The bank fraud blame game
Adam Shostack
adam at homeport.org
Mon Jul 2 12:18:26 EDT 2007
On Sun, Jul 01, 2007 at 11:09:16PM -0400, Leichter, Jerry wrote:
| | | > > Given that all you need for this is a glorified pocket
| | | > > calculator, you could (in large enough quantities) probably get
| | | > > it made for < $10, provided you shot anyone who tried to
| | | > > introduce product-deployment DoS mechanisms like smart cards and
| | | > > EMV into the picture. Now all we need to do is figure out how
| | | > > to get there from here.
| | | >
| | | > I'd suggest starting from the deployment, training, and help desk
| | | > costs. The technology is free, getting users to use it is not. I
| | | > helped several banks look at this stuff in the late 90s, when cost
| | | > of a smartcard reader was order ~25, and deployment costs were
| | | > estimated at $100, and help desk at $50/user/year.
| | |
| | | Of course, given the magnitude of costs of fraud, and where it may
| | | be heading in the near term, the $50 a year may be well spent,
| | | especially if it could be cut to $25 with some UI investment. It is
| | | all a question of whether you'd rather pay up front with the
| | | security apparatus or after the fact in fraud costs...
| |
| | It may be, indeed. You're going (as Lynn pointed out in another post)
| | to be fighting an uphill battle against the last attempts. I don't
| | think smartcards (per se) are the answer. What you really need is
| | something like a palm pilot, with screen and input and a reasonably
| | trustworthy OS, along with (as you say) the appropriate UI investment.
|
| You do realize that you've just come down to what the TPM guys want to
| build? (Of course, much of the driving force behind having TPM comes
| from a rather different industry. We're all happy when TPM can be
| used to ensure that our banking transactions actually do what the bank
| says it will do for a particular set of instructions issued by us and
| no one else, not so happy when they ensure that our "music transactions"
| act the same way....)
I don't believe that's so. The TPM guys want to add a variety of
controls to extant PC designs to make them secure. I want to add a
new device to the mix.
| Realistically, the only way these kinds of devices could catch on would
| be for them to be standardized. No one would be willing to carry one
| for their bank, another for their stock broker, a third for their
| mortgage holder, a fourth for their credit card company, and so on.
| But once they *are* standardized, almost the same potential for
| undesirable uses appears as for TPM's. What's to prevent the movie
| download service requiring that you present your Universal Safe Access
| Fob before they authorize you to watch a movie? If the only significant
| difference between this USAF and TPM is that the latter is more
| convenient because more tightly tied to the machine, we might as well
| have the convenience.
Fair questions. I'm sure I don't have answers.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com