>Wasn't there a paper on the underground economy that investigated such
>things by monitoring drop zones? And they found CC numbers, I thought? I
>could be wrong. I can't remember the title, but Thorsten Holz was one of
>the authors (no, not a relative of mine).

"Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones," by Thorsten Holz, et al., Dec 2008.

I read that and asked around. There is indeed some PC malware that collects card numbers along with other stuff, but it still seems to be far from a priority. In that paper, which is now three years old, their underground market table lists 10,775 bank accounts, 78,359 Full identities, 149,000 email passwords, and only 5682 credit cards.

I asked around; eastern European gangs have vast numbers of stolen card numbers in inventory, and one estimate was 1/4 of all North American cards. Plain card numbers are useless; you need at least the expiration date, preferably also the cardholder's name and address and the CVV code, which would be easier to collect from a compromised web browser where it can look at the fieldnames, but even better from a payment processor that has all that in spades.

So, anyway, really, there's no reason to believe that TLS on individual web sessions has any effect on stolen credit cards or other credentials. It's way easier to steal them other ways than to try to reconstruct them from packet streams.

Re dealing with phishing, I don't see any plausible solutions that don't involve non-programmable hardware, e.g., a dongle with a little screen that sets up its own secure session back to the bank and displays a summary of the transaction with a verification code you type in.

R's,
John
