* Hal Finney:

> Only now are we belatedly beginning to pay the price for that decision.
> If anything, it's surprising that it has taken this long.  If phishing
> scams had sprung up five years ago it's possible that SET would have
> had a fighting chance to survive.

Wouldn't typical phishing attacks just read like:

| We have upgraded our e-commerce server software.  In order to use
| your PayPal account after August 1, 2004, you have to upgrade your
| Electronic Wallet.  This upgrade is free.  Download it from:
|   <http://www.example.com/downloads/set_upgrade.exe>

> I predict that we will eventually move to a SET-like system; not
> necessarily that exact protocol, but something based on cryptographic
> authorizations for online purchases rather than the card number based
> systems in use today.

I talked to a financial services provider recently, and they were
scared when I proposed that.  It brings back horrible memories.  To
them, the advent of Java-less SSL banking was a real breakthrough.  It
seems that end-user support issues have plummeted.

Even some form of pre-registration of banking sites seems infeasible.
In Germany, we have a standard called HBCI which supports smart cards
and signed transactions (providing, in theory, end-to-end
verifiability), but support overhead seems to be much larger.

There still remains the issue that you can provide a good visual
approximation to any piece of software just by using JavaScript and
HTML.  I fear that too many users would fall for that. 8-(

> In considering such solutions, it is important to distinguish threat
> models.  Phishing is so harmful because it succeeds without even breaking
> in to users' computers.

But is it so harmful?  How much money is lost in a typical phishing
attack against a large US bank, or PayPal?  (I mean direct losses due
to partially rolled back transactions, not indirect losses because of
bad press or customers feeling insecure.)

The Cryptography Mailing List