Jason Holt wrote:
I remember the first time a site asked for the number on the back of
my credit card. It was a Walmart or Amazon purchase, and with no
warning they redirected me to some site with a questionable domain. I
thought for sure my session was being hijacked, and my bank had given
eprint.iacr.org/2005/186 is an attack by Xuesheng Zhong on several
blind signature schemes, including one widely discussed on the
Cypherpunks mailing list back in the 1990s by Stefan Brands. The paper
seems to show that it is possible for the bank/mint to recognize blind
signatures (i.e. untraceabl
On Mon, Jul 11, 2005 at 09:37:36PM +, Jason Holt wrote:
> I remember the first time a site asked for the number on the back of my
> credit card. It was a Walmart or Amazon purchase, and with no warning they
> redirected me to some site with a questionable domain. I thought for sure
> my ses
I remember the first time a site asked for the number on the back of my credit
card. It was a Walmart or Amazon purchase, and with no warning they
redirected me to some site with a questionable domain. I thought for sure my
session was being hijacked, and my bank had given me no idea what the
From: Eu-Jin Goh <[EMAIL PROTECTED]>
Subject: FRI 15 JULY 1630 HRS : Reflective side-channel cryptanalysis
To: [EMAIL PROTECTED]
Date: Mon, 11 Jul 2005 08:46:19 -0700
- ---
When - FRI 15th July
1630 hrs at Gates 4-B (opp
Florian Weimer wrote:
> * David Alexander Molnar:
>
>> Actually, smart cards are here today. My local movie theatre in Berkeley,
>> California is participating in a trial for "MasterCard PayPass." There is
>> a little antenna at the window; apparently you can just wave your card at
> the antenna
Perry E. Metzger wrote:
> However, you need both the end to end communication and the hardware
> token with built in display and keyboard.
there are two issues for digital signatures ...
1) "something you have" authentication and
2) proof to the relying party as to the integrity level of the oper
Peter Gutmann wrote:
[EMAIL PROTECTED] writes:
Take a look at Boojum Mobile -- it is precisely the idea of using the cell
phone as an out-of-band channel for an in-band transaction.
http://www.boojummobile.com
Banks here have been using it to authenticate higher-value electronic
transaction
If anyone knows how many people this affected, I'd love to know. (I'm
assuming it's their entire customer base)
Adam
On Mon, Jul 11, 2005 at 09:07:45AM -0600, Anne & Lynn Wheeler wrote:
| http://81.144.183.106/Articles/2005/07/11/210820/AnotherUSbanksownsuptodataloss.htm
|
| City National Bank i
>
>
> On Sat, 9 Jul 2005, [UNKNOWN] Jörn Schmidt wrote:
>
>> less attractive to commit credit card fraud. You are, however, not
>> making it harder. That's why I believe the credit cards companies will
>> indeed have a good, long look at smartcards. Probably not tomorrow or
>> next week but in the
> Perry E. Metzger wrote:
>
>> A system in which the credit card was replaced by a small, calculator
>> style token with a smartcard style connector could effectively
>> eliminate most of the in person and over the net fraud we experience,
>> and thus get rid of large costs in the system and get ri
http://81.144.183.106/Articles/2005/07/11/210820/AnotherUSbanksownsuptodataloss.htm
City National Bank is the latest major US company to admit it has lost
customer data.
The bank says it lost data back-up tapes in April, while they were being
transported to a secure facility by third-party data s
--- begin forwarded text
From: [EMAIL PROTECTED] (Peter Gutmann)
To: [EMAIL PROTECTED]
Subject: Looking for crypto iButton specs
Date: Tue, 12 Jul 2005 00:56:35 +1200
Sender: [EMAIL PROTECTED]
During a recent discussion about secure crypto device bootstrap and
attestation capabilities, I
http://www.finextra.com/fullstory.asp?id=13952
US consumers want companies fined for security breaches
The majority of US consumers want to see criminal charges levied against
companies that fail to protect their personal data, as one in five
individuals admit falling victim to identity t
http://www.atmmarketplace.com/news_story_23530.htm
Keeping an eye on ATM fraud
What happened to the good ole days when the magnetic stripe was king?
Remember … those were the days when you didn’t have to worry about ATM
devices that skim or trap. In today’s techie world, those days are long
gone,
>| Not having to show ID may save annoyance, but it doesn't significantly
>| improve privacy.
>
>Most credit card issuers will happily give you extra cards, so your
>friends can spend your money. In whatever name you want. If you need
>to show ID, this can become, umm, complicated.
I dunno about
another characteristic of the PKI x.509 identity certificate activity
(besides attempting to create mass world-wide confusion regarding the
difference between identification and authentication ... and trying to
get govs. to mandate that x.509 identity certificates, grossly
overloaded with personal
Guys,
This is just a reminder that the NIST hash workshop (Oct
31-Nov 1 of this year) is still taking submitted talks,
abstracts, etc., until July 15. There are no proceedings,
so there should not be any problem publishing things that
you discuss at this workshop. A major goal of doing this is
t
Florian Weimer <[EMAIL PROTECTED]> writes:
> * Perry E. Metzger:
>> Nick Owen <[EMAIL PROTECTED]> writes:
>>> It would seem simple to thwart such a trojan with strong authentication
>>> simply by requiring a second one-time passcode to validate the
>>> transaction itself in addition to the session
[EMAIL PROTECTED] writes:
> Nick Owen writes:
> | I think that the cost of two-factor authentication will plummet in the
> | face of the volumes offered by e-banking.
>
> Would you or anyone here care to analyze
> what I am presuming is the market failure
> of Amex Blue in the sense of its chipc
Perry Metzger writes:
> So, what is to be done? I would propose that the replacement of the
> credit card infrastructure is needed. Fraud is prevalent because of a
> massive inherent security flaw in the current system, to wit,
> the account number is identical to the payment authenticator, and
>
On Saturday 09 July 2005 23:31, [EMAIL PROTECTED] wrote:
>
> Nick Owen writes:
> | I think that the cost of two-factor authentication will plummet in the
> | face of the volumes offered by e-banking.
>
> Would you or anyone here care to analyze
> what I am presuming is the market failure
> of A
Nick Owen wrote:
> I think that the cost of two-factor authentication will plummet in the
> face of the volumes offered by e-banking. Also, the more uses for the
> token, the more shared the costs will be. The question to me is will
> the FIs go with anything beyond secure cookies, IP address v
[EMAIL PROTECTED] writes:
>Take a look at Boojum Mobile -- it is precisely the idea of using the cell
>phone as an out-of-band channel for an in-band transaction.
>
>http://www.boojummobile.com
Banks here have been using it to authenticate higher-value electronic
transactions as well. The way it
On Sun, 10 Jul 2005, Amir Herzberg wrote:
> But... crypto and authentication, imho, are the best tools to prevent
> such malware from being installed.
I disagree. Limited authority is the best way to prevent such malware
from being installed (and, if installed, from causing harm).
The premise th
> Take a look at Boojum Mobile -- it is
> precisely the idea of using the cell
> phone as an out-of-band channel for an
> in-band transaction.
>
> http://www.boojummobile.com
In the foreseeable future, this approach won't stop fraudulent
transactions because the one-time password does not depend on
* Perry E. Metzger:
> Nick Owen <[EMAIL PROTECTED]> writes:
>> It would seem simple to thwart such a trojan with strong authentication
>> simply by requiring a second one-time passcode to validate the
>> transaction itself in addition to the session.
>
> Far better would be to have a token with a
* David Alexander Molnar:
> Actually, smart cards are here today. My local movie theatre in Berkeley,
> California is participating in a trial for "MasterCard PayPass." There is
> a little antenna at the window; apparently you can just wave your card at
> the antenna to pay for tickets. I haven'
I think the difference now is the number of vendors entering the market,
the variety of solutions (and their relative security), and demand
outside of Europe. When we started in mid-2001, we were looking at the
existing hardware guys and that is it. Now there are a handful of
venture-backed softwar
Adam Shostack wrote:
On Sun, Jul 10, 2005 at 12:13:42AM +0100, Peter Fairbrother wrote:
| Perry E. Metzger wrote:
|
| > A system in which the credit card was replaced by a small, calculator
| > style token with a smartcard style connector could effectively
| > eliminate most of the in person
Steven M. Bellovin wrote:
There's been a lot of discussion about how to strengthen cryptography
and authentication, to get away from problems of phishing, pharming,
etc. But such approaches can take you only so far, as this link
indicates:
http://www.lurhq.com/grams.html
Briefly, it's a Tro
Perry E. Metzger wrote:
> Far better would be to have a token with a display attached to the
> PC. The token will display a requested transaction to the user and
> only sign it if the user agrees. Because the token is a trusted piece
> of hardware that the user cannot install software on, it provid
Perry E. Metzger wrote:
> If you have a sufficiently good token, you may no longer need to have
> identification information presented to the merchant, even by the
> token, to reduce misuse. It is true that the issuer will still know
> what transactions took place. However, you have at least reduce
Perry E. Metzger wrote:
> Why does the clerk at Blockbuster want to see your driver's license?
> Because his management has been told, by their bank, that if they do
> not attempt to verify the identity of credit card users they will risk
> their business relationship with the bank. Credit card fra
I think the failure of Amex Blue is due to poor timing and the
requirement for hardware on the end-user's PC. At the time of its
introduction ecommerce and online banking were just getting started and
consumers were more worried about whether the store was real or not than
having their card stole
| Jerrold Leichter <[EMAIL PROTECTED]> writes:
| > In doing this calculation, be careful about the assumptions you make
| > about how effective the countermeasures will be. The new systems
| > may be more secure, but people will eventually come up with ways to
| > break them. The history of secur
David Alexander Molnar <[EMAIL PROTECTED]> writes:
> On Sat, 9 Jul 2005, [UNKNOWN] Jörn Schmidt wrote:
>
>> less attractive to commit credit card fraud. You are, however, not
>> making it harder. That's why I believe the credit cards companies will
>> indeed have a good, long look at smartcards. P
Amex Blue was a market success in the sense that its ROI exceeded
expectations, rational and otherwise. It yielded thousands of new
accounts at a cost of acquisition far less than average, even when
taking into account the Windows driver support calls and the discarded
readers. That said, you migh