The bank fraud blame game

Adam Shostack adam at homeport.org
Sun Jul 1 17:32:20 EDT 2007


On Sun, Jul 01, 2007 at 04:01:03PM -0400, Perry E. Metzger wrote:
| 
| Adam Shostack <adam at homeport.org> writes:
| > On Mon, Jul 02, 2007 at 01:08:12AM +1200, Peter Gutmann wrote:
| > > 
| > > Given that all you need for this is a glorified pocket calculator,
| > > you could (in large enough quantities) probably get it made for <
| > > $10, provided you shot anyone who tried to introduce
| > > product-deployment DoS mechanisms like smart cards and EMV into
| > > the picture.  Now all we need to do is figure out how to get there
| > > from here.
| >
| > I'd suggest starting from the deployment, training, and help desk
| > costs.  The technology is free, getting users to use it is not.  I
| > helped several banks look at this stuff in the late 90s, when cost of
| > a smartcard reader was order ~25, and deployment costs were estimated
| > at $100, and help desk at $50/user/year.
| 
| Of course, given the magnitude of costs of fraud, and where it may be
| heading in the near term, the $50 a year may be well spent, especially
| if it could be cut to $25 with some UI investment. It is all a
| question of whether you'd rather pay up front with the security
| apparatus or after the fact in fraud costs...

It may be, indeed.  You're going (as Lynn pointed out in another post)
to be fighting an uphill battle against the last attempts.  I don't
think smartcards (per se) are the answer.  What you really need is
something like a Palm Pilot, with screen and input and a reasonably
trustworthy OS, along with (as you say) the appropriate UI investment.

Adam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


