Five Theses on Security Protocols

Anne & Lynn Wheeler lynn at
Mon Aug 2 13:43:23 EDT 2010

One of the other issues in the current payment paradigm ... with or without certificates ... the end-user as relying party, is frequently not in control of the risks & security measures related to their assets (fraudulent transactions against their accounts).

This shows up with what kind of fraud gets publicity (at least before the cal. state breach notification legislation) ... namely the kind that consumer has some control over ... lost/stolen cards ... and/or recognizing "add-on" ATM cash machine skimmers. There was almost no publicity about breaches and/or instances were skimmers were installed in machines at point of manufacture ... since about the only corrective action that consumers would have (in such cases), was to stop using the card altogether.

I was one of the co-authors for the financial industry X9.99 privacy standard ... and one of the most difficult concepts to get across was that the institution wasn't providing security for protecting the institutions' assets ... but providing security to provide assets of other entities (it required rethink by security departments about what was being protecting from whom ... in some cases it even required the institution to protect consumer assets from the institution itself).

We were somewhat tangentially involved in the cal. state data breach notification legislation ... having been brought in to help wordsmith the cal. state electronic signature legislation. Several of the participants were also heavily involved in privacy issues and had done in-depth, detailed consumer/public surveys ... where the number one issue came up as "identity theft" ... primarily the form involving fraudulent financial transactions ("account fraud") from information harvested in breaches. There seemed to be little or no activity in correcting problems related to breaches ... so they appeared to think that the data breach notifications might prompt corrective action (aka ... the crooks would perform fraudulent financial transactions with institutions other than the one that had the data breach ... if nothing else to put minimize LEOs determining the source of the information). As a result ... institutions having breaches experienced very little downside and any correcti
ve action was pure cost w/o any direct benefit to the institution (at least prior to data breach notification).

Part of the paradigm changes around x9.59 financial transaction standard, minimized the institutions (that had little direct interest in protecting your information) from having to protect your information. Besides "security proportional to risk" and "parameterized risk management" ... this also has the concept that the parties at risk, have increased control over the actual protection mechanisms (a security failure mode is trying to mandate for parties, with little or no vested interest/risk, be responsible for the security measures).

There is an analogy scenario in the recent financial mess ... involving environment where institutional parties were motivated to do the wrong thing. Congressional testimony pointed out that it is much more effective to change business process environment where the parties have vested interest to do the right thing ... as opposed to all the regulations in the world ... attempting to manage an environment where the parties have a vested interest to do the wrong thing.

virtualization experience starting Jan1968, online at home since Mar1970

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list