be better served by
> something else, such as _authorization_.  For example,
> when I walk into a seedy bar in a foreign country, they can
> reasonably ask for proof that I am authorized to do so,
> which in most cases boils down to proof of age.  They do
> *not* need proof of my car-driving privileges, they do not
> need my real name, they do not need my home address, and
> they really, really, don't need some "ID" number that some
> foolish bank might mistake for sufficient authorization to
> withdraw large sums of money from my account.  They really,
> really, reeeally don't need other information such as what
> SCI clearances I hold, what third-country visas I hold, my
> medical history, et cetera.  I could cite many additional
> colorful examples, but you get the idea:  The more info is
> linked to my "ID" (either by writing it on the "ID" card or
> by linking databases via "ID" number) the _less_ secure
> everything becomes.  Power-hungry governments and power-
> hungry corporations desire such linkage, because it makes
> me easier to exploit ... but any claim that such linkable
> "ID" is needed for _security_ is diametrically untrue.

Again, I see here an answer to why it is that the security industry is being ignored - all that above is well and good in theory, but it doesn't translate as easily to practice. I mean, as a hypothetical test - just how do you deliver some form of privileges system that allows one person to know my age, and another to know my sex, and another to know my drinking problems?

That's not really a solved *cheap* problem, is it?

So the reality of it is, the predilection with
identity being the root key to all power is the
way society is heading.  I don't like it, but
I'm not in a position to stop the world turning.


> Returning to:
>
> > .... For the first
> > time we are facing a real, difficult security
> > problem.  And the security experts have shot
> > their wad.
>
> I think a better description is that banks long ago
> deployed a system that was laughably insecure.  (They got
> away with it for years ... but that's irrelevant.)  Now
> that there is widespread breakage, they act surprised, but
> none of this should have come as a surprise to anybody,
> expert or otherwise.

I think the security industry must at least acknowledge their part in this. For a decade now we as a field have been telling everyone that secure browsing with SSL and CA-signed certs and all that stuff is ... secure.

What was that quote?  "The Netscape and Microsoft
Secure E-Commerce System" ??

In fact, we're still saying it, and mentally,
about half the field refuses to believe that
the "secure browsing" security model has been
breached.  The issue runs very deep, and a
lot of sacred cows have to be slaughtered
before this one will be resolved.

I mean, we could just go on ignoring it, but
that might explain why we are being ignored?

> Now banks and their customers are paying the price.  As
> soon as the price to the banks gets a little higher, they
> will deploy a more-secure payment authorization scheme,
> and the problem will go away.

Well, it is true, in a sense, that as the problem gets more expensive, there is more incentive to fix it. So far the banks have fiddled at the edges with server-based stuff. But that can't help them much. About the only thing that can help them directly is if they lock out other IP numbers, but that's a difficult one.

The issue is one for the client side to solve.
The user is the one who is being enticed with
the dodgy link.  So it's one of these three
agents:  user, mailer, browser.

> (Note that I didn't say "ID" scheme.  I don't care who
> knows my SSN and other "ID" numbers ... so long as they
> cannot use them to steal stuff.  And as soon as there
> is no value in knowing "ID" numbers, people will stop
> phishing for them.)

I think if we re-characterise phishing as the part of identity theft where accounts are stolen directly, we might have more of an acceptable compromise on the lingo.

