Amex Blue was a market success in the sense that its ROI exceeded
expectations, rational and otherwise. It yielded thousands of new
accounts at a cost of acquisition far less than average, even when
taking into account the Windows driver support calls and the discarded
readers. That said, you
David Alexander Molnar [EMAIL PROTECTED] writes:
On Sat, 9 Jul 2005, Jörn Schmidt wrote:
less attractive to commit credit card fraud. You are, however, not
making it harder. That's why I believe the credit cards companies will
indeed have a good, long look at smartcards. Probably
| Jerrold Leichter [EMAIL PROTECTED] writes:
| In doing this calculation, be careful about the assumptions you make
| about how effective the countermeasures will be. The new systems
| may be more secure, but people will eventually come up with ways to
| break them. The history of security
I think the failure of Amex Blue is due to poor timing and the
requirement for hardware on the end-user's PC. At the time of its
introduction ecommerce and online banking were just getting started and
consumers were more worried about whether the store was real or not than
having their card
Perry E. Metzger wrote:
Why does the clerk at Blockbuster want to see your driver's license?
Because his management has been told, by their bank, that if they do
not attempt to verify the identity of credit card users they will risk
their business relationship with the bank. Credit card fraud
Perry E. Metzger wrote:
If you have a sufficiently good token, you may no longer need to have
identification information presented to the merchant, even by the
token, to reduce misuse. It is true that the issuer will still know
what transactions took place. However, you have at least reduced
Perry E. Metzger wrote:
Far better would be to have a token with a display attached to the
PC. The token will display a requested transaction to the user and
only sign it if the user agrees. Because the token is a trusted piece
of hardware that the user cannot install software on, it provides
Steven M. Bellovin wrote:
There's been a lot of discussion about how to strengthen cryptography
and authentication, to get away from problems of phishing, pharming,
etc. But such approaches can take you only so far, as this link
indicates:
http://www.lurhq.com/grams.html
Briefly, it's a
Adam Shostack wrote:
On Sun, Jul 10, 2005 at 12:13:42AM +0100, Peter Fairbrother wrote:
| Perry E. Metzger wrote:
|
| A system in which the credit card was replaced by a small, calculator
| style token with a smartcard style connector could effectively
| eliminate most of the in person
I think the difference now is the number of vendors entering the market,
the variety of solutions ( and their relative security), and demand
outside of Europe. When we started in mid-2001, we were looking at the
existing hardware guys and that is it. Now there are a handful of
venture-backed
* David Alexander Molnar:
Actually, smart cards are here today. My local movie theatre in Berkeley,
California is participating in a trial for MasterCard PayPass. There is
a little antenna at the window; apparently you can just wave your card at
the antenna to pay for tickets. I haven't
* Perry E. Metzger:
Nick Owen [EMAIL PROTECTED] writes:
It would seem simple to thwart such a trojan with strong authentication
simply by requiring a second one-time passcode to validate the
transaction itself in addition to the session.
Far better would be to have a token with a display
Take a look at Boojum Mobile -- it is
precisely the idea of using the cell
phone as an out-of-band channel for an
in-band transaction.
http://www.boojummobile.com
In the foreseeable future, this approach won't stop fraudulent
transactions because the one-time password does not depend on the
On Sun, 10 Jul 2005, Amir Herzberg wrote:
But... crypto and authentication, imho, are the best tools to prevent
such malware from being installed.
I disagree. Limited authority is the best way to prevent such malware
from being installed (and, if installed, from causing harm).
The premise
[EMAIL PROTECTED] writes:
Take a look at Boojum Mobile -- it is precisely the idea of using the cell
phone as an out-of-band channel for an in-band transaction.
http://www.boojummobile.com
Banks here have been using it to authenticate higher-value electronic
transactions as well. The way it
Nick Owen wrote:
I think that the cost of two-factor authentication will plummet in the
face of the volumes offered by e-banking. Also, the more uses for the
token, the more shared the costs will be. The question to me is will
the FIs go with anything beyond secure cookies, IP address
On Saturday 09 July 2005 23:31, [EMAIL PROTECTED] wrote:
Nick Owen writes:
| I think that the cost of two-factor authentication will plummet in the
| face of the volumes offered by e-banking.
Would you or anyone here care to analyze
what I am presuming is the market failure
of Amex
Perry Metzger writes:
So, what is to be done? I would propose that the replacement of the
credit card infrastructure is needed. Fraud is prevalent because of a
massive inherent security flaw in the current system, to wit,
the account number is identical to the payment authenticator, and
you
[EMAIL PROTECTED] writes:
Nick Owen writes:
| I think that the cost of two-factor authentication will plummet in the
| face of the volumes offered by e-banking.
Would you or anyone here care to analyze
what I am presuming is the market failure
of Amex Blue in the sense of its chipcard
Florian Weimer [EMAIL PROTECTED] writes:
* Perry E. Metzger:
Nick Owen [EMAIL PROTECTED] writes:
It would seem simple to thwart such a trojan with strong authentication
simply by requiring a second one-time passcode to validate the
transaction itself in addition to the session.
Far better
Guys,
This is just a reminder that the NIST hash workshop (Oct
31-Nov 1 of this year) is still taking submitted talks,
abstracts, etc., until July 15. There are no proceedings,
so there should not be any problem publishing things that
you discuss at this workshop. A major goal of doing this is
another characteristic of the PKI x.509 identity certificate activity
(besides attempting to create mass world-wide confusion regarding the
difference between identification and authentication ... and trying to
get govs. to mandate that x.509 identity certificates, grossly
overloaded with personal
--- begin forwarded text
From: [EMAIL PROTECTED] (Peter Gutmann)
To: [EMAIL PROTECTED]
Subject: Looking for crypto iButton specs
Date: Tue, 12 Jul 2005 00:56:35 +1200
Sender: [EMAIL PROTECTED]
During a recent discussion about secure crypto device bootstrap and
attestation capabilities,
http://81.144.183.106/Articles/2005/07/11/210820/AnotherUSbanksownsuptodataloss.htm
City National Bank is the latest major US company to admit it has lost
customer data.
The bank says it lost data back-up tapes in April, while they were being
transported to a secure facility by third-party data
Perry E. Metzger wrote:
A system in which the credit card was replaced by a small, calculator
style token with a smartcard style connector could effectively
eliminate most of the in person and over the net fraud we experience,
and thus get rid of large costs in the system and get rid of the
On Sat, 9 Jul 2005, Jörn Schmidt wrote:
less attractive to commit credit card fraud. You are, however, not
making it harder. That's why I believe the credit cards companies will
indeed have a good, long look at smartcards. Probably not tomorrow or
next week but in the near
If anyone knows how many people this affected, I'd love to know. (I'm
assuming it's their entire customer base)
Adam
On Mon, Jul 11, 2005 at 09:07:45AM -0600, Anne Lynn Wheeler wrote:
|
http://81.144.183.106/Articles/2005/07/11/210820/AnotherUSbanksownsuptodataloss.htm
|
| City National Bank
Peter Gutmann wrote:
[EMAIL PROTECTED] writes:
Take a look at Boojum Mobile -- it is precisely the idea of using the cell
phone as an out-of-band channel for an in-band transaction.
http://www.boojummobile.com
Banks here have been using it to authenticate higher-value electronic
Perry E. Metzger wrote:
However, you need both the end to end communication and the hardware
token with built in display and keyboard.
there are two issues for digital signatures ...
1) something you have authentication and
2) proof to the relying party as to the integrity level of the
Florian Weimer wrote:
* David Alexander Molnar:
Actually, smart cards are here today. My local movie theatre in Berkeley,
California is participating in a trial for MasterCard PayPass. There is
a little antenna at the window; apparently you can just wave your card at
the antenna to pay for
From: Eu-Jin Goh [EMAIL PROTECTED]
Subject: FRI 15 JULY 1630 HRS : Reflective side-channel cryptanalysis
To: [EMAIL PROTECTED]
Date: Mon, 11 Jul 2005 08:46:19 -0700
When - FRI 15th July
1630 hrs at Gates 4-B
On Mon, Jul 11, 2005 at 09:37:36PM +, Jason Holt wrote:
I remember the first time a site asked for the number on the back of my
credit card. It was a Walmart or Amazon purchase, and with no warning they
redirected me to some site with a questionable domain. I thought for sure
my
eprint.iacr.org/2005/186 is an attack by Xuesheng Zhong on several
blind signature schemes, including one widely discussed on the
Cypherpunks mailing list back in the 1990s by Stefan Brands. The paper
seems to show that it is possible for the bank/mint to recognize blind
signatures (i.e.
Jason Holt wrote:
I remember the first time a site asked for the number on the back of
my credit card. It was a Walmart or Amazon purchase, and with no
warning they redirected me to some site with a questionable domain. I
thought for sure my session was being hijacked, and my bank had