Re: EMV and Re: mother's maiden names...

2005-07-16 Thread Ed Gerck


Thanks for some private comments. What I posted is a short
summary of a number of arguments. It's not an absolute position,
or an exposé of the credit card industry. Rather, it's a wake-up
call -- the time has come to really face the issues of
information security seriously, without isolating them with
insurance at the cost of the consumers. Why? Because the
insurance model will not scale as the Internet and ecommerce
do.

In other words, CardSystems Exposes 40 Million Identities
as a harbinger. Now that we know more about the facts in this
recent case, expect more to come unless we begin to improve
our security paradigm.

Yes, public opinion and credit card companies can and will
force companies that process credit card data to increase
their security. However, as my comments show, how about the
"acceptable risk" concept that turns fraud into sales?
"Do As I Say, Not As I Do"?

By weakly fighting fraud, aren't we allowing fraud systems
to become stronger and stronger, just like any biological
threat? The parasites are also fighting for survival. We're
allowing even email to be so degraded that fax and snail
mail are now becoming attractive again.

Cheers,
Ed Gerck

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: EMV [was: Re: Why Blockbuster looks at your ID.]

2005-07-15 Thread Joseph Ashwood
- Original Message - 
From: Victor Duchovni [EMAIL PROTECTED]

Subject: Re: EMV [was: Re: Why Blockbuster looks at your ID.]



Whose losses do these numbers measure?

- Issuer Bank?

- Merchant?

- Consumer?

- Total?


I'd say that you've fairly well hit the nail on the head. I've actually been 
meaning to reply to this for about a week now. The truth is that each credit 
card transaction actually has either 3 or 4 parties; User U, Merchant M, 
Credit Card Issuer CCI, and Merchant Insurer MI (this is simplified there 
are generally multiple parties under CCI).


Under legitimate circumstances the process is fairly simple; Legitimate User 
LU agrees to pay CCI, CCI already has an agreement to pay M, and M supplies 
the product/service to LU. During billing LU pays CCI, CCI pays M, everyone 
is happy.


Things are different in the case of False User FU. FU goes to M, FU agrees 
for LU to pay CCI, CCI (believing FU is LU) agrees to pay M, M supplies the 
product/service to FU. During billing is where things get strange. LU 
reports the bad transaction to CCI. CCI informs M and does not pay M. FU 
gets the product, M accepts the loss. In the normal case MI and M are the 
same entity so the buck stops there; if MI is separate from M, then MI 
reimburses M for some portion.


It's important to understand exactly who loses what when FU is in the 
picture. CCI loses the commission, generally a small flat fee on the order of 
$0.35, and a percentage, generally 2%; this is not a large amount to lose, 
and the phone call to report the problem actually costs more than is lost, 
followed by the filing and tracking of the correct paperwork; this is the 
ACTUAL loss for CCI. MI loses the cost of the product/service reimbursed. LU 
loses basically nothing except time. FU obviously gains.


The point being that expecting CCI to foot a multi-billion dollar bill to 
change the process so that MI doesn't lose the money doesn't make sense. CCI 
will only work to increase CCI's profits. It is up to MI to pay for the 
upgraded systems by working with CCI towards CCI's goals (fewer losses for MI 
also means fewer reports to CCI, so fewer losses). LU may be willing to foot 
part of the bill for the perceived improvements; CCI will only foot the 
portion that is in CCI's favor; MI will have to foot the majority of the bill 
and will only do so when it is in MI's favor. With credit card fraud 
decreasing, it is not in MI's favor to examine it at this time.
   Joe 
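The party-by-party accounting in the post above, worked through as an added example (it is not part of the thread and not anyone's production code): a small Python model of the four-party settlement that uses the fee figures the post gives ($0.35 flat plus 2%), then asks which party's avoided losses would actually cover the cost of a fix. The $25 dispute-handling cost, the sample amounts, the cost-of-goods figure and the MI reimbursement share are assumptions chosen for illustration.

```python
"""Added example, not from the thread: a toy model of the four-party card
transaction (LU/FU, M, CCI, MI) that works out each party's net position,
then asks who would rationally pay for a fix.

From the post: CCI's commission is a flat fee on the order of $0.35 plus about
2%, and handling a dispute costs CCI more than the commission it forgoes.
Assumed here (not from the post): the $25 dispute-handling figure, the sample
transaction amounts and the MI reimbursement share.
"""
from dataclasses import dataclass
from decimal import ROUND_HALF_UP, Decimal

FLAT_FEE = Decimal("0.35")             # from the post
PCT_FEE = Decimal("0.02")              # from the post
DISPUTE_HANDLING_COST = Decimal("25")  # assumed placeholder: the phone call plus the paperwork


def cents(x: Decimal) -> Decimal:
    return x.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


@dataclass(frozen=True)
class Transaction:
    amount: Decimal         # price charged to the card
    cost_of_goods: Decimal  # what M paid for the product/service it handed over
    fraudulent: bool        # True when the presenter is FU rather than LU


# Constructed sample transactions (the amounts are assumptions)
SAMPLE_LEGIT = Transaction(Decimal("100"), Decimal("60"), fraudulent=False)
SAMPLE_FRAUD = Transaction(Decimal("100"), Decimal("60"), fraudulent=True)


def settle(tx: Transaction, merchant_self_insured: bool = True,
           mi_reimburse_share: Decimal = Decimal("0.5")) -> dict:
    """Net position of each party after billing, in dollars (negative = loss)."""
    fee = cents(FLAT_FEE + PCT_FEE * tx.amount)
    net = {p: Decimal("0.00") for p in ("LU", "FU", "M", "CCI", "MI")}
    if not tx.fraudulent:
        # LU pays CCI, CCI pays M less its commission, M gives up the goods.
        net["LU"] = -tx.amount
        net["CCI"] = fee
        net["M"] = cents(tx.amount - fee - tx.cost_of_goods)
        return net
    # LU reports the charge; CCI does not pay M; FU keeps the goods.
    net["FU"] = tx.amount                        # what FU walked away with, at sale price
    net["CCI"] = -(fee + DISPUTE_HANDLING_COST)  # forgone commission plus the cost of handling the dispute
    if merchant_self_insured:
        net["M"] = -tx.cost_of_goods             # MI and M are the same entity: the buck stops at M
    else:
        reimbursed = cents(tx.cost_of_goods * mi_reimburse_share)
        net["MI"] = -reimbursed
        net["M"] = -(tx.cost_of_goods - reimbursed)
    return net


def losses_over(tx: Transaction, fraud_count: int, **kw) -> dict:
    """Total loss each party bears if fraud_count transactions shaped like tx turn out fraudulent."""
    return {p: -v * fraud_count for p, v in settle(tx, **kw).items() if v < 0}


def parties_with_incentive(losses: dict, fix_cost) -> list:
    """Parties whose avoided loss exceeds the price of a fix, i.e. who could justify paying for it alone."""
    return sorted(p for p, loss in losses.items() if loss > fix_cost)


if __name__ == "__main__":
    print("legitimate:", settle(SAMPLE_LEGIT))
    print("fraudulent:", settle(SAMPLE_FRAUD))
    losses = losses_over(SAMPLE_FRAUD, 1000)
    print("over 1000 frauds:", losses)
    print("would pay $40,000 for a fix:", parties_with_incentive(losses, 40000))
```

With the sample figures, a thousand $100 frauds cost CCI about $27k but the self-insured merchant $60k, so a $40k fix is worth it only to M, which is the post's point: the party with the cheque book is not the party that loses the most.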






Re: EMV and Re: mother's maiden names...

2005-07-15 Thread Ed Gerck

Well, the "acceptable risk" concept that appears in these two
threads has for a long time been a euphemism for that business
model that shifts the burden of fraud to the customer.

The dirty little secret of the credit card industry is that they
are very happy with 10% of credit card fraud, over the Internet or not.

In fact, if they would reduce fraud to _zero_ today, their revenue
would decrease as well as their profits. So, there is really no
incentive to reduce fraud. On the contrary, keeping the status
quo is just fine.

This is so because of insurance -- up to a certain level,
which is well  within the operational boundaries of course,
a fraudulent transaction does not go unpaid through VISA,
American Express or Mastercard servers.  The transaction is
fully paid, with its insurance cost paid by the merchant and,
ultimately, by the customer.

Thus, the credit card industry has successfully turned fraud into
a sale.  This is the same attitude reported to me by a car manufacturer
representative when I was talking to him about simple techniques
to reduce car theft -- to which he said: "A car stolen is a car sold."
In fact, a car stolen will need replacement that will be provided by
insurance or by the customer working again to buy another car.  While
the stolen car continues to generate revenue for the manufacturer
in service and parts.

Whenever we see continued fraud, we should be certain: the defrauded
is profiting from it.  Because no company will accept a continued loss
without doing anything to reduce it. Arguments such as "we don't
want to reduce the fraud level because it would cost more to reduce the
fraud than the fraud costs" are just a marketing way to say that
a fraud has become a sale.

Because fraud is a hemorrhage that adds up, while efforts to fix it --
if done correctly -- are mostly an up-front cost that is incurred only
once.  So, to accept fraud debits is to accept that there is also a credit
that continuously compensates the debit. Which credit ultimately flows
from the customer -- just like in car theft.

What is to blame? Not only the twisted ethics behind this attitude but
also that traditional security school of thought which focuses on risk,
surveillance and insurance as the solution to security problems.

There is no consideration of what trust really would mean in terms of
bits and machines[*], no  consideration that the insurance model of
security cannot scale in Internet volumes and cannot even be ethically
justifiable.

"A fraud is a sale" is the only outcome possible from using such a security
school of thought.  Also sometimes referred to as "acceptable risk" --
acceptable indeed, because it is paid for.

Cheers,

Ed Gerck

[*] Unless the concept of trust in communication systems is defined in
terms of bits and machines, while also making sense for humans, it really
cannot be applied to e-commerce. And there are some who use trust as a
synonym for authorization. This may work in a network, where a trusted
user is a user authorized by management to use some resources. But it
does not work across trust boundaries, or in the Internet, with no
common reporting point possible.



Re: EMV

2005-07-14 Thread Enzo Michelangeli
AFAIK, the cards are still the same (Sony FeliCa:
http://www.sony.net/Products/felica/): I never changed mine since I got it
several years ago. The same card was also adopted in 2002 by EZ-Link in
Singapore (http://www.ezlink.com.sg ).

Enzo

- Original Message - 
From: Anne & Lynn Wheeler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: 'Ben Laurie' [EMAIL PROTECTED]; 'Peter Fairbrother'
[EMAIL PROTECTED]; 'Florian Weimer' [EMAIL PROTECTED]; 'David
Alexander Molnar' [EMAIL PROTECTED]; 'Jörn Schmidt'
[EMAIL PROTECTED]; cryptography@metzdowd.com
Sent: Wednesday, July 13, 2005 8:55 AM
Subject: Re: EMV


 ... the original introduction of HK octopus transit card used the
 sony flavor of iso 14443 with 10cm and transit requirements of
 transaction in 100ms. having it in the bottom of a bag and bringing the
 bag within 10cm of the reader does the trick.

 there was a transit meeting where the mondex people attended ... they
 claimed that they could also be used for transit ... just get a wireless
 sleeve for the mondex card ... and build 14' long tunnels leading up to
 the transit gates ... and have the people walk slowly thru the tunnels.

 Gabriel Haythornthwaite wrote:
  In Hong Kong a lot of people do little more than wave their bags at
the
  turnstile.  Removing the wallet and revealing its size is unnecessary.






Re: EMV

2005-07-13 Thread Anne Lynn Wheeler
 ... the original introduction of HK octopus transit card used the
sony flavor of iso 14443 with 10cm and transit requirements of
transaction in 100ms. having it in the bottom of a bag and bringing the
bag within 10cm of the reader does the trick.

there was a transit meeting where the mondex people attended ... they
claimed that they could also be used for transit ... just get a wireless
sleeve for the mondex card ... and build 14' long tunnels leading up to
the transit gates ... and have the people walk slowly thru the tunnels.

Gabriel Haythornthwaite wrote:
 In Hong Kong a lot of people do little more than wave their bags at the
 turnstile.  Removing the wallet and revealing its size is unnecessary. 



Re: EMV

2005-07-12 Thread Ben Laurie

Peter Fairbrother wrote:
 Florian Weimer wrote:
  * David Alexander Molnar:
   Actually, smart cards are here today. My local movie theatre in Berkeley,
   California is participating in a trial for MasterCard PayPass. There is
   a little antenna at the window; apparently you can just wave your card at
   the antenna to pay for tickets. I haven't observed anyone using it in
   person, but the infrastructure is there right now.

  If you are interested in useful RFID applications, just visit
  Singapore. 8-) They use RFID tickets on the subway (MRT) and on
  busses, and you don't have to worry about buying the right ticket
  because the system charges you the correct amount.  However, there's
  one thing that makes me nervous: if you know the card number (which is
  printed on the cards), you can go to a web page, enter it, and obtain
  the last 20 rides during the last 3 days, without any further
  authentication.

 London Underground have a contactless system too, but it isn't used much. As
 I remember it had a similar problem, but they may have changed that.

 You take out your wallet with the card in and wave it over a palm-sized
 yellow blob on the turnstile, but you don't have to open your wallet to
 withdraw a token.

 Muggers and pickpockets keep a close eye out to see how fat your wallet is
 and where you keep it ...

Which, of course, they would never do if you were extracting money to 
buy a ticket, or showing your season ticket. Explain to me how the 
contactless system alters this risk in any way?


Cheers,

Ben.

--
ApacheCon Europe   http://www.apachecon.com/

http://www.apache-ssl.org/ben.html   http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff



RE: EMV

2005-07-12 Thread Gabriel Haythornthwaite
In Hong Kong a lot of people do little more than wave their bags at the
turnstile.  Removing the wallet and revealing its size is unnecessary. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Ben Laurie
 Sent: Tuesday, 12 July 2005 8:14 PM
 To: Peter Fairbrother
 Cc: Florian Weimer; David Alexander Molnar; Jörn Schmidt; 
 cryptography@metzdowd.com
 Subject: Re: EMV
 
 Peter Fairbrother wrote:
  Florian Weimer wrote:
  
  
 * David Alexander Molnar:
 
 
 Actually, smart cards are here today. My local movie theatre in 
 Berkeley, California is participating in a trial for MasterCard 
 PayPass. There is a little antenna at the window; 
 apparently you can 
 just wave your card at the antenna to pay for tickets. I haven't 
 observed anyone using it in person, but the infrastructure 
 is there right now.
 
 If you are interested in useful RFID applications, just visit 
 Singapore. 8-) They use RFID tickets on the subway (MRT) and on 
 busses, and you don't have to worry about buying the right ticket 
 because the system charges you the correct amount.  
 However, there's 
 one thing that makes me nervous: if you know the card 
 number (which is 
 printed on the cards), you can go to a web page, enter it, 
 and obtain 
 the last 20 rides during the last 3 days, without any further 
 authentication.
  
  
  London Underground have a contactless system too, but it isn't used 
  much. As I remember it had a similar problem, but they may 
 have changed that.
  
  You take out your wallet with the card in and wave it over a 
  palm-sized yellow blob on the turnstile, but you don't have to open 
  your wallet to withdraw a token.
  
  Muggers and pickpockets keep a close eye out to see how fat your 
  wallet is and where you keep it ...
 
 Which, of course, they would never do if you were extracting 
 money to buy a ticket, or showing your season ticket. Explain 
 to me how the contactless system alters this risk in any way?
 
 Cheers,
 
 Ben.
 
 -- 
  ApacheCon Europe   http://www.apachecon.com/
 
 http://www.apache-ssl.org/ben.html   http://www.thebunker.net/
 
 There is no limit to what a man can do or how far he can go 
 if he doesn't mind who gets the credit. - Robert Woodruff
 
 




Re: EMV

2005-07-11 Thread Perry E. Metzger

David Alexander Molnar [EMAIL PROTECTED] writes:
 On Sat, 9 Jul 2005, Jörn Schmidt wrote:

 less attractive to commit credit card fraud. You are, however, not
 making it harder. That's why I believe the credit cards companies will
 indeed have a good, long look at smartcards. Probably not tomorrow or
 next week but in the near future.

 Actually, smart cards are here today. My local movie theatre in
 Berkeley, California is participating in a trial for MasterCard
 PayPass. There is a little antenna at the window; apparently you can
 just wave your card at the antenna to pay for tickets. I haven't
 observed anyone using it in person, but the infrastructure is there
 right now.

The contactless systems provide almost zero added user
convenience. They're a nice marketing hack by the RFID crowd, but
nearly nothing more. Users do not mind withdrawing a token from their
wallet and inserting it momentarily into a reader.

However, the contactless systems also provide a nice new mechanism for
fraud, and with the increasing feasibility of phased array systems,
that fraud may soon be possible at considerable distances.

So, we've gained very little, other than a nice new app for RFID (RFID
being a large scale solution waiting for problems), but at the same
time we've lost quite a bit.

-- 
Perry E. Metzger    [EMAIL PROTECTED]



Re: EMV

2005-07-11 Thread Florian Weimer
* David Alexander Molnar:

 Actually, smart cards are here today. My local movie theatre in Berkeley, 
 California is participating in a trial for MasterCard PayPass. There is 
 a little antenna at the window; apparently you can just wave your card at 
 the antenna to pay for tickets. I haven't observed anyone using it in 
 person, but the infrastructure is there right now.

If you are interested in useful RFID applications, just visit
Singapore. 8-) They use RFID tickets on the subway (MRT) and on
busses, and you don't have to worry about buying the right ticket
because the system charges you the correct amount.  However, there's
one thing that makes me nervous: if you know the card number (which is
printed on the cards), you can go to a web page, enter it, and obtain
the last 20 rides during the last 3 days, without any further
authentication.  It's a system where contactless readers make a lot of
sense, though.

 Here's the MasterCard fact sheet about PayPass:
 http://www.paypass.com/fact_sheet.html

In Germany, we have got something even better: digital cash
(Geldkarte).  The system is rather old, so it doesn't use contactless
smartcards, and it was never accepted by customers and merchants.  I'm
not even sure if it's still usable.  I own one or two of the
smartcards, but I don't think I've ever used them. 8-/
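The lookup described above (a card number printed on the card being the only thing needed to pull its ride history) is a pattern worth showing beside its fix. What follows is an added Python example, not part of the thread and not the transit operator's code: a weak lookup in that shape next to a hardened one that requires a holder-chosen PIN that is not on the card, locks the card after repeated failures, and answers unknown, locked and wrong-PIN requests identically. The card numbers, rides, PINs, the lockout threshold and the function names are constructed for the example.

```python
"""Added example, not from the thread: a ride-history lookup in the weak shape
described in the post (the printed card number is the only credential) next to
a hardened version. All card numbers, rides, PINs and the lockout threshold are
constructed sample values; the functions are hypothetical, not an operator's API.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

HISTORY_WINDOW = 3 * 24 * 3600   # "the last 3 days", in seconds
HISTORY_MAX = 20                 # "the last 20 rides"
MAX_FAILED_ATTEMPTS = 5          # assumed lockout threshold
PBKDF2_ROUNDS = 50_000           # assumed work factor for the stored PIN hash

NOW = 1_120_000_000  # constructed "current time" so the example is deterministic and offline

# Constructed sample data: card number -> rides as (unix time, station)
RIDES = {
    "0123456789": [
        (NOW - 4 * 86400, "Jurong East"),   # older than the 3-day window, never returned
        (NOW - 3600, "Bugis"),
        (NOW - 600, "Raffles Place"),
    ],
}


def recent_rides(card_number: str, now: int = NOW) -> list:
    """The data both versions serve: at most HISTORY_MAX rides within HISTORY_WINDOW of now."""
    cutoff = now - HISTORY_WINDOW
    rides = sorted(r for r in RIDES.get(card_number, []) if r[0] >= cutoff)
    return rides[-HISTORY_MAX:]


def lookup_weak(card_number: str) -> list:
    """The pattern in the post: an identifier printed on the card is the only credential,
    so anyone who has seen the card can read its history."""
    return recent_rides(card_number)


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def register(card_number: str, pin: str, accounts: dict) -> None:
    """The holder picks a secret that is not printed on the card; only its salted hash is stored."""
    salt = os.urandom(16)
    accounts[card_number] = Account(salt, _hash_pin(pin, salt))


def lookup_hardened(card_number: str, pin: str, accounts: dict,
                    now: int = NOW) -> Optional[list]:
    """Returns the history only for a registered, unlocked card with the right PIN; every
    other case gets the same None, so the response does not reveal which check failed."""
    acct = accounts.get(card_number)
    if acct is None or acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return None
    if not hmac.compare_digest(_hash_pin(pin, acct.salt), acct.pin_hash):
        acct.failed_attempts += 1   # counted per card, so guessing is capped whatever the client does
        return None
    acct.failed_attempts = 0
    return recent_rides(card_number, now)


if __name__ == "__main__":
    accounts = {}
    register("0123456789", "4321", accounts)
    print("weak, no secret needed:  ", lookup_weak("0123456789"))
    print("hardened, wrong PIN:     ", lookup_hardened("0123456789", "0000", accounts))
    print("hardened, right PIN:     ", lookup_hardened("0123456789", "4321", accounts))
```

The design point is that the card number is an identifier, not a secret: it is printed on the card, shown at every gate and easy to enumerate, so it cannot carry the authentication on its own. The hardened version adds a secret the holder chooses, stores it only as a salted PBKDF2 hash, compares in constant time, and counts failures per card rather than per client.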



Re: EMV [was: Re: Why Blockbuster looks at your ID.]

2005-07-11 Thread astiglic


 On Sat, 9 Jul 2005, Jörn Schmidt wrote:

 less attractive to commit credit card fraud. You are, however, not
 making it harder. That's why I believe the credit cards companies will
 indeed have a good, long look at smartcards. Probably not tomorrow or
 next week but in the near future.

 Actually, smart cards are here today. My local movie theatre in Berkeley,
 California is participating in a trial for MasterCard PayPass. There is
 a little antenna at the window; apparently you can just wave your card at
 the antenna to pay for tickets. I haven't observed anyone using it in
 person, but the infrastructure is there right now.

Interesting, they have a card (smart card)? and key fob version.  I hope
their key fob version is not as insecure as the SpeedPass RFID transponder
token used by Exxon/Esso, which has recently been broken
http://rfidanalysis.org/
The SpeedPass implemented an authentication algorithm (I think it was a
CRC-like challenge response based on a secret that defined the polynomial
used) based on a 40-bit key.  Bono et al. figured out the algorithm (based
on a patent, which described the algorithm generically, they figured out
the constants that were chosen).
The question is why did they use a 40-bit secret?  Is there some
technological constraint preventing the use of something better?

The other thing is that many of the smart cards also have a magnetic
strip, so your security level is as strong as the weakest point (magnetic
stripe type payments).  Until all the cards are smart cards, readers will
accept both types.

--Anton






Re: EMV

2005-07-11 Thread Peter Fairbrother
Florian Weimer wrote:

 * David Alexander Molnar:
 
 Actually, smart cards are here today. My local movie theatre in Berkeley,
 California is participating in a trial for MasterCard PayPass. There is
 a little antenna at the window; apparently you can just wave your card at
 the antenna to pay for tickets. I haven't observed anyone using it in
 person, but the infrastructure is there right now.
 
 If you are interested in useful RFID applications, just visit
 Singapore. 8-) They use RFID tickets on the subway (MRT) and on
 busses, and you don't have to worry about buying the right ticket
 because the system charges you the correct amount.  However, there's
 one thing that makes me nervous: if you know the card number (which is
 printed on the cards), you can go to a web page, enter it, and obtain
 the last 20 rides during the last 3 days, without any further
 authentication.  

London Underground have a contactless system too, but it isn't used much. As
I remember it had a similar problem, but they may have changed that.

You take out your wallet with the card in and wave it over a palm-sized
yellow blob on the turnstile, but you don't have to open your wallet to
withdraw a token. 

Muggers and pickpockets keep a close eye out to see how fat your wallet is
and where you keep it ...


-- 
Peter Fairbrother




Re: EMV [was: Re: Why Blockbuster looks at your ID.]

2005-07-09 Thread Victor Duchovni
On Fri, Jul 08, 2005 at 03:48:30PM -0400, [EMAIL PROTECTED] wrote:

  We're on the order of 4.7 cents on the $100.
 
 
 Interesting statistics.
 Seems like it's the same thing in Canada
 http://www.rcmp.ca/scams/ccandpc_e.htm
 Reported $227M in credit card fraud in 1999, dropped to $200M in 2003.
 

Whose losses do these numbers measure?

- Issuer Bank?

- Merchant?

- Consumer?

- Total?

-- 

 /\  ASCII RIBBON                        NOTICE: If received in error,
 \ / CAMPAIGN       Victor Duchovni      please destroy and notify
  X  AGAINST        IT Security,         sender. Sender does not waive
 / \ HTML MAIL      Morgan Stanley       confidentiality or privilege,
                                         and use is prohibited.



Re: EMV [was: Re: Why Blockbuster looks at your ID.]

2005-07-09 Thread J
--- [EMAIL PROTECTED] wrote:

[decline in credit card fraud]
 Interesting statistics.

[...]

 But these are still considerable numbers, [...]

I totally agree. And I would just like to make a quick point: the
credit card companies (especially Visa/Mastercard) have been very
aggressive in fraud prevention in the last ten years. 

And I don't mean algorithms that detect unusual activity and flag a
card, thereby prompting your bank to call and verify that the
charges are good. They've been doing that for years, if not decades.

No, I mean literally detective work -- tracking people down, having
their sites closed and bank accounts frozen and actually pushing to
have people prosecuted. They have been quite active, trying to recruit
people in the law enforcement community and offering handsome salaries.


The whole thing works based on the premise that there are a lot of
small-time gangsters at any given time but only a few big fish. And if
you can increase the cost of doing business (either in terms of making
credit fraud more expensive or in terms of increasing the likelihood to
get caught) you can basically justify the expense of running a big
anti-fraud unit.

But, in a way, that's only dealing with the symptoms, whilst at the
same time ignoring the root cause of the problem. You're only making it
less attractive to commit credit card fraud. You are, however, not
making it harder. That's why I believe the credit cards companies will
indeed have a good, long look at smartcards. Probably not tomorrow or
next week but in the near future. 

  -Jörn

