Combining several replies into one...

Nicolas Williams <[EMAIL PROTECTED]> writes:

>On Mon, Sep 22, 2008 at 08:59:25PM -1000, James A. Donald wrote:
>> The major obstacle is that the government would want a strong binding
>> between sim cards and true names, which is no more practical than a
>> strong binding between physical keys and true names.
>
>I've a hard time believing that this is the major obstacle.
>[...]
>First, there's a business model problem. Everyone wants in: the cell phone
>manufacturer, the software developer, the network operators, and the banks.
>With everyone wanting a cut of every transaction done through cell phones the
>result would likely be too expensive to compete with credit cards, even after
>accounting for the cost of credit card fraud.

In my experience that's the brontosaurus in the room. There are vendors out
there that'll do cellphone auth (basic SMS-based out-of-band transaction
authorisation), the technology's in place, the problem is that once everyone
has taken their cut it's no longer economical. To some extent the technology
still sucks quite a bit (e.g. RSA's SMS-based system takes the bank-side
information "Request authorisation for transfer of $10,000 from your bank
account to the bank account of J.Random Retailer" and turns it into "Enter the
following PIN to unlock all further debits from your account until it's
empty"), but we're getting there. The killer is the cost involved. Access to
the mobile networks is expensive enough that I've seen solutions in some
countries like buying SMS capacity in bulk from foreign providers (it's cheaper
to send the texts from a provider on the other side of the world than to do it
locally) to the extreme step of setting up (or perhaps buying up) your own
cellular network.

"James A. Donald" <[EMAIL PROTECTED]> writes:

>There is always the give-your-password-over-the-phone attack, but the fact
>that phishers seeking WoW gold actually have to use the give-your-password-
>over-the-phone attack against WoW players shows the potency of a deliberately
>non-standard, difficult to forge, user interface.

Can you describe the WoW interface? It sounds like they've taken advantage of
the greenfields approach and built something different that's secure from the
start, but I'm not familiar with how it works.

>We need a similarly concise yet precise statement of what is wrong with the
>sort of things we are now doing - a list of principles of cryptography that
>working systems exemplify, and failed systems violate.

It's already been done, in situation-specific ways:

Marcus Ranum's Six Dumbest Ideas in Computer Security,
http://www.ranum.com/security/computer_security/editorials/dumb/index.html

Microsoft/Scott Culp's Ten Immutable Laws of Security,
http://technet.microsoft.com/en-us/library/cc722487.aspx

My own Ten Inescapable Truths of Security UI,
http://www.cs.auckland.ac.nz/~pgut001/pubs/stupid.pdf (last three slides)

IanG <[EMAIL PROTECTED]> writes:

>I think if there is a lot of money in it, there are some innovative solutions
>to making the obvious advice easier. I particularly like the Dutch central
>bank's approach here:
>
>https://financialcryptography.com/mt/archives/001059.html

... if you can stand the clickfest that's required to get there with FF3
(sigh).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
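The message above contrasts an SMS code that is bound to one specific transfer with one that merely "unlocks all further debits". The following is an added illustration, not code from the list post or from any vendor's product: a constructed bank-side routine that derives the texted code from the transfer's amount, payee and a per-transaction nonce (the key, nonce scheme and message layout are all assumptions), so the same code cannot authorise a different transfer.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """The transaction details the customer is being asked to approve."""
    amount_cents: int
    payee: str
    nonce: str  # issued by the bank per request; prevents replay of an old code


def auth_code(shared_key: bytes, tx: Transfer, digits: int = 8) -> str:
    """Derive the one-time code texted to the customer.

    The code is an HMAC over the transfer details, so it is only valid for
    this amount, this payee and this request (constructed scheme).
    """
    msg = f"{tx.amount_cents}|{tx.payee}|{tx.nonce}".encode()
    mac = hmac.new(shared_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)


def sms_text(tx: Transfer, code: str) -> str:
    """Text shown to the customer: the details must be visible so that what
    the user reads is what the code actually authorises."""
    dollars = tx.amount_cents / 100
    return (f"Authorise transfer of ${dollars:,.2f} to {tx.payee}? "
            f"If correct, enter code {code}. Ignore if you did not request it.")


def verify(shared_key: bytes, tx: Transfer, code: str) -> bool:
    """Bank-side check: recompute the code for the transfer that is actually
    about to execute and compare in constant time."""
    return hmac.compare_digest(auth_code(shared_key, tx), code)


if __name__ == "__main__":
    key = b"constructed-demo-key-per-customer"  # assumption: provisioned out of band
    legit = Transfer(1_000_000, "J.Random Retailer", "req-0001")
    code = auth_code(key, legit)
    print(sms_text(legit, code))
    # A code issued for this transfer does not unlock a substituted one.
    print(verify(key, legit, code))                                        # True
    print(verify(key, Transfer(1_000_000, "Someone Else", "req-0001"), code))  # False
    print(verify(key, Transfer(5_000_000, "J.Random Retailer", "req-0001"), code))  # False
```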
