Re: [spam]::Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-13 Thread Jonathan Thornburg

In an earlier message, I wrote

> I would never use online banking, and I advise all my friends and
> colleagues (particularly those who _aren't_ computer-security-geeks) to
> avoid it.

Jason Axley asked

> Why do you not use OLB?

Basically, so far as I know the fine print in online bank service
agreements basically says you (the customer) are responsible for any
transactions we receive with your username and pin, and our electronic
records are the final word on this.

Thus if there is a false transaction on my account, i.e. one which
I did not intend to authorize (whether this happened due to insider
fraud in the bank, MITM phishing, virus in my computer, or whatever
other cause), the basic legal presumption is that it's my loss, not
the bank's.  I consider the risks of this too high.

> What would need to
> be fixed for you to use OLB in the future?

I would want the same ability to refuse an unauthorized transaction
that I have now with credit cards, where basically any losses over
50 Euros/dollars are the bank's problem, not mine.

> What is your threat model
> (WIYTM)?

For online banking, any/all of
(a) insider fraud at the bank and/or anyone else to whom they've
outsourced relevant processing
(b) computer breakin/theft at the bank and/or anyone else to whom
they've outsourced relevant processing
(c) MITM phishing or DNS hijacking
(d) viruses/worms in my computer

> What risks are present in OLB that are not present in the
> offline world?

(c) and (d) above.  Also liability for problems is mine, not the bank's
(see above).  Also there are few paper records that I can use to help
document problems.

In the offline world, (a) and (b) are mitigated by paper records
(and forms with my written signature) which crooks usually don't
bother forging.

> What about the risks of the offline financial world?

If I wire-transfer money from my bank in Germany to my credit union
in Canada, my written signature is (supposed to be) required to verify
that I did in fact authorize the transaction.  If the bank sends my
money off to a crook's account (whether by mistake or due to deliberate
fraud), the next time I get a statement I'll notice, and I'll ask them
what happened.  If the bank can't show me a piece of paper with my
signature on it, my understanding is that (if I complain enough) I can
force them to refund the money to me (so it's then their problem to try
to recover it from wherever it went).

> For example, all of
> the information that someone needs to put money in, or take it out, of
> your checking account via ACH is nicely printed in magnetic ink on your
> checks in the US.  And you give it out to anyone when you write them a
> check.

Where I live now (Germany) people don't use cheques, they do bank
transfers which the *payer* gives direct to her bank.  These (are
supposed to) have the written signature of the payer (the account-holder).
If someone forges one of these and takes money out of my account, I can
refuse the transaction and (I understand) the bank is legally required
to refund the money to me (and it's their problem to recover it from
whoever got it).

When I lived in Canada (where people use cheques in the same way
as in the US), my understanding is that
(a) Even with the transit/routing numbers, no one is supposed to be able
to take money out of an account without prior written permission.
A cheque constitutes such permission _for_a_specific_transaction_,
but not for any other transaction(s).
(b) If someone forges another cheque (e.g. scans my signature etc),
and my bank honors it and takes the money out of my account,
then since I didn't actually sign that cheque, legally it's the
bank's fault for honoring it, and (if I complain enough)
I can force the bank to refund the money to me (so it's then
the bank's problem to try to recover it from the crook).

> This reminded me of how I laughed when I saw an interview with a local
> security person where he said that he didn't even connect a computer to
> the Internet at home due to the risk.  To me, this seems akin to deciding
> to not leave your house because you can't be sure someone won't shoot
> you dead.

Well, in certain places that's basically what people do.  For example,
many foreign people in Baghdad don't venture out of the green zone.
My point is that when substantial amounts of money are involved, IMHO
the internet is basically a red zone where I don't feel safe venturing.

ciao,

--
-- Jonathan Thornburg [EMAIL PROTECTED]
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, Old Europe http://www.aei.mpg.de/~jthorn/home.html
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam


-
The Cryptography Mailing List
Unsubscribe by sending 

Live Tracking of Mobile Phones Prompts Court Fights on Privacy

2005-12-13 Thread John Gilmore
[See the details at EFF:
  http://www.eff.org/legal/cases/USA_v_PenRegister/
 including the three court orders, and EFF's argument to the first court.

 The real story is that for years prosecutors have been asking
 magistrates to issue court orders to track cellphones in real time
 WITHOUT WARRANTS.  They're tracking people for whom they can't get
 warrants because they have no probable cause to believe there's any
 crime.  They're fishing.  The public never knew, because it all
 happens under seal.  One judge who had previously issued such orders
 got an attack of conscience, and surprisingly PUBLISHED a decision
 against such a secret DoJ request.  EFF noticed and offered legal
 analysis, and that judge and two others started publicly refusing
 such requests.  DoJ won't appeal, because without an appeals court
 precedent against them, they can keep secretly pulling the wool over
 the eyes of other magistrates, and keep tapping the locations of
 ordinary people in realtime without warrants.  --gnu]

No cookies or login required:
http://www.theledger.com/apps/pbcs.dll/article?AID=/20051210/ZNYT01/512100416/1001/BUSINESS

Published Saturday, December 10, 2005
Live Tracking of Mobile Phones Prompts Court Fights on Privacy

By MATT RICHTEL
New York Times

Most Americans carry cellphones, but many may not know that government
agencies can track their movements through the signals emanating from
the handset.

In recent years, law enforcement officials have turned to cellular
technology as a tool for easily and secretly monitoring the movements
of suspects as they occur. But this kind of surveillance - which
investigators have been able to conduct with easily obtained court
orders - has now come under tougher legal scrutiny.

In the last four months, three federal judges have denied prosecutors
the right to get cellphone tracking information from wireless
companies without first showing probable cause to believe that a
crime has been or is being committed. That is the same standard
applied to requests for search warrants.

The rulings, issued by magistrate judges in New York, Texas and
Maryland, underscore the growing debate over privacy rights and
government surveillance in the digital age.

With mobile phones becoming as prevalent as conventional phones (there
are 195 million cellular subscribers in this country), wireless
companies are starting to exploit the phones' tracking abilities. For
example, companies are marketing services that turn phones into even
more precise global positioning devices for driving or allowing
parents to track the whereabouts of their children through the
handsets.

Not surprisingly, law enforcement agencies want to exploit this
technology, too - which means more courts are bound to wrestle with
what legal standard applies when government agents ask to conduct such
surveillance.

Cellular operators like Verizon Wireless and Cingular Wireless know,
within about 300 yards, the location of their subscribers whenever a
phone is turned on. Even if the phone is not in use it is
communicating with cellphone tower sites, and the wireless provider
keeps track of the phone's position as it travels. The operators have
said that they turn over location information when presented with a
court order to do so.

The recent rulings by the magistrates, who are appointed by a majority
of the federal district judges in a given court, do not bind other
courts. But they could significantly curtail access to cell location
data if other jurisdictions adopt the same reasoning. (The
government's requests in the three cases, with their details, were
sealed because they involve investigations still under way.)

It can have a major negative impact, said Clifford S. Fishman, a
former prosecutor in the Manhattan district attorney's office and a
professor at the Catholic University of America's law school in
Washington. If I'm on an investigation and I need to know where
somebody is located who might be committing a crime, or, worse, might
have a hostage, real-time knowledge of where this person is could be a
matter of life or death.

Prosecutors argue that having such information is crucial to finding
suspects, corroborating their whereabouts with witness accounts, or
helping build a case for a wiretap on the phone - especially now that
technology gives criminals greater tools for evading law enforcement.

The government has routinely used records of cellphone calls and
caller locations to show where a suspect was at a particular time,
with access to those records obtainable under a lower legal
standard. (Wireless operators keep cellphone location records for
varying lengths of time, from several months to years.)

But it is unclear how often prosecutors have asked courts for the
right to obtain cell-tracking data as a suspect is moving. And the
government is not required to report publicly when it makes such
requests.

Legal experts say that such live tracking has tended to happen in
drug-trafficking cases. 

Japan Puts Its Money on E-Cash

2005-12-13 Thread R. A. Hettinga

--- begin forwarded text


 Date: Mon, 12 Dec 2005 19:10:44 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: Japan Puts Its Money on E-Cash

 No, not *that* E-Cash(tm), but you get the idea...

 Cheers,
 RAH
 ---

 
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/11/AR2005121101097_pf.html

 The Washington Post

 Japan Puts Its Money on E-Cash
 While Saving Time, Consumers May Spend More

 By Anthony Faiola
 Washington Post Foreign Service
 Monday, December 12, 2005; A01

 TOKYO -- Toru Nashimoto, a trim 36-year-old with nary a coin in the pockets
 of his slick pinstripe suit, confidently strode toward the cashier at a
 bustling sushi bar to settle his $45 lunch tab. He whipped out a thin
 electronic card and placed it above a scanner that quickly blinked neon
 blue before emitting a computerized ka-ching.

 It was the telltale sound of Japan's new electronic money. In seconds,
 Nashimoto had paid for his meal of sea urchin, eel and raw fish and was
 hustling back to work. No change from the cash register, no waiting for
 confirmation, no pin code to enter. Who needs to carry real money? said
 the commercial real estate manager. I often don't even carry a wallet with
 me anymore.

 Nashimoto is part of the latest trend in Japan, where society is rethinking
 commerce by doing away with the increasingly arcane concept of cash.

 Technology analysts say the use of electronic money amounts to a leap
 forward in commerce and shopping. Using cell phones that transmit infrared
 signals -- or, as in Nashimoto's case, a smart card that doubles as a set
 of electronic keys and lets him earn airline miles with each use --
 Japanese consumers are whisking through checkout lines, buying everything
 from sushi to furniture without ever yanking out their wallets.

 Users can add value to their cards or cell phones at thousands of automated
 docking stations around the country, where they insert paper money and get
 credit for e-cash. They can also use credit cards to replenish e-cash on
 the Internet.

 Electronic money emerged four years ago as a convenient tool for fast-paced
 train commuters. The Japan Research Institute, an economic research group,
 estimates that at least 15 million people here are now using e-cash, a
 figure projected to reach 40 million -- about one in every three Japanese
 -- by 2008. The number of e-cash transactions reached 15.8 million per
 month in 2005, more than double last year's figure, according to Japan's
 two largest electronic money providers.

 E-cash is being accepted at convenience stores, department stores, cafes,
 restaurants, newsstands and electronics retailers -- enabling users to go
 shopping carrying nothing but their cell phones. At some supermarkets, up
 to 40 percent of all purchases are made with electronic money.

 Vending machines that dispense sodas and snacks with a flash of a cell
 phone are popping up on street corners and inside office buildings across
 Japan. Tokyo's subway system -- the world's second busiest after Moscow's
 -- will begin accepting electronic money next year. Experts cite the rise
 of e-cash as a reason for a drop last July in the circulation of yen coins,
 the first decline since 1971.

 Japan is moving toward the cashless society, said Makoto Yamada, an
 executive at bitWallet Inc., operator of Japan's largest virtual money
 service and a partnership jointly owned by the Sony Group, the Toyota
 Group, All Nippon Airways, two large Japanese banks and NTT DoCoMo, Japan's
 largest cell phone operator. Electronic money is taking us there.

 The smart cards and phones used are embedded with antennas and integrated
 circuit chips that allow the devices to receive and emit electronic
 signals. When the devices are placed near a scanner at a checkout, for
 instance, a signal is emitted and e-money is deducted.

 Similar electronic money concepts are being tried in North America and
 Europe. Analysts say the Japanese version requires some fine-tuning before
 it can be exported.

 Many note that the idea works well here partly because concerns about
 safety and security are quite low -- in Japan, even lost wallets are often
 returned to their owners intact. So the loss of a card or a cell phone
 loaded with hundreds of dollars of e-cash represents a comparatively small
 risk.

 Electronic money also banks on consumers who are willing to pay for their
 purchases in advance, the opposite philosophy of a credit card. That works
 well in debt-averse Japan, where only 9 percent of consumer transactions
 are settled by credit card. But would it work in a place like the United
 States, where 24 percent of transactions are made on credit?

 Some Americans, analysts note, are already using a version of e-cash to
 bypass toll lanes on highways. In the U.S., use of credit cards and debit
 cards is already very well developed, so it's unclear how electronic money
 will take off there, said Shigeru 

[Clips] Hacker attacks in US linked to Chinese military: researchers

2005-12-13 Thread R. A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 12 Dec 2005 19:39:51 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Hacker attacks in US linked to Chinese military: researchers
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://www.breitbart.com/news/2005/12/12/051212224756.jwmkvntb.html

 BREITBART.COM -

 Hacker attacks in US linked to Chinese military: researchers


 Dec 12 5:56 PM US/Eastern


 A systematic effort by hackers to penetrate US government and industry
 computer networks stems most likely from the Chinese military, the head of
 a leading security institute said. The attacks have been traced to the
 Chinese province of Guangdong, and the techniques used make it appear
 unlikely to come from any other source than the military, said Alan Paller,
 the director of the SANS Institute, an education and research organization
 focusing on cybersecurity.


  These attacks come from someone with intense discipline. No other
 organization could do this if they were not a military organization,
 Paller said in a conference call to announce a new cybersecurity education
 program.

  In the attacks, Paller said, the perpetrators were in and out with no
 keystroke errors and left no fingerprints, and created a backdoor in less
 than 30 minutes. How can this be done by anyone other than a military
 organization?

  Paller said that despite what appears to be a systematic effort to target
 government agencies and defense contractors, defenses have remained weak in
 many areas.

  We know about major penetrations of defense contractors, he said.

  Security among private-sector Pentagon contractors may not be as robust,
 said Paller, because they are less willing to make it hard for mobile
 people to get their work done.

  Paller said the US government strategy appears to be to downplay the
 attacks, which has not helped the situation.

  We have a problem that our computer networks have been terribly and
 deeply penetrated throughout the United States ... and we've been keeping
 it secret, he said.

  The people who benefit from keeping it secret are the attackers.

  Although Paller said the hackers probably have not obtained classified
 documents from the Pentagon, which uses a more secure network, it is
 possible they stole extremely sensitive information.

  He said it has been documented that US military flight planning software
 from its Redstone Arsenal was stolen.

  Pentagon officials confirmed earlier this year that US Defense Department
 websites are probed hundreds of times a day by hackers, but maintained that
 no classified site is known to have been penetrated by hackers.

  The US military has code-named the recent hacker effort Titan Rain and
 has made some strides in counter-hacking to identify the attackers, Paller
 said. This was first reported by Time magazine.

  Paller said a series of attacks on British computer networks reported
 earlier this year may have similar goals, but seems to use different
 techniques.

  In the United States, he said there are some areas of improvement such as
 the case of the Air Force, which has been insisting on better security from
 its IT vendors. But he argued that the fundamental error is that America's
 security strategy relies on writing reports rather than hardening systems.


 --
 -
 R. A. Hettinga mailto: [EMAIL PROTECTED]
 The Internet Bearer Underwriting Corporation http://www.ibuc.com/
 44 Farquhar Street, Boston, MA 02131 USA
 ... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text




Crypto and UI issues

2005-12-13 Thread David Mercer
(Hopefully this is sent as ascii, as I had previously set my gmail to
send in utf-8 encoding, as I often send email in french as well as
english. -djm)

On 12/11/05, James A. Donald [EMAIL PROTECTED] wrote:
> It is not my position that inability to sign means that
> the chairman of the board is stupid.  It is that
> cryptographic signatures are too @#$%^* hard and need
> to be made user friendly.
>
> First write software that is easy enough for your
> mother.  Then we can work on making it easy enough for
> the marketing department.

And then we can work on making it easy enough for realtors!
Seriously, that long ago became my off the cuff usability test: they
seem to have a harder time figuring out user interfaces than my 75
year old grandmother, or the marketing folks for that reason.  Sales
people are actually fairly easy to train on any given UI, so long as
you instill the proper fear into them (if you don't do this right,
your competitor will steal your customer list, and there go all your
commissions).

It's harder to get marketing people on board like that, as they don't
have the same direct financial levers to attack with pavlovian fear
conditioning, and CEOs are really bad, as they are used to having
secretaries do everything 'hard' with their communications gear, even
in the pre-computer era, and also are accustomed to a coterie of
handlers and PR people going around and cleaning up any messes they
inadvertently make.

But realtors, that's been my personal acid test to see if a UI is
truly easy to use.  Seriously.

And my apologies to Ben Laurie and friends, but why after all these
years is the UI interaction in ssh almost exactly the same when
accepting a key for the first time as overriding using a different one
when it changed on the other end, whether from mitm or just a
key/IP/hostname change?

Horrible, horrible UI, and I'm not sure what's worse, that or trying
to USE pgp (gpg, whatever) from a command line, or getting it
integrated into a gui mail client.
</ui rant>

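The ssh host-key prompt the message above complains about, as an added example that is not part of the original post and not OpenSSH code: a small Python classifier that checks a presented host key against a known_hosts file and returns one of four distinct outcomes, so that the two situations ssh presents alike (never seen this host, versus seen this host with a different key) come out as different decisions. It understands plain and hashed (|1|salt|hmac|) host fields and @revoked markers; hostname wildcards and @cert-authority entries are skipped. The known_hosts content, hostnames and key blobs are constructed placeholders, and keys are compared as their base64 text rather than parsed.

```python
"""Classify a presented SSH host key against a known_hosts file.

Added example, not from the original post or from OpenSSH. Sample file
contents and key strings are constructed placeholders.
"""
import base64
import hashlib
import hmac

UNKNOWN, MATCH, MISMATCH, REVOKED = "unknown", "match", "mismatch", "revoked"


def hash_hostname(host, salt):
    """Hashed host field as written with HashKnownHosts:
    |1|base64(salt)|base64(HMAC-SHA1(salt, host))|"""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(),
                          base64.b64encode(mac).decode())


def host_field_matches(field, host):
    """True if a host field (comma-separated names, or a hashed field)
    covers `host`. Wildcard patterns are not supported here."""
    if field.startswith("|1|"):
        parts = field.split("|")            # ['', '1', salt, mac, '']
        if len(parts) != 5:
            return False
        salt = base64.b64decode(parts[2])
        want = base64.b64decode(parts[3])
        got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    return host in field.split(",")


def parse_known_hosts(text):
    """Yield (marker, hostfield, keytype, key_b64) for each usable line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):
            marker, line = line.split(None, 1)
        fields = line.split()
        if len(fields) < 3:
            continue                        # malformed line: never trust it
        yield marker, fields[0], fields[1], fields[2]


def classify_host_key(known_hosts_text, host, keytype, key_b64):
    """Return UNKNOWN, MATCH, MISMATCH or REVOKED for the presented key.
    Only entries of the same key type count; @cert-authority lines vouch
    for certificates rather than raw keys and are skipped."""
    host_known = False
    for marker, hostfield, ktype, kb64 in parse_known_hosts(known_hosts_text):
        if ktype != keytype or marker == "@cert-authority":
            continue
        if not host_field_matches(hostfield, host):
            continue
        if marker == "@revoked":
            if kb64 == key_b64:
                return REVOKED
            continue                        # a revoked key is not a known key
        host_known = True
        if kb64 == key_b64:
            return MATCH
    return MISMATCH if host_known else UNKNOWN


def decision(status):
    """What the client should do next; the point is that these differ."""
    return {
        UNKNOWN: "new host: show fingerprint, ask the user once, then pin it",
        MATCH: "known host, key matches: connect silently",
        MISMATCH: "KEY CHANGED for a known host: refuse, possible MITM",
        REVOKED: "key is revoked: refuse",
    }[status]


# Constructed sample: the key blobs are placeholders, not real public keys.
SAMPLE_KNOWN_HOSTS = (
    "bastion.example.net,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE\n"
    + hash_hostname("git.example.net", b"\x01" * 20)
    + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWO\n"
    "@revoked old.example.net ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLEOLDKEY\n"
)

if __name__ == "__main__":
    for host, key in [("bastion.example.net", "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE"),
                      ("bastion.example.net", "AAAAC3NzaC1lZDI1NTE5AAAAIDIFFERENTKEY"),
                      ("git.example.net", "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWO"),
                      ("new.example.net", "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE")]:
        status = classify_host_key(SAMPLE_KNOWN_HOSTS, host, "ssh-ed25519", key)
        print(host, "->", status, "|", decision(status))
```

The property worth keeping is that MISMATCH is a hard stop to be resolved out of band (ask the operator what the new fingerprint is), not a variant of the first-contact question; a client whose two prompts share the same fingerprint-and-yes/no layout trains users to answer yes to both.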


Re: crypto wiki -- good idea, bad idea?

2005-12-13 Thread Jason Holt


On Mon, 12 Dec 2005, Paul Hoffman wrote:

> Or should we just stick to wikipedia?  Is it doing a satisfactory job?

Also check out the Cryptography Reader:
http://en.wikipedia.org/wiki/Wikipedia:WikiReader/Cryptography

Matt Crypto set up an article (to clean up) of the day replete with a bar 
graph of how done he thinks it is.


As to accuracy, there are several authors I respect who keep many of the 
crypto articles on their watchlists, so that we notice when people make 
changes.


I'm quite happy with a number of the pages in the reader, enough that I point 
my students to them and use the figures in my lecture slides.  I like the 
intersecting planes in the secret sharing article particularly:

http://en.wikipedia.org/wiki/Secret_sharing


> of work. I proposed a few weeks ago (in the meta-discussion) to do it, but
> was concerned that doing so would step on toes and seem invasive. No one has
> responded to that, not even the people who flagged the article as needing
> work.

An old wikipedia saying is be bold in updating pages: 
http://en.wikipedia.org/wiki/WP:BBIUP



-J



Re: another feature RNGs could provide

2005-12-13 Thread Jason Holt


On Mon, 12 Dec 2005, Travis H. wrote:

> One thing I haven't seen from a PRNG or HWRNG library or device is an
> unpredictable sequence which does not repeat; in other words, a
> [cryptographically strong?] permutation.  This could be useful in all

Rich Schroeppel tells me his Hasty Pudding cipher can be used to create PRPs 
(pseudorandom permutations) of arbitrary size.  It even has the ability to let 
you define external functions to help define set membership (for sets which 
aren't just composed of the natural numbers).


http://scholar.google.com/scholar?q=schroeppel+hasty&ie=UTF-8&oe=UTF-8&hl=en&btnG=Search


-J

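Holt's reply points at Hasty Pudding as a cipher that yields PRPs of arbitrary size. What follows is an added example, not from the original messages and not Hasty Pudding: it builds the same object, a keyed permutation of [0, n) for any n, from a balanced Feistel network over the smallest even-width power of two that covers n, with cycle walking to confine outputs to [0, n). That is the construction underlying the format-preserving encryption modes. The round function (HMAC-SHA256), the round count, the key and the domain sizes are assumptions for the demo.

```python
"""Keyed permutation of an arbitrary domain [0, n) via Feistel + cycle walking.

Added example (not Hasty Pudding, not code from the original messages).
Key, round function and domain sizes below are assumptions for the demo.
"""
import hashlib
import hmac


class ArbitraryDomainPRP:
    """Pseudorandom permutation on [0, n) for any 2 <= n <= 2**64."""

    def __init__(self, key, n, rounds=8):
        if not 2 <= n <= 1 << 64:
            raise ValueError("domain size out of supported range")
        bits = (n - 1).bit_length()
        bits += bits % 2                    # balanced Feistel needs an even width
        self.n, self.key, self.rounds = n, key, rounds
        self.half = bits // 2
        self.mask = (1 << self.half) - 1
        self.size = 1 << bits               # power-of-two superset of [0, n)

    def _f(self, r, x):
        """Round function: HMAC-SHA256(key, r || x), truncated to half width."""
        msg = bytes([r]) + x.to_bytes(8, "big")
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:8], "big") & self.mask

    def _feistel(self, x, forward=True):
        """Bijection on [0, size); the inverse runs the rounds backwards."""
        left, right = x >> self.half, x & self.mask
        if forward:
            for r in range(self.rounds):
                left, right = right, left ^ self._f(r, right)
        else:
            for r in reversed(range(self.rounds)):
                left, right = right ^ self._f(r, left), left
        return (left << self.half) | right

    def permute(self, x):
        """Image of x in [0, n). Cycle walking: re-apply the bijection until
        the value lands back inside [0, n); this stays a bijection on [0, n)."""
        if not 0 <= x < self.n:
            raise ValueError("input outside domain")
        y = self._feistel(x)
        while y >= self.n:
            y = self._feistel(y)
        return y

    def inverse(self, y):
        """Preimage of y: walk the same cycle in the other direction."""
        if not 0 <= y < self.n:
            raise ValueError("input outside domain")
        x = self._feistel(y, forward=False)
        while x >= self.n:
            x = self._feistel(x, forward=False)
        return x


def nonrepeating_sequence(key, n):
    """All of [0, n) in keyed order: n values, each exactly once."""
    prp = ArbitraryDomainPRP(key, n)
    return [prp.permute(i) for i in range(n)]


def is_permutation(seq, n):
    """True if seq is a rearrangement of 0..n-1 (no repeats, nothing missing)."""
    return sorted(seq) == list(range(n))


if __name__ == "__main__":
    key = b"constructed demo key"           # assumption: demo only
    seq = nonrepeating_sequence(key, 1000)
    print(seq[:10], is_permutation(seq, 1000))
```

Walking permute(0), permute(1), ... visits each element of the domain exactly once in a key-dependent order, which is the non-repeating unpredictable sequence asked for, and inverse() recovers the index from a value. Eight rounds is an illustration setting: on very small domains the Luby-Rackoff bounds are weak, and anything beyond a demo should follow a vetted scheme such as NIST's FF1 (ten rounds with an AES round function) rather than this sketch.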


Re: crypto wiki -- good idea, bad idea?

2005-12-13 Thread Matt R
Travis H wrote:
> Would a wiki specifically for crypto distribute the burden enough to
> be useful? Or should we just stick to wikipedia?  Is it doing a
> satisfactory job?

The English Wikipedia's crypto coverage is a mixed bag. Out of the 800+
articles, there's a handful of fairly-good entries (e.g. Data Encryption
Standard), yet more than a few abysmal entries. It's typically more current
than HAC or Applied Cryptography, yet not as comprehensive or consistent in
quality. My advice is to think of Wikipedia as collection of draft articles
that you can watch being constructed live.

I would propose that improving Wikipedia's cryptography articles would be a
better bet than starting a new crypto wiki from scratch (or even importing
articles from Wikipedia, as they're available under a free license). Wikipedia
has a lot of visibility and momentum behind it, and new specialist topic wikis
tend to fizzle out quite quickly, in my experience. One example is
http://www.infosecpedia.org

If anyone's interested in helping out on Wikipedia, people are *very* welcome.
There's a Cryptography WikiProject, dedicated to improving crypto articles:

   http://en.wikipedia.org/wiki/Wikipedia:WikiProject_Cryptography
   http://en.wikipedia.org/wiki/Wikipedia:Wikiportal/Cryptography

Also, Wikipedia is a multilingual project. I believe the German, and more
recently the French Wikipedia editions have been quite active in this area. For
example, the French Crypto Portal:

   http://fr.wikipedia.org/wiki/Wikip%C3%A9dia:Portail_Cryptologie

-- Matt

Wikipedia: http://en.wikipedia.org/wiki/User:Matt_Crypto
Blog: http://cipher-text.blogspot.com





Re: Japan Puts Its Money on E-Cash

2005-12-13 Thread Matt Crawford


On Dec 12, 2005, at 18:14, R. A. Hettinga wrote:

> But would it work in a place like the United
> States, where 24 percent of transactions are made on credit?
>
> Some Americans, analysts note, are already using a version of e-cash to
> bypass toll lanes on highways.

Don't take that as a sign of consumer acceptance, though.  In
Illinois, if you won't pre-pay your tolls in $40 increments, you will
pay double the rate in cash at the tollbooth.  And the electronic
system is anything but anonymous.





Re: [Clips] Hacker attacks in US linked to Chinese military: researchers

2005-12-13 Thread Alexander Klimov
On Mon, 12 Dec 2005, R. A. Hettinga wrote:
> --- begin forwarded text
> [...]
>> These attacks come from someone with intense discipline. No other
>> organization could do this if they were not a military organization,
>> Paller said in a conference call to announce a new cybersecurity education
>> program.
>>
>> In the attacks, Paller said, the perpetrators were in and out with no
>> keystroke errors and left no fingerprints, and created a backdoor in less
>> than 30 minutes. How can this be done by anyone other than a military
>> organization?

Sounds really convincing :-) Of course, only a military can type for
30 minutes without a single keystroke error. (I would rather guess
that this was a script.) Left no fingerprints is even more revealing :-)

-- 
Regards,
ASK



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-13 Thread Peter Clay
On Mon, Dec 05, 2005 at 07:29:11PM +0100, Florian Weimer wrote:
> For those of you who haven't rolled out a national ID scheme in time,
> there's still the general identity theft problem, but this affects you
> even if you don't use online banking.

Hmm. What's the evidence that national ID schemes reduce credit fraud
(what people normally mean when they say ID theft)? How does it vary
with the different types of scheme?

I've been opposing the UK scheme recently on the grounds of unreliable
biometrics and the bad idea of putting everyone's information in a
basket from which it can be stolen (in addition to the civil liberties
reasons). My solution to the credit fraud problem is simple: raise the
burden of proof for negative credit reports and pursuing people for
money.

Pete
-- 
Peter Clay   | Campaign for   _  _| .__
 | Digital   /  / | |
 | Rights!   \_ \_| |
 | http://www.ukcdr.org



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-13 Thread Anne Lynn Wheeler
Peter Clay wrote:
> Hmm. What's the evidence that national ID schemes reduce credit fraud
> (what people normally mean when they say ID theft)? How does it vary
> with the different types of scheme?
>
> I've been opposing the UK scheme recently on the grounds of unreliable
> biometrics and the bad idea of putting everyone's information in a
> basket from which it can be stolen (in addition to the civil liberties
> reasons). My solution to the credit fraud problem is simple: raise the
> burden of proof for negative credit reports and pursuing people for
> money.

some number of organizations have come up with the term account fraud
... where fraudulent transactions are done against existing accounts ...
to differentiate from other forms of identity theft which involves
things like using a stolen identity to establish new accounts.

account fraud just requires strong authentication applied consistently
... doesn't require identification ... although there are cases where
identification is confused and is used as a substitute for
authentication. part of the issue of confusing identification for
authentication ... is that it is typically quite a bit more privacy
invasive than pure authentication.
