Lack of fraud reporting paths considered harmful.

Perry E. Metzger perry at piermont.com
Sun Jan 27 16:58:41 EST 2008 

Ian G <iang at systemics.com> writes:
> There is a philosophical problem with suggesting an automated protocol
> method for reporting fraud, in that one might be better off ... fixing
> the underlying fraud.

Lets say you're a big company like Amazon or someone similar. You're
pretty sure someone is trying to use a stolen credit card. How do you
"fix" the underlying fraud? Last I checked, Amazon had no police
force. Lets say that the miscreants are in any one of several Eastern
European countries. Even reporting the fraud to the police in the
originating country won't "fix" it because the foreign police will do
absolutely nothing.

Perhaps you argue that the credit card system itself is flawed. I
agree, but as a company like Amazon you're not in a position to fix
that, either.

The point of providing a feedback channel is so the issuing bank can
be alerted to an attempted fraud, call the customer, say "hi, did you
try to buy a container consumer electronics and have it shipped to
Belarus", hear back "no", and issue a new credit card. This is done
right now when the issuing bank notices suspicious activity, but there
is a hole in the system in which a merchant might refuse a suspicious
charge and yet have no way of telling the issuing bank about it.

The call-the-customer-and-reissue mechanism is a mediocre solution to
the fraud problem, but it is the one we have these days. As it stands,
a merchant can't easily tell the issuing bank that it should have a
look to see if a card is being used fraudulently, so the merchant can
know that something weird is happening but the issuing bank can remain
ignorant. This is not a good situation. That is why a feedback path
would be of use.

I had long assumed such a feedback path already existed, and I was
rather shocked to discover it did not.

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list