news

information must be hard-coded into the user’s system.The PKI challenge partici-pants fixed this temporarilyby using a virtual directory,which is preprogrammedwith the information ofwhere all the other directoriesare located. Hodgson men-tioned that noone is responsi-ble for the directory issuecurrently and they are seekingvolunteers. Hodgson toldComputer Fraud & Securitythat a number of organiza-tions could take responsibilityfor this but it would be com-plicated, difficult to adminis-trate and allocate cost.

Another big pitfall is con-figuration, where users arepresented with too manyoptions, clicking on certainoptions could restrict usersfrom interacting with otherusers.This could be eliminat-ed if vendors offered a stan-dard set of options. There isa functionality gap withsome applications, for exam-ple the option of clear-signedand opaque signed emails —the user email applicationshould read both. There isalso a problem where ven-dors are introducing new fea-tures at different rates.

Hodgson says that a success-ful outcome would involve anagreement to fix the mainproblems and to actually getthe PKI vendors to talk toeach other.

Global PKI vendors partici-pating in the PKI Challengehave nearly finished testingand the results are due inNovember although accordingto Hodgson, making the dead-line will be tight. More inter-operability can only be goodbut Hodgson provides areminder to PKI users thatthey will have to support the

cost that increased interoper-ability brings.

After the testing is complet-ed the report will be submit-ted to the EC.

Fraud Roundup

Nigerian fraud schemefakes bank websites

The Nigerian fraud scheme isvery inventive at deploying allimaginable methods to lurevictims. Recently the UK’sNational Criminal Intelli-gence Service says that twoCanadians lost more than£100 000 after visiting a fakeversion of a high street Britishbank’s website. The criminalsbehind the scam have notbeen caught but according toan NCIS spokesperson, they“suspect the crime has WestAfrican links”.

The only difference in thefake bank website comparedto the original was the domainname had ‘the’ present in frontof it. NCIS reports that thesite has been shut down andthe British bank has swiftlypurchased all similar varia-tions of its own domain name.

An NCIS spokesperson toldComputer Fraud & Securitythat the fake bank website isyet another tactic for trickingvictims into thinking the offerof $24 million dollars in theNigerian fraud scheme is gen-uine. Originally bank certifi-cates were produced to givethe hoax authenticity. Thesebank certificates have nowbeen replaced by hoax web-sites, looking identical to rep-utable banks, the victim is sentthe fake website url and a

password. The victim logs inand is able to view an enor-mous transaction in theirname in what seems to be avalid online account.

The NCIS has had a recentsuccess in arresting 18 peoplein conjunction with a similarfake website involving theReserve Bank of South Africa.Although the spokespersonfrom NCIS believes that theperpetrators in this case arenot the same as those involvedin the UK Bank.Earlier this year the NCIS pre-dicted that hi-tech crimewould increasingly exploitWeb spoofing and this hasmaterialised in these recentcases.Fr

Hoax email captures Yahoo’scustomer creditnumbers

A fraudulent email has beensent out by an unidentifiedparty posing as part of theYahoo! organization to YahooPayDirect! customers askingthem for credit card numbers.

Yahoo PayDirect! chargesover one million customers forservices. Yahoo retaliated bysending out another massemail warning customers toignore the bogus email.

A spokesperson from Yahoo!said “it’s been bought to ourattention that an individual orgroup of individuals posing aspart of our organization havesent out an email to users inorder to trick them into givingtheir online account informa-tion”.

According to reports fromReuters a Yahoo spokesperson

has confirmed that a minorityof customers had suppliedtheir credit card details.

E-commerceRoundup

Web services —hesitations in US

Evans Data Corp hasannounced the results fromits latest North AmericanDeveloper Survey whichhighlights the main draw-backs to developers usingWeb services. The highestconcern cited by developerswas security (26%) with lackof standards coming a closesecond at (24%). Althoughthis hesitation will not get inthe way of Web servicesimplementation across theboard because 39.% of devel-opers are currently develop-ing Web-enabled applicationsand and 91% expect todeploy Web services in thenext two years.

According to Evans Data,“Web services are rapidly gain-ing prominence with morethan nine in 10 developersexpecting their companies touse Web services in the nexttwo years. According to thesurvey, the main obstacles tocreating Web services; are thelack of established Web ser-vices standards, concernsabout end-to-end security andunderstanding the architec-ture.

The existing security mea-sures that are most likely to beimplemented by developersare XML encryption(46.4%),XML digital signatures (42%)and SOAP (also 42%).

Whitfield Diffie, a distin-guished Sun engineer said thatindustry is “moving towards aWeb services environment”.

3