[identity theft v. phishing?]
That's true but unhelpful.  In a typical dictionary you will
find that words such as

Identity theft is a fairly well-established definition / crime. Last I heard it was the number one complaint at the US FTC.

Leaving that aside, the reason that phishing
is lumped in there is that it is *like* id
theft, rather than being id theft.  Just as
many have pointed out that phishing is
*like* spam, and now we are dealing with the
fact that it is not spam.


But I don't approve of the rest of his paragraph:

 >>> So the reality of it is, the predilection with
 >>> identity being the root key to all power is the
 >>> way society is heading. I don't like it, but
 >>> I'm not in a position to stop the world turning.
First of all, not everything is heading the wrong way.
The Apache server has for eons had privilege separation
features.  The openssh daemon acquired such features
recently.  As far as I can see, the trend (in the open
software world at least) is in the right direction.

You are quoting a couple of "obscure Internet systems" as evidence that society isn't moving in the direction I indicated?

Yet, every day the papers are filled with the
progress the government is making on moving to
an identity-based system of control and commerce.

National driver's licences, foreigners being hit
with biometrics, etc. etc.  Next time I cross the
borders, I'll probably have to be fingerprinted.

How many banks are introducing these obscure
features?  How many know what a capability is?
How to do a transactional security system, rather
than an identity system?

My claim seems unweakened as yet...

I don't know whether to laugh or cry when I think about how
phishing works, e.g.

The so-called "ID" is doing all sorts of things it shouldn't
and not doing the things it should.  The attacker has to
prove he knows my home address, but does not have to prove
he is physically at that address (or any other physical place)
... so he doesn't risk arrest.

Curious - now that's a different phishing, but I suppose it is close enough. Need to think about that one, I wouldn't call it phishing, just yet. I'd call it invoice fraud, at first blush.

What I'd call phishing is this - mass mailings
to people about their bank accounts, collection
of the data, and then using the account details
to wire money out.

I guess we need some phishing experts to tell us
the real full definition.

Earlier Ian G. wrote:

>>> the security experts have shot their wad.

It doesn't even take a "security expert" to figure out easy
ways of making the current system less ridiculous.

It's not at issue whether you can or you can't - what I was asserting is that no-one is asking you (or me or anyone else). Instead, cartels are being formed, "solutions" being sold, congressmen lobbied, etc, etc, and the real issues are being unaddressed.

which is consistent with what I've been saying.  I don't
think people have tried and failed to solve the phishing
problem --- au contraire, I think they've hardly tried.

I agree with that.

If the industry devoted even a fraction of that sum to
anti-scam activities, they could greatly reduce the losses.

Yes, but it won't. This is the question - why not?

Here's the question:

And here's *an* answer:

I've been to the Anti-Phishing Working Group site, e.g.
They have nice charts on the amount of phishing observed
as a function of time.  But I haven't been able to find
any hard information about what they are actually doing
to address the problem.  The email forwarded by Dan Geer
was similarly vaporous.

I'm afraid I agree. The purpose seems to be to create a cartel, suck in some fees, and ... do some stuff. As the fees base ensures that only corporations join, only those with solutions to sell have an incentive to join. So in a while you'll see that they have a list of preferred solutions. None of which will address the problem, but they'll sure make you feel safe from the size of the price tag.

Here's an interesting link, describing the application of
actual cryptology to the problem:,39020330,39159671,00.htm
IMHO it's at a remarkable place in the price/performance
space:  neither the cheapest quick&dirty solution, nor the
ultimate high performance solution.  At least it refutes
the assertion about security experts' wads having been
shot.  This is one of the first signs I've seen that real
security experts have even set foot in this theater of
operations, let alone shot anything.

That's a standard solution in mainland Europe for accessing online accounts.

I'm not sure how it addresses phishing (of the
sort that I know) as the MITM just sits in the
middle and passes the query and response back
and forth, no?

Those tokens just prove that the token is on
the other end of the line.  So the password
and username weren't stolen last week.  They
rely on the assumption that secure browsing
cannot be MITM'd, but phishing shows that
secure browsing can be MITM'd.  Now, I've not
heard of anyone bothering to do a live, dynamic
MITM using phishing, but it's only a matter of
risk & reward.

(Perversely, the solution to this MITM is to
use the SSC - self-signed certs.)

Also, bear in mind that it needs both the
merchant and the consumer to adopt the system.
Pretty high barrier, really, I wouldn't hold
out too much hope.
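The point made above about tokens is the one a practitioner most often has to explain: a challenge/response token proves that the token is at the other end of the line, but a live relay that sits between the customer and the bank can forward the challenge one way and the answer the other, and the bank cannot tell. The following simulation is an added example, not code from the thread or from the product in the linked article. It models the relay and then shows the standard mitigation: binding the token's answer to the origin the client actually connected to (the "channel binding" idea that the self-signed-cert remark points at). The HMAC construction, the origin names `bank.example` and `bank-login.example`, and the token secret are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo values. In a real deployment the secret lives in the hardware
# token and the bank's verifier; nothing here corresponds to a real product.
TOKEN_SECRET = b"demo-token-secret-not-real"
BANK_ORIGIN = "bank.example"            # the origin the bank expects to be bound to
LOOKALIKE_ORIGIN = "bank-login.example"  # placeholder relay/lookalike origin


def token_response(secret: bytes, challenge: bytes) -> str:
    """Plain challenge/response OTP: the answer depends only on the challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:8]


def bound_token_response(secret: bytes, challenge: bytes, origin: str) -> str:
    """Origin-bound response: the answer also covers the origin the client
    verified it was talking to (e.g. the name in the validated certificate)."""
    msg = challenge + b"|" + origin.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Minimal verifier: hands out per-session challenges and checks answers."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}

    def issue_challenge(self, session_id: str) -> bytes:
        challenge = secrets.token_bytes(8)
        self.pending[session_id] = challenge
        return challenge

    def verify_plain(self, session_id: str, response: str) -> bool:
        challenge = self.pending.pop(session_id)
        expected = token_response(self.secret, challenge)
        return hmac.compare_digest(response, expected)

    def verify_bound(self, session_id: str, response: str) -> bool:
        challenge = self.pending.pop(session_id)
        # The bank always binds to its own origin, never to a name the client supplies.
        expected = bound_token_response(self.secret, challenge, BANK_ORIGIN)
        return hmac.compare_digest(response, expected)


def honest_login(bound: bool) -> bool:
    """Customer talks directly to the bank; the binding origin is the bank's own."""
    bank = Bank(TOKEN_SECRET)
    challenge = bank.issue_challenge("direct")
    if bound:
        answer = bound_token_response(TOKEN_SECRET, challenge, BANK_ORIGIN)
        return bank.verify_bound("direct", answer)
    answer = token_response(TOKEN_SECRET, challenge)
    return bank.verify_plain("direct", answer)


def relayed_login(bound: bool) -> bool:
    """Live relay: a lookalike site opens a real session with the bank, forwards the
    bank's challenge to the customer, and forwards the customer's answer back.
    The customer's browser has validated LOOKALIKE_ORIGIN, so that is what it binds to.
    Returns whether the bank accepted the relayed login."""
    bank = Bank(TOKEN_SECRET)
    challenge = bank.issue_challenge("relay")  # session owned by the relay, not the customer
    if bound:
        customer_answer = bound_token_response(TOKEN_SECRET, challenge, LOOKALIKE_ORIGIN)
        return bank.verify_bound("relay", customer_answer)
    customer_answer = token_response(TOKEN_SECRET, challenge)
    return bank.verify_plain("relay", customer_answer)


if __name__ == "__main__":
    print("plain OTP, direct login accepted:  ", honest_login(False))
    print("plain OTP, relayed login accepted: ", relayed_login(False))
    print("bound OTP, direct login accepted:  ", honest_login(True))
    print("bound OTP, relayed login accepted: ", relayed_login(True))
```

The unbound token is accepted whether or not a relay is in the path, which is exactly the objection raised above: the token proves it is on some line, not which line. The bound variant fails under relay because the customer's answer covers the origin the customer actually connected to, and the bank only accepts answers over its own origin. This only helps if the origin fed into the binding comes from the client's own verification of the far end (the certificate it validated, or a pinned key), not from anything displayed or typed; a token that asks the user to key in a site name gains nothing.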