Search Results from Financial Cryptography
A post on Matthew Green's blog highlights that Snowden revelations helped the push for HTTPS everywhere. Firefox also has a similar result, indicating a web-wide world result of 80%. (It should be noted that google's decision to reward HTTPS users...
Posted in Financial Cryptography on November 23, 2019 12:27 PM
From the annals of web research: A thriving marketplace for SSL and TLS certificates...exists on a hidden part of the Internet, according to new research by Georgia State University's Evidence-Based Cybersecurity Research Group (EBCS) and the University of Surrey. .......
Posted in Financial Cryptography on March 9, 2019 02:58 PM
Financial Cryptography and Data Security 2019 Twenty-Third International Conference February 18-22, 2019 St. Kitts Marriott Resort St. Kitts https://fc19.ifca.ai/cfp.html Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate regarding information assurance,...
Posted in Financial Cryptography on September 1, 2018 03:28 PM
Call for Papers Financial Cryptography and Data Security 2017 Twenty-First International Conference April 3–7, 2017 The Palace Hotel Malta Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate regarding information assurance,...
Posted in Financial Cryptography on September 18, 2016 09:50 AM
Financial Cryptography and Data Security (FC15) 19th International Conference January 26-30, 2015 InterContinental San Juan, Puerto Rico URL: http://fc15.ifca.ai/ CALL FOR PAPERS Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate...
Posted in Financial Cryptography on June 26, 2014 03:25 AM
This was a draft of an article now published in Bitcoin Magazine. That latter is somewhat larger, updated and has some additional imagery. MtGox, the Bitcoin exchange, is in the news again, this time for collapsing. One leaked report maintains...
Posted in Financial Cryptography on February 26, 2014 04:56 PM
Last month, I wrote to explain that these challenges by Dan Bernstein: 2011 Grigg-Gutmann: In the past 15 years "no one ever lost money to an attack on a properly designed cryptosystem (meaning one that didn't use homebrew crypto or...
Posted in Financial Cryptography on January 19, 2014 04:19 PM
One of the complaints against the SSL obesity security model was that all the blabber of x.509/CAs was there to protect against the MITM (man-in-the-middle) attack. But where was this elusive beast? Now we have evidence. In the recent Der...
Posted in Financial Cryptography on December 30, 2013 01:39 AM
Back in 2006 Philipp Gühring penned the story of what had been discovered in European banks, in what has now become a landmark paper in banking security: A new threat is emerging that attacks browsers by means of trojan horses....
Posted in Financial Cryptography on December 24, 2013 03:40 AM
According to the record, it seems I first started talking publicly about this problem in 2004, 9 years ago, in a post exchange with Bill Stewart: Bill Stewart wrote: > I don't understand the threat model here. The usual models...
Posted in Financial Cryptography on September 5, 2013 05:02 AM
Preliminary Call for Papers Financial Cryptography and Data Security 2014 Eighteenth International Conference March 3–7, 2014 Accra Beach Hotel & Spa Barbados Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate...
Posted in Financial Cryptography on July 5, 2013 01:09 AM
It's confirmed -- Skype is revealing traffic to Microsoft. A reader informed heise Security that he had observed some unusual network traffic following a Skype instant messaging conversation. The server indicated a potential replay attack. It turned out that an...
Posted in Financial Cryptography on May 16, 2013 02:25 PM
In news that might bemuse, Facebook is in the process of turning on SSL for all time. In this it is following google and others. In that, they, meaning google and Co., are following yet others including EFF, Mozilla and...
Posted in Financial Cryptography on November 22, 2012 10:29 AM
I have struggled to write this story for a long time, and now Business Insider has written it for us: In a world where you can watch cyberattacks happen in real-time, it's no wonder that nation-states are doing little to...
Posted in Financial Cryptography on October 23, 2012 09:54 AM
You saw it here first :) Kaspersky has dipped into the payments market with a thing called Safe Money: A new offering found in Kaspersky Internet Security is Safe Money, Kaspersky Lab's unique technology designed to protect the user's money...
Posted in Financial Cryptography on August 26, 2012 07:34 AM
Several cases in USA are resolving in online theft via bank account hackery. Here's one: Village View Escrow Inc., which in March 2010 lost nearly $400,000 after its online bank account with Professional Business Bank was taken over by hackers,...
Posted in Financial Cryptography on June 20, 2012 04:42 PM
As we all know, it's a rite of passage in the security industry to study the SSL business of certificates, and discover that all's not well in the state of Denmark. But the business of CAs and PKI rolled on...
Posted in Financial Cryptography on February 9, 2012 10:54 PM
The Economist also picks up on the "bursting the bubble" paper from Florencio & Herley: BIG numbers and online crime go together. One well-worn assertion is that cybercrime revenues exceed those from the global trade in illegal drugs. Another nice...
Posted in Financial Cryptography on November 13, 2011 04:21 AM
Two Microsoft researchers have published a paper pouring scorn on claims cyber crime causes massive losses in America. They say it’s just too rare for anyone to be able to calculate such a figure. Dinei Florencio and Cormac Herley...
Posted in Financial Cryptography on October 26, 2011 05:05 PM
Google radically expanded Tuesday its use of bank-level security that prevents Wi-Fi hackers and rogue ISPs from spying on your searches. Starting Tuesday, logged-in Google users searching from Google’s homepage will be using https://google.com, not http://google.com — even if they...
Posted in Financial Cryptography on October 23, 2011 05:24 AM
RSA's Coviello declares the new threat environment: "Organisations are defending themselves with the information security equivalent of the Maginot Line as their adversaries easily outflank perimeter defences," Coviello added. "People are the new perimeter contending with zero-day malware delivered through...
Posted in Financial Cryptography on October 13, 2011 10:31 AM
Long term readers will know that I have often written of the failure of the browser vendors to provide effective security against phishing. I long ago predicted that nothing will change until the class-action lawsuit came. Now signs are appearing...
Posted in Financial Cryptography on August 17, 2011 11:21 AM
We've long documented the failure of PKI and secure browsing to be an effective solution to security needs. Now comes spectacular proof: sites engaged in carding, which is the trading of stolen credit card information, have always protected their trading...
Posted in Financial Cryptography on August 1, 2011 06:13 PM
What to learn from the RSA SecureID breach? RSA has finally admitted publicly that the March breach into its systems has resulted in the compromise of their SecurID two-factor authentication tokens. Which points to: In a letter to customers Monday,...
Posted in Financial Cryptography on June 7, 2011 11:45 AM
Just when you thought it couldn't get any worse for infosec, there's more bad news on the horizon. WASHINGTON—The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the...
Posted in Financial Cryptography on June 3, 2011 07:30 AM
Clive throws some security complaints against Apple in comments. He's got a point, but what is that point, exactly? The issues raised have little to do with Apple, per se, as they are all generic and familiar in some sense....
Posted in Financial Cryptography on October 24, 2010 01:30 AM
An Adobe PDF is being circulated in spam that exploits bugs in Adobe's Reader and/or Windows. The PDF itself is code-signed by a stolen certificate: The attack, which has been spotted attached to e-mails touting renowned golf coach and author...
Posted in Financial Cryptography on September 13, 2010 07:37 PM
There appears to be a wave of something going through the infosec industry. There are reports like this: In the past month, we've had several customers at work suddenly insist that we make modifications to their firewalls and/or load balancers...
Posted in Financial Cryptography on August 21, 2010 01:27 PM
Nelson spotted it, too late for yesterday's post of old predictions come true: Symantec Corp. is paying $1.28 billion in cash to buy a division of VeriSign Inc. that sells security technology to websites. The deal, announced Wednesday, represents VeriSign's...
Posted in Financial Cryptography on May 20, 2010 08:36 PM
In an influential paper, Prof Ross Anderson proposes that the _Market for Lemons_ is a good fit for infosec. I disagree, because that market is predicated on the seller being informed, and the buyer not. I suggest the sellers are...
Posted in Financial Cryptography on April 13, 2010 02:25 AM
In a paper, Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL, by Christopher Soghoian and Sid Stamm, there is a reasonably good layout of the problem that browsers face in delivering their "one-model-suits-all" security model. It is more...
Posted in Financial Cryptography on March 24, 2010 07:52 PM
A wave of stupidity is flooding through the USA mediawaves. Here's an example: A cyberattack disabled US cell phone networks, slowed Internet traffic to a crawl and crippled America's power grid Tuesday -- all in the interest of beefing up...
Posted in Financial Cryptography on February 22, 2010 04:59 PM
Reading up on something or other (Ivan Ristić), I stumbled on this EV breach by Adrian Dimcev: Say you go to https://addons.mozilla.org and download a popular extension. Maybe NoScript. The download location appears to be over HTTPS. ... (lots of...
Posted in Financial Cryptography on February 10, 2010 12:23 PM
From a couple of sources posted by Lynn: A single run only hits 0.0005 percent of users, 1% of customers will follow the phishing links. 0.5% of customers fall for phishing schemes and compromise their online banking information. the monetary...
Posted in Financial Cryptography on December 5, 2009 06:35 PM
SSL is a protocol that gives a point-to-point connection with some protection against MITM (man-in-the-middle). Attacks against SSL as a security paradigm can be characterised in three levels: within the protocol, within the application (but outside the protocol), and within...
Posted in Financial Cryptography on November 17, 2009 10:46 AM
Phishing has come a long way. It is now no longer characterised by its email lure to get you to click on a different website. The phishers have moved on from the basic MITM that cracked secure browsing ... and...
Posted in Financial Cryptography on October 15, 2009 09:28 AM
The CA and PKI business is busy this week. CAcert, a community Certification Authority, has a special general meeting to resolve the trauma of the collapse of their audit process. Depending on who you ask, my resignation as auditor was...
Posted in Financial Cryptography on July 15, 2009 07:13 AM
No, not this stupidity: "The Breach of All Breaches?" but this one, spotted by JP (and also see Fraud, Phishing and Financial Misdeeds, scary, flashmob, and fbi wanted poster seen to right): * Reported by John Deutzman Photos from security...
Posted in Financial Cryptography on February 13, 2009 08:25 AM
Adam points to a report by Ponemon Institute and old friends PGP Inc on data breaches. data breach incidents cost U.S. companies $202 per compromised customer record in 2008, compared to $197 in 2007. Within that number, the largest cost...
Posted in Financial Cryptography on February 4, 2009 04:51 AM
Seen on the net: 09 Jan 2009 14:21 Phishers make much less from their scams than analysts have estimated, according to research from the software maker. The financial losses experienced by victims of phishing scams may be up to 50...
Posted in Financial Cryptography on January 19, 2009 05:10 PM
Symantec posts an odd report on Phishing. The numbers are very useful: Turner described visiting online private chat rooms, where underground buyers and sellers did business from June 1, 2007, to July 1, 2008. Credit cards, thousands at a time,...
Posted in Financial Cryptography on December 9, 2008 07:38 PM
One of the dilemmas that the browser security UI people have is that they have to deal with two different groups at the same time. One is the people who can work with the browser and the other is those...
Posted in Financial Cryptography on October 6, 2008 05:27 AM
A slightly smaller problem than this weekend's systemic risk and the US Treasury is the continuing weakness of the security of the US retail banking sector: They are a staple of consumer-complaint hotlines and Web sites: anguished tales about money...
Posted in Financial Cryptography on September 8, 2008 07:54 AM
Since the famous Bill Gates Memo, around the same time as phishing and related frauds went institutional, Microsoft has switched around to deal with the devil within: security. In so doing, it has done what others should have done, and...
Posted in Financial Cryptography on July 11, 2008 09:26 AM
Spiegel reports that a German lower court ("Amtsgerichts Wiesloch (Az4C57/08)") has found a bank responsible for malware-driven transactions on a user's PC. In this case, her PC was infected with some form of malware that grabbed the password and...
Posted in Financial Cryptography on July 6, 2008 08:28 AM
Anon asks: > ian: I never understood why you insist on using HTTPS for the blog... maybe you can shed light? Fair question, and often I ask myself whether it is worth the extra effort. As succinctly as I...
Posted in Financial Cryptography on June 21, 2008 07:19 AM
Sometime around 3 years back, banks started to respond to phishing efforts by putting in checks and controls to stop people sending money. This led to the emergence of a new business model that promised great returns on investment by...
Posted in Financial Cryptography on June 6, 2008 01:00 PM
Life is slowly improving with that old tired security model called secure browsing. Here's a roundup: Firefox have their new security UI in place whereby you can click on exceptions to store the certificates as accepted and trusted by you...
Posted in Financial Cryptography on June 6, 2008 10:21 AM
It is often remarked that Information Security specialists are so good at their work that they lock out all threats, including the users. Meanwhile the rest of the world has moved on and done things like insecure browsing, insecure email,...
Posted in Financial Cryptography on May 26, 2008 07:06 AM
Dria writes up a fine intro to the new Firefox security UI, the thing that forms the front line for phishing protection. Basically, the padlock has been replaced with a button that shows a "passport" icon in multiple colours...
Posted in Financial Cryptography on May 11, 2008 12:44 PM
Paypal has released a white paper on their approach to phishing. It is mostly good stuff. Here are their Principles: 1. No Silver Bullet -- We have not identified any one solution that will single-handedly eradicate phishing; nor do we...
Posted in Financial Cryptography on April 22, 2008 02:27 PM
Phishing still works, says Verisign: ...these latest messages masquerade as an official subpoena requiring the recipient to appear before a federal grand jury. The emails correctly address CEOs and other high-ranking executives by their full name and include their phone...
Posted in Financial Cryptography on April 17, 2008 12:02 PM
I painfully predicted a few years back that phishing and related identity theft would result in class action suits. I lost my bet as it didn't happen fast enough, but a significant step has been taken (reported by Lynn) with...
Posted in Financial Cryptography on April 14, 2008 10:47 AM
It is frequently pointed out by economists that incentives are the key to a lot of behaviour. They argue that, if incentives are aligned, positive results happen, and if misaligned, damage is done. This tradition goes a long way back...
Posted in Financial Cryptography on March 24, 2008 10:32 AM
Well, it had to happen one day. A major player has finally broken the code of silence and blamed the browsers. In this case, it is PayPal, and Safari. Infoworld last week quoted Michael Barrett, PayPal’s CIO, saying the following:...
Posted in Financial Cryptography on March 6, 2008 11:17 AM
For a decade now, SSH has successfully employed a simple opportunistic protection model that solved the shared-key problem. The premise is quite simple: use the information that the user probably knows. It does this by caching keys on first sight,...
Posted in Financial Cryptography on February 17, 2008 04:26 PM
Skype is the darling child of cryptoplumbers, the application that got everything right, could withstand the scrutiny of the open investigators, and looked like it was designed well. It also did something useful, and had a huge market, putting it...
Posted in Financial Cryptography on January 29, 2008 05:46 PM
Over at mozo, Jonath asks the most surprising question: My second question is this: as members of the Mozilla community, is this an effort that you want me (or people like me) participating in, and helping drive to final publication?...
Posted in Financial Cryptography on January 11, 2008 02:22 PM
So what happened in 2007? All doom and gloom, really. Here's a roundup of what I called the year of the platypus, for some mixed up reason to do with security in its own worse nightmare: Security went down, overall....
Posted in Financial Cryptography on December 15, 2007 08:29 AM
Bruce Schneier wrote in cryptogram: Man-in-the-middle attack by Tor exit node. So often man-in-the-middle attacks are theoretical; it's fascinating to see one in the wild. The guy claims that he just misconfigured his Tor node. I don't know enough about...
Posted in Financial Cryptography on December 15, 2007 08:10 AM
Alessandro writes: WEIS 2008 - Workshop on the Economics of Information Security June 25-27, 2008 in Hanover, New Hampshire CALL FOR PAPERS Information security requires not only technology, but a clear understanding of risks, decision-making behaviors and metrics for evaluating...
Posted in Financial Cryptography on December 4, 2007 08:02 AM
I didn't spot it when Peter Gutmann called it the world's biggest supercomputer (I thought he was talking about a game or something ...). Now John Robb pointed to Bruce Schneier who has just published a summary. Here's my paraphrasing:...
Posted in Financial Cryptography on October 5, 2007 07:07 AM
This blog frequently presses the case for the dysfunctional family known as security, and even presents evidence. So much so, that we've gone beyond the evidence and the conclusion, and we are more interested in the why? Today we have...
Posted in Financial Cryptography on September 9, 2007 02:17 PM
So, having read the HBR case I just wrote about ("nobody else reads the original material they quote, why should I?"), I discovered this numbers gem on the very last page: Perhaps the most worrying indicator is that the criminal...
Posted in Financial Cryptography on August 28, 2007 06:20 AM
Jonath over at Mozilla takes up the flame and publishes lots of stats on the current state of SSL, phishing and other defences. Headline issues: Number of SSL sites: 600,000 from Netcraft Cost of phishing to US: $2.1 billion dollars....
Posted in Financial Cryptography on August 23, 2007 09:06 AM
Tonight, we have bad news and worse news. The bad news is that the node is yet again the scene of imminent collapse of the Internet as we know it. The worse news is that the fix that could have...
Posted in Financial Cryptography on August 16, 2007 06:59 PM
This article reports that Mozilla are now proactive on security. This is good news. In the past, their efforts could be described as limited to bug patching and the like. Reactive security, in other words, which is what their fuzzer...
Posted in Financial Cryptography on August 9, 2007 08:05 AM
From the where did you read it first? department here comes an interesting claim: Beyond obvious tips like activating firewalls, shutting computers down when not in use, and exercising caution when downloading software or using public computers, Consumer Reports offered...
Posted in Financial Cryptography on August 9, 2007 07:36 AM
From the 'poignant reminder' department, Verisign lost a laptop with employee data on it. The employee, who was not identified, reported to VeriSign and to local police in Sunnyvale, Calif. that she had left her laptop in her car and...
Posted in Financial Cryptography on August 9, 2007 07:23 AM
In the PKI ("public key infrastructure") world, there is a written practice that the user, sometimes known as the relying party, should read the CPS ("certificate practice statement") and other documents before being qualified to rely on a certificate. This...
Posted in Financial Cryptography on August 8, 2007 07:14 AM
The doom and gloom in the security market spreads. This time it is from Richard Bejtlich who probably knows his stuff as well as any (spotted at Gunnar's 1raindrop). After a day at Black Hat, the expensive high-end "shades of...
Posted in Financial Cryptography on August 5, 2007 06:51 PM
Thinking a bit about the theme of security v. management [1, 2, 3], here is today's thesis: The CSO should have an MBA. As a requirement! Necessary (but maybe not sufficient) for the Chief Security Officer job. That being a slightly...
Posted in Financial Cryptography on July 24, 2007 11:25 AM
It costs $500 for a kit to launch an MITM phishing attack. (Don't forget to add labour costs at 3rd world rates...) David Franklin, vice president for the Europe, Middle East and Africa told IT PRO that these sites are...
Posted in Financial Cryptography on July 23, 2007 06:39 AM
One of the things that occurred in the early days of phishing was the realisation that the browser (and its manufacturer) was ill-suited to dealing with the threat, even though it was the primary security agent (c.f., from the SSL...
Posted in Financial Cryptography on May 23, 2007 10:13 AM
So why can't we do it? In short, we do know that all security is really about risk management. So we just do risk management, right? Igor says we can do it, in comments. Chandler says it is hard. He...
Posted in Financial Cryptography on May 18, 2007 07:46 AM
The meme is starting to spread. It seems that the realisation that the security community is built on self-serving myths leading to systemic fraud has now entered the consciousness of the mainstream world. Over on the Volokh Conspiracy, Paul Ohm,...
Posted in Financial Cryptography on May 17, 2007 08:21 AM
It's been a bad week for security leaders. Bruce Schneier has been lambasted for asking whether we need a security industry at all, Ross Anderson published an article "commissioned by the Federal Reserve" that was riddled with errors, and now...
Posted in Financial Cryptography on May 10, 2007 04:26 PM
Over on EC and other places they are talking about the .bank TLD as a possibility for solving phishing. Alex says it's an idea whose time has come. No chance: Adam correctly undermines it: Crooks are already investing in their...
Posted in Financial Cryptography on May 9, 2007 06:52 AM
One of the things we know is that MITMs (man-in-the-middle attacks) are possible, but almost never seen in the wild. Phishing is a huge exception, of course. Another fertile area is wireless lans, especially around coffee shops. Correctly, people have...
Posted in Financial Cryptography on May 8, 2007 02:18 PM
Following is the Programme for WEIS2007, the annual Workshop on Economics of Information Security, to be held on June 7-8, 2007, Pittsburgh, USA....
Posted in Financial Cryptography on April 24, 2007 08:56 AM
Adam over at EC joined the fight against the disaster known as Internet Security and decided Choicepoint was his wagon. Mine was phishing, before it got boring. What is interesting is that Adam has now taken on the meta-question of...
Posted in Financial Cryptography on April 17, 2007 03:42 PM
A slight debate has erupted over Adam's presentation "Security Breaches are good for you" which makes it a success. Of course, Adam means good for the rest of us, not the victims. One can consider two classes of beneficiaries to...
Posted in Financial Cryptography on April 6, 2007 04:35 PM
Somehow I ended up on Wikipedia's entry on phishing, and added a link from the AOL playtime era to its more modern incarnation of the rape & pillage of a financial district swollen with multi-nationals, conglomerates and fat, bloated merchant...
Posted in Financial Cryptography on February 23, 2007 03:27 PM
Some numbers from Guillaume Lovet on what it costs to gain control of an online bank account: The most straightforward is to buy the 'finished product'. In this case we'll use the example of an online bank account. The product...
Posted in Financial Cryptography on February 22, 2007 12:56 PM
The Mozilla governance debate is running hot, rejoinders flowing thick and fast. Here is a seriously good riposte by James Donald: A successful open source project has a large effect on what large numbers of people do. The effect has...
Posted in Financial Cryptography on February 11, 2007 11:34 PM
The gut-wrenching fight with who we want to be continues over at Mozilla. In a status update, Mitchell posts on the evolving Principles: SPECIFICITY: There were a set of comments about the Manifesto not being specific, either about the nature...
Posted in Financial Cryptography on February 10, 2007 08:46 AM
Over on anti-fraud, Gervase asked: >> Perhaps you should define "stakeholder" while you are here. Ok, fair question. I received a huge tome entitled Phishing and Countermeasures in the post a week or so ago, and it includes lots of...
Posted in Financial Cryptography on February 7, 2007 04:09 PM
Over in MozoLand, they have opened up a bug track on the problems with Extended Validation certificates, as their way of carrying out the debate as to what Mozo should do. Using bug tracking systems doesn't mean "EV is a...
Posted in Financial Cryptography on January 30, 2007 11:18 PM
What follows is a long set of criticisms on the Mozilla draft principles. Like the original document, these are quite drafty; and also hypercritical. That's because that's what is needed now: hard words. Agreement isn't much use; it is indistinguishable...
Posted in Financial Cryptography on January 19, 2007 05:44 AM
From Epayment news: Jan 11 2007 : RSA Security says it has discovered a phishing toolkit which is being sold on Internet fraudster forums. The so-called "universal man-in-the-middle phishing kit" enables sophisticated "next-generation" attacks against banks and e-commerce sites, the...
Posted in Financial Cryptography on January 11, 2007 06:39 PM
What is to happen in the coming year? (Apologies for being behind on the routine end-of-year predictions, but I was AFI -- away from Internet -- and too depressed with predictions to make the journey. Still, duty calls!) More depression...
Posted in Financial Cryptography on January 10, 2007 01:27 PM
Preliminary Programme for "USABLE SECURITY 2007" which is colocated with FC2007 below, again in "title-only-peer-review" mode. An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks WSKE: Web Server Key Enabled Cookies (Panel) - The Future of Phishing Usability Analysis of...
Posted in Financial Cryptography on January 10, 2007 05:55 AM
Back in the good old days when security people would sprout nonsense and nobody blinked, we talked about non-repudiation as a feature of public keys. Finally, we blabbered to anyone who would listen, we can prove that the bad guy...
Posted in Financial Cryptography on January 5, 2007 10:16 AM
Last year I made a bunch of predictions. They were mostly accurate, so I'll not mail out this one; I'll just update if something comes along. (Warning. Read this only alongside last year's predictions.) 1. Government intervention ... and in...
Posted in Financial Cryptography on November 29, 2006 10:09 AM
The Grnch asks, in all honesty: > What is the point of encrypting information that is publicly visible? To which the answer is: To remove the security weakness of the decision. This weakness is the decision required to determine what...
Posted in Financial Cryptography on November 24, 2006 05:04 PM
The Sixth Workshop on the Economics of Information Security (WEIS 2007) The Heinz School, Carnegie Mellon University Pittsburgh (PA), USA June 7-8, 2007 http://weis2007.econinfosec.org/ CALL FOR PAPERS Submissions due: March...
Posted in Financial Cryptography on November 22, 2006 09:56 AM
Having read through the Extended Validation draft, it is pretty clear that this is "more of the same bad recipe." It didn't work last time, why should we expect the same recipe to work this time? Having said that, there...
Posted in Financial Cryptography on November 12, 2006 11:54 PM
Arthur spots a humourous post: But it also illustrated a fundamental difference in the way audits are conducted on both continents. In the United States, audits are about ensuring that sufficient controls are in place to mitigate risks. Thus, the...
Posted in Financial Cryptography on October 9, 2006 12:23 PM
Once upon a time we all went to CompSci school and had lots of fun. Then it all stopped. It stopped at different times at different places, of course, but it was always for the same reason. "You can't have...
Posted in Financial Cryptography on October 5, 2006 06:58 PM
There are already a couple of improvements signalled at Mozilla in security terms since the appointment of Window Snyder as single security chair, for those interested (and as Firefox has 10-20% of the browser market, it is somewhat important). Check...
Posted in Financial Cryptography on September 27, 2006 03:36 PM
Call for Papers FC'07: Financial Cryptography and Data Security http://fc07.ifca.ai/ Eleventh International Conference February 12-15, 2007 Lowlands, Scarborough, Trinidad and Tobago Submissions Due Date: October 9, 2006, 11:59pm, EDT (UTC-4) Program Chair: Sven Dietrich (Carnegie Mellon University) General Chair: Rafael...
Posted in Financial Cryptography on September 15, 2006 06:19 AM
One of the big problems with Mozilla was that they didn't have a Security Czar. This lack meant that far-reaching threats such as phishing failed to be addressed because the scope was too broad for the existing specialists, and as...
Posted in Financial Cryptography on September 7, 2006 06:53 AM
First some good news from PaymentNews: APACS, the UK payment association, has announced that six months after "PIN day" (Valentine’s Day 2006, February 14th), the UK is the world's first chip and PIN success story - with more than 99.8%...
Posted in Financial Cryptography on August 16, 2006 09:04 AM
http://www.e-pso.info/epso/psnews/06-08-03_psnews_no42.html News and events: 1. European Central Bank – Communication on TARGET2 2. European Commission – Staff Working Document on the Review of the E-money Directive (2000/46/EC) 3. France – Banks upgrade security of EMV cards 4. Portugal – Payments...
Posted in Financial Cryptography on August 3, 2006 01:13 PM
As predicted, Firefox is now a member of that unenviable club -- "fair game" for crackers: Upon successful execution, FormSpy hooks mouse and keyboard events in the Mozilla Firefox web browser. It can then forward information such as credit card...
Posted in Financial Cryptography on July 28, 2006 08:40 AM
In talking with Hagai, it was suggested that I try using the TLS/IMAP capabilities of Thunderbird, which I turned on (it's been a year or two since the last time I tried it). Unfortunately, nothing happened. Nothing positive, nothing negative....
Posted in Financial Cryptography on July 23, 2006 07:19 AM
Lance James points out that Phishers have moved on to attacking 2-factor authentication tokens: The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test...
Posted in Financial Cryptography on July 10, 2006 05:48 PM
SNI is slowly coming to fruition. Quick reminder: SNI is the extension that supports multiple SSL servers on the same machine, and is one huge barrier to the routine employment of TLS as an aid against phishing and other threats....
Posted in Financial Cryptography on July 9, 2006 10:34 AM
This emerging threat has sent a wave of fear through the banks. Different strategies have been formulated and discussed in depth, and just this month the first roll-outs have been seen in Germany and Austria. This information cries out for...
Posted in Financial Cryptography on June 25, 2006 12:43 PM
We have often discussed how threats arise and impact security models. The hugely big question is whether to include this threat or this other threat? I think there is a metaphor to address part of this question - whether a...
Posted in Financial Cryptography on June 19, 2006 05:56 PM
It would be remiss of me not to pass on news that Mozilla have finally crafted a strategy for phishing protection in Firefox. It actually took me a few days to realise this is news, indeed, the news we had...
Posted in Financial Cryptography on June 7, 2006 12:10 PM
One of the things that we as society do to protect us against dodgy practices is to employ specialists to prepare considered reports. Often known as audits, these reports solve a particular economic problem for us - it is too...
Posted in Financial Cryptography on June 1, 2006 05:21 AM
Opera talks about security features in Opera 9. The good parts - they have totally rewritten their protocol engine, and: 3. We have disabled SSL v2 and the 40 and 56 bit encryption methods supported by SSL and TLS. The...
Posted in Financial Cryptography on May 24, 2006 02:50 PM
Two articles tracking hackers and looking into markets for trading stolen assets. The latter has better info: Gaffan says these credit card numbers and data are almost never obtained by criminals as a result of legitimate online card use. More...
Posted in Financial Cryptography on May 23, 2006 12:58 PM
A snippet of recent news: (May 5, 2006) Online search giant Yahoo! Inc. is developing what appears to be a person-to-person payment service and may be weeks away from introducing it, but details of the new service remain unclear. ......
Posted in Financial Cryptography on May 12, 2006 03:34 PM
Dave Birch reports that money in virtual worlds is well past GP. The online security for World of Warcraft is as bad as it is for internet banking, and World of Warcraft has six million subscribers (more than many banks...
Posted in Financial Cryptography on May 7, 2006 06:19 AM
Journalist Roger Grimes did some research on trojans and came up with this: Even more disturbing is that most banks and regulatory officials don’t understand the new threat, and when presented with it, hesitate to offer anything but the same...
Posted in Financial Cryptography on May 5, 2006 05:55 PM
Firefox, the free open-source Web browser from Mozilla Corp., quietly gained enough users in March to finally grab 10% of the Web browser market, according to a report released yesterday by Web audience-measurement firm NetApplications.com. Funny, I thought that happened...
Posted in Financial Cryptography on April 22, 2006 10:26 AM
A curious remark from a German bank called Postbank about their desire to use digital signatures: The electronic signature, which the bank attaches to its e-mail, is issued by TC Trust, the German subsidiary of GeoTrust. Only Postbank customers using...
Posted in Financial Cryptography on March 31, 2006 10:42 AM
Bad news for Microsoft, but (other) browsers may breathe a sigh of small relief. It seems that there is a shift from email-based phishing across to trojan hijacking. Predictable - as people gradually wake up to phishing, and as the...
Posted in Financial Cryptography on March 18, 2006 01:46 PM
Installing new SSL server certs is like visiting the in-laws for Christmas dinner. It's so painful, you dread it for weeks in advance. Afterwards, the relief flows through you as you know you don't have to do that for another...
Posted in Financial Cryptography on February 25, 2006 04:03 PM
Curious that Apple's Safari wasn't mentioned in recent discussions about High Assurance certs. Which brings us to a rash of sightings of Mac Viruses. Well, three at least. Unfortunately the media can be relied upon to over-play the appearance of...
Posted in Financial Cryptography on February 23, 2006 02:40 PM
GeoTrust, recently in trouble for being phished over SSL, has rushed to press a defensive PR that announces their support for high assurance SSL certificates. As it reveals a few details on this programme, it's worth a look: The new...
Posted in Financial Cryptography on February 21, 2006 07:05 PM
fm points to Gadi Evron who writes an impassioned plea for openness in security. Why? He makes a case that we don't know the half of what the bad guys are up to. His message goes something like this: DDoS...
Posted in Financial Cryptography on February 19, 2006 08:03 AM
fm points to Brian Krebs who documents an SSL-protected phishing attack. The cert was issued by Geotrust: Now here's where it gets really interesting. The phishing site, which is still up at the time of this writing, is protected by...
Posted in Financial Cryptography on February 14, 2006 06:21 AM
In a 2005 document entitled Trends and Attitudes in Information Security that someone sent to me, RSA Security, perhaps the major company in the security world today, surveys users in 4 of the largest markets and finds that most know...
Posted in Financial Cryptography on January 7, 2006 03:45 PM
Well, that was easy! I mentioned in my 2006 predictions that the USG controls enough of the Internet to have its way, and it won't give that up. Now the administration has come out and defined its policy in definite...
Posted in Financial Cryptography on January 6, 2006 11:04 AM
We would be remiss if we didn't also measure the theory of GP (GP1, GP2, GP3) against that old hobby horse, phishing. When ecommerce burst on the scene as an adjunct to browsing, it pretty quickly emerged as "taking credit...
Posted in Financial Cryptography on December 30, 2005 07:51 PM
Lynn points to techworld that points to NetCraft that states it has confirmed 450 HTTPS phishing attacks: In its first year, the Netcraft Toolbar Community has identified more than 450 confirmed phishing URLs using "https" urls to present a secure...
Posted in Financial Cryptography on December 30, 2005 02:18 PM
2005 was when the Snail lost its identity. What is to come in 2006? Prediction always being a fool's game compared to the wiser trick of waiting until it happens and then claiming credit, here's a list of strategic plays...
Posted in Financial Cryptography on December 28, 2005 04:14 PM
e-gold rocketed to success in late 1999 in a classical exponential growth curve that took everyone by surprise. Why the mathematics of growth continue to shock and awe has never been explained to me, but when you've just taken a...
Posted in Financial Cryptography on December 26, 2005 07:57 PM
Previously, we talked about the Growth and Fraud's GP which is the place where growth kicks off into a self-sustained value growth machine (Parts 1,2) . Then I made some remarks on how to instruct security strategy, which lead to...
Posted in Financial Cryptography on December 19, 2005 09:12 AM
In the closing weeks of 2005, we can now look back and see how the Snail slithered its way across the landscape. 1. Banks failed to understand phishing at any deep level. They failed in these ways: Pushing out websites...
Posted in Financial Cryptography on December 14, 2005 02:25 PM
The US treasury has apparently launched an attack on Internet governance with a FUD claim: RIYADH (Reuters) - Global cybercrime generated a higher turnover than drug trafficking in 2004 and is set to grow even further with the wider use...
Posted in Financial Cryptography on December 12, 2005 09:24 AM
Imagine if you will a successful FC system on the net. That means a system with value, practically, but for moment, keep close in your mind your favourite payments system. Success means solid growth, beyond some point of survival, into...
Posted in Financial Cryptography on December 11, 2005 03:21 PM
News comes from multiple places that the Browser manufacturers (Microsoft, KDE, Mozilla, Opera) got together and displayed their anti-phishing techniques to each other. It was yet another private meeting, where the people who've done good research on anti-phishing weren't involved...
Posted in Financial Cryptography on November 25, 2005 04:36 AM
George reports that his story originally published here in FC has made it to USAToday: He watched, horrified, as the intruder in quick succession dumped $60,000 worth of shares in Disney, American Express, Starbucks and 11 other blue-chip stocks, then...
Posted in Financial Cryptography on November 4, 2005 11:37 AM
In another story similar in spirit to the Cuthbert case, Adam points to Mark who discovers that Sony has installed malware into his Microsoft Windows OS. It's a long technical description which will be fun for those who follow p2p,...
Posted in Financial Cryptography on November 1, 2005 05:55 AM
Finally, some good news! Matthias points out that Microsoft has announced that they are switching to TLS in browsers. Hooray! This means no more SSL v2, and the other lackadaisical dinosaurs of the browser world can be expected to shuffle...
Posted in Financial Cryptography on October 25, 2005 06:12 PM
Nick pointed me to his Cuthbert post, and I asked where the RSS feed was, adding "I cannot see it on the page, and I'm not clued enough to invent it." To which he dryly commented "if you tried to...
Posted in Financial Cryptography on October 25, 2005 05:14 PM
I wrote before about rising barriers in security. We now have the spectre of our worst nightmare in security turned haptic: the British have convicted a security person for doing due diligence on a potential scam site. If you work...
Posted in Financial Cryptography on October 11, 2005 11:08 PM
The net is buzzing about an "OpenSSL Potential SSL 2.0 Rollback Vulnerability" (1, 2) where you can trick your SSL v3 to roll back to SSL v2. There are then some security weaknesses in SSL v2 that can be exploited...
Posted in Financial Cryptography on October 11, 2005 12:01 PM
An article in the aforementioned JIBC, "Security as a legal obligation" by Edwin Jacobs, argues the current security crisis from the perspective of bonus pater familias. This legal doctrine has it that we should ask, what would the good citizen...
Posted in Financial Cryptography on October 10, 2005 09:13 AM
Bruce Schneier outlines some of the factors behind phishing and then tries to stick it on the banks. Sorry, won't work - the Banks are victims in this too, and what's more they are not in the direct loop. Make...
Posted in Financial Cryptography on October 7, 2005 11:37 AM
In security pennies, Microsoft released SP2 for Office with some attention to phishing: The most noteworthy enhancement is the addition of a new Phishing Protection feature to Outlook 2003's Junk E-mail Filter. This feature will be turned on by default...
Posted in Financial Cryptography on September 29, 2005 06:01 AM
This week's phishing roundup starts with (thanks Lynn) sighting of an HTTPS phish. The attacker used a self-signed cert, and as we know browsers commonly fall to self-signed MITMs because of the popup madness ... A new, advanced form a...
Posted in Financial Cryptography on September 20, 2005 11:42 AM
Here's how your Paypal browsing can be protected with Trustbar: Apologies for the huge image! Notice the extra little window that has "PayPal, Inc" in it. That's a label that indicates that you have selected this site as one of...
Posted in Financial Cryptography on September 16, 2005 09:35 AM
A Notice of Extinction for prehistoric SSL v2 web servers is being typed up as we speak. This dinosaur should have been retired net-centuries ago, and it falls to Mozilla to clean up. In your browser, turn off SSL v2...
Posted in Financial Cryptography on September 6, 2005 12:45 PM
It looks like Microsoft are about to release their anti-phishing (first mooted months ago here): WASHINGTON _ Microsoft Corp. will soon release a security tool for its Internet browser that privacy advocates say could allow the company to track the...
Posted in Financial Cryptography on August 28, 2005 06:19 AM
Adam points to a great idea by EFF and Tor: Tor is a decentralized network of computers on the Internet that increases privacy in Web browsing, instant messaging, and other applications. We estimate there are some 50,000 Tor users currently,...
Posted in Financial Cryptography on August 20, 2005 10:00 AM
A good article on Malware for security people to brush up their understanding. On honey clients Balrog writes (copied verbatim): In my earlier post about Microsoft’s HoneyMonkey project I mentioned that the HoneyNet Project will probably latch on and develop...
Posted in Financial Cryptography on August 20, 2005 07:54 AM
Over on EmergentChaos, there are two security systems that failed dismally when a slight attack is launched. In building real security systems, we try and analyse everyone else's attempts and especially the reasons for failure. One is brought about by...
Posted in Financial Cryptography on August 18, 2005 09:19 AM
Dramatic increase in threats to IM (instant messaging or chat) seen as the IMLogic Threat Center reports a 28 times increase over the last year. Right on cue. Meanwhile, new tool to download for your browser shows that independent researchers...
Posted in Financial Cryptography on August 3, 2005 06:56 PM
A couple of articles on disclosure - one about the Cisco hole which was revealed at Blackhat, and another from Oracle's CSO who trots out some mild reasons why security reasons shouldn't cause trouble. Security researchers generally work for free...
Posted in Financial Cryptography on July 30, 2005 01:26 PM
On the morning of May 5 2005, I decided to work from home [writes George Rodriguez in a great expose of how phishing is spreading through American retail finance]. As I'm checking emails I start receiving email notifications from my...
Posted in Financial Cryptography on July 6, 2005 03:38 PM
Open is a big word these days. It started out as open source, being the progression of AT&T's distro of Unix leading to BSD and then to GPL. For computer source code, open works well, as long as you are...
Posted in Financial Cryptography on June 29, 2005 08:00 AM
Petnames evolved out of hard-won experience in the Electric Communities project, and went on to become a staple within the capabilities school of rights engineering. But it wasn't until Bryce 'Zooko' Wilcox made his dramatic claims of naming that petnames...
Posted in Financial Cryptography on June 26, 2005 07:35 PM
Google confirms they are doing a payment system. It may be like Paypal's but I wouldn't bet on it. Google claims it will be unlike. Either way a new sport is about to erupt in the payments systems world -...
Posted in Financial Cryptography on June 22, 2005 09:21 AM
Phishing news: puddle phishing (targeting small banks) is on the rise, as is phishing outside the US. Both of these are to be expected as phishers move around and try new things. One might suspect that the major US financial...
Posted in Financial Cryptography on June 17, 2005 11:09 AM
Adam points at the Underhanded C Contest. This is a good idea - write some C which is totally readable but does something underhanded. This year's challenge is to do some basic image processing but to conceal a fingerprint in...
Posted in Financial Cryptography on June 14, 2005 12:00 PM
The FBI in the US presented how to own your wireless LAN (By way of Tom's hardware and Dan). This is welcome. We need full open disclosure and full open research into cracking if we are to get an edge...
Posted in Financial Cryptography on May 22, 2005 07:45 AM
As the technical community is starting to realise the dangers of the political move to strong but unprotected ID schemes, there is renewed interest in open Internet-friendly designs to fill the real needs that people have. I've written elsewhere about...
Posted in Financial Cryptography on May 21, 2005 09:07 AM
Judging by the private comments I have received, Advances in Financial Cryptography (FC++) has worked well. I now have a potential list of 3 more papers ready for distro! Question now is how to proceed. I'm open to comments on...
Posted in Financial Cryptography on May 18, 2005 09:45 PM
Some random notes on the adventure of securing FC with SSL. It seems that SSL still remains difficult to use. I've since found out that I was somewhat confused when I thought we could use one Apache, one IP# and...
Posted in Financial Cryptography on May 16, 2005 02:34 PM
Research on a potential SSH worm is reported by Bruce Schneier - this is academic work in advance of a threat, looking at the potential for its appearance in the future. Unusual! There is now optional protection available for the threat,...
Posted in Financial Cryptography on May 13, 2005 03:14 PM
I've just been reminded of Stefan's post that Microsoft are looking at blinded signatures. To add to that, I've heard related rumours. Firstly, that they are planning to introduce some sort of generic blinding signature technology in the (northern) summer...
Posted in Financial Cryptography on May 12, 2005 06:59 PM
VoIP has been an unmitigated success, once Vonage and Skype sorted out basic business models that their predecessors (remember SpeakFreely, PGPFone?) did not get right. And everyone loves a story of connivery and hacker attacks. Now the security industry is...
Posted in Financial Cryptography on May 11, 2005 08:30 AM
Good story about a success at defending from a DDOS. As a company sprung out of it, this is obviously a marketing story, but it still gives a lot of good background into the DDOS world. Postini reports that phishing...
Posted in Financial Cryptography on May 9, 2005 07:44 AM
Netcraft publishes the top phishing hosters - and puts Inktomi in pole position. Think class-action, damages, lack of due care, billion dollar losses ... we need more of this naming and shaming. Rumours abound that Microsoft is about to be...
Posted in Financial Cryptography on May 6, 2005 08:02 AM
In thoughts about how to do Internet security - something the world fails at dismally for the present time - it is sometimes suggested that a "consumer choice" model would work. This model sets up independent non-profit organisations that conduct...
Posted in Financial Cryptography on May 3, 2005 06:17 AM
GeoTrust published a three part attack on the current certification practices that leave users unprotected and wide open to phishing (Exec Summary, shots of Opera being spoofed, and a white paper). In essence, they say that current vetting procedures (which...
Posted in Financial Cryptography on April 12, 2005 07:48 PM
Online fraud has been organised, industrialised, institutionalised and big for some time now. When I tell people that they just look blank, they have no conception of what this means. In a nutshell, it means they're making money, scads of...
Posted in Financial Cryptography on April 11, 2005 02:10 PM
A PR by comodo points at an old KPMG document that discusses the risks that the unstable CA market is presenting to users, and by proxy browser manufacturers. The document itself assumes 19th century industrial policy in its support of...
Posted in Financial Cryptography on April 8, 2005 06:57 PM
I've written before about how a major milestone in phishing was reached when Lopez sued Bank of America in Florida, USA. If you don't see that, click and read this article. It is maybe not obvious on the outside, but...
Posted in Financial Cryptography on April 6, 2005 09:09 PM
The shocking truth - spam works!! - is revealed in a breathtaking survey by the Radicati group. Jokes about lack of economic nous aside, the numbers in there are quite interesting: 10% of respondents have purchased products advertised in spam....
Posted in Financial Cryptography on March 27, 2005 12:51 AM
In a paper (sorry, PDF only) last month at FC05, Garfinkel and friends reported on an interesting survey conducted in two communities of merchants, one which received signed email from a supplier, and one which did not. This was an...
Posted in Financial Cryptography on March 25, 2005 07:16 PM
Over at Mozilla, the honeymoon is definitely over, as no less than Symantec's CEO casts some doubt on the notion that just because a browser is popular and open source doesn't mean it's secure. The full story. There is one...
Posted in Financial Cryptography on March 24, 2005 03:48 AM
Maybe there's hope for Microsoft yet .. they are reported as saying nothing at all about IE 7.0 security upgrades for phishing. There's no hope for Sun....
Posted in Financial Cryptography on March 22, 2005 01:24 AM
fm points at developments in the anti-phishing battle (extracted below) only unexpected if you had not an earlier entry on the Crooked Black Claw. It seems that Netcraft are having some success in aggregating the information collected from their toolbar...
Posted in Financial Cryptography on March 16, 2005 01:03 PM
In terms of definitions for FC, applying crypto to banking and finance doesn't work. Mostly because those doors are simply closed to us, but also because that's simply not how it is done. And this brings us to the big...
Posted in Financial Cryptography on March 2, 2005 01:55 AM
My counter to Peter Wayner's article kicked up a bit of a storm, regretfully carried on in the hallowed but private halls of IFCA's internal mail forums. (Yes, I did ask when they'll put up a forum for members and...
Posted in Financial Cryptography on February 26, 2005 05:05 PM
Over in the phishing department, Simon pointed to a new payments blog that seems to cover phishing as well....
Posted in Financial Cryptography on February 24, 2005 11:18 AM
17th February 2005. Bill Gates has just spoken at the RSA security conference: "Microsoft's chairman and chief software architect announced plans for an updated Internet Explorer 7.0 browser and a slew of other initiatives to bolster security in Microsoft products....
Posted in Financial Cryptography on February 18, 2005 02:21 PM
Ever since California passed its law on notification of data loss to citizens, we've wondered what happens when the data covers other states as well? Now we know. Choicepoint, one of the larger players in the data conglomerates market, has...
Posted in Financial Cryptography on February 17, 2005 02:43 PM
Gervase Markham has written "a plan for scams," a series of steps for different module owners to start defending. First up, the browser, and the list will be fairly agreeable to FCers: Make everything SSL, create a history of access...
Posted in Financial Cryptography on February 15, 2005 10:05 PM
Over on the mozilla-crypto group, discussions circulated as to how to fix the Shmoo bug. And phishing, of course. My suggestion has been to show the CA's logo, as that has to change if a false cert is used (and...
Posted in Financial Cryptography on February 11, 2005 09:00 AM
Adam & Michael discovered Stefan Brands' new blog called the Identity Corner. Stefan is of course the cryptographer who picked up from David Chaum and created a framework of mathematical formulas to deliver privacy control. Stefan's formulas as described in...
Posted in Financial Cryptography on February 8, 2005 07:08 PM
Over at something called the Shmoo conference, an exploit was announced that affects all browsers except including IE. Florian reports that spam is already circulating attacking IE. If you want to test it, and see what happens, browse over to...
Posted in Financial Cryptography on February 7, 2005 07:51 AM
Another case of the One True Number syndrome: If you are one of those mystified as to why phishing is so talked about, read this article. Or, if confused as to why computer scientists get angry when governments talk about...
Posted in Financial Cryptography on February 7, 2005 06:05 AM
Mozilla Foundation is running a project to develop a policy for adding new Certificate Authorities to FireFox, Thunderbird and the like. This is so that more organisations can sign off on more certificates, so more sites can use SSL and...
Posted in Financial Cryptography on February 6, 2005 03:41 PM
The letter to ICANN on Verisign's conflict of interest received several additional ones agreeing, and as yet no demurrals. I'm looking forward to the response, as governance of the net is very important, and it's key that we get this...
Posted in Financial Cryptography on February 4, 2005 02:11 PM
I know some have been banding around these ridiculous figures of phishing success, but I simply discounted them as being ridiculous. Yet, a new survey by Cyota in New York has said the same thing: "almost 5% [of banking account...
Posted in Financial Cryptography on February 1, 2005 08:01 PM
Over on the CostaGold settlement blog (yep, class action is now done by blog!) there is news that the court has granted final approval for the settlement of the seized funds. This hopefully brings the sorry episode to a close,...
Posted in Financial Cryptography on January 30, 2005 09:48 AM
Through a long chain of blogs (evidence that users care about phishing at least: gemal.dk MozIne, LWN, Addict) comes news that Thunderbird is also to have click-thru protection. The hero of the day is one Scott MacGregor. Easiest just to...
Posted in Financial Cryptography on January 25, 2005 10:11 AM
(JPM reports) here is a simple example from Eudora (a popular email client) for OSX. You'll get the idea. Note that "anti phishing technology!" is stunning, stupidly simple. It's just Not That Complex. "You need a big warning in email...
Posted in Financial Cryptography on January 22, 2005 01:45 PM
I've been focussed on a big project that finally came together last night, so am now able to relax a little and post. Adam picked up on this comment on hapless Salman Rushdie still suffering from his maybe-fatwa. Which led...
Posted in Financial Cryptography on January 21, 2005 09:45 AM
There are about 10 articles a day on phishing, so I don't read them. What else is there to say that hasn't been said since years ago? Including the fact that it gets better and better, it's enough to drive...
Posted in Financial Cryptography on January 21, 2005 07:13 AM
The Year of the Phish has passed us by, and we can relax in our new life swimming in fear of the net. Everyone now knows about the threats, even the users, but what they don't know is what happens...
Posted in Financial Cryptography on January 9, 2005 05:22 PM
A tech survey by accountants gives some interesting tips on security. The reason it is credible is because the authors aren't from our industry, so they can be expected to approach this without the normal baggage of some security product...
Posted in Financial Cryptography on January 4, 2005 06:59 AM
May 2005 be better than 2004, 2003, 2002, 2001 and so on. The previous years have been graded to determine the mean and referenced to 1999 as a benchmark for happiness. All claims and wishes are based on objective results...
Posted in Financial Cryptography on December 31, 2004 04:17 PM
In a show of remarkable adeptness, Netcraft have released an anti-phishing plugin for IE. Firefox is coming, so they say. This was exciting enough to make it on Slashdot, as David at Mozilla pointed out to me....
Posted in Financial Cryptography on December 30, 2004 02:26 PM
Recently, it's become fashionable to write an article on how to protect yourself from all the malware, phishing, spyware, viruses, spam, espionage and bad disk drives out there. Here's some: [IBM], [Schneier], [GetLuky]. Unfortunately, most of them go over the...
Posted in Financial Cryptography on December 29, 2004 05:47 PM
Stuart Schechter sent out the FC05 programme announcement just now, and it includes a text version of the programme, so here it is. The programme looks pretty good this year, with some varied stuff away from the "pure crypto" legacy...
Posted in Financial Cryptography on December 29, 2004 12:10 PM
Cypherpunk asks a) why has phishing gone beyond "don't click that link" and b) why we can't educate the users? A lot of what I wrote in The Year of the Snail is apropos to that first question. In economic...
Posted in Financial Cryptography on December 27, 2004 02:17 PM
FC'05 - the Financial Cryptography conference to be held in Dominica, first week of March - has posted a preliminary programme. I haven't seen it announced yet, so maybe this is a 'leak' :-)...
Posted in Financial Cryptography on December 27, 2004 11:57 AM
Over at EmergentChaos, Adam asked what happens when "the Snail" gets 10x worse? I need several cups of coffee to work that one out! My first impressions were that ... well, it gets worse, dunnit! which is just an excuse...
Posted in Financial Cryptography on December 8, 2004 08:45 AM
So if 2004 depressingly swims past us as the Year of the Phish, what then will 2005 bring? Worse, much worse. The issue is this: during the last 12 months, the Internet security landscape changed dramatically. A number of known,...
Posted in Financial Cryptography on December 1, 2004 08:47 AM
Last year, 2003, was a depressing year. We watched the phishing thing loom and rise, and for the most part, security experts fudged, denied, shuffled and ignored while the phish was reeled in. Now, 2004 can truly be said to...
Posted in Financial Cryptography on December 1, 2004 08:32 AM
The tide is turning on bank responsibility for retail frauds. Two years back it was normal for banks to deny any responsibility for problems with their systems. Coverups were routine, and the computer could never ever be wrong. Phantom withdrawals...
Posted in Financial Cryptography on November 23, 2004 08:50 AM
Adam reports that Eric reports that the IETF has run its first meeting on opportunistic cryptography. Called "Better Than Nothing Security" the Internet protocol people are starting to get antsy about the number of attacks on unprotected sessions on the...
Posted in Financial Cryptography on November 11, 2004 03:44 PM
The media is talking about some report that calls for companies to cooperate and not display information on web sites as an aid on phishing [1][2]. Yeah, that'll make a difference. Over in Korea they are reporting some little group...
Posted in Financial Cryptography on October 18, 2004 04:51 PM
Reading the new SANS list of top 20 vulnerabilities leaves one distinctly uncomfortable. It's not that it is conveniently sliced into top 10s for Unix and Microsoft Windows, I see that as a practical issue when so much of the...
Posted in Financial Cryptography on October 9, 2004 07:51 AM
It was an impossible task anyway, and more kudos to Amit Yoran for resigning. News that he has quit the so-called "cybersecurity czar" position in the US means that one more person is now available to do good security work...
Posted in Financial Cryptography on October 4, 2004 06:33 PM
In the "war on phishing" which has yet to be declared, there is little good news. It continues to increase, identity theft is swamping the police departments, and obscure efforts by the RIAA to assert that CD pirating is now...
Posted in Financial Cryptography on October 2, 2004 10:22 AM
There's a big debate going on in the US and Canada about who is going to pay for Internet wire tapping. In case you hadn't been keeping up, Internet wire-tapping *is* coming. The inevitability of it is underscored by the last...
Posted in Financial Cryptography on September 1, 2004 06:20 AM
James Sherwood of ZDNet reports: "Some Web sites are now offering surfers the chance to download free "phishing kits" containing all the graphics, Web code and text required to construct the kind of bogus Web sites used in Internet phishing...
Posted in Financial Cryptography on August 31, 2004 05:12 AM
When it's a class action payout! Yep, Paypal got into a mess when it had to mail out notifications to many users announcing a class action payout and encouraging them to ... you guessed it, click on the link and...
Posted in Financial Cryptography on August 4, 2004 01:11 PM
Almost forgotten in the financial world, but e-gold, the innovative digital gold currency issuer based in Florida, USA (and nominally in Nevis, East Caribbean), was one of the biggest early targets for phishing [1]. Because of their hard money policy,...
Posted in Financial Cryptography on July 31, 2004 12:19 PM
The primary reason for looking at threats is to develop a threat model [1]. This model then feeds into a security model, which latter decides which threats we can afford to deal with, and how. But I have a secondary...
Posted in Financial Cryptography on July 24, 2004 09:50 AM
Governance is about the appropriate aligning of incentives. When we build a governance layer, what we are essentially doing is cleaning up after the technocrats have done their best. In the case of FC, the technocrats are cryptographers, software engineers,...
Posted in Financial Cryptography on July 12, 2004 05:40 PM
Will Kamishlian has written an essay on the question I posed on the Internet security community last week: "why is the community being ignored?" It's a good essay, definitely worth reading for those looking for the "big" perspective on the...
Posted in Financial Cryptography on July 4, 2004 03:48 AM
A question I posed on the cryptography mailing list: The phishing thing has now reached the mainstream, epidemic proportions that were feared and predicted in this list over the last year or two. Many of the "solution providers" are bailing...
Posted in Financial Cryptography on June 30, 2004 06:55 AM
As well as the FT review, in a further sign that phishing is on track to being a serious threat to the Internet, Google yesterday covered phishing on the front page. 37 articles in one day didn't make a top...
Posted in Financial Cryptography on June 23, 2004 10:59 AM
Today, the Financial Times leads its InfoTech review with phishing [1]. The FT has new stats: Brightmail reports 25 unique phishing scams per day. Average amount shelled out for 62m emails by corporates that suffer: $500,000. And, 2.4bn emails seen...
Posted in Financial Cryptography on June 23, 2004 10:30 AM
Phishing, the sending of spoof emails to trick you into revealing your browser login passphrase, now seems to be the #1 threat to Internet users. A dubious award, indeed. An article in the New York Times claims that online identity...
Posted in Financial Cryptography on June 15, 2004 07:24 PM
Identity theft is a uniquely American problem. It reflects the massive - in comparison to other countries - use of data and credit to manage Americans' lives. Other countries would do well to follow the experiences, as "what happens there,...
Posted in Financial Cryptography on May 25, 2004 08:34 AM
In what is rapidly becoming an Internet soap opera, an alleged writer of the Sasser virus, 18 year old Sven Jaschan from Germany, was fingered under the Bounty program initiated by Microsoft a few months back [1]. As predicted, with...
Posted in Financial Cryptography on May 11, 2004 07:07 AM
Below is the first quantitative estimate of costs for phishing that I have seen - one phisher took $75,000 from 400 victims. It's a number! What is needed now is a way to estimate what the MITM attack on secure...
Posted in Financial Cryptography on May 5, 2004 07:33 PM
The Feb issue of Nilson Report reports stats from the antiphishing.org WG. New for me at least, is some light thrown on Tumbleweed, the company behind the WG, which as suspected is casting itself as a solution to phishing....
Posted in Financial Cryptography on April 21, 2004 10:13 AM
The Future of Phishing by Dr. Jonathan Tuliani - UK Technical Manager for Cryptomathic Ltd. - Monday, 5 April 2004. This article examines how attackers are likely to respond to the current move towards 2-factor authentication as a defence against...
Posted in Financial Cryptography on April 5, 2004 12:57 PM
A working group on anti-phishing was formed late last year, and now publishes the first attempts (that I have seen) at hard statistics on the epidemic in their monthly Phishing Attack Trends Report. The report has one...
Posted in Financial Cryptography on March 5, 2004 12:28 PM
A "solution" to Phishing called PassMarks has been proposed. The solution claims that the site should present an individualised image, the PassMark, to each account on login. Unfortunately, this won't work....
Posted in Financial Cryptography on March 3, 2004 01:20 PM
In a rare burst of journalistic research, the Economist has a good article on the state of viruses and similar security threats. It downplays terrorism, up-plays phishing, agrees that Microsoft is a monoculture, but disagrees with any conclusions promoted. Even...
Posted in Financial Cryptography on December 6, 2003 09:45 PM