[ISN] College professor tries to undermine cyber-thieves

From: <jericho_at_dimensional.com>
Date: Thu 19 Mar 1998 - 02:42:38 CST
---------- Forwarded message ----------
From: William Knowles <erehwon@dis.org>
To: DC-Stuff <dc-stuff@dis.org>, Access All Areas <aaa-list@access.org.uk>
Date: Wed, 18 Mar 1998 19:47:25 -0800 (PST)
Subject: College professor tries to undermine cyber-thieves

(March 18, 1998 3:54 p.m. EST http://www.nando.net) - Computer
scientist Jie Wang doesn't pretend to be Sherlock Holmes, but 
he's trying to foil one of today's most crafty criminal types 
-- the cyber-thief.
 
The researcher believes better security measures are needed to 
stop con artists from exploiting consumers who have accepted 
the World Wide Web as a viable, safe way to do business.
 
Wang is developing software so consumers who buy goods and 
services over the World Wide Web can electronically "sign" 
for them, much the same as they would with a credit card at 
a store or restaurant.
 
"The solution is a better way to check IDs," he said. 
"When I'm on the Web, how can I tell if the person using 
the credit card is the one who owns it?"
 
While thousands of legitimate businesses now use the Web to 
market their goods and services, there is ample opportunity 
for fraud, theft and other crime, said Wang, an associate 
professor in the Department of Mathematical Sciences at the 
University of North Carolina at Greensboro.
 
"When you go shopping on the World Wide Web, you are asked 
to give out information like your credit card numbers, 
password, street address and telephone number," he said.
 
A cyber-thief can obtain this valuable information by creating 
bogus Web sites and luring unsuspecting consumers to them. 
This gives them access to personal consumer information 
that they can use for their benefit.
 
Wang even has his own term for the computer criminal that 
preys on unsuspecting browsers -- the attacker.
 
"The customers may not notice that they are going to a wrong 
place," said Wang, who has written and lectured extensively 
on computer security issues around the world.
 
"There are a lot of tricks for doing that," he said. "A person 
thinks he is going to a certain store or a certain stockbroker, 
but actually goes to an attacker's Web site."
 
In one type of attack, which Wang calls "identity spoofing," 
a cyber-thief steals a user's identity to log onto exclusive 
Web sites.
 
"The member may never notice because it doesn't cost him 
or her anything," Wang said.
 
A second type of attack involves using someone's credit card 
numbers. These can be obtained via a fake Web site.
 
"After a customer gives a credit card number, they will say 
the system is malfunctioning and you will need to try back 
later," he said.

The real purpose is to obtain a consumer's credit card numbers, 
he said. "If you think about it, it's a pretty good con game," 
Wang said.
 
His ultimate goal is to find a consumer-friendly way to identify 
the user by an electronic signature that can be verified and 
scrambled, or encrypted, to prevent anyone without a code 
from reading it.
 
Wang is developing a cryptosystem that uses both public and 
private codes, or keys. Even if an attacker were able to 
steal a consumer's credit card number and password, the 
system would prevent him from using it.
 
Here's how the cryptosystem would work: A credit card company 
sets up a public-key cryptographic program and distributes it 
to businesses that maintain Web sites and use credit accounts.
 
Each account owner then gets a pair of keys -- one public and 
one private.
 
When a consumer sends in the account number to the Web site, 
the site would send back a short message asking the user to 
acknowledge it, or "sign" it.
 
The customer then uses a secret key to encrypt the message and 
sends it back to the Web site. In turn, the Web site uses the 
public key to decrypt the message and compares it to the 
original message.
 
If they match, the electronic signature is a match. If they 
don't -- no deal.
 
Wang said while the theory is not new, the biggest drawback 
is devising a user-friendly electronic signature. He doesn't 
see a groundswell of support from the credit card industry.
 
"People will continue to do business the old way until some 
big things happen," he said. "If, in the future, everything 
is done on the Web, if nobody goes to a real store, then this 
type of theft could be a major problem."


-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated
Received on Thu Mar 19 03:32:31 1998
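
The sign-the-challenge exchange described in the article, as an added example that is not part of the original post and is not Wang's software. It uses unpadded textbook RSA over two fixed primes so that it runs with the standard library alone; the Site class, the random 16-byte challenge and the account number are assumptions made here.

```python
import hashlib
import secrets

# Toy textbook-RSA key for one account owner (constructed for illustration).
# Fixed Mersenne primes keep the example deterministic and offline; a real
# system would generate keys randomly and use a padded scheme such as RSA-PSS.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key, held by the Web site
D = pow(E, -1, (P - 1) * (Q - 1))        # private key, held by the card owner

def digest(message: bytes) -> int:
    """Hash the challenge and reduce it into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, private_exp: int) -> int:
    """Customer side: 'encrypt' the message digest with the secret key."""
    return pow(digest(message), private_exp, N)

def verify(message: bytes, signature: int) -> bool:
    """Site side: 'decrypt' with the public key and compare to the original."""
    return pow(signature, E, N) == digest(message)

class Site:
    """Hypothetical merchant that issues one fresh challenge per purchase."""

    def __init__(self):
        self.pending = {}

    def challenge(self, account: str) -> bytes:
        nonce = secrets.token_bytes(16)  # assumption: the 'short message' is random
        self.pending[account] = nonce
        return nonce

    def accept(self, account: str, signature: int) -> bool:
        nonce = self.pending.pop(account, None)  # single use, so replays fail
        return nonce is not None and verify(nonce, signature)

def demo() -> dict:
    site, account = Site(), "4000-0000-0000-0002"  # constructed account number
    good = sign(site.challenge(account), D)
    owner_ok = site.accept(account, good)          # owner holds the private key
    replay_ok = site.accept(account, good)         # no challenge is pending
    site.challenge(account)
    stale_ok = site.accept(account, good)          # old signature, new challenge
    thief_ok = site.accept(account, sign(site.challenge(account), 3))  # wrong key
    return {"owner": owner_ok, "replay": replay_ok, "stale": stale_ok, "thief": thief_ok}
```

Only the first attempt is accepted: a captured signature is useless against a later challenge, and knowing the account number without the private key produces a signature that does not verify.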