Re: once more, with feeling.

2008-09-11 Thread Peter Gutmann
James A. Donald [EMAIL PROTECTED] writes:

>Visualize Obama, McCain, or Sarah Palin setting up your network security.
>Then realize that whoever they appoint as Czar in charge of network security
>is likely to be less competent than they are.

You're thinking about this from the wrong angle.  We don't need to legislate
network security because, as you say, we'll never get a workable law, and even
if we did we really have no idea how to build secure systems that users would
actually want to use (although there are some good hypotheses out there).

What we need is real-world controls (that have nothing to do with computers)
to rein in the free hand that computerisation has given to attackers.  Credit
freezes are the first step, although even then it's been a massive battle and
most likely Congress will eventually pass a law that neutralises the various
state laws, as it has for numerous other laws in the past (and even some of
the state laws have been watered down with thaw provisions that take you
right back to square one).

Some examples that come to mind immediately for fighting phishing:

- Credit freezes that are real freezes, and require a physical bank visit with
ID to thaw.

- COB and credit-limit-increase freezes that require physical presence to
change (the first thing phishers do when they get your CC info is to wind the
credit limit up to max and change the billing address).  The once a blue moon
that you might want to change these details it's really not too hard to drop by
a bank for a minute or two to authorise things.

- Ability to specify floor limits for spending independent of the credit
limit, e.g. with a credit limit of $10K you can't spend more than $2K
domestically and $1K internationally.

I think that should give you a general idea of where this is going.  At the
moment the banks' fraud-guessing systems are really just that, guessing
systems, and from numerous reports and assorted anecdotal evidence they're not
very effective.  The user holds the position of the interior, they know
better than any guessing system what's appropriate and what isn't for their
financial transactions.  The rampant exploitation of the banking system by
crooks works because all of the above are totally uncontrolled, and banks have
no interest in controlling them.  That's what we need legislation for, not to
require two-factor-authentication-that-isn't and other gimmicks but to get the
banks and credit-reporting agencies to install effective internal controls.

Peter.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
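An illustrative model of the customer-set controls Peter lists above, added here as an example for this archive (it is not code from the thread, nor from any bank's authorisation system): a charge-authorisation check that enforces domestic and international floor limits per time window independently of the credit limit, and change-of-billing-address / credit-limit-increase freezes that can only be thawed through an in-branch channel. The class and function names, the 24-hour window, the country codes and the phisher sequence replayed in demo() are all assumptions.

```python
"""Customer-set card controls, modelled after the proposals in the post (added example; all names and
parameters are assumptions, not any issuer's real logic)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Channel(Enum):
    """How a control-change request reaches the bank."""
    ONLINE = "online"
    PHONE = "phone"
    IN_BRANCH = "in_branch"   # physical presence with ID; assumed to be the only thawing channel


@dataclass
class Controls:
    credit_limit: float
    floor_domestic: float         # spend ceiling per window at domestic merchants
    floor_international: float    # spend ceiling per window at foreign merchants
    window: timedelta = timedelta(days=1)
    address_frozen: bool = True   # COB (change-of-billing-address) freeze
    limit_frozen: bool = True     # credit-limit-increase freeze
    home_country: str = "US"


@dataclass
class Account:
    controls: Controls
    billing_address: str
    approved: list = field(default_factory=list)   # (time, amount, country) of cleared charges

    def spent(self, now: datetime, domestic: bool) -> float:
        """Cleared spend in the current window, split by domestic/international."""
        start = now - self.controls.window
        return sum(amt for t, amt, ctry in self.approved
                   if t > start and (ctry == self.controls.home_country) == domestic)


def authorize(acct: Account, amount: float, country: str, now: datetime):
    """Return (approved, reason). The floor limit is checked independently of the credit limit,
    so a $10K limit does not let a thief run $10K through in one day."""
    c = acct.controls
    domestic = country == c.home_country
    balance = sum(amt for _, amt, _ in acct.approved)
    if balance + amount > c.credit_limit:
        return False, "over credit limit"
    floor = c.floor_domestic if domestic else c.floor_international
    if acct.spent(now, domestic) + amount > floor:
        return False, f"over {'domestic' if domestic else 'international'} floor limit {floor:.0f}"
    acct.approved.append((now, amount, country))
    return True, "approved"


def change_billing_address(acct: Account, new_address: str, channel: Channel):
    """A frozen billing address can only be changed in person."""
    if acct.controls.address_frozen and channel is not Channel.IN_BRANCH:
        return False, "billing address frozen: requires in-branch visit with ID"
    acct.billing_address = new_address
    return True, "address changed"


def raise_credit_limit(acct: Account, new_limit: float, channel: Channel):
    """Increases are frozen unless requested in person; decreases are always allowed."""
    if (new_limit > acct.controls.credit_limit and acct.controls.limit_frozen
            and channel is not Channel.IN_BRANCH):
        return False, "credit-limit increase frozen: requires in-branch visit with ID"
    acct.controls.credit_limit = new_limit
    return True, "limit changed"


def demo():
    """Replay the phisher's first moves from the post (raise limit, change address, then spend)
    against these controls; returns the list of approved/denied outcomes."""
    acct = Account(Controls(credit_limit=10_000, floor_domestic=2_000, floor_international=1_000),
                   billing_address="1 Main St")
    t0 = datetime(2008, 9, 11, 9, 0)
    return [
        raise_credit_limit(acct, 25_000, Channel.ONLINE)[0],                  # denied: frozen
        change_billing_address(acct, "PO Box 99", Channel.PHONE)[0],          # denied: frozen
        authorize(acct, 1_500, "US", t0)[0],                                   # approved
        authorize(acct, 600, "US", t0 + timedelta(hours=1))[0],                # denied: 2,100 > 2,000
        authorize(acct, 900, "RO", t0 + timedelta(hours=2))[0],                # approved
        authorize(acct, 200, "RO", t0 + timedelta(hours=3))[0],                # denied: 1,100 > 1,000
        authorize(acct, 600, "US", t0 + timedelta(days=1, minutes=1))[0],      # approved: window rolled
    ]
```

The floor check deliberately reads the customer's own ceiling rather than a fraud score: it is the "position of the interior" argument in code, the cardholder stating in advance what is normal for them instead of the issuer guessing after the fact.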


Re: street prices for digital goods?

2008-09-11 Thread Peter Gutmann
David Molnar [EMAIL PROTECTED] writes:

>Dan Geer's comment about the street price of heroin as a metric for success
>has me thinking - are people tracking the street prices of digital underground
>goods over time?

I've been (very informally) tracking it for awhile, and for generic data (non-
Platinum credit cards, PPal accounts, and so on) it's essentially too cheap to
meter, you often have to buy the stuff in blocks (10, 20, 50 at a time) to
make it worth the seller's while.  I haven't tracked the big-ticket items like
PPal accounts with guaranteed minimum balances (rather than just any generic
PPal account) because the offerings are too ephemeral, you might get PPal
with minimum $5K balance advertised for a few weeks, then Platinum Visa for
a few weeks, and then something else again.

>I'm curious because it would be interesting to look at the street price for
>a specific online bank's logins before and after the bank makes a change to
>its security practices. (One not particularly great example of a change:
>adopting EV certs.) Alternatively, look at the price of some good before and
>after a prosecution. If this has already been done, my apologies, I'd
>appreciate the pointer.

I'm not aware of anyone having done this, mostly because the data doesn't seem
to be available.  The phishers don't sell (e.g.) BofA accounts specifically,
they sell whatever's available - you get a block of X accounts or cards from
various banks, whatever's at hand when you buy.  The only way to see whether a
measure was effective would be to keep buying blocks over time and see what
the mix of banks was, and even then it'd be pretty unscientific because you'd
be getting lots from random phishing sources or data thefts which might
(coincidentally) be targeting one particular bank and not another.  Given the
diverse sources for this stuff, it's likely that even the vendors only have a
vague idea of what the statistics are.

Peter.



Re: usable security at www.usable.com

2008-09-11 Thread Ali, Saqib
> to make it easy to login to participating web sites.  However, I don't
> see any details of the protocols or algorithms.

The service looks very user friendly and secure (i.e. if implemented properly)

It is unfortunate that being a security aware company they don't
provide information about the protocols or algorithms. I haven't used
the service either. So I am as clueless as anyone else. But I won't
let that stop me from making some speculations ;-)

Note: The following are pure speculations and wild guesses:

The service seems to incorporate a technology similar to RSA's
passmark to perform mutual authentication i.e. authenticate the client
machine to the server to prevent phishing. In addition, it appears,
they are also utilizing host-proof hosting AJAX paradigm such that
your login information is never sent to the Usable's cloud servers in
clear-text.

Both of these technologies are well-defined and, if implemented
properly, provide a reasonable amount of security.

BankOfAmerica utilizes RSA's Passmark for Logons. Passpack utilizes
Host-proof hosting AJAX paradigm.

saqib
http://doctrina.wordpress.com/



Re: street prices for digital goods?

2008-09-11 Thread Damien Miller
On Thu, 11 Sep 2008, Peter Gutmann wrote:

> David Molnar [EMAIL PROTECTED] writes:
>
> > Dan Geer's comment about the street price of heroin as a metric for
> > success has me thinking - are people tracking the street prices of
> > digital underground goods over time?
>
> I've been (very informally) tracking it for awhile, and for generic
> data (non- Platinum credit cards, PPal accounts, and so on) it's
> essentially too cheap to meter, you often have to buy the stuff in
> blocks (10, 20, 50 at a time) to make it worth the seller's while.

At such cheap prices, it must be close to the point where it would
be worth it for the card issuers to buy the numbers as a loss
mitigation measure.

-d



Re: street prices for digital goods?

2008-09-11 Thread dan

Damien Miller writes:
-+---
 | 
 |  David Molnar [EMAIL PROTECTED] writes:
 | 
 |  Dan Geer's comment about the street price of heroin as a metric for
 |  success has me thinking - are people tracking the street prices of
 |  digital underground goods over time?
 | 
 |  I've been (very informally) tracking it for awhile, and for generic
 |  data (non- Platinum credit cards, PPal accounts, and so on) it's
 |  essentially too cheap to meter, you often have to buy the stuff in
 |  blocks (10, 20, 50 at a time) to make it worth the sellers while.
 | 
 | At such cheap prices, it must be close to the point where it would
 | be worth it for the the card issuers to buy the numbers as a loss
 | mitigation measure.
 | 

I have had a guy who wished to remain nameless
claim that he makes a fine living breaking into
the machines of black-market card sellers and
copying the card numbers they have for sale.
He then (he says) takes those card numbers to
the issuing banks and sells those numbers to the
banks so that the banks can prophylactically
cancel the soon-to-be-affected cards.  He claimed
to get 50c/card.  All hearsay...

--dan



Re: street prices for digital goods?

2008-09-11 Thread Leichter, Jerry
On Thu, 11 Sep 2008, Peter Gutmann wrote:
| ...I've been (very informally) tracking it for awhile, and for generic
| data (non-Platinum credit cards, PPal accounts, and so on) it's
| essentially too cheap to meter, you often have to buy the stuff
| in blocks (10, 20, 50 at a time) to make it worth the sellers while.
But this implies there is something very wrong with our current
thinking about attacks.

If, as is commonly assumed, hackers today are in this as a business,
and are driven by then the value of a credit card number is determined
exactly by the most money you can turn it into, by any approach.  If
I have a credit card number, I can turn it into money by selling it,
or alternatively I can buy stuff and sell that instead.

Now, there are costs involved with buying goods, receiving them,
and reselling them; and also there's some probability that the
credit card providers will notice my activity and block my
transactions.  (There's of course also the possibility that I
get caught and sent to jail!)  If the costs of doing this business
are fixed, I can drive them to zero by using enough credit cards,
and there are clearly plenty around - but see below.  So the only
significant issue is variable costs:  For every dollar I charge on
a card, I only get back some fraction of a dollar, based on my per-
transaction costs and the probability of my transaction getting
rejected.  This probability grows with the size of the transaction,
so the actual optimal strategy is complicated.

Still ... if you can *buy* a credit card number for a couple
of cents, its actual *value* can't be much higher.  Which
implies that something in the overall system makes it difficult
to monetize that card.  I'm not sure what all of them are, but
we can guess at some.  The card providers *must* be rather good
at blocking cards fairly quickly - at least when large amounts
of money are involved.  That is:  The probability of being
blocked must go up very rapidly with the size of the transaction,
forcing the optimal transaction size to be small.  If it's
small enough, then fixed costs per transaction become significant.
And something blocks the approach of doing many small transactions
against many cards - presumably because these have to be done
in the real world, which means you need many people going to many
vendors picking up all kinds of physical objects.

Whatever the causes ... if it's cheap to *buy* credit card
numbers, they must not really be worth all that much!

-- Jerry


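Jerry's argument can be carried through as a small model. This is an added example for this archive, not code or data from the thread, and every number in it is an assumption: an exponential approval curve with a $200 scale (the "probability of being blocked goes up rapidly with the size of the transaction" premise, not issuer statistics), 50 cents of realisable value per dollar charged, and a $5 fixed cost per transaction. Solving the recurrence for repeated charges of one size until the card is blocked gives the card's expected value, and a grid search finds the charge size that maximises it; the last function shows the ceiling the blocking curve alone imposes even with no fixed cost.

```python
"""Toy monetisation model for a stolen card number (added example; curve and costs are assumptions)."""
import math


def approval_probability(amount: float, scale: float = 200.0) -> float:
    """Assumed: the chance a charge clears decays exponentially with its size.
    `scale` is the dollar amount at which the approval probability has fallen to 1/e."""
    return math.exp(-amount / scale)


def card_value(amount: float, resale: float = 0.5, fixed_cost: float = 5.0,
               scale: float = 200.0) -> float:
    """Expected net value of one card when the thief repeats charges of `amount` until one is blocked.

    Each attempt costs `fixed_cost`. A cleared charge (probability q) yields resale*amount and the
    card survives; a blocked charge ends the card. The recurrence
        V = q * (resale*amount - fixed_cost + V) + (1 - q) * (-fixed_cost)
    solves to
        V = (q * resale * amount - fixed_cost) / (1 - q).
    """
    q = approval_probability(amount, scale)
    return (q * resale * amount - fixed_cost) / (1.0 - q)


def optimal_charge(credit_limit: float = 10_000, **kw):
    """Grid-search the whole-dollar charge size that maximises expected value.
    Returns (amount, value). `credit_limit` bounds the search, not the answer."""
    best = max(range(1, int(credit_limit) + 1), key=lambda a: card_value(a, **kw))
    return best, card_value(best, **kw)


def value_ceiling(resale: float = 0.5, scale: float = 200.0) -> float:
    """With zero fixed cost, V = resale*scale * u/(e^u - 1) for u = amount/scale, which is
    strictly below resale*scale for any positive charge: the blocking curve alone caps what a
    card can ever be worth, and a per-transaction cost only pulls the optimum further down."""
    return resale * scale


if __name__ == "__main__":
    amount, value = optimal_charge()
    print(f"optimal charge ~${amount}, expected card value ~${value:.2f}, "
          f"hard ceiling ${value_ceiling():.0f}")
```

Under these assumptions the optimum sits around a $70 charge with an expected value in the mid-$60s, and a single $5,000 attempt has negative expected value, which is the shape of Jerry's conclusion: once issuers block large charges reliably, a card's worth is set by how many small charges clear before the first block, and that number is small.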


Re: street prices for digital goods?

2008-09-11 Thread Richard Clayton
In article [EMAIL PROTECTED], David Molnar
[EMAIL PROTECTED] writes

>Dan Geer's comment about the street price of heroin as a metric for
>success has me thinking - are people tracking the street prices of
>digital underground goods over time?

up to a point... see the other responses

>The Symantec Threat Reports do seem
>to report advertised prices for a basket of goods, starting in Volume XI
>(March 2007) and running through the present. For example, Volume XI
>Table 3 states a Skype account is worth $12, valid Hotmail cookie $3,
>etc. These are interesting,

yes :)

I've been thinking about this for some time -- I have found that it
makes for some interesting questions to corporate types presenting
"ain't it awful" PowerPoint slides that they don't quite understand :)

>but it's hard to see changes since they're
>reported as a band of prices presumably aggregated from many different
>sources.

Indeed, but deeper than this, you have to ask yourself what the price
means...

>I'm curious because it would be interesting to look at the street
>price for a specific online bank's logins before and after the bank
>makes a change to its security practices.

exactly so ...   if the price of BoA cards was $2 and is now $1 does
this mean:

(a) production surplus -- so the scammers are cutting each other's
throats to offload their stashes

is this because the bank's security is rubbish?

is it because everyone has decided to attack this particular
bank under the assumption that it is _the_ Bank of America? or
because a new kit has come out for them to use

(b) consumption scarcity -- no-one wants to buy

is this because the bank's back-room operations are excellent
and so it is hard to extract value?

is it because the people who can cash the cards out have all the
cards they can handle at the moment?

(c) adulterated supply -- only one card in 800 is any good

it's sometimes claimed that the loss per card is around $800, so
if lots of the numbers don't work you need to reduce the price
per card

(d) incompetent pricing by the sellers

the real price should be much higher, but the sellers have been
persuaded that $1 is fair reward for their effort and so they
don't attempt to get any more for their goods

(e) incompetent pricing by the buyers

most cards are worthless because the bank's back room operations
are so good, but not all buyers have realised this so they
overpay

and probably (f)... onwards as well

viz: in the absence of evidence that an efficient market is operating
and without clear evidence of what price elasticity there is, it is
almost impossible to draw conclusions about bank (in)efficiency from
merely observing average prices :(

There's a similar issue relating to the relative cost of cards and
whole life details. The latter are more expensive, but perhaps only by
a factor of 10-20. Is this a reflection of restricted supply? or does it
reflect a paucity of buyers (you might use these details to scam the
cost of a medium-size dwelling) or that there are very few buyers who
are prepared to handle a specialist product...

There is undoubtedly an interesting econometrics paper to be written
here, but it will rely upon not only extensive data from the Underground
Economy but also on good data from a bank (or banks) -- and this is
impossible to obtain at present :(  One then needs to tease out enough
almost the same but not quite scenarios to be able to isolate the
various factors and thereby put some numbers to the model...

>finally, does anyone happen to know of a good review of how the focus on
>street price has performed as a metric for drug interdiction?

it usually demonstrates that the police overpay :)

and that leads on to a further problem with the Underground Economy
monitoring. You are only seeing list prices and anyone in business
knows that you don't need to pay list price!

-- 
richard  Richard Clayton

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." Benjamin Franklin



Re: street prices for digital goods?

2008-09-11 Thread Allen



Peter Gutmann wrote:
> David Molnar [EMAIL PROTECTED] writes:
>
>> Dan Geer's comment about the street price of heroin as a metric for success
>> has me thinking - are people tracking the street prices of digital underground
>> goods over time?
>
> I've been (very informally) tracking it for awhile, and for generic data (non-
> Platinum credit cards, PPal accounts, and so on) it's essentially too cheap to
> meter, you often have to buy the stuff in blocks (10, 20, 50 at a time) to
> make it worth the seller's while.  I haven't tracked the big-ticket items like
> PPal accounts with guaranteed minimum balances (rather than just any generic
> PPal account) because the offerings are too ephemeral, you might get PPal
> with minimum $5K balance advertised for a few weeks, then Platinum Visa for
> a few weeks, and then something else again.
>
>> I'm curious because it would be interesting to look at the street price for
>> a specific online bank's logins before and after the bank makes a change to
>> its security practices. (One not particularly great example of a change:
>> adopting EV certs.) Alternatively, look at the price of some good before and
>> after a prosecution. If this has already been done, my apologies, I'd
>> appreciate the pointer.
>
> I'm not aware of anyone having done this, mostly because the data doesn't seem
> to be available.  The phishers don't sell (e.g.) BofA accounts specifically,
> they sell whatever's available - you get a block of X accounts or cards from
> various banks, whatever's at hand when you buy.  The only way to see whether a
> measure was effective would be to keep buying blocks over time and see what
> the mix of banks was, and even then it'd be pretty unscientific because you'd
> be getting lots from random phishing sources or data thefts which might
> (coincidentally) be targeting one particular bank and not another.  Given the
> diverse sources for this stuff, it's likely that even the vendors only have a
> vague idea of what the statistics are.


Hi gang,

I have a question about all this. There seems to be a disconnect 
between the approximate prices mentioned here - too cheap to only 
do small transactions, etc - and what I have seen when looking at 
various of the sites. Maybe I'm missing something and you could 
correct my thinking.


At http://www.voy.com/211320/ I see figures that appear to be for 
 a single card and I would not call them cheap. This one from 
the first of the month seems typical:



best dumps for sale -- dumpsale, 09:44:39 09/01/08 Mon [1]

USA Canada Australia
visa classic 10$
visa gold/platinum/bussines/signature 20$
master card 10$
infinite 50$
amex 10$

Europe Asia
visa classic 50$
visa gold/platinum/bussines/signature 80$
master card 50$
infinite 120$

ICQ: 430439968
E-mail: [EMAIL PROTECTED]


The cheapest price here is $10, I assume this is per card, correct?

If that is correct, what I see typically is that the order has to 
be a minimum of $500 if the money is sent Western Union. This 
means 50 cards at most. Most of the stuff I've seen is that they 
validate but do not guarantee the cards and don't give refunds.


It would seem to me that one would have to have a fair size
infrastructure and capital to make this work as it is almost certain
that some of the cards will fail. Plus it takes people time to
call the issuer and go through the process of changing the
mailing address as well as attempting to increase the line of
credit available. This would mean that from the time of purchase
of the card it might be a week or more before they know that the
new limit has been approved.


This ties up capital so one wouldn't think the crooks would do 
one dump, scam all they can then start the process over again, 
but rather have a continuous stream working so they have cash flow.


So are we really talking mostly about bigger operations than the 
local operator one sees mentioned in the paper from time to time?


Thanks,

Allen

