
Caller ID "spoofing" 2975



there has been lots of recent discussions on mitm and spoofing attacks on internet banking ... with attackers doing website impersonation for harvesting and skimming (phishing) information that then can be used for fraudulent transactions.

part of this is some of the vulnerabilities in SSL ... not so much in the cryptography but in the business processes around its use. there are numerous browser efforts in progress for the SSL vulnerability countermeasures ... especially focused around spoofing internet banking sites.

http://www.garlic.com/~lynn/2006d.html#26 Caller ID "spoofing"

the early SSL for what came to be called e-commerce was that the end-user understood the relationship between a corporate entity and that entity's URL, the end-user typed in the URL to contact that website, and the end-user's browser used SSL to confirm that the website corresponded to the URL typed in (the site that the user thot they were talking to, was in fact the site they were talking to). This eliminated various website mitm-attacks, spoofing, and impersonations. However, it was predicated on the end-user understanding the corporate entity that they were dealing with and the relationship between that corporate entity and the URL.

As browsers and web evolved, URLs became more and more something that was supplied and clicked on ... and less and less something that the end-user actually types in (or even understood anything about).


Now you can have an attacker sending email and/or putting up a spoofed site ... the end-user clicks on something and goes to an "SSL" site. the browser confirms that the "SSL" site that the end-user is talking to corresponds to the URL clicked-on. Since the attacker can supply the URL ... the only thing proved is that the attacker is who the attacker claims to be (without provable chain of evidence between who the end-user thinks they are talking to is actually who they are talking to).

so one of the current countermeasures being floated for spoofed websites ... is a new class of SSL credentials. these will only be issued to businesses that have passed some level of investigation as being reputable business. browsers will then give some new visual indicator to end-users when dealing with new kind of SSL. the user still won't know if they are dealing with who they think they are dealing with ... but they will at least be assured that who-ever it is has passed some level of reputable business audit.

this is sort of along the lines of my suggestion from the early days of SSL and e-commerce that such businesses audits include things like FBI background check of all employees (which they still aren't

however, this doesn't necessarily address major exploits and vulnerabilities ... for long before the internet as well as thru-out the internet age ... the majority of sensitive information leakages and data breaches has always involved insiders. the internet age has introduced some new avenues for information leakage and data breaches ... but hasn't significantly reduced insider-based exploits (in fact, the possibility that something may have come from the internet may just be used to obfuscate that it really was an insider event).

so the first order response typically has been to heap on more and more security in attempt to stem the leakage of sensitive information (in some cases extremely internet oriented even tho it has been proven time and time again that the major threat is from insiders).

x9.59 financial standard took a different approach ... it was to eliminate account numbers from the category of sensitive information ... even if (x9.59) account numbers were to leak all over the world ... crooks still couldn't use them for fraudulent transactions (this was recognition that it was practically impossible to provide sufficient information hiding technology to prevent account number leakage ... in part, because account numbers are required in so many different business processes).
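
Added illustration of the post's SSL point (example code, not part of the original post): the browser's check only ties the certificate to the host in the URL, so it passes for any site that holds a certificate for its own name, while a check anchored in what the user already knows about the entity does not. The host names, certificate name lists and the `KNOWN_HOSTS` table are constructed assumptions.

```python
# Constructed example: what the SSL name check proves, and what it leaves open.

def san_matches(hostname, pattern):
    """RFC 6125-style match: exact name, or '*' as the entire left-most label."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    # A wildcard covers exactly one label and never the bare parent domain.
    head, _, rest = host.partition(".")
    return bool(head) and rest == pat[2:]

def browser_check(url_host, cert_names):
    """The SSL check: the server presented a certificate naming the URL's host.
    It says nothing about where the URL came from."""
    return any(san_matches(url_host, name) for name in cert_names)

def entity_check(intended_entity, url_host, cert_names, known_hosts):
    """Adds the link the post says is missing: the host must be one the user
    already associates with the entity (typed in or bookmarked earlier)."""
    trusted = known_hosts.get(intended_entity, set())
    return url_host.lower() in trusted and browser_check(url_host, cert_names)

# Constructed data: the user's own record of which host belongs to which entity.
KNOWN_HOSTS = {"Example Bank": {"www.examplebank.example"}}

# (host in the URL, names in the certificate the server presents)
GENUINE = ("www.examplebank.example",
           ["www.examplebank.example", "examplebank.example"])
SUPPLIED = ("www.examp1ebank.example",      # URL arrived in an email
            ["*.examp1ebank.example"])      # valid certificate for that name

def evaluate(intended_entity, site):
    """Return (ssl_check_passes, entity_binding_passes) for one site."""
    host, names = site
    return (browser_check(host, names),
            entity_check(intended_entity, host, names, KNOWN_HOSTS))

if __name__ == "__main__":
    for label, site in (("typed-in URL", GENUINE), ("supplied URL", SUPPLIED)):
        print(label, evaluate("Example Bank", site))
```
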
