The bank fraud blame game

Adam Shostack adam at homeport.org
Mon Jul 2 12:18:26 EDT 2007


On Sun, Jul 01, 2007 at 11:09:16PM -0400, Leichter, Jerry wrote:
| | | > > Given that all you need for this is a glorified pocket
| | | > > calculator, you could (in large enough quantities) probably get
| | | > > it made for < $10, provided you shot anyone who tried to
| | | > > introduce product-deployment DoS mechanisms like smart cards and
| | | > > EMV into the picture.  Now all we need to do is figure out how
| | | > > to get there from here.
| | | >
| | | > I'd suggest starting from the deployment, training, and help desk
| | | > costs.  The technology is free, getting users to use it is not.  I
| | | > helped several banks look at this stuff in the late 90s, when cost
| | | > of a smartcard reader was order ~25, and deployment costs were
| | | > estimated at $100, and help desk at $50/user/year.
| | | 
| | | Of course, given the magnitude of costs of fraud, and where it may
| | | be heading in the near term, the $50 a year may be well spent,
| | | especially if it could be cut to $25 with some UI investment. It is
| | | all a question of whether you'd rather pay up front with the
| | | security apparatus or after the fact in fraud costs...
| | 
| | It may be, indeed.  You're going (as Lynn pointed out in another post)
| | to be fighting an uphill battle against the last attempts.  I don't
| | think smartcards (per se) are the answer.  What you really need is
| | something like a palm pilot, with screen and input and a reasonably
| | trustworthy OS, along with (as you say) the appropriate UI investment.
|
| You do realize that you've just come down to what the TPM guys want to
| build?  (Of course, much of the driving force behind having TPM comes
| from a rather different industry.  We're all happy when TPM can be
| used to ensure that our banking transactions actually do what the bank
| says it will do for a particular set of instructions issued by us and
| no one else, not so happy when they ensure that our "music transactions"
| act the same way....)

I don't believe that's so.  The TPM guys want to add a variety of
controls to extant PC designs to make them secure.  I want to add a
new device to the mix.

| Realistically, the only way these kinds of devices could catch on would
| be for them to be standardized.  No one would be willing to carry one
| for their bank, another for their stock broker, a third for their
| mortgage holder, a fourth for their credit card company, and so on.
| But once they *are* standardized, almost the same potential for
| undesirable uses appears as for TPMs.  What's to prevent the movie
| download service requiring that you present your Universal Safe Access
| Fob before they authorize you to watch a movie?  If the only significant
| differences between this USAF and TPM is that the latter is more
| convenient because more tightly tied to the machine, we might as well
| have the convenience.

Fair questions.  I'm sure I don't have answers.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
