Phishing Works!

Point over to MSNBC and have a squiz at the latest stats, personaly I'd take percaentages and figures with a grain of salt as different market segments are going to be represented very differently.  As a gauge of the general state of phishing it probably is not far wrong.

Anti-spam firm MailFrontier Inc. showed 1,000 consumers examples of so-called "phishing" e-mail as well as legitimate e-mail from companies such as eBay and PayPal. About 28 percent of the time, the consumers incorrectly identified the phishing messages as legitimate.
What's more, the legitimate e-mails were often dismissed as potential fraud. An e-mail message from the Federal Trade Commission was dismissed as a fraud by 50 percent of the consumers.

...
Attacks on the rise, banks targeted

Not only are consumers unable to accurately spot fakes, they are regularly surrendering personal information. According to a study released in April by Gartner's Avivah Litan,  1.78 million Americans say they've fallen for a fake e-mail and willingly provided credit card numbers, bank account PINs, and other information to computer criminals.
Perhaps an additional 1 million users have done so and don't realize it, the study said. In all, the study concluded that about $1.2 billion has been stolen from U.S. financial institutions through phishing attacks.

It goes on and hints that it is all getting worse, that's probably no surprise if you are reading this.  What is needed is the so therefore to come out.  I think that will be in the shape of a whole new feel to e-commerce.

Prediction:  credit card numbers, username/password pairs and plastic cards with pin numbers are all going to be replaced by something new.  A wireless, smarter cryptographic something new.

When financial cryptography = PAIN

Physical pain that is.

Ironically, rather than protecting their wearers from kidnapping, implantable security devices may actually turn their wearers into tempting targets for Mexico's notorious kidnapping gangs, especially as the chips migrate to serve as payment devices, says Albrecht. "What could be more inviting to kidnappers than a chip that offers access to secure areas or someone's bank account? If criminals want to get ahold of a chip, they will naturally try to nab a person wearing one."
The potentially gruesome implications of being probed for an implanted chip are obvious, said Albrecht. She points out that at least one Mexican kidnapping gang, a group nicknamed "el chip" for its interest in RFID implants, is focused on the technology. According to recent reports, its members have stripped kidnapping victims and demanded to be told where they have chips implanted in their bodies. 

As a side note seats are still available at the 'RFID Academy Australia' 29-30 July 2004 held by Alien Technologies http://www.alientechnology.com/01_rfidacademy_p05.html They don't seem to have any financial issues addressed just tracking, still if you have excess amounts of money to spend listening to their markting you may want to book in.

Financial Cryptography '05

Financial Cryptography and Data Security (FC'05) is the premier international forum for research, advanced development, education, exploration, and debate regarding security in the context of finance and commerce.


Some interesting items to be discussed there, go have a look.

Amoungst some of the more interesting items:

Anonymity and Privacy
Audit and Auditability
Authentication and Identification, including Biometrics
Certification and Authorization
Commercial Cryptographic Applications
Commercial Transactions and Contracts
Digital Cash and Payment Systems
Digital Incentive and Loyalty Systems
Digital Rights Management
Fraud detection
Game Theoretic Approaches to Security Infrastructure
Design Legal and Regulatory Issues
Microfinance and Micropayments
Reputation Systems
RFID-Based and Contactless Payment Systems
Secure Banking
Secure Financial Web Services
Securing Emerging Computational Paradigms
Security and Risk Perceptions and Judgments
Security Economics
Smart Cards and Secure Tokens
Trust Management
Trustability and Trustworthiness
Underground-Market Economics
 

 
Important Dates Conference: February 28 - March 3, 2005 Submission Deadline: September 10, 2004 Author Notification: November 1, 2004

FCRFID

As it becomes more obvious that RFID's can be spoofed even with limited resources ( http://cryolite.ath.cx/perl/skin/prox ) A search on the current state of RFID challange-response systems turned up 96 bit symetrical encryption as the comercial standard.

I would like to invite anyone with detailed knowledge to comment on the possibility of brute forcing such a system.

I am assuming that listening in on a transaction for reference will provide sufficient data to know when the key has been revealed. At 40 scans a second even running sveral days seems to imply precomputed tables into the petabytes. Yet it is not so many bits if more details of the encryption is known. A non-disclosure needs to be signed to get more details, so it will take an insider somewhere to hint out just how secure they are.

tag that got my interest:
http://www.emmicroelectronic.com/Products.asp?IdProduct=205

The EM4035 is a CMOS integrated circuit intended for use in
contactless Read/Write transponders. The EM4035 is
completely ISO15693 compliant and is a member of ISO
15693 standard passive Read/Write RF tags operating at
13.56MHz.
The Chip contains an implementation of a crypto-algorithm
with 96 bit of user configurable secret-Keys contained in
EEPROM.

So the question is, will it be possible to do a power analysis on an RFID? Would doing a die probe of one brake security for all using the same key.

I know that there are high security tags in existance that are much more secure, but it is likely to be ones like this using just 96bits?

As a side note while looking at secure rfid's I also spotted this non-secure one whose specs were very impressive.
http://www.emmicroelectronic.com/DetailNews.asp?IdNews=68

An amazing feature of EM4223 is that it can read tags at a distance above 15 meters when using an optimized transponder antenna. It also has an enhanced anticollision protocol which performs without saturation effect. Indeed, with other RFID chips, it may happen that the reader saturates and is not able to read more than a certain number of tags because the transmission channel becomes saturated.
"The saturation limits of the transmission channel of EM4223 are extended to such a point that a reader is able to read over one thousand tags simultaneously present in the field", said Mougahed Darwish, president of the management board of EM Microelectronic. "Due to its high speed anticollision feature, it is also possible to read two hundred EM4223 tags per second. This high throughput will set new performance benchmarks, especially when operating under the prevailing ETSI regulation."

That's 15m reading, 200 per second, able to have 1000 in scan zone at once, one thing is certain this technology is definately not standing still.

While the idea of a Financial Cryptographic Radio Frequency Identification Device is not yet here, it is my bet it soon will be.

Workshop on Cryptographic Hardware and Embedded Systems

The focus of this workshop is on all aspects of cryptographic hardware and security in embedded systems. The workshop will be a forum of new results from the research community as well as from the industry. Of special interest are contributions that describe new methods for efficient hardware implementations and high-speed software for embedded systems, e.g., smart cards, microprocessors, DSPs, etc.


Boston Marriott Cambridge
Cambridge (Boston), USA
August 11-13, 2004

Computer architectures for public-key and secret-key cryptosystems
Efficient algorithms for embedded processors
Reconfigurable computing in cryptography
Cryptographic processors and co-processors
Cryptography in wireless applications (mobile phone, LANs, etc.)
Security in pay-TV systems
Smart card attacks and architectures
Tamper resistance on the chip and board level
True and pseudo random number generators
Special-purpose hardware for cryptanalysis
Embedded security
Device identification

ISOC Phishing Cyber-Survey

ISOC Administration
*********************************
Cyber-Survey #12 - Phishing and Authentication
By Michael R. Nelson - VP of Public Policy

In recent months, there have been growing concerns about "phishing," the
use of the Internet by criminals to steal personal data such as
bank-account numbers and user passwords. According to the Gartner Group,
an estimated 57 million US Internet users have received e-mail messages
directing them to phony Web sites and about 1.8 million may have
divulged personal information as a result. Furthermore, the number of
phishing attacks has more than tripled in the last six months.

This short survey is designed to get the advice of Internet Society
members on how best to reduce the problem of phishing and cyberfraud.

www.isoc.org/members/surveys/current

The survey will end on July 12, 2004.

Thank you for your input.

ELLIPTIC CURVE CRYPTOGRAPHY - Germany

THE 8TH WORKSHOP ON ELLIPTIC CURVE CRYPTOGRAPHY (ECC 2004)

Ruhr-University Bochum, Germany

September 20, 21 & 22, 2004

THIRD ANNOUNCEMENT June 29, 2004


ECC 2004 is the eighth in a series of annual workshops dedicated
to the study of elliptic curve cryptography and related areas.
The main themes of ECC 2004 will be:
- The discrete logarithm problem.
- Efficient parameter generation and point counting.
- Provably secure cryptographic protocols.
- Efficient software and hardware implementation.
- Side-channel attacks.
- Deployment of elliptic curve cryptography.

It is hoped that the meeting will continue to encourage
and stimulate further research on the security and implementation
of elliptic curve cryptosystems and related areas, and encourage
collaboration between mathematicians, computer scientists and
engineers in the academic, industry and government sectors.

There will be approximately 15 invited lectures (and no contributed
talks), with the remaining time used for informal discussions.
There will be both survey lectures as well as lectures on latest
research developments.


SPONSORS:
BSI - Bundesamt für Sicherheit in der Informationstechnik
Bundesdruckerei GmbH
DFG-Graduate School on Cryptography
ECRYPT - European Network of Excellence in Cryptography
escrypt - Embedded Security GmbH
Ruhr-University Bochum
University of Waterloo


www.cacr.math.uwaterloo.ca/conferences/2004/ecc2004/announcement.html