Citibank e-mail looks phishy
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339272126-130061744t-11005c

"A seemingly innocent e-mail from Citibank Australia introducing a new online banking process has been mistaken for a phishing attack.

The e-mail was sent last month and described a new sign-on procedure that promised to be "even more secure". As part of a security upgrade, customers were asked to update their log-in credentials. The message also asked recipients to log on to the bank's Web site and authenticate themselves by entering their Citicard or credit card number, and ATM PIN (!!).

The bank has a strict policy to safeguard customers from such scams. Its online security section says: "Customers should understand that Citibank will never send e-mails to customers to verify personal and/or account information... It is important you disregard and report e-mails which... request any customer information - including your ATM PIN or account details."

A spokesperson for Citibank was surprised that the e-mail was confused for a possible scam and denied the bank had contradicted its security statements. "These are all online banking customers and are used to receiving e-mails from us. I don't believe we have contradicted ourselves ... there is only a link to the privacy policy and we always tell people to type in the URL".

Citibank's technical and fraud departments will investigate the situation."

carlos

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Why Blockbuster looks at your ID.
>I was in England last week where I noticed that the banks are
>switching all UK credit cards to chip+pin technology. We'll see.
>For that matter, French cards have all been chip+pin for years.
>Any idea what their fraud rates are like? The French card machines
>will do magstripe with a signature, but it's mostly us foreigners who need it.

Below is a link to an interesting site discussing the "chip and PIN" technology and its introduction in the UK (the article "Chip and Spin" also addresses the French experience):

http://www.chipandspin.co.uk/

Carlos
RE: Kerberos Design
Hi,

You may want to have a look at these:

- Designing an Authentication System: a Dialogue in Four Scenes (http://web.mit.edu/kerberos/www/dialogue.html)
- Limitations of the Kerberos Authentication System, Steven M. Bellovin and Michael Merritt, 1991 (http://www.cybersafe.ltd.uk/docs_other/Limitations%20of%20the%20Kerberos%20Authentication%20System.pdf)

Carlos

==

Hi,

I'm currently looking into implementing a single sign-on solution for distributed services. The requirement profile seems to somewhat fit Kerberos, but I'm not entirely convinced that I can use it in my scenario - which can't simply run an off-the-shelf KDC and use UDP for communication with it. However, years of reading various crypto resources have strongly conditioned me against simple-minded attempts to "roll my own" as a crypto dilettante.

I've been trying to study Kerberos' design history in the recent past and have failed to come up with a good resource that explains why things are built the way they are. Since I'm already using OpenSSL for various SSL/x.509 related things, I'm most astonished by the almost total absence of public key cryptography in Kerberos, and I haven't been able to find out why this design choice was made - performance reasons, given that at its inception public key operation cost was probably much more prohibitive?

So, I'd like to ask the audience:

- Is there a good web/book/whatever resource regarding the design of Kerberos? Amazon offers the O'Reilly book, which, from the abstract, seems to take the cryptographic design of Kerberos as a given and concentrates on its usage, and another one that also doesn't seem to give much detail on the issue. Something in the direction of EKR's SSL/TLS book would be very much appreciated.
- Is Kerberos a sane choice to adapt for such solutions today? Is there anything more recent that I should be aware of?
thanks,
--
[*Thomas Themel*] [extended contact] But let your communication be, Yea, yea; Nay, nay:
[info provided in] for whatsoever is more than these cometh of evil.
[*message header*] - Matthew 5:37