[cryptography] PKI "fixes" that don't fix PKI (part III)

John Levine johnl at iecc.com
Sun Sep 11 13:40:52 EDT 2011

>Wasn't there a paper on the underground economy that investigated such
>things by monitoring drop zones? And they found CC numbers, I thought? I
>could be wrong. I can't remember the title, but Thorsten Holz was one of
>the authors (no, not a relative of mine).

"Learning More About the Underground Economy: A Case-Study of
Keyloggers and Dropzones," by Thorsten Holz, et al., Dec 2008.

I read that and asked around.  There is indeed some PC malware
that collects card numbers along with other stuff, but it still
seems to be far from a priority.

In that paper, which is now three years old, their underground market
table lists 10,775 bank accounts, 78,359 Full identities, 149,000
email passwords, and only 5682 credit cards.

I asked around; eastern European gangs have vast numbers of stolen
card numbers in inventory, one estimate being 1/4 of all North American
cards.  Plain card numbers are useless: you need at least the expiration
date, preferably also the cardholder's name and address and the CVV code,
which would be easier to collect from a compromised web browser where
it can look at the field names, but even better from a payment
processor that has all that in spades.

So, anyway, really, there's no reason to believe that TLS on
individual web sessions has any effect on stolen credit cards or other
credentials.  It's way easier to steal them other ways than to try to
reconstruct them from packet streams.

Re dealing with phishing, I don't see any plausible solutions that
don't involve non-programmable hardware, e.g., a dongle with a little
screen that sets up its own secure session back to the bank and
displays a summary of the transaction with a verification code you
type in.
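The dongle scheme in the last paragraph, modelled as an added example that is not part of John Levine's post. It assumes a device key shared between dongle and bank, a hypothetical canonical transaction summary encoding, and a random bank challenge; the code the user types is bound to the transaction the bank actually received, so a phished or browser-altered transaction either fails the user's on-screen check or fails the bank's verification.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    payee: str
    amount_cents: int

    def summary(self) -> bytes:
        # Hypothetical canonical encoding shared by bank and dongle; the
        # length prefix keeps payee names containing ':' unambiguous.
        return f"{len(self.payee)}:{self.payee}:{self.amount_cents}".encode()


def device_code(device_key: bytes, challenge: bytes, txn: Txn, digits: int = 6) -> str:
    """Verification code the dongle shows after displaying txn on its own screen.

    HMAC over the bank's challenge plus the summary; truncated to a typeable code.
    """
    mac = hmac.new(device_key, challenge + txn.summary(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)


def bank_verify(device_key: bytes, challenge: bytes, txn: Txn, code: str) -> bool:
    """Bank recomputes the code over the transaction it will execute."""
    return hmac.compare_digest(device_code(device_key, challenge, txn), code)


def run_transaction(intended: Txn, submitted: Txn, device_key: bytes) -> str:
    """Simulate one payment.

    `intended` is what the user meant; `submitted` is what the bank received
    via the (possibly compromised) browser. The dongle displays `submitted`
    over its own session to the bank, so the user can spot tampering.
    """
    challenge = secrets.token_bytes(16)          # fresh per transaction, sent to the dongle
    if submitted != intended:                     # user compares dongle screen with intent
        return "refused-by-user"
    code = device_code(device_key, challenge, submitted)   # user types this into the browser
    if bank_verify(device_key, challenge, submitted, code):
        return "approved"
    return "rejected-by-bank"
```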

