Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-28 Thread Bill Stewart
At 03:20 AM 7/18/2004, Enzo Michelangeli wrote: Can someone explain to me how the phishermen escape identification and prosecution? Gaining online access to someone's account allows, at most, to execute wire transfers to other bank accounts: but in these days anonymous accounts are not exactly easy

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-25 Thread Peter Gutmann
Enzo Michelangeli [EMAIL PROTECTED] writes: Can someone explain to me how the phishermen escape identification and prosecution? Gaining online access to someone's account allows, at most, to execute wire transfers to other bank accounts: Some (a lot of?) large-scale phishing is done by or with the

Re: RP -- Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-22 Thread Anne Lynn Wheeler
At 01:39 PM 7/21/2004, Ed Gerck wrote: The PKI model is not tied to any legal jurisdiction and is not a business process. What is meant then by relying-party (RP) and RP Reliance in X.509 and PKIX? I hope the text below, from a work in progress submitted as an IETF ID, helps clarify this issue.

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-21 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Ian Grigg writes: Don't be silly. It's not a threat because people generally use SSL. Back in the old days, password capture was a very serious threat. It went away with SSH. It seems to me quite likely that it would be a problem with web browsing in the

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-21 Thread Ian Grigg
Steve, thanks for addressing the issues with some actual anecdotal evidence. The conclusions still don't hold, IMHO. Steven M. Bellovin wrote: In message [EMAIL PROTECTED], Ian Grigg writes: Right... It's easy to claim that it went away because we protected against it. Unfortunately, that's

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-21 Thread Anne Lynn Wheeler
At 01:54 PM 7/19/2004, Steven M. Bellovin wrote: It's also worth remembering that an SSL-like solution -- cryptographically protecting the transmission of credit card number, instead of digitally signing a funds transfer authorization linked to some account -- was more or less the only thing

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-18 Thread Eric Rescorla
Ian Grigg [EMAIL PROTECTED] writes: Notwithstanding that, I would suggest that the money already lost is in excess of the amount paid out to Certificate Authorities for secure ecommerce certificates (somewhere around $100 million I guess) to date. As predicted, the CA-signed certificate

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-18 Thread John Levine
But is it so harmful? How much money is lost in a typical phishing attack against a large US bank, or PayPal? A lot. According to people at the anti-phishing conference earlier this year, six-figure losses are common, and seven-figure not unknown. The kind of phishes we all see, trolling for

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-18 Thread Ian Grigg
Eric Rescorla wrote: Ian Grigg [EMAIL PROTECTED] writes: Notwithstanding that, I would suggest that the money already lost is in excess of the amount paid out to Certificate Authorities for secure ecommerce certificates (somewhere around $100 million I guess) to date. As predicted, the CA-signed

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-18 Thread Anne Lynn Wheeler
At 05:55 PM 7/17/2004, Eric Rescorla wrote: Now, my threat model mostly includes (1), does not really include (3), and I'm careful not to do things that leave me susceptible to (2), so SSL does in fact protect against the attacks in my threat model. I know a number of other people with similar

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-18 Thread John Denker
Enzo Michelangeli wrote: Can someone explain to me how the phishermen escape identification and prosecution? Gaining online access to someone's account allows, at most, to execute wire transfers to other bank accounts: but in these days anonymous accounts are not exactly easy to get in any country,

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-18 Thread Ian Grigg
Enzo Michelangeli wrote: Can someone explain to me how the phishermen escape identification and prosecution? Gaining online access to someone's account allows, at most, to execute wire transfers to other bank accounts: but in these days anonymous accounts are not exactly easy to get in any country,

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-17 Thread Anne Lynn Wheeler
At 10:46 AM 7/10/2004, Florian Weimer wrote: But is it so harmful? How much money is lost in a typical phishing attack against a large US bank, or PayPal? (I mean direct losses due to partially rolled back transactions, not indirect losses because of bad press or customer feeling insecure.)

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-17 Thread Ian Grigg
At 10:46 AM 7/10/2004, Florian Weimer wrote: But is it so harmful? How much money is lost in a typical phishing attack against a large US bank, or PayPal? (I mean direct losses due to partially rolled back transactions, not indirect losses because of bad press or customer feeling insecure.) I

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-15 Thread Rich Salz
SET failed due to the complexity of distributing the software and setting up the credentials. I think another reason was the go-fast atmosphere of the late 90s, where no one wanted to slow down the growth of ecommerce. The path of least resistance was simply to bring across the old way of

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-11 Thread Ian Grigg
Florian Weimer wrote: There are simply too many of them, and not all of them implement checks for conflicts. I'm pretty sure I could legally register Metzdowd in Germany for say, restaurant service. This indeed is the crux of the weakness of the SSL/secure browsing/CA system. The concept called

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-11 Thread Amir Herzberg
Ian Grigg wrote: This indeed is the crux of the weakness of the SSL/secure browsing/CA system. The concept called for all CAs are equal which is an assumption that is easily shown to be nonsense. Exactly. Browsers simply require sites to have a certificate from any CA. Browsers can't even

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-10 Thread Florian Weimer
* Amir Herzberg: Florian Weimer wrote: * Amir Herzberg: # Protecting (even) Naïve Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites, at http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/trusted%20credentials%20area.PDF The trusted credentials area is an interesting

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-10 Thread Florian Weimer
* Hal Finney: Only now are we belatedly beginning to pay the price for that decision. If anything, it's surprising that it has taken this long. If phishing scams had sprung up five years ago it's possible that SET would have had a fighting chance to survive. Wouldn't typical phishing

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-09 Thread Anne Lynn Wheeler
At 10:40 AM 7/7/2004, Hal Finney wrote: SET failed due to the complexity of distributing the software and setting up the credentials. I think another reason was the go-fast atmosphere of the late 90s, where no one wanted to slow down the growth of ecommerce. The path of least resistance was

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-08 Thread Amir Herzberg
Florian Weimer wrote: * Amir Herzberg: # Protecting (even) Naïve Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites, at http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/trusted%20credentials%20area.PDF The trusted credentials area is an interesting concept. Thanks.

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-08 Thread Hal Finney
There was an early attempt to use cryptography to authenticate online credit card transactions, the SET protocol pushed by Visa and Mastercard in the late 1990s. SET would require PC users to download a digital wallet application which would hold cryptographic credentials that would be used to

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-07 Thread Florian Weimer
* Amir Herzberg: # Protecting (even) Naïve Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites, at http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/trusted%20credentials%20area.PDF The trusted credentials area is an interesting concept. However, experience suggests

Using crypto against Phishing, Spoofing and Spamming...

2004-07-04 Thread Amir Herzberg
Following some of our discussions on this list, I tried to think more seriously on how crypto could be used for the basic current security threats of spoofing, phishing and spamming. Preliminary write-ups of the results are available in the following (or from my homepage): # Protecting (even)