Hi John,
thanks for your reply!
John Denker wrote:
The object of phishing is to perpetrate so-called "identity theft", so I must begin by objecting to that concept on two different grounds.
1) For starters, "identity theft" is a misnomer. My identity is my identity, and cannot be stolen.
I think I'd echo Lynn's comments - it's the label in use, so we might as well get used to it. In fact, the more I think of it, the more I realise that a desire to get the right terms in place might be part of the answer to the original question!
You are right that it's important to separate out the two cases: the theft of the immediate account (and money therein) which is more what phishing is, from the acquisition of identity data in order to open new places to steal from (credit ... see my rant&comments on why this is an American issue and hence may have escaped the rest of the world's attention:
http://www.financialcryptography.com/mt/archives/000146.html
2) Even more importantly, the whole focus on _identity_ is pernicious. For the vast majority of cases in which people claim to want ID, the purpose would be better served by something else, such as _authorization_. For example, when I walk into a seedy bar in a foreign country, they can reasonably ask for proof that I am authorized to do so, which in most cases boils down to proof of age.
They do *not* need proof of my car-driving privileges, they do not need my real name, they do not need my home address, and they really, really, don't need some "ID" number that some foolish bank might mistake for sufficient authorization to withdraw large sums of money from my account. They really, really, reeeally don't need other information such as what SCI clearances I hold, what third-country visas I hold, my medical history, et cetera.
I could cite many additional colorful examples, but you get the idea: The more info is linked to my "ID" (either by writing it on the "ID" card or by linking databases via "ID" number) the _less_ secure everything becomes. Power-hungry governments and power-hungry corporations desire such linkage, because it makes me easier to exploit ... but any claim that such linkable "ID" is needed for _security_ is diametrically untrue.
Again, I see here an answer to why it is that the security industry is being ignored - all that above is well and good in theory, but it doesn't translate as easily to practice. I mean, as a hypothetical test - just how do you deliver some form of privileges system that allows one person to know my age, and another to know my sex, and another to know my drinking problems?
That's not really a solved *cheap* problem, is it?
So the reality of it is, the predilection with identity being the root key to all power is the way society is heading. I don't like it, but I'm not in a position to stop the world turning.
===
Returning to:
> .... For the first time we are facing a real, difficult security problem. And the security experts have shot their wad.
I think a better description is that banks long ago deployed a system that was laughably insecure. (They got away with it for years ... but that's irrelevant.) Now that there is widespread breakage, they act surprised, but none of this should have come as a surprise to anybody, expert or otherwise.
I think the security industry must at least acknowledge their part in this. For a decade now we as a field have been telling everyone that secure browsing with SSL and CA-signed certs and all that stuff is ... secure.
What was that quote? "The Netscape and Microsoft Secure E-Commerce System" ??
In fact, we're still saying it, and mentally, about half the field refuses to believe that the "secure browsing" security model has been breached. The issue runs very deep, and a lot of sacred cows have to be slaughtered before this one will be resolved.
I mean, we could just go on ignoring it, but that might explain why we are being ignored?
Now banks and their customers are paying the price. As soon as the price to the banks gets a little higher, they will deploy a more-secure payment authorization scheme, and the problem will go away.
Well, it is true, in a sense, that as the problem gets more expensive, there is more incentive to fix it. So far the banks have fiddled at the edges with server based stuff. But that can't help them much. About the only thing that can help them directly is if they lock out other IP numbers but that's a difficult one.
The issue is one for the client side to solve. The user is the one who is being enticed with the dodgy link. So it's one of these three agents: user, mailer, browser.
(Note that I didn't say "ID" scheme. I don't care who knows my SSN and other "ID" numbers ... so long as they cannot use them to steal stuff. And as soon as there is no value in knowing "ID" numbers, people will stop phishing for them.)
I think if we re-characterise phishing as the part of identity theft where accounts are stolen directly, we might have more of an acceptable compromise on the lingo.
iang