Rick Smith at Secure Computing [EMAIL PROTECTED] writes:
At 06:48 PM 11/5/2001, David Jablon wrote:
Yet, strong network-based authentication of people does not require
complex secret information ... if complex means demanding
at least {64, 80, 128} random bits.
With emerging strong password
Nobody is gonna indemnify the world against infringement, but I thought
Stanford's SRP protocol comes as close as realistically possible to what
you're asking for.
/r$
--
Zolera Systems, Securing web services (XML, SOAP, Signatures,
Encryption)
http://www.zolera.com
but in the financial case ... you don't have to identify them (aka their
DNA) ... you just match them and the account. absolutely no identity
needed. If i deposit a large sum of money and want to be the only person
authorized to transact on the account ... there is no need to present
identity
Authentication of people is an especially subtle engineering problem.
Yet, strong network-based authentication of people does not require
complex secret information ... if complex means demanding
at least {64, 80, 128} random bits.
With emerging strong password schemes, your average
At 06:48 PM 11/5/2001, David Jablon wrote:
Yet, strong network-based authentication of people does not require
complex secret information ... if complex means demanding
at least {64, 80, 128} random bits.
With emerging strong password schemes, your average one-in-a-thousand
or one-in-a-million
not completely. except for some of the know your customer rules a
financial institution doesn't have to identify you ... they only have to
authenticate that you are the person authorized to transact with the
account; aka 1) I come in and open a brand-new account and deposit a whole
lot of
: when a fraud is a sale,
Re: Rubber hose attack
In a message dated 11/5/01 9:41:44 AM, [EMAIL PROTECTED]
writes:
On one hand I'm tempted to read
In a message dated 11/5/01 10:55:39 AM, [EMAIL PROTECTED] writes:
in the account-based financial transaction ... the requestor is the
card-holder/consumer and the authorization or service entity is the
card-holder's financial institution.
I think you have nailed it on the head. When
In a message dated 11/5/01 11:28:57 AM, [EMAIL PROTECTED] writes:
then
you can only 'authenticate' between entities that share some
fairly complex secret information. Anything else can be spoofed
pretty easily.
The information does not have to be secret at all. It can be open, but not
the following from a thread on some of the fees related to fraud issues at
http://lists.commerce.net/archives/internet-payments/200110/maillist.html
specifically from a thread on Visa/MasterCard Antitrust Comments.
Here's an interesting quote taken directly from Judge Barbara Nelson's
In a message dated 11/2/01 8:46:25 PM, [EMAIL PROTECTED] writes:
the following from a thread on some of the fees related to fraud issues at
Again, this is only a very small part of the problem. The Inspector General's
office reports that the average identity fraud in the Social Security
i believe i said that ROI represented the total cost of the program to
eliminate some fraud compared to the total amount of fraud. in the credit
card scenario it isn't enough to know the cost per event. assuming that
adding chips to those payment cards is a solution. in the US there are
At 11:08 AM 11/1/2001, vertigo wrote:
It appears that a lot
of work has to be done and a lot of money spent before even a small amount of
trust in an individual's proof of identity (on a world- or Internet-wide
scale) can be established.
Hmmm. I'm able to walk into a bank in semi-rural Italy
On Fri, 2 Nov 2001, Rick Smith at Secure Computing wrote:
Hmmm. I'm able to walk into a bank in semi-rural Italy and pull hundreds of
dollars out of my credit card account. I'm able to buy subscriptions to
Russian news sites. This seems pretty world-wide and Internet-wide to me.
Existing
On Fri, 2 Nov 2001, Rick Smith at Secure Computing wrote:
If Microsoft's system is too brittle, then they'll pay for it through fraud
expenses. If people find it unreliable or untrustworthy, they'll use other
mechanisms for buying things. While I would feel compassion for consumers
who are
At 11:44 AM 11/2/2001, vertigo wrote:
The point is, without this cosmic notion of trust, _I_ could walk into a bank
in semi-rural Turkey and pull hundreds of dollars from YOUR credit card
account.
Of course. But this hasn't prevented people from acquiring and using credit
cards. More to the
Rick Smith at Secure Computing writes:
While I would feel compassion for consumers
who are hurt or inconvenienced by some huge scam that exploited a poor
Microsoft security implementation, such a scenario would be
entertaining to watch.
At 11:49 AM 11/2/2001, [EMAIL PROTECTED]
(as well as general
ability to reduce fraud)
http://internetcouncil.nacha.org/Projects/ISAP_Results/isap_results.htm
NACHA AADS results!!
http://www.garlic.com/~lynn/index.html#aads
with regard to rubber hose attack ... there is an issue of ROI (assuming
a rubber hose attack has some rational
also a somewhat related thread regarding costs for stronger authentication
technology
http://www.garlic.com/~lynn/2001m.html#4 Smart Card vs. Magnetic Strip Market
http://www.garlic.com/~lynn/2001m.html#5 Smart Card vs. Magnetic Strip Market
http://www.garlic.com/~lynn/2001m.html#6 Smart Card
are from those trusted insiders.
John,
True, attacks are usually carried-out by known and/or trusted individuals.
I suppose I was thinking more about key management on a theoretical level.
The infamous rubber hose attack still exists. Once you really get down
to the real-world level, things begin
In a message dated 11/1/01 11:09:21 AM, [EMAIL PROTECTED] writes:
It appears that a lot
of work has to be done and a lot of money spent before even a small amount of
trust in an individual's proof of identity (on a world- or Internet-wide
scale) can be established.
Not really. The problem