[IWAR] WHERE HAVE THEY BEEN? Ecommerce 'effort'

From: 7Pillars Partners (partnersat_private)
Date: Wed Mar 18 1998 - 15:12:50 PST


    I don't know who to suspect for being behind the times, the news service, or
    the University. --MW

    College professor tries to undermine cyber-thieves
    
    Copyright © 1998 Nando.net
    Copyright © 1998 The Associated Press
    
    (March 18, 1998 3:54 p.m. EST http://www.nando.net) - Computer scientist Jie
    Wang doesn't pretend to be Sherlock Holmes, but
    he's trying to foil one of today's most crafty criminal types -- the
    cyber-thief.
    
    The researcher believes better security measures are needed to stop con artists
    from exploiting consumers who have
    accepted the World Wide Web as a viable, safe way to do business.
    
    Wang is developing software so consumers who buy goods and services over the
    World Wide Web can electronically "sign"
    for them, much the same as they would with a credit card at a store or
    restaurant.
    
    "The solution is a better way to check IDs," he said. "When I'm on the Web, how
    can I tell if the person using the credit card
    is the one who owns it?"
    
    While thousands of legitimate businesses now use the Web to market their goods
    and services, there is ample opportunity for
    fraud, theft and other crime, said Wang, an associate professor in the
    Department of Mathematical Sciences at the University
    of North Carolina at Greensboro.
    
    "When you go shopping on the World Wide Web, you are asked to give out
    information like your credit card numbers,
    password, street address and telephone number," he said.
    
    A cyber-thief can obtain this valuable information by creating bogus Web sites
    and luring unsuspecting consumers to them.
    This gives them access to personal consumer information that they can use for
    their benefit.
    
    Wang even has his own term for the computer criminal that preys on unsuspecting
    browsers -- the attacker.
    
    "The customers may not notice that they are going to a wrong place," said Wang,
    who has written and lectured extensively on
    computer security issues around the world.
    
    "There are a lot of tricks for doing that," he said. "A person thinks he is
    going to a certain store or a certain stockbroker, but
    actually goes to an attacker's Web site."
    
    In one type of attack, which Wang calls "identity spoofing," a cyber-thief
    steals a user's identity to log onto exclusive Web
    sites.
    
    "The member may never notice because it doesn't cost him or her anything," Wang
    said.
    
    A second type of attack involves using someone's credit card numbers. These can
    be obtained via a fake Web site.
    
    "After a customer gives a credit card number, they will say the system is
    malfunctioning and you will need to try back later,"
    he said.
    
    The real purpose is to obtain a consumer's credit card numbers, he said. "If
    you think about it, it's a pretty good con game,"
    Wang said.
    
    His ultimate goal is to find a consumer-friendly way to identify the user by an
    electronic signature that can be verified and
    scrambled, or encrypted, to prevent anyone without a code from reading it.
    
    Wang is developing a cryptosystem that uses both public and private codes, or
    keys. Even if an attacker were able to steal a
    consumer's credit card number and password, the system would prevent him from
    using it.
    
    Here's how the cryptosystem would work: A credit card company sets up a
    public-key cryptographic program and
    distributes it to businesses that maintain Web sites and use credit accounts.
    
    Each account owner then gets a pair of keys -- one public and one private.
    
    When a consumer sends in the account number to the Web site, the site would
    send back a short message asking the user to
    acknowledge it, or "sign" it.
    
    The customer then uses a secret key to encrypt the message and sends it back to
    the Web site. In turn, the Web site uses the
    public key to decrypt the message and compares it to the original message.
    
    If they match, the electronic signature is a match. If they don't -- no deal.
    
    Wang said while the theory is not new, the biggest drawback is devising a
    user-friendly electronic signature. He doesn't see a
    groundswell of support from the credit card industry.
    
    "People will continue to do business the old way until some big things happen,"
    he said. "If, in the future, everything is done on
    the Web, if nobody goes to a real store, then this type of theft could be a
    major problem."
    
    By PAUL NOWELL, AP Business Writer
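
The sign-and-verify exchange the article describes, as an added sketch that is not part of the original post or of Wang's software. Assumptions: toy textbook RSA over two fixed primes stands in for the unnamed cryptosystem, the message is hashed before the private-key step, the site's message carries a random single-use value, and `Site`, `demo` and the account number are hypothetical names.

```python
import hashlib
import secrets

# Toy textbook-RSA parameters (assumption, illustration only): two known
# Mersenne primes. Production systems use a vetted library with padding.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537

def make_keypair():
    """Return ((n, e), (n, d)): the account owner's public and private key."""
    n = P * Q
    return (n, E), (n, pow(E, -1, (P - 1) * (Q - 1)))

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    """Customer side: transform the site's message with the private key."""
    n, d = private
    return pow(_digest(message, n), d, n)

def verify(public, message, signature):
    """Site side: undo the transform with the public key and compare."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)

class Site:
    """Hypothetical merchant site mapping account number -> public key."""
    def __init__(self, directory):
        self.directory = directory
        self.pending = {}  # account -> outstanding challenge message

    def challenge(self, account):
        # A fresh random value makes every message to be signed unique.
        msg = b"confirm purchase " + secrets.token_hex(16).encode()
        self.pending[account] = msg
        return msg

    def accept(self, account, signature):
        msg = self.pending.pop(account, None)  # each challenge is single-use
        return msg is not None and verify(self.directory[account], msg, signature)

def demo():
    account = "0000-CONSTRUCTED"  # constructed sample account number
    public, private = make_keypair()
    site = Site({account: public})
    reply = sign(private, site.challenge(account))
    owner_ok = site.accept(account, reply)
    site.challenge(account)                  # later purchase, new challenge
    replay_ok = site.accept(account, reply)  # captured reply sent again
    return owner_ok, replay_ok
```

The account number alone no longer authorizes a purchase: the first reply verifies, while the same reply sent against a later challenge is rejected.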
    