EMV and Re: mother's maiden names...

Ed Gerck edgerck at nma.com
Fri Jul 15 14:31:56 EDT 2005


Well, the "acceptable risk" concept that appears in these two
threads has for a long time been a euphemism for that business
model that shifts the burden of fraud to the customer.

The dirty little secret of the credit card industry is that they
are very happy with 10% of credit card fraud, over the Internet or not.

In fact, if they reduced fraud to _zero_ today, their revenue
would decrease, as would their profits. So, there is really no
incentive to reduce fraud. On the contrary, keeping the status
quo is just fine.
</grep_replace>
<gr_replace lines="19-24" cat="clarify" orig="This is so">
This is so because of insurance -- up to a certain level,
which is well within the operational boundaries of course,
a fraudulent transaction does not go unpaid through VISA,
American Express or Mastercard servers. The transaction is
fully paid, with its insurance cost paid by the merchant and,
ultimately, by the customer.

This is so because of insurance -- up to a certain level,
which is well  within the operational boundaries of course,
a fraudulent transaction does not go unpaid through VISA,
American Express or Mastercard servers.  The transaction is
fully paid, with its insurance cost paid by the merchant and,
ultimately, by the customer.

Thus, the credit card industry has successfully turned fraud into
a sale.  This is the same attitude reported to me by a car manufacturer
representative when I was talking to him about simple techniques
to reduce car theft -- to which he said: "A car stolen is a car sold."
In fact, a car stolen will need replacement that will be provided by
insurance or by the customer working again to buy another car.  While
the stolen car continues to generate revenue for the manufacturer
in service and parts.

Whenever we see continued fraud, we should be certain: the defrauded
is profiting from it. Because no company will accept a continued loss
without doing anything to reduce it. Arguments such as "we don't
want to reduce the fraud level because it would cost more to reduce the
fraud than the fraud costs" are just a marketing way to say that
a fraud has become a sale.

Because fraud is a hemorrhage that adds up, while efforts to fix it --
if done correctly -- are mostly an up-front cost that is incurred only
once. So, to accept fraud debits is to accept that there is also a credit
that continuously compensates the debit. Which credit ultimately flows
from the customer -- just like in car theft.

What is to blame? Not only the twisted ethics behind this attitude but
also that traditional security school of thought which focuses on risk,
surveillance and insurance as the solution to security problems.

There is no consideration of what trust really would mean in terms of
bits and machines[*], no consideration that the insurance model of
security cannot scale to Internet volumes and cannot even be ethically
justified.

"A fraud is a sale" is the only outcome possible from using such a security
school of thought. Also sometimes referred to as "acceptable risk" --
acceptable indeed, because it is paid for.

Cheers,

Ed Gerck

[*] Unless the concept of trust in communication systems is defined in
terms of bits and machines, while also making sense for humans, it really
cannot be applied to e-commerce. And there are some who use trust as a
synonym for authorization. This may work in a network, where a trusted
user is a user authorized by management to use some resources. But it
does not work across trust boundaries, or in the Internet, with no
common reporting point possible.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com