* Hal Finney:
> Only now are we belatedly beginning to pay the price for that decision.
> If anything, it's surprising that it has taken this long. If phishing
> scams had sprung up five years ago it's possible that SET would have
> had a fighting chance to survive.

Wouldn't typical phishing attacks just read like:

| We have upgraded our e-commerce server software. In order to use
| your PayPal account after August 1, 2004, you have to upgrade your
| Electronic Wallet. This upgrade is free. Download it from:
|
| <http://www.example.com/downloads/set_upgrade.exe>

> I predict that we will eventually move to a SET-like system; not
> necessarily that exact protocol, but something based on cryptographic
> authorizations for online purchases rather than the card number based
> systems in use today.

I talked to a financial services provider recently, and they were scared when I proposed that. It brings back horrible memories. To them, the advent of Java-less SSL banking was a real breakthrough. It seems that end-user support issues have plummeted. Even some form of pre-registration of banking sites seems infeasible.

In Germany, we have a standard called HBCI which supports smart cards and signed transactions (providing, in theory, end-to-end verifiability), but support overhead seems to be much larger.

There still remains the issue that you can provide a good visual approximation to any piece of software just by using JavaScript and HTML. I fear that too many users would fall for that. 8-(

> In considering such solutions, it is important to distinguish threat
> models. Phishing is so harmful because it succeeds without even breaking
> in to users' computers.

But is it so harmful? How much money is lost in a typical phishing attack against a large US bank, or PayPal? (I mean direct losses due to partially rolled back transactions, not indirect losses because of bad press or customers feeling insecure.)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
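As an added illustration of the "cryptographic authorizations instead of card numbers" idea debated in the thread (this is not code from the thread, from SET or from HBCI; the shared wallet key, the `Bank` class and the sample merchants are constructed assumptions), the following models a wallet that binds each authorization to one merchant, amount and nonce, so that an authorization captured by a phisher can neither be altered nor replayed, whereas a captured card number would be reusable anywhere.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo: a per-customer key held by the customer's wallet (smart
# card) and by the bank. Merchants and a phisher never see it.
WALLET_KEY = secrets.token_bytes(32)


def canonical(body: dict) -> bytes:
    """Deterministic serialisation so wallet and bank MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def wallet_authorize(key: bytes, merchant: str, amount_cents: int) -> dict:
    """Wallet binds its authorization to one merchant, amount and nonce."""
    body = {"merchant": merchant, "amount_cents": amount_cents,
            "nonce": secrets.token_hex(16)}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "auth": tag}


class Bank:
    """Verifies the binding and refuses to settle the same nonce twice."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seen_nonces = set()

    def settle(self, tx: dict) -> str:
        body = {k: v for k, v in tx.items() if k != "auth"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx.get("auth", "")):
            return "REJECT: authorization does not match transaction"
        if body["nonce"] in self.seen_nonces:
            return "REJECT: replayed authorization"
        self.seen_nonces.add(body["nonce"])
        return "OK"


def phishing_outcomes() -> dict:
    """What a phisher who captured one authorization can and cannot do."""
    bank = Bank(WALLET_KEY)
    real = wallet_authorize(WALLET_KEY, "bookshop.example", 2499)
    captured = dict(real)  # the copy a phisher sees in transit
    altered = {**captured, "merchant": "mule.example", "amount_cents": 99900}
    return {
        "legitimate": bank.settle(real),
        "altered": bank.settle(altered),    # MAC no longer matches the body
        "replay": bank.settle(captured),    # same nonce, already settled
    }
```

The contrast with the card-number model is that there the captured value *is* the authorization, so nothing binds it to the original purchase.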