At 10:46 AM 7/10/2004, Florian Weimer wrote:
But is it so harmful?  How much money is lost in a typical phishing
attack against a large US bank, or PayPal?  (I mean direct losses due
to partially rolled back transactions, not indirect losses because of
bad press or customer feeling insecure.)

misc. recent selections

Online Phishing Scams Exploding
Business faces growing loss from identity theft
Firms hit hard by identity theft
ID theft costing UK billions in taxes,39020330,39160532,00.htm
ATM skimmers go hi-tech down under
Phishing will cost financial firms $400m in 2004
Worried firms consider email boycott


social engineering has frequently been talking somebody into giving up some information that then can be used for impersonation in later fraudulent transactions. A "something you have" token of some sort is a lot harder to give-up than shared-secrets for use in "something you know" authentication. A private key that never leaves the hardware token can't be given up because even the owner doesn't know it. also, conjecture is that it is a lot harder to convince general public to mail off some physical object compared to getting them to divulge some information.

hardware tokens don't eliminate social engineering attacks where the victim is talked into performing some transaction on behalf of the attacker ... but they would tend to address the whole vulnerability landscape related to "something you know" shared-secret authentication paradigms.

one of the cost issues with technology for server reputation is that it typically applies to servers that the consumer is visiting for the first time (or visits extremely rarely). the consumer pretty much ignores repetitive information for sites that they visit frequently. it has been that something like ninety percent (or better) of internet transactions are done by the frequently visited sites. so the cost issue is that the reputation technologies basically tend to apply to the millions of low-volume and/or low-revenue sites (in aggregate accounting for 10 percent or less of all transactions) ... which aren't looking to spend a lot of money on such technologies.

it is somewhat like the better business bureau use .... people will tend to contact the better business bureau before they deal with some vendor for the first time .... but they aren't likely to contact the better business bureau each time they deal with a vendor that they have extensive repeat business with. it at least some scenarios ....

an alternative to the business logo .... is a better business bureau or gov. licensing logo on a website .... that provides click-thru to the official site .... where the consumer can review complaints and/or history about the business in question. i believe that this is somewhat the ebay model ... where past transaction history reputation of individuals can be checked.

Anne & Lynn Wheeler

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to