Re: Use cash machines as little as possible
Anne Lynn Wheeler wrote:
> ONE of Britain's biggest banks is asking customers to use cash machines as little as possible to help combat soaring card fraud.

That's odd - given a deliberate policy of encouraging Cash Machine use over the last few years, as Cash Machine costs+fraud still come to less than the running costs of sufficient local branches to allow you to obtain *Your* money back from them when needed.

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Question on the state of the security industry
Steve Furlong [EMAIL PROTECTED] writes:
> On Wed, 2004-06-30 at 06:49, Ian Grigg wrote:
> > Here's my question - is anyone in the security field of any sort of repute being asked about phishing, consulted about solutions, contracted to build? Anything?
>
> Nothing here. Spam is the main concern on people's minds, so far as I can tell.

I never considered phishing to be much of an issue until about a month ago, when I had a long discussion with someone at a security conference about a scale and type of phishing you never really hear about much. Not small-scale script-kiddie stuff but large-scale phishing run as a standard commercial business, with (literally) everything but 24-hour helpdesks (if you can read Portuguese you may be able to find more info at http://www.nbso.nic.br/).

Some of this I've already covered in the "Why isn't the Internet secure yet" tutorial I mentioned a while back: Trojans that control your DNS to direct you to fake web sites, trojans that grab copies of legit web sites from your browser cache and render them asking you to re-validate yourself since your session has expired, trojans that intercept data from inside your browser before it gets to the SSL channel, etc etc. This isn't stuff that only newbies will fall for, these are exact copies of the real site that look and act exactly like the real site.

This stuff is the scariest security threat I've heard of in (at least) the last couple of years because it's almost impossible to defend against. There is simply no way to protect a user on a standard Windows PC from this type of attack - even if you can afford to give each user a SecurID or crypto challenge-response calculator, that doesn't help you much because the attacker controls the PC. It's like having users stick their bank cards into and give their PIN to a MafiaBank-branded ATM, the only way to safely use it is to not use it at all.

The only solution I can think of is to use the PC only as a proxy/router and force users to do their online banking via a small terminal (not running Windows) that talks to the PC via the USB port, but it's not really economically viable.

Peter.
authentication and authorization (was: Question on the state of the security industry)
At 12:26 PM 7/1/2004, John Denker wrote:
> The object of phishing is to perpetrate so-called identity theft, so I must begin by objecting to that concept on two different grounds.

Subsequent posters have doubted the wisdom of quibbling with the term identity theft. I think the terminology deserves some attention of its own.

There is a long-established term, impersonation, which is wholly adequate to describe what is now called identity theft. Is this just a change of fashion? I suggest that there is more to the change.

Impersonation as a term focuses attention on the fact that the criminal is deceiving someone in order to gain advantage by claiming to have some valuable characteristics or authorisations in fact belonging not to the criminal but to some other person. The person deceived is the primary victim in contemplation when this terminology is used.

Identity theft, by contrast, suggests that the victim is the person impersonated, because his or her identity has been stolen. This way of looking at things implies that the losses which arise out of the impersonation fall on the person impersonated, rather than on the person deceived by the impersonation. Identity theft as a label is attractive to, for example, banks who may wish to suggest that losses must be carried by their customers because they failed to take proper care of their identity.

I think the use of the term identity theft should alert us to the risk that victims of crime are trying to pass the blame and the loss to someone else.

Regards
Nicholas Salkyns, Great Canfield, Takeley, Bishops Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272) Fax 020 7788 2198 (+44 20 7788 2198) Mobile 07715 419728 (+44 7715 419728)
PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF
RE: authentication and authorization (was: Question on the state of the security industry)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Denker
Sent: 1 July 2004 14:27
To: [EMAIL PROTECTED]
Cc: Ian Grigg
Subject: Re: authentication and authorization (was: Question on the state of the security industry)

> 1) For starters, identity theft is a misnomer. My identity is my identity, and cannot be stolen. The current epidemic involves something else, namely theft of an authenticator ...

Identity has many meanings. In a typical dictionary you will find several definitions for the word identity. When we are talking about information systems, we usually talk about a digital identity, which has other meanings as well. If you are in the field of psychology, philosophy, or computer science, identity won't mean the same thing. One definition that relates to computer science that I like is the following: the individual characteristics by which a thing or person is recognized or known.

A digital identity is usually composed of a set of identifiers (e.g. Unix ID, email address, X.500 DN, etc.) and other information associated with an entity (an entity can be an individual, computer machine, service, etc.). Other information may include usage profiles, employee profiles, security profiles, cryptographic keys, passwords, etc.

Identity can be stolen in the sense that this information can be copied, revealed to someone, and that someone can use it in order to identify and authenticate himself to a system and get authorization to access resources he wouldn't normally be allowed to.

The following document has a nice diagram on the first page of appendix A: http://www.ec3.org/Downloads/2002/id_management.pdf

I came up with a similar diagram for a presentation I recently gave, but instead of talking about primary and secondary identifying documents I mention primary and secondary identifying information in general, and I also have an identifiers circle situated beside the bigger circle, containing identifiers that belong to an entity but are not linkable to the entity (talking about nyms and pseudonyms).

Recall that there are basically 3 types of authentication: individual authentication (such as via biometrics, where you use primary identifying information to authenticate someone), identity authentication (where the identity may or may not be linkable to an individual), and attribute authentication (where you need to reveal nothing more than the possession of a certain attribute, such as can be done with Stefan Brands' digital credentials).

--Anton
Re: Use cash machines as little as possible
On Sun, 4 Jul 2004, Anne Lynn Wheeler wrote:
> http://www.thisislondon.com/news/business/articles/timid80044?source=
> http://www.thisismoney.com/20040704/nm80044.html
>
> ONE of Britain's biggest banks is asking customers to use cash machines as little as possible to help combat soaring card fraud.

Why on earth do they suggest that using ATM cards in retail stores is safer than using them in an ATM machine? I know about problems with ATM machines in convenience stores, but why is use of ATM machines in bank branches less safe than point-of-sale ATM transactions at a supermarket?

-- Viktor.
Re: authentication and authorization
John Denker wrote:
[identity theft v. phishing?]
> That's true but unhelpful. In a typical dictionary you will find that words such as

Identity theft is a fairly well established definition / crime. Last I heard it was the number one complaint at the US FTC. Leaving that aside, the reason that phishing is lumped in there is that it is *like* id theft, rather than being id theft. Just like as many have pointed out that phishing is *like* spam, and now we are dealing with the fact that it is not spam.

...

> But I don't approve of the rest of his paragraph:
>
> > So the reality of it is, the predilection with identity being the root key to all power is the way society is heading. I don't like it, but I'm not in a position to stop the world turning.
>
> First of all, not everything is heading the wrong way. The Apache server has for eons had privilege separation features. The openssh daemon acquired such features recently. As far as I can see, the trend (in the open software world at least) is in the right direction.

You are quoting a couple of obscure Internet systems as evidence that society isn't moving in the direction I indicated? Yet, every day the papers are filled with the progress the government is making on moving to an identity-based system of control and commerce. National drivers' licences, foreigners being hit with biometrics, etc etc. Next time I cross the borders, I probably have to be fingerprinted. How many banks are introducing these obscure features? How many know what a capability is? How to do a transactional security system, rather than an identity system? My claim seems unweakened as yet...

> I don't know whether to laugh or cry when I think about how phishing works, e.g. http://www.esmartcorp.com/Hacker%20Articles/ar_Watch%20a%20hacker%20work%20the%20system.htm
>
> The so-called ID is doing all sorts of things it shouldn't and not doing the things it should. The attacker has to prove he knows my home address, but does not have to prove he is physically at that address (or any other physical place) ... so he doesn't risk arrest.

Curious - now that's a different phishing, but I suppose it is close enough. Need to think about that one, I wouldn't call it phishing, just yet. I'd call it invoice fraud, at first blush. What I'd call phishing is this - mass mailings to people about their bank accounts, collection of the data, and then using the account details to wire money out. I guess we need some phishing experts to tell us the real full definition.

> Earlier Ian G. wrote:
> > the security experts have shot their wad.
>
> It doesn't even take a security expert to figure out easy ways of making the current system less ridiculous.

It's not at issue whether you can or you can't - what I was asserting is that no-one is asking you (or me or anyone else). Instead, cartels are being formed, solutions being sold, congressmen lobbied, etc, etc, and the real issues are being unaddressed.

> ... which is consistent with what I've been saying. I don't think people have tried and failed to solve the phishing problem --- au contraire, I think they've hardly tried.

I agree with that.

> [1Gbux] If the industry devoted even a fraction of that sum to anti-scam activities, they could greatly reduce the losses.

Yes, but it won't. This is the question - why not? Here's the question: http://www.financialcryptography.com/mt/archives/000169.html And here's *an* answer: http://www.financialcryptography.com/mt/archives/000174.html

> I've been to the Anti-Phishing Working Group site, e.g. http://www.antiphishing.org/resources.html They have nice charts on the amount of phishing observed as a function of time. But I haven't been able to find any hard information about what they are actually doing to address the problem. The email forwarded by Dan Geer was similarly vaporous.

I'm afraid I agree. The purpose seems to be to create a cartel, suck in some fees, and ... do some stuff. As the fee base ensures that only corporations join, only those with solutions to sell have an incentive to join. So in a while you'll see that they have a list of preferred solutions. None of which will address the problem, but they'll sure make you feel safe from the size of the price tag.

> Here's an interesting link, describing the application of actual cryptology to the problem: http://news.zdnet.co.uk/0,39020330,39159671,00.htm IMHO it's at a remarkable place in the price/performance space: neither the cheapest quick'n'dirty solution, nor the ultimate high performance solution. At least it refutes the assertion about security experts' wads having been shot. This is one of the first signs I've seen that real security experts have even set foot in this theater of operations, let alone shot anything.

That's a standard solution in mainland Europe for accessing online accounts. I'm not sure how it addresses phishing (of the sort that I know) as the MITM just sits in the middle and passes the query and response back and forth, no? Those tokens
Re: Using crypto against Phishing, Spoofing and Spamming...
* Amir Herzberg:

> # Protecting (even) Naïve Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites, at http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/trusted%20credentials%20area.PDF

The trusted credentials area is an interesting concept. However, experience suggests that given the current business models, we cannot build the required logotype registry. All registries which are used on the Internet (for IP address assignments, BGP prefixes, DNS names, and even X.509 certificates) are known to fail under stress.
RE: authentication and authorization
-Original Message-
From: John Denker [mailto:[EMAIL PROTECTED]
Sent: 5 July 2004 18:28
To: Anton Stiglic
Cc: [EMAIL PROTECTED]; 'Ian Grigg'
Subject: Re: authentication and authorization

[...]

> We should assume that the participants on this list have a goodly amount of technical expertise. We should use the established technical definitions, unless there is a good reason not to.

Well, there is no established technical definition for digital identity, but most definitions seem to focus on what I defined it as.

[...]

> > A digital identity is usually composed of a set of identifiers (e.g. Unix ID, email address, X.500 DN, etc.) and other information associated with an entity (an entity can be an individual, computer machine, service, etc.). Other information may include usage profiles, employee profiles, security profiles, cryptographic keys, passwords, etc.
>
> That is very unhelpful, because it lumps together two types of things that really ought to be treated differently.
> -- I want my email address to be widely known. I want my public keys to be widely known.
> -- I want my password to be secret. I want my private keys to be secret.

The term digital identity is not intended to help you solve the problem. In a digital identity there are parts that an individual wants to keep private, other parts can be public (others should be divulged to only certain individuals, possibly via a zero-knowledge proof that will convince the verifier, without giving him enough information to be able to prove the property to someone else). You can refer to the different parts of a digital identity using different terms if you want, but the term digital identity usually includes all of those parts. Relating to the real world, you might have a fetish for high-heeled pink leather boots, which is part of your identity (something that characterizes you), but not want others to know about that. But it's still part of your identity, just as your SSN number is.

> > Identity can be stolen in the sense that this information can be copied, revealed to someone, and that someone can use it in order to identify and authenticate himself to a system and get authorization to access resources he wouldn't normally be allowed to. The following document has a nice diagram on the first page of appendix A: http://www.ec3.org/Downloads/2002/id_management.pdf
>
> Again that (including the reference) misses the point and blurs things that really need to be kept distinct.

You are mixing up two problems, that of defining digital identity, and that of preventing unauthorized individuals from accessing resources that they are not supposed to (via identity theft for example), as well as privacy.

> The focus _must_ be on the transaction, not on the ID. Suppose I carry out a transaction with the jewellery store. Did I authorize a $3.00 payment for a new watch battery, or a $30,000.00 payment for a diamond necklace?

You are talking about the problem of non-repudiation here...

[...]

> Collecting more and more ID information about me is at best marginally helpful to the relying party; ID might tell the RP whether I *could* have authorized a particular transaction (was it within my account limit?) but ID cannot possibly tell the RP whether I *did* authorize a particular transaction. And (!!) don't forget the converse: If the transaction is legit, there is no reason why my ID needs to be involved. Cash transactions are still legal!

I agree with that last part. It relates to the whole thing about attribute vs identity vs individual authentication that I mentioned. I favour attribute authentication in most cases. And with stuff like Digital Credentials you can also have accountability even with attribute authentication (for example if forced by law).

> The proper use of _identification_ is obvious: In some exceptional circumstances it is important to be able to connect a real meat-space _identity_ with a particular event. For instance, if there is a hit-and-run accident, it really helps if a witness notes the license number of the car. (Been there, done that.)

Again, this relates exactly to my discussion about attribute, identity and individual authentication. Things like Digital Credentials are what is going to help you out, not re-defining the term digital identity.

--Anton
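An added example, not code from any post in this thread, that puts two of the points above side by side: Ian Grigg's remark that a token-based login does not help against a phishing site that "just sits in the middle and passes the query and response back and forth", and John Denker's question of whether the customer authorized $3.00 or $30,000.00. It simulates a real-time relay proxy against (a) a challenge-response token whose response covers only the bank's challenge and (b) a token that signs the amount and payee the user confirms on the token's own display. The Bank, PhishingProxy, token_otp and token_sign_txn names, the key and the account strings are all constructed for the simulation; no real bank or token protocol is modelled.

```python
"""Simulation of a real-time phishing relay against two kinds of token.

Added illustration, not code from the mailing list: the bank, the token and
the proxy are hypothetical Python objects, and VICTIM_KEY is a constructed
test secret.
"""
import hashlib
import hmac
import secrets

# Constructed shared secret between the bank and the victim's token.
VICTIM_KEY = b"constructed-test-secret-0001"


def token_otp(key: bytes, challenge: str) -> str:
    """Plain challenge-response: the token MACs only the bank's challenge."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()[:8]


def token_sign_txn(key: bytes, challenge: str, amount: str, payee: str) -> str:
    """Transaction signing: the MAC covers the amount and payee the user
    confirms on the token's own display, so it is valid for that transfer only."""
    msg = f"{challenge}|{amount}|{payee}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Hypothetical bank backend holding one customer's token key."""

    def __init__(self, key: bytes):
        self.key = key
        self.issued = set()  # outstanding challenges; each is single-use

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(8)
        self.issued.add(challenge)
        return challenge

    def _consume(self, challenge: str) -> bool:
        if challenge not in self.issued:
            return False  # unknown or already used: blocks replay
        self.issued.remove(challenge)
        return True

    def transfer_with_otp(self, challenge, otp, amount, payee) -> str:
        """Login-style OTP: the bank checks the OTP, then executes whatever
        transaction details arrive in the same session."""
        if not self._consume(challenge):
            return "REJECTED"
        if not hmac.compare_digest(otp, token_otp(self.key, challenge)):
            return "REJECTED"
        return f"ACCEPTED {amount} to {payee}"

    def transfer_with_signature(self, challenge, mac, amount, payee) -> str:
        """Transaction signing: the MAC is recomputed over the details the
        bank is about to execute, so substituted details fail to verify."""
        if not self._consume(challenge):
            return "REJECTED"
        expected = token_sign_txn(self.key, challenge, amount, payee)
        if not hmac.compare_digest(mac, expected):
            return "REJECTED"
        return f"ACCEPTED {amount} to {payee}"


class PhishingProxy:
    """Real-time relay: the victim talks to the fake site, the fake site talks
    to the real bank, and whatever the token produces is forwarded verbatim."""

    MULE = "attacker mule account"

    def __init__(self, bank: Bank):
        self.bank = bank

    def attack_otp(self, victim_key: bytes) -> str:
        challenge = self.bank.new_challenge()   # proxy opens the real session
        otp = token_otp(victim_key, challenge)   # victim types it into the fake site
        # The victim believes they are paying the jeweller; the proxy submits its own details.
        return self.bank.transfer_with_otp(challenge, otp, "30000.00", self.MULE)

    def attack_signature(self, victim_key: bytes) -> str:
        challenge = self.bank.new_challenge()
        # The victim reads *these* details on the token display and signs them.
        mac = token_sign_txn(victim_key, challenge, "3.00", "jewellery store")
        # The proxy forwards the MAC unchanged but swaps in its own amount and payee.
        return self.bank.transfer_with_signature(challenge, mac, "30000.00", self.MULE)


def honest_signed_transfer(bank: Bank, victim_key: bytes) -> str:
    """Control case: the signed details and the executed details agree."""
    challenge = bank.new_challenge()
    mac = token_sign_txn(victim_key, challenge, "3.00", "jewellery store")
    return bank.transfer_with_signature(challenge, mac, "3.00", "jewellery store")


if __name__ == "__main__":
    print("OTP token, relayed:    ", PhishingProxy(Bank(VICTIM_KEY)).attack_otp(VICTIM_KEY))
    print("signing token, relayed:", PhishingProxy(Bank(VICTIM_KEY)).attack_signature(VICTIM_KEY))
    print("signing token, honest: ", honest_signed_transfer(Bank(VICTIM_KEY), VICTIM_KEY))
```

The relayed OTP is accepted because nothing in it says what the customer thought they were approving; the relayed transaction signature is rejected because the bank recomputes the MAC over the amount and payee it is about to execute. The caveat is the one Peter Gutmann raises earlier in the thread: this only helps if the amount and payee are shown on, and confirmed from, the token's own display. If the user reads them off a PC the attacker controls, the trojan can show $3.00 while feeding $30,000.00 to the token, and the signature proves nothing about what the user intended.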