Anne & Lynn Wheeler wrote:
some of the straight-forward ones can also happen because of infrastructure and/or paradigm changes ... and there wasn't any forward thinking.

recent thread today in sci.crypt
http://www.garlic.com/~lynn/2006u.html#40 New attack on the financial PIN processing
http://www.garlic.com/~lynn/2006u.html#43 New attack on the financial PIN processing

past posts in this thread
http://www.garlic.com/~lynn/aadsm26.htm#3 Citibank e-mail looks phishy
http://www.garlic.com/~lynn/aadsm26.htm#4 Citibank e-mail looks phishy
http://www.garlic.com/~lynn/aadsm26.htm#5 ATMs harcked using MP3 player

couple more in sci.crypt thread:
http://www.garlic.com/~lynn/2006u.html#47 New attack on the financial PIN processing
http://www.garlic.com/~lynn/2006u.html#48 New attack on the financial PIN processing

elsewhere in the "PIN processing" thread somebody mentions that ATM standards 
require encryption for the PIN but not the rest of the message. This could be considered 
sufficient prior to the introduction of signature-debit ... since up until that time all 
debit transactions required the associated PIN.

However, the introduction of signature-debit makes the rest of the 
(unencrypted) message attractive targets, since attackers can skim the 
information and create counterfeit cards and use them in (PINless) 
signature-debit transactions.

or can you say security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61

or using the "naked payments" metaphor, consistent requirement for a debit 
transaction to have a PIN ... and the PIN was given at least some level of protection ... 
would imply that the payment transaction had some degree of armoring ... which eliminated 
the rest of the transaction as useful to the attacker (and therefore didn't need 
encryption since it wasn't sufficient to perform fraudulent transactions). With the 
introduction of signature-debit, it removes the transaction armoring and creates a 
vulnerability for the rest of the transaction information (the armoring of the 
transaction information was removed, leaving it naked and exposed, making the information 
vulnerable to skimming, harvesting, data breach, etc. attacks).

as mentioned numerous times in the past, the x9a10 financial standard 
working group was given the requirement to preserve the integrity of the 
financial infrastructure for all retail payments
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#x959

part of the standard was to specify an environment where the transactions were 
always consistently "armored" and never left naked and vulnerable. misc. past 
posts mentioning the naked payment/transaction metaphor
http://www.garlic.com/~lynn/aadsm24.htm#5 New ISO standard aims to ensure the security of financial transactions on the Internet
http://www.garlic.com/~lynn/aadsm24.htm#7 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#9 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#10 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#12 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#14 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#22 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#26 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#30 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#31 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#32 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#38 Interesting bit of a quote
http://www.garlic.com/~lynn/aadsm24.htm#41 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#42 Naked Payments II - uncovering alternates, merchants v. issuers, Brits bungle the risk, and just what are MBAs good for?
http://www.garlic.com/~lynn/aadsm24.htm#46 More Brittle Security -- Agriculture
http://www.garlic.com/~lynn/aadsm25.htm#20 Identity v. anonymity -- that is not the question
http://www.garlic.com/~lynn/aadsm25.htm#28 WESII - Programme - Economics of Securing the Information Infrastructure
http://www.garlic.com/~lynn/2006m.html#15 OpenSSL Hacks
http://www.garlic.com/~lynn/2006m.html#24 OT - J B Hunt
http://www.garlic.com/~lynn/2006o.html#35 the personal data theft pandemic continues
http://www.garlic.com/~lynn/2006o.html#37 the personal data theft pandemic continues
http://www.garlic.com/~lynn/2006o.html#40 the personal data theft pandemic continues
http://www.garlic.com/~lynn/2006t.html#40 Encryption and authentication

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

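Added example (not part of the Wheelers' post, nor code from any payment network or standards body): a stdlib-only Python model of the argument above. An ATM message carries the PIN in an encrypted ISO 9564 format-0 PIN block and everything else (PAN, expiry, track-2 discretionary data) in clear. A wiretap therefore yields a complete counterfeit card minus the PIN. Against a PIN-debit authorization that card fails; against a signature-debit authorization, which asks for no PIN, the same cleartext fields are sufficient. The "armored" variant then has the card authenticate the whole transaction, so the skimmed fields (and a captured authenticator) no longer suffice. Assumptions: the PIN-block format is the real format 0, but `pin_crypt` (an HMAC-derived keystream) stands in for the TDES/AES a terminal actually uses, and `card_mac` (an HMAC under a per-card secret) stands in for the X9.59-style public-key signature; the PAN, expiry, track data, keys, terminal IDs and issuer records are all constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not from any real card, terminal or issuer).
PAN, EXPIRY, PIN, TRACK2 = "4111111111111111", "0912", "1234", "101"
TERMINAL_KEY = secrets.token_bytes(16)   # ATM PIN-encryption key, shared with the issuer
CARD_SECRET = secrets.token_bytes(32)    # per-card key that never leaves the card

def pin_block_format0(pin: str, pan: str) -> bytes:
    """ISO 9564 format-0 PIN block: PIN field XOR PAN field (8 bytes)."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4-12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[:-1][-12:])  # 12 digits left of the check digit
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))

def pin_from_block(block: bytes, pan: str) -> str:
    """Issuer side: invert pin_block_format0 once the block is decrypted."""
    pan_field = bytes.fromhex("0000" + pan[:-1][-12:])
    pin_field = bytes(a ^ b for a, b in zip(block, pan_field)).hex().upper()
    return pin_field[2:2 + int(pin_field[1], 16)]

def pin_crypt(block: bytes, key: bytes, nonce: bytes) -> bytes:
    """Stand-in for the TDES/AES PIN-block encryption a real terminal performs
    (assumption: XOR with an HMAC-derived keystream, to stay stdlib-only).
    Applying it twice with the same key and nonce decrypts."""
    stream = hmac.new(key, nonce, hashlib.sha256).digest()[:8]
    return bytes(a ^ b for a, b in zip(block, stream))

@dataclass
class AuthRequest:
    pan: str
    expiry: str
    track2: str                            # magstripe discretionary data, sent in clear
    amount: int                            # cents
    merchant: str
    nonce: bytes
    enc_pin_block: Optional[bytes] = None  # present only for PIN-debit
    card_mac: Optional[bytes] = None       # present only in the "armored" variant

def tx_bytes(m: AuthRequest) -> bytes:
    return f"{m.pan}|{m.expiry}|{m.amount}|{m.merchant}|{m.nonce.hex()}".encode()

def skim(m: AuthRequest) -> dict:
    return {"pan": m.pan, "expiry": m.expiry, "track2": m.track2}  # all but the PIN digits

def card_mac(m: AuthRequest, secret: bytes) -> bytes:
    """Card authenticates the whole transaction (stand-in for an X9.59-style signature)."""
    return hmac.new(secret, tx_bytes(m), hashlib.sha256).digest()

class Issuer:
    def __init__(self):
        self.accounts = {PAN: {"pin": PIN, "expiry": EXPIRY, "track2": TRACK2, "secret": CARD_SECRET}}
        self.terminal_keys = {"ATM-1": TERMINAL_KEY}

    def _card_ok(self, m: AuthRequest) -> bool:
        a = self.accounts.get(m.pan)
        return a is not None and a["expiry"] == m.expiry and a["track2"] == m.track2

    def authorize_pin_debit(self, terminal: str, m: AuthRequest) -> bool:
        if not self._card_ok(m) or m.enc_pin_block is None:
            return False
        block = pin_crypt(m.enc_pin_block, self.terminal_keys[terminal], m.nonce)
        return hmac.compare_digest(pin_from_block(block, m.pan), self.accounts[m.pan]["pin"])

    def authorize_signature_debit(self, m: AuthRequest) -> bool:
        return self._card_ok(m)  # no PIN: the cleartext card data alone decides

    def authorize_armored(self, m: AuthRequest) -> bool:
        if not self._card_ok(m) or m.card_mac is None:
            return False
        return hmac.compare_digest(card_mac(m, self.accounts[m.pan]["secret"]), m.card_mac)

def run_scenarios() -> dict:
    issuer = Issuer()
    # Genuine PIN-debit withdrawal at the ATM; a skimmer copies the message off the line.
    atm = AuthRequest(PAN, EXPIRY, TRACK2, 20000, "ATM-1", secrets.token_bytes(8))
    atm.enc_pin_block = pin_crypt(pin_block_format0(PIN, PAN), TERMINAL_KEY, atm.nonce)
    loot = skim(atm)
    # Counterfeit card at an ATM: the attacker has to type a PIN and guesses wrong.
    fake_atm = AuthRequest(loot["pan"], loot["expiry"], loot["track2"], 20000, "ATM-1", secrets.token_bytes(8))
    fake_atm.enc_pin_block = pin_crypt(pin_block_format0("0000", loot["pan"]), TERMINAL_KEY, fake_atm.nonce)
    # Same counterfeit at a signature-debit POS: nobody asks for a PIN.
    fake_pos = AuthRequest(loot["pan"], loot["expiry"], loot["track2"], 9999, "POS-7", secrets.token_bytes(8))
    # Armored variant: a genuine card-authenticated purchase, then the skimmer replaying its MAC.
    real = AuthRequest(PAN, EXPIRY, TRACK2, 9999, "POS-7", secrets.token_bytes(8))
    real.card_mac = card_mac(real, CARD_SECRET)
    replay = AuthRequest(PAN, EXPIRY, TRACK2, 50000, "POS-7", secrets.token_bytes(8), card_mac=real.card_mac)
    return {
        "genuine_pin_debit": issuer.authorize_pin_debit("ATM-1", atm),
        "counterfeit_pin_debit": issuer.authorize_pin_debit("ATM-1", fake_atm),
        "counterfeit_signature_debit": issuer.authorize_signature_debit(fake_pos),
        "genuine_armored": issuer.authorize_armored(real),
        "replayed_armored": issuer.authorize_armored(replay),
    }
```

`run_scenarios()` returns approvals for the genuine PIN-debit and the genuine armored purchase, a decline for the counterfeit at the ATM, an approval for the same counterfeit at the signature-debit terminal (the fraud the post describes), and a decline for the replayed armored transaction because the authenticator is bound to the amount and nonce of the transaction it was produced for. The armored path is what makes the cleartext fields worthless to a wiretapper without needing to encrypt them.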