Comments: A penny here...

Concerning the WebMoney theft. Surprisingly, WebMoney's website says nothing about it. They seem to be trying to cover it up. I haven't even found a single article on their discussion forums, although sometimes there are very interesting security issues discussed.
The Russian-language comment to the linked article, which is a verbatim copy of a Kommersant article (Kommersant is a popular business journal in the Russian-speaking world), is very informative though. Here's a short summary in English:

A 22-year-old college student, Constantin Lykov (majoring in math), was working part-time in the print shop that prints the scratch-cards for webmoney (one way to convert cash to webmoney is through buying scratch-cards with secret codes that one can enter into the wallet). He somehow got hold of the files containing the secret codes and was stupid enough to print them out -- these printouts were used as evidence against him.

He stole approx. $1.5 million worth of codes, but was actually able to take possession of less than $1000 by the time he was arrested. He bought expensive cellphones in order to sell them on for cash, purchased a notebook computer (apparently a used one) and lost a minor sum gambling in an on-line casino.

The article goes on to say that the people who eventually purchased the cards with the compromised codes haven't even noticed the theft, as webmoney decided to re-validate the codes.

I guess this is why they went to unusual lengths to cover up the incident (usually, they are quite open about security issues): they don't want to undermine the trust in the scratch-cards.

Otherwise, I must say that WebMoney is the best digital cash provider, as far as cryptography and business model go. While right now they are mostly catering to the Russian-speaking world (which includes the immigrant communities of North America and Western Europe, and the entirety of the former USSR), their service is scalable and very well-designed.

My only problems with them are a 0.8% per-transaction charge and the fact that they are often using home-grown crypto instead of established open standards even when such standards do exist. For example, they have their own secure messaging system instead of using any kind of secure email.

It is based on dispensable anonymous accounts where one can deposit using the public key and withdraw using the private key. They also have a nice escrow mechanism.

Posted by Daniel A. Nagy at March 28, 2005 02:16 PM

For example, they encode RSA-keys and hashes in decimal.

Posted by Daniel A. Nagy at March 28, 2005 02:22 PM