Rubber hose attack

lynn.wheeler at firstdata.com
Fri Nov 2 18:21:37 EST 2001


slight clarification .... while consumers don't directly pay the
transaction fees ... whatever fees that the merchants directly pay ... show
up in prices that come out of consumers' pocket-book ... which they do pay
... as well as various & sundry fees that consumers pay to their issuing
bank as part of various credit related fees & charges.

part of the issue has always been would the procedures to lower fraud
cost more than the fraud they were limiting. Two things have been happening
... the cost of technology has in general been coming down rapidly ... both
the cost of technology needed to limit fraud as well as the cost of
technology for various kinds of fraud & counterfeiting (which tends to
increase the amount of fraud).

misc threads on the subject
http://www.garlic.com/~lynn/aadsm5.htm#spki2 Simple PKI
http://www.garlic.com/~lynn/aadsm6.htm#terror14 [FYI] Did Encryption
Empower These Terrorists? (addenda to chargebacks)
http://www.garlic.com/~lynn/aadsm7.htm#auth2 Who or what to authenticate?
(addenda)
http://www.garlic.com/~lynn/aadsmore.htm#schneier Schneier: Why Digital
Signatures are not Signatures (was Re :CRYPTO-GRAM, November 15, 2000)
http://www.garlic.com/~lynn/aepay6.htm#ccfraud2 "out of control credit card
fraud"
http://www.garlic.com/~lynn/aepay6.htm#ccfraud3 "out of control credit card
fraud"
http://www.garlic.com/~lynn/aepay7.htm#fakeid Fake IDs swamp police
http://www.garlic.com/~lynn/2000f.html#64 Cryptogram Newsletter is off the
wall?
http://www.garlic.com/~lynn/2001c.html#47 PKI and Non-repudiation
practicalities
http://www.garlic.com/~lynn/2001c.html#73 PKI and Non-repudiation
practicalities
http://www.garlic.com/~lynn/2001f.html#40 Remove the name from credit
cards!
http://www.garlic.com/~lynn/2001i.html#26 No Trusted Viewer possible?
http://www.garlic.com/~lynn/2001j.html#7 No Trusted Viewer possible?
http://www.garlic.com/~lynn/2001j.html#9 E-commerce security????

credit has enjoyed quite a bit of market penetration in terms of internet
transactions ... in part because it was relatively simple to adopt the
existing MOTO-model to the internet

http://www.garlic.com/~lynn/aadsm5.htm#asrn2 Assurance, e-commerce, and
some x9.59 ... fyi
http://www.garlic.com/~lynn/aadsm5.htm#asrn3 Assurance, e-commerce, and
some x9.59 ... fyi
http://www.garlic.com/~lynn/aadsm5.htm#asrn1 Assurance, e-commerce, and
some x9.59 ... fyi
http://www.garlic.com/~lynn/2001i.html#52 loosely-coupled, sysplex,
cluster, supercomputer & electronic commerce

however, x9.59 which had a requirement to preserve the integrity for all
account-based transactions in all environments with only authentication ...
also opens up other payment methods to the internet (as well as general
ability to reduce fraud)

http://internetcouncil.nacha.org/Projects/ISAP_Results/isap_results.htm
NACHA AADS results!!
http://www.garlic.com/~lynn/index.html#aads

with regard to rubber hose attack ... there is an issue of ROI (assuming
a rubber hose attack has some rational financial motivation as opposed to
something akin to random violence) ... i.e. effort to mount the attack
vis-a-vis reward in return. The discussion of stealing a web merchant
credit card master file may have a relatively modest investment but result
in several hundred thousand account numbers for which fraudulent
transactions can be executed against.  The claim is that ROI for rubber
hose attacks would preclude the majority of rational financial motivation ...
aka there would be other attacks with significantly better ROI. While
rubber hose attacks might never totally disappear ... the amount of fraud
from such events will be very small.

misc. past threads in the area:
http://www.garlic.com/~lynn/aadsm6.htm#websecure merchant web server
security
http://www.garlic.com/~lynn/aadsm6.htm#terror3 [FYI] Did Encryption Empower
These Terrorists?
http://www.garlic.com/~lynn/aadsm6.htm#terror4 [FYI] Did Encryption Empower
These Terrorists?
http://www.garlic.com/~lynn/aadsm6.htm#pcards The end of P-Cards?
http://www.garlic.com/~lynn/aadsm6.htm#pcards3 The end of P-Cards?
(addenda)
http://www.garlic.com/~lynn/aepay7.htm#netbank2 net banking, is it safe??
... security proportional to risk
http://www.garlic.com/~lynn/aepay7.htm#netsecure some recent threads on
netbanking & e-commerce security
http://www.garlic.com/~lynn/aepay7.htm#3dsecure2 3D Secure Vulnerabilities?
Photo ID's and Payment Infrastructure
http://www.garlic.com/~lynn/aepay7.htm#3dsecure3 financial payment
standards ... finger slip
http://www.garlic.com/~lynn/2001c.html#42 PKI and Non-repudiation
practicalities
http://www.garlic.com/~lynn/2001c.html#54 PKI and Non-repudiation
practicalities
http://www.garlic.com/~lynn/2001h.html#61 Net banking, is it safe???
http://www.garlic.com/~lynn/2001h.html#67 Would this type of credit card
help online shopper to feel more secure?
http://www.garlic.com/~lynn/2001i.html#53 Credit Card # encryption
http://www.garlic.com/~lynn/2001i.html#57 E-commerce security????
http://www.garlic.com/~lynn/2001j.html#2 E-commerce security????
http://www.garlic.com/~lynn/2001j.html#5 E-commerce security????
http://www.garlic.com/~lynn/2001j.html#44 Does "Strong Security" Mean
Anything?
http://www.garlic.com/~lynn/2001k.html#55 I-net banking security
http://www.garlic.com/~lynn/2001l.html#2 Why is UNIX semi-immune to viral
infection?


some more general threads:
http://www.garlic.com/~lynn/subtopic.html#fraud
http://www.garlic.com/~lynn/subtopic.html#privacy


Johne37179 at aol.com on 11/02/2001 1:25 PM wrote:



In a message dated 11/2/01 2:03:05 PM, rick_smith at securecomputing.com
writes:

<< Of course. But this hasn't prevented people from acquiring and using
credit
cards. More to the point, it hasn't prevented the merchants, banks, and
credit card issuers from maintaining and promoting this imperfect system.
This would suggest that the losses from fraud (which customers don't pay,
at least not here in the US) are amply covered by the income they bring in.

This sounds to me like a system that "works" in a practical sense. >>

In good times when a 5% loss factor disappeared in the profits it didn't
matter. In times when every penny is being squeezed (Airlines), and fraud
seems to have doubled, the risk management view may have changed.



John Ellingson
CEO
Edentification, Inc.
608.833.6261






---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com



