Financial Cryptography reports an account of the business model behind phishing. All of this relies on misusing information in large databases, and on a dangerous tendency to redefine concepts of identity and authority without realising that we are mistaking the model for the reality.
Apparently you can make a lot of money without leaving your desk. 100,000 emails will harvest details of 20 bank accounts, a 0.02% return rate. The stolen balances may be between $10,000 and $100,000. (Not my accounts, then!)
As Financial Cryptography puts it, you need “information necessary to gain authorised control over a bank account”. I disagree with that word authorised. What FC should say is information that fools the computer into thinking you are the authorised owner, but FC is already giving in and implying that authorisation is when the computer thinks authorisation has taken place. It isn't. The database is a model of the real world, in which I am represented by my PIN and my username and my first dog's name and whatever else the security gurus have thought up: maybe 50 bytes of information? But none of these actually are me.
They're a model of me, a very specialised model of one part of me. I have heaven knows how many accounts online for banks, websites, etc etc. Each has a different authentication code. But me, sitting on a Sunday morning blogging whilst looking forward to my breakfast, I'm more than a few hundred bytes.