[Cryptography] Insecure Chip 'n' PIN starts tomorrow

Jerry Leichter leichter at lrw.com
Fri Oct 2 14:29:07 EDT 2015


> The actual security model is: the vast majority of people are honest, and so the actual systemic cost of fraud is low relative to the cost of replacing the infrastructure.  Therefore it makes more economic sense to just use a risk-pool model to pay the cost of fraud rather than replace the infrastructure.
Yes.

> This model is valid in the short term, not in the long term.  Alas, resistance to long-term thinking is not limited to the banking industry nowadays.
The model is valid *as long as the relative costs involved remain as they are today*.  There's no inherent reason what that can't be the case for a very long time.  Yes, new attacks emerge, and new defenses are fielded.  Few people remember that for many years, credit cards were accepted with no checks for fraud at all:  There was no effective way to do it, and fraud was low enough that the cost - borne by the banks -  was acceptable.  By the mid-1970's, the cost of fraud became high enough that it became worthwhile for banks to distribute paper booklets of "known fraudulent" card numbers; cashiers were trained to check them.  Initially they came out every week (I think); eventually there were new ones every day.  They eventually became unwieldy; rescue came from the availability of an on-line infrastructure and mag stripes so that checks could be made by machine.

This changed the nature of frauds from "make a fraudulent card and use it for a couple of weeks" to "clone a card and use it quickly before it gets canceled".

The important thing here is that the costs be assigned to the right party or parties.  *In the US*, the consumer is almost never on the hook for any fraudulent charges.  (They are, theoretically, in cases of negligence, but that's so hard to prove that US banks don't really try.)  Again in the US, the banks have tried to shift costs to merchants, but the political culture resists that, so what has actually happened is that the banks have rolled out new security measures and then pushed liability on merchants who don't take advantage of them.  As long as the situation remains pretty much like this, I'm perfectly happy to let the banks and, to some degree, the merchants (remember that some of them are are large and powerful as the banks) make their own security tradeoffs.

The story elsewhere in the world is different.  In England, the banks have been much more aggressive in pushing liability onto their customers - and well-documented abuses have followed.

(BTW, the history of "banks are liable" in the US is interesting.  It was *the banks themselves* that got this principle written into law, way back when credit cards were first introduced.  It was a way for them to sell the idea - to both merchants and customers - that these new-fangled credit cards were "better than cash or a check".)

                                                        -- Jerry



More information about the cryptography mailing list