I don't know who to suspect for being behind the times, the news service, or the University. --MW

College professor tries to undermine cyber-thieves

Copyright 1998 Nando.net
Copyright 1998 The Associated Press

(March 18, 1998 3:54 p.m. EST http://www.nando.net) - Computer scientist Jie Wang doesn't pretend to be Sherlock Holmes, but he's trying to foil one of today's most crafty criminal types -- the cyber-thief.

The researcher believes better security measures are needed to stop con artists from exploiting consumers who have accepted the World Wide Web as a viable, safe way to do business.

Wang is developing software so consumers who buy goods and services over the World Wide Web can electronically "sign" for them, much the same as they would with a credit card at a store or restaurant.

"The solution is a better way to check IDs," he said. "When I'm on the Web, how can I tell if the person using the credit card is the one who owns it?"

While thousands of legitimate businesses now use the Web to market their goods and services, there is ample opportunity for fraud, theft and other crime, said Wang, an associate professor in the Department of Mathematical Sciences at the University of North Carolina at Greensboro.

"When you go shopping on the World Wide Web, you are asked to give out information like your credit card numbers, password, street address and telephone number," he said.

A cyber-thief can obtain this valuable information by creating bogus Web sites and luring unsuspecting consumers to them. This gives them access to personal consumer information that they can use for their benefit.

Wang even has his own term for the computer criminal that preys on unsuspecting browsers -- the attacker.

"The customers may not notice that they are going to a wrong place," said Wang, who has written and lectured extensively on computer security issues around the world.

"There are a lot of tricks for doing that," he said. "A person thinks he is going to a certain store or a certain stockbroker, but actually goes to an attacker's Web site."

In one type of attack, which Wang calls "identity spoofing," a cyber-thief steals a user's identity to log onto exclusive Web sites.

"The member may never notice because it doesn't cost him or her anything," Wang said.

A second type of attack involves using someone's credit card numbers. These can be obtained via a fake Web site.

"After a customer gives a credit card number, they will say the system is malfunctioning and you will need to try back later," he said.

The real purpose is to obtain a consumer's credit card numbers, he said.

"If you think about it, it's a pretty good con game," Wang said.

His ultimate goal is to find a consumer-friendly way to identify the user by an electronic signature that can be verified and scrambled, or encrypted, to prevent anyone without a code from reading it.

Wang is developing a cryptosystem that uses both public and private codes, or keys. Even if an attacker were able to steal a consumer's credit card number and password, the system would prevent him from using it.

Here's how the cryptosystem would work:

A credit card company sets up a public-key cryptographic program and distributes it to businesses that maintain Web sites and use credit accounts. Each account owner then gets a pair of keys -- one public and one private.

When a consumer sends in the account number to the Web site, the site would send back a short message asking the user to acknowledge it, or "sign" it.

The customer then uses a secret key to encrypt the message and sends it back to the Web site. In turn, the Web site uses the public key to decrypt the message and compares it to the original message. If they match, the electronic signature is a match. If they don't -- no deal.

Wang said while the theory is not new, the biggest drawback is devising a user-friendly electronic signature.

He doesn't see a groundswell of support from the credit card industry.

"People will continue to do business the old way until some big things happen," he said. "If, in the future, everything is done on the Web, if nobody goes to a real store, then this type of theft could be a major problem."

By PAUL NOWELL, AP Business Writer
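
The sign-the-challenge exchange the article describes, sketched as an added example (not code from the article or from Wang's software). It assumes Ed25519 signatures from Go's standard library in place of the article's "encrypt with the secret key" wording; the Site type, the Demo function and the account number are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Site is the merchant (hypothetical type): it stores only public keys.
type Site struct {
	pubKeys map[string]ed25519.PublicKey // account number -> public key
	pending map[string][]byte            // account number -> open challenge
}

// Challenge issues a fresh random message for the account holder to sign.
func (s *Site) Challenge(account string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.pending[account] = c
	return c
}

// Verify checks the signature over the open challenge, then discards the
// challenge so a captured signature cannot be replayed later.
func (s *Site) Verify(account string, sig []byte) bool {
	c, ok := s.pending[account]
	pub, known := s.pubKeys[account]
	delete(s.pending, account)
	return ok && known && ed25519.Verify(pub, c, sig)
}

// Demo runs three attempts: the owner, a thief who knows the card number
// but not the private key, and a replay of the owner's earlier signature.
func Demo() (owner, thief, replay bool) {
	const acct = "4000-0000-0000-0002" // constructed sample account number
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, thiefKey, _ := ed25519.GenerateKey(rand.Reader) // not the owner's key
	site := &Site{pubKeys: map[string]ed25519.PublicKey{acct: pub}, pending: map[string][]byte{}}
	sig := ed25519.Sign(priv, site.Challenge(acct))
	owner = site.Verify(acct, sig)
	thief = site.Verify(acct, ed25519.Sign(thiefKey, site.Challenge(acct)))
	site.Challenge(acct) // a later purchase gets a new challenge
	replay = site.Verify(acct, sig)
	return
}

func main() { fmt.Println(Demo()) }
```

Only the owner's attempt is accepted. The card number alone is not enough, and because each challenge is random and used once, a signature captured from an earlier purchase does not verify against a later one.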
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:06:36 PDT