[fc-discuss] Financial Cryptography Update: Phishing for News..

iang@iang.org iang@iang.org
Fri, 4 Nov 2005 11:57:58 +0000 (GMT)


(((((((((( Financial Cryptography Update: Phishing for News.. ))))))))))

                           November 04, 2005


------------------------------------------------------------------------

https://www.financialcryptography.com/mt/archives/000589.html



------------------------------------------------------------------------

George reports that his story published here in FC has made it to
USAToday:

https://www.financialcryptography.com/mt/archives/000515.html
http://www.usatoday.com/tech/news/computersecurity/2005-11-02-cybercrime-online-accounts_x.htm
===========8<===========8<=======
He watched, horrified, as the intruder in quick succession dumped
$60,000 worth of shares in Disney, American Express, Starbucks and 11
other blue-chip stocks, then directed a deposit into the online account
of a stranger in Austin.  "My entire portfolio was being sold out right
before my eyes," recalls Rodriguez, 41, a commercial real estate broker
who alerted Ameritrade in time to stop the trades.
=========>8==========>8==========

Also BusinessWeek but I was not able to find a URL.  George's story is
a great one if you are unsure how far phishing reaches!

Some interesting sniping from the banks on two-factor tokens.  The
current generation of two-factor tokens (like RSA Security's SecurID)
are the stocking fillers of the security field.  Cute, cheap in small
numbers and broken by January.  This is a well written piece rounding
up the issues:

http://www.cnn.com/2005/TECH/internet/10/31/banking.security.ap/
===========8<===========8<=======
But tokens create their own headaches. They're relatively costly to
deploy and can prompt lots of calls to customer service if they're lost
or temporarily out of reach. Banks also fear a "necklace" scenario in
which customers end up collecting an annoying strand of tokens from all
the companies they do business with online.

Even one token might be seen as a hassle.

After ETrade Financial Corp. began offering tokens from RSA Security
Inc. to its 2.8 million U.S. customers, only 20,000 signed up. Almost
all those people could get the gadgets for free because they were
frequent traders or had more than $50,000 in their accounts; everyone
else had to pay $25.
=========>8==========>8==========

That about matches the 1% takeup rate that I heard of in the gold
sector, when someone tried to sell these things.

===========8<===========8<=======
One-time passwords can be given out in less expensive ways. They can be
beamed to a cell phone or handheld computer, or mailed to customers on
scratch-off cards.

But security experts warn that one-time passwords can be stolen in a
"man-in-the-middle" attack, in which a con artist harvests a victim's
code on a phony Web site and instantly relays it to the real bank, then
conducts transactions in her name. Such frauds are rare -- if they
happen at all -- but that's partly because there are so many easier
targets, for now.

Token vendors point out that their devices can be set to foil men in
the middle by generating additional codes for each individual
transaction. Still, there are enough knocks against hardware-based
solutions that most banks will take softer steps to meet the
regulators' demands.
=========>8==========>8==========

Not bad!  Someone has done their homework.  This is not to say that it
can't be done better, and the WiKID token may be just that.  I haven't
examined it in detail but it essentially duplicates what the software
tools to address phishing do - it caches the cert in some way.

http://www.wikidsystems.com/
http://www.wikidsystems.com/WiKIDBlog/

-- 
Powered by Movable Type
Version 2.64
http://www.movabletype.org/
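The AP excerpt above describes two things in prose: a phishing site harvesting a one-time password and relaying it to the real bank, and token vendors' answer of generating a separate code per transaction. The following Python script is an added example, not code from the original post or from any bank or token vendor; it simulates both sides with an HMAC-based (RFC 4226 style) code and a relay attacker. The seed, amounts and destination names are constructed for the demo, and the "bound" mode (where the customer keys the amount and destination into the token so the code commits to them) is a simplified model of what transaction-signing tokens do, not any specific product's protocol.

```python
import hashlib
import hmac
import struct

# Constructed demo values: a shared token seed and two competing transactions.
SEED = b"demo-token-seed-not-a-real-secret"
VICTIM_PAYMENT = (100, "grocer")                   # what the victim meant to do
ATTACKER_PAYMENT = (60000, "stranger-in-austin")   # what the relay submits


def otp_code(secret: bytes, counter: int, txn: bytes = b"", digits: int = 8) -> str:
    """HOTP-style code (RFC 4226 dynamic truncation) over the event counter,
    optionally followed by the transaction details being authorised.  With
    txn == b"" this is an ordinary one-time password; with the details
    appended it is a transaction-bound code.  8 digits keeps the chance of an
    accidental match between two different transactions at about 1e-8."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + txn, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def txn_bytes(amount: int, dest: str) -> bytes:
    """Canonical encoding of the details a code commits to (demo format)."""
    return f"{amount}:{dest}".encode()


class Token:
    """The customer's token.  In 'bound' mode the customer keys the amount
    and destination into the device and the code commits to them; otherwise
    the code depends only on the counter and can be used for anything."""

    def __init__(self, secret: bytes, bound: bool):
        self.secret, self.bound, self.counter = secret, bound, 0

    def code_for(self, amount: int, dest: str) -> str:
        txn = txn_bytes(amount, dest) if self.bound else b""
        code = otp_code(self.secret, self.counter, txn)
        self.counter += 1
        return code


class Bank:
    """The real site.  It validates the presented code against the details
    of the transaction actually being submitted, not the ones the customer
    believes they authorised on whatever page they were looking at."""

    def __init__(self, secret: bytes, bound: bool):
        self.secret, self.bound, self.counter = secret, bound, 0

    def transfer(self, code: str, amount: int, dest: str) -> bool:
        txn = txn_bytes(amount, dest) if self.bound else b""
        expected = otp_code(self.secret, self.counter, txn)
        if not hmac.compare_digest(code, expected):
            return False
        self.counter += 1   # each code is accepted at most once
        return True


def relay_attack(bound: bool) -> bool:
    """Phishing relay ("man in the middle" in the article's terms): the victim
    types a fresh code into the phony site for the payment they intend; the
    attacker immediately submits that code to the real bank with a different
    amount and destination.  Returns True if the bank accepted the attacker's
    transfer."""
    token, bank = Token(SEED, bound), Bank(SEED, bound)
    harvested = token.code_for(*VICTIM_PAYMENT)          # entered on the phony site
    return bank.transfer(harvested, *ATTACKER_PAYMENT)   # replayed by the attacker


def honest_transfer(bound: bool) -> bool:
    """Control case: the same code used for the transaction it was made for."""
    token, bank = Token(SEED, bound), Bank(SEED, bound)
    return bank.transfer(token.code_for(*VICTIM_PAYMENT), *VICTIM_PAYMENT)


if __name__ == "__main__":
    for bound in (False, True):
        mode = "transaction-bound code" if bound else "plain one-time password"
        print(f"{mode}: honest={honest_transfer(bound)} relayed={relay_attack(bound)}")
```

With a plain one-time password the relayed code is accepted for the attacker's transfer, because nothing in the code says what it was meant to authorise; with the transaction-bound code the bank recomputes the expected value over the attacker's amount and destination and the harvested code no longer matches. The caveat a practitioner should keep in mind is that binding only helps if the customer keys the genuine details into the token: a phishing page or malware that presents one transaction while submitting another can still obtain a valid code for the attacker's details if the customer signs what the attacker shows them rather than what they intended.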