Lack of fraud reporting paths considered harmful.

John Ioannidis ji at tla.org
Fri Jan 25 18:11:56 EST 2008


Perry E. Metzger wrote:
> 
> That's not practical. If you're a large online merchant, and your
> automated systems are picking up lots of fraud, you want an automated
> system for reporting it. Having a team of people on the phone 24x7
> talking to your acquirer and reading them credit card numbers over the
> phone, and then expecting the acquirer to do something with them when
> they don't have an automated system either, is just not reasonable.
> 
> 

But how can the issuer know that the merchant's fraud detection systems 
work, for any value of "work"? This could just become one more avenue 
for denial of service, where a hacked online merchant suddenly reports 
millions of cards as compromised.  I'm sure there is some interesting 
work to be done here.

/ji

---------------------------------------------------------------------
The Cryptography Mailing List