[FYI] Did Encryption Empower These Terrorists?

Bill Frantz frantz at pwpconsult.com
Tue Sep 25 15:08:01 EDT 2001


At 3:31 PM -0700 9/24/01, Steven M. Bellovin wrote:
>In message <v03110706b7d555f61a45@[165.247.220.34]>, Bill Frantz writes:
>>At 10:11 AM -0700 9/24/01, lynn.wheeler at firstdata.com wrote:
>>>as mentioned in the various previous references ... what is at risk  ...
>>>effectively proportional to the aggregate of the account credit limits ...
>>>for all accounts that happened to have been stored in any account master
>>>file ... is significantly larger than any particular merchant may have
>>>directly at risk because of a security breach. in the "security
>>>proportional to risk" theory .... the entity that has the risk should have
>>>control over the security measures, those security measures should be
>>>proportional to what they have at risk, and the cost of those security
>>>measures should also be proportional to the risk.
>>
>>It seems to me that because of the $50 liability limit under US law, most
>>of the risk is carried by the credit card issuers.  They are also in a
>>position to require proper security by contract with the merchant.
>>
>
>Actually, I believe it's by the merchants.  Internet transactions
>generally count as "card not present" transactions, which means that
>the merchants take the risk.

FWIW the merchant that accepts the fraudulent transaction is probably not
the one running the web site from which the credit card number was stolen.

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz           | My heart goes out to   | Periwinkle -- Consulting
(408)356-8506         | those directly affected| 16345 Englewood Ave.
frantz at pwpconsult.com | by the 9/11/01 attack. | Los Gatos, CA 95032, USA





---------------------------------------------------------------------
The Cryptography Mailing List