Lack of fraud reporting paths considered harmful.
John Ioannidis
ji at tla.org
Fri Jan 25 18:11:56 EST 2008
Perry E. Metzger wrote:
>
> That's not practical. If you're a large online merchant, and your
> automated systems are picking up lots of fraud, you want an automated
> system for reporting it. Having a team of people on the phone 24x7
> talking to your acquirer and reading them credit card numbers over the
> phone, and then expecting the acquirer to do something with them when
> they don't have an automated system either, is just not reasonable.
>
>
But how can the issuer know that the merchant's fraud detection systems
work, for any value of "work"? This could just become one more avenue
for denial of service, where a hacked online merchant suddenly reports
millions of cards as compromised. I'm sure there is some interesting
work to be done here.
/ji
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list