Is cryptography where security took the wrong branch?

Ed Gerck egerck at nma.com
Wed Sep 3 20:03:20 EDT 2003


Arguments such as "we don't want to reduce the fraud level because
it would cost more to reduce the fraud than the fraud costs" are just a
marketing way to say that a fraud has become a sale. Because fraud
is a hemorrhage that adds up, while efforts to fix it -- if done correctly
-- are mostly an up-front cost that is incurred only once.  So, to accept
fraud debits is to accept that there is also a credit that continuously
compensates the debit. This credit ultimately flows from the customer
-- just like in car theft.

Some 10 years ago I was officially discussing a national
security system to help prevent car theft. A lawyer representing
a large car manufacturer told me that "a car stolen is a car sold"
-- and that's why they did not have much incentive to reduce
car theft. Having the car stolen was an "acceptable risk" for
the consumer and a sure revenue for the manufacturer. In fact, a
car stolen will need replacement that will be provided by insurance
or by the customer working again to buy another car.  While the
stolen car continues to generate revenue for the manufacturer in
service and parts.

The "acceptable risk" concept is a euphemism for that business
model that shifts the burden of fraud to the customer, and eventually
penalizes us all with its costs.

Today, IT security hears the same argument over and over again.
For example, the dirty little secret of the credit card industry is that
they are very happy with +10% of credit card fraud over the Internet.
In fact, if they would reduce fraud to zero today, their revenue
would decrease as well as their profits.

There is really no incentive to reduce fraud. On the contrary, keeping
the status quo is just fine.

This is so mostly because of a slanted use of insurance. Up to a certain
level, which is well within the operational boundaries, a fraudulent
transaction does not go unpaid through VISA, American Express or
Mastercard servers.  The transaction is fully paid, with its insurance cost
paid by the merchant and, ultimately, by the customer.

Thus, the credit card industry has successfully turned fraud into
a sale.  This is the same attitude reported to me by that car manufacturer
representative who said: "A car stolen is a car sold."

The important lesson here is that whenever we see continued fraud, we must
be certain: the defrauded is profiting from it.  Because no company will accept
a continued loss without doing anything to reduce it.

What is to blame? Not only the shortsighted ethics behind this attitude but also
that security "school of thought" which is based on risk, surveillance and
insurance as "security tools". There is no consideration of what trust is or
means, no consideration whether it is ethically justifiable.  "A fraud is a sale" is
the only outcome possible from using such methods.

The solution is to consider the concept of trust(*) and provide means to
induce trust among the dialogue parties, so that the protocol can be
not only correct but also effective.  The problem I see with protocols
such as 3D Secure (for example) is that they do not allow trust to be
represented -- even though they allow authorization to be represented (**).

Cheers,

Ed Gerck

(*) BTW, I often see comments that it is difficult to use the concept of trust.
Indeed, and unless the concept of trust in communication systems is
well-defined, it really does not make sense to apply it. The definition that I use
is that "trust is that which is essential to a communication channel but
cannot be transferred through that same channel." This definition allows one
to use Shannon's communication theory formalism and define trust without any
reference to emotions, feelings or other hard-to-define concepts.

(**) Trust is often used as a synonym for authorization (see InterTrust usage,
for example). This may work where a trusted user is a user authorized by
management to use some resources. But it does not work across trust
boundaries. Trust is more than authorization.

Ian Grigg wrote:

> ....
> This is mostly prevalent on the
> Internet, where there is a sense of self-taught, non-
> commercial application of cryptography.  My time in (or
> close to) a telco taught me the difference, as there,
> they have an engineering focus on cryptography, and really
> understand what it means to calculate the cost of the
> solution.
>
> For them, leaving a weakness was just another risk
> calculation, whereas so much stuff that happens on the
> net starts from "we must protect against everything"
> and then proceeds to design the set of "everything"
> for ones convenience.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
