[fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

John Kelsey kelsey.j at ix.netcom.com
Tue Oct 25 07:20:05 PDT 2005

>From: cyphrpunk <cyphrpunk at gmail.com>
>Sent: Oct 24, 2005 5:58 PM
>To: John Kelsey <kelsey.j at ix.netcom.com>
>Subject: Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

>Digital wallets will require real security in user PCs. Still I don't
>see why we don't already have this problem with online banking and
>similar financial services. Couldn't a virus today steal people's
>passwords and command their banks to transfer funds, just as easily
>as the fraud described above? To the extent that this is not
>happening, the threat against ecash may not happen either.

Well, one difference is that those transactions can often be undone,
if imperfectly at times.  The whole set of transactions is logged in
many different places, and if there's an attack, there's some
reasonable hope of getting the money back.  And that said, there have
been reports of spyware stealing passwords for online banking systems,
and of course, there are tons of phishing and pharming schemes to get
the account passwords in a more straightforward way.   The point is,
if you're ripped off in this way, there's a reasonable chance you can
get your money back, because the bank has a complete record of the
transactions that were done.  There's no chance of this happening when
there's no record of the transaction anywhere.  

>> The payment system operators will surely be sued for this, because
>> they're the only ones who will be reachable.  They will go broke, and
>> the users will be out their money, and nobody will be silly enough to
>> make their mistake again.

>They might be sued but they won't necessarily go broke. It depends on
>how deep the pockets are suing them compared to their own, and most
>especially it depends on whether they win or lose the lawsuit. 

I don't think so.  Suppose there's a widespread attack that steals
money from tens of thousands of users of this payment technology.
There seem to be two choices:

a.  The payment system somehow makes good on their losses.

b.  Everyone who isn't dead or insane pulls every dime left in that
system out, knowing that they could be next.  

It's not even clear that these are mutually exclusive, but if (a)
doesn't happen, (b) surely will.  Nobody wants their money stolen, and
I don't think many people are so confident of their computer security
that they're willing to bet huge amounts of money on it.  If you have
to be that confident in your computer security to use the payment
system, it's not going to have many clients.  



More information about the cypherpunks-legacy mailing list