[FYI] Did Encryption Empower These Terrorists?

Eric Murray ericm at lne.com
Tue Sep 25 12:29:02 EDT 2001


On Tue, Sep 25, 2001 at 09:45:19PM +0800, Enzo Michelangeli wrote:
> ----- Original Message -----
> From: "Steven M. Bellovin" <smb at research.att.com>
> To: "Bill Frantz" <frantz at pwpconsult.com>
> Cc: <lynn.wheeler at firstdata.com>; "Ben Laurie" <ben at algroup.co.uk>;
> <cryptography at wasabisystems.com>
> Sent: Tuesday, September 25, 2001 6:31 AM
> Subject: Re: [FYI] Did Encryption Empower These Terrorists?
> 
> 
> > In message <v03110706b7d555f61a45@[165.247.220.34]>, Bill Frantz writes:
> [...]

[..]

> > Actually, I believe it's by the merchants.  Internet transactions
> > generally count as "card not present" transactions, which means that
> > the merchants take the risk.
 
[..]

> This is actually the second attempt at solving this problem: offering
> chargeback protection to merchants was the main attraction of SET, and
> merchants and their acquiring banks were also ready to pay for it. However,
> it was so inconvenient for the cardholders that they avoided SET-enabled
> e-tailers like the plague...


Actually SET wasn't all that inconvenient for cardholders.
There was a registration (cert issuance) stage.  After that
it was pretty much invisible, except that you used a 'wallet'
rather than typing in your CC number.  Of course finding an actual
SET merchant was nearly impossible, and finding one that was
selling something interesting was impossible.


What killed SET was:

-SETco charging a huge amount of $$$ for standards, compliance testing, etc.
 This was rough on small companies, who were doing most of the
 actual implementation.

-very complicated standards which were difficult to understand, let
 alone implement or do a security review on.  (the docs were decent, it's
 just that the standard was so much more complex than was required)

-a (valid) perception that MC/Visa owned the standard and could (and did)
 change it capriciously, then demand that implementers follow suit.

-Visa/MC didn't want it to succeed.


After working with SET for a couple years and attending numerous SET
meetings, I figured out that the people running SET (not the technical
folks, but their masters) weren't as incompetent at getting a standard done
as it appeared.  Rather, they were purposefully sabotaging it. SET was
meant as a counter to Cybercash and Mondex.  Those didn't go anywhere,
so SET wasn't required.  The current situation (CCs over SSL)
makes MC/Visa a lot more money than SET would since they're all
card-not-present transactions charged at high rates.


Eric



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com



