when a fraud is a sale, Re: Rubber hose attack

lynn.wheeler at firstdata.com lynn.wheeler at firstdata.com
Mon Nov 5 11:44:18 EST 2001


slight aside, in beginning security basics end-to-end typically means that
an authorization or service message request ..... originates with the
requester and has been secured with authentication and/or encryption of the
requester and travels end-to-end from the requester to the service entity
... which first validates the authorization/service request (based on the
end-to-end authentication and/or encryption from the requester) and then
returns an authorization or some other indication that the service is
performed.

most beginning security basics teach that if an authorization and/or service
request does not have end-to-end security and/or integrity then the design
is fundamentally flawed and opportunities for fraud are created.
An example is that in SET, the card-holder/consumer's authentication
information was stripped off at some random internet gateway and a flag
inserted in an otherwise normal iso 8583 financial transaction message
claiming that digital signature authentication had been performed. A year
or so after SET pilots were in operation, somebody from VISA gave a
presentation at some ISO meeting in europe detailing the percentage of iso
8583 messages where the "authenticated" flag had been turned on by some
entity (and for which the consumer's issuing bank was now supposed to base
various business processes and decisions) and they could positively show
that no internet payment and/or any other form of digital signature
authentication was involved (aka no end-to-end integrity and/or security).

in the account-based financial transaction ... the requestor is the
card-holder/consumer and the authorization or service entity is the
card-holder's financial institution.


From: JohnE37179 at aol.com
Date: 11/05/2001 08:49 AM
To: rick_smith at securecomputing.com, egerck at nma.com, JohnE37179 at aol.com
cc: lynn.wheeler at firstdata.com, cryptography at wasabisystems.com, Jason.Gruber at btinternet.com, vertigo at panix.com
Subject: Re: when a fraud is a sale, Re: Rubber hose attack

In a message dated 11/5/01 9:41:44 AM, rick_smith at securecomputing.com
writes:

<< On one hand I'm tempted to read this as a plea for some absolute
notion of security, but somehow I don't think that's really what
you're saying. >>

Rick, my point is that VISA and to a slightly lesser extent, MC, have built a
model just as you describe: send the money, but we don't take any risk.

I tend to agree with you that we should extend the meaning of end-to-end to
mean user-to-user, instead of device or token-to-token.

John
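
The SET/ISO 8583 failure Lynn describes above, as an added illustration that is not code from either message or from SET itself: a simplified authorization request is authenticated by the requester with a key only the cardholder's device and the issuer hold (an HMAC stands in for the SET digital signature), an intermediary gateway strips that authentication and merely asserts an "authenticated" flag, and the issuer either trusts the flag or verifies end-to-end. The audit function reports, as VISA did, the share of flagged messages that carry no verifiable authentication. All names, field layouts and key values are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed demo key: shared only between the cardholder's device and the issuer.
# The PAN value is a labelled placeholder, not a real account number.
ISSUER_KEYS = {"PAN-PLACEHOLDER-0001": b"constructed-demo-key"}

def _canonical(body):
    return json.dumps(body, sort_keys=True).encode()

def cardholder_request(pan, amount, merchant):
    """Requester builds the request and authenticates it end-to-end for the issuer."""
    body = {"pan": pan, "amount": amount, "merchant": merchant}
    tag = hmac.new(ISSUER_KEYS[pan], _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "auth": tag}

def gateway_forward(msg):
    """The intermediary gateway in Lynn's account: drops the requester's
    authentication and inserts a flag claiming authentication was performed."""
    fwd = {k: v for k, v in msg.items() if k != "auth"}
    fwd["authenticated_flag"] = True
    return fwd

def issuer_trusts_flag(msg):
    """Flawed issuer policy: act on an intermediary's assertion."""
    return msg.get("authenticated_flag") is True

def issuer_verifies_end_to_end(msg):
    """Sound issuer policy: recompute the requester's authentication itself."""
    key = ISSUER_KEYS.get(msg.get("pan"))
    tag = msg.get("auth")
    if key is None or tag is None:
        return False
    body = {k: v for k, v in msg.items() if k not in ("auth", "authenticated_flag")}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def audit_flag_without_auth(messages):
    """Fraction of flagged messages with no verifiable end-to-end authentication."""
    flagged = [m for m in messages if m.get("authenticated_flag") is True]
    if not flagged:
        return 0.0
    bogus = [m for m in flagged if not issuer_verifies_end_to_end(m)]
    return len(bogus) / len(flagged)
```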

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com