On Fri, Jul 08, 2005 at 01:16:13PM -0400, Perry E. Metzger wrote:
|
| Dan Kaminsky [EMAIL PROTECTED] writes:
| Credit card fraud has gone *down* since 1992, and is actually falling:
|
| 1992: $2.6B
| 2003: $882M
| 2004: $788M
|
| We're on the order of 4.7 cents on the $100.
|
|
May we see the back of that envelope? Upgrade to EMV (chip PIN) here
in UK reportedly costs around 1.1 billion pounds (around $1.9
billion), and that is simply an upgrade to the existing infrastructure
and only in a single country. To fundamentally change the system would
require tens of billions
Adam Shostack [EMAIL PROTECTED] writes:
I think those numbers are misleading. The FTC reports ID theft as a
$50B problem, but I haven't seen that broken down by vector. I
suspect most of it is CC (rather than cheque, mortgage/line of
credit/auto loan), but have no data.
If you or anyone
Jerrold Leichter [EMAIL PROTECTED] writes:
In doing this calculation, be careful about the assumptions you make
about how effective the countermeasures will be. The new systems
may be more secure, but people will eventually come up with ways to
break them. The history of security measures
There's been a lot of discussion about how to strengthen cryptography
and authentication, to get away from problems of phishing, pharming,
etc. But such approaches can take you only so far, as this link
indicates:
http://www.lurhq.com/grams.html
Briefly, it's a Trojan that waits for you to
At 1:16 PM -0400 7/8/05, Perry E. Metzger wrote:
I seem to have gotten that one drastically wrong. Thanks for the
more accurate figures.
Don't worry. I would bet that identity theft will more than make up for it
soon enough, as transaction settlement times converge to instantaneity.
*That's*
Dan Kaminsky [EMAIL PROTECTED] writes:
Credit card fraud has gone *down* since 1992, and is actually falling:
1992: $2.6B
2003: $882M
2004: $788M
We're on the order of 4.7 cents on the $100.
Interesting statistics.
Seems like it's the same thing in Canada
Jerrold Leichter wrote:
| Credit card fraud has gone *down* since 1992, and is actually falling:
|
| 1992: $2.6B
| 2003: $882M
| 2004: $788M
|
| We're on the order of 4.7 cents on the $100.
|
|
http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm
|
The
3rd International IEEE Security in Storage Workshop
December 13, 2005
Golden Gate Holiday Inn, San Francisco, California USA
Sponsored by the IEEE Computer Society
Task Force on Information Assurance (TFIA)
Part of the IEEE Information Assurance Activities (IEEEIA)
Held In Cooperation and
It would seem simple to thwart such a trojan with strong authentication
simply by requiring a second one-time passcode to validate the
transaction itself in addition to the session.
Steven M. Bellovin wrote:
There's been a lot of discussion about how to strengthen cryptography
and
On Fri, Jul 08, 2005 at 03:48:30PM -0400, [EMAIL PROTECTED] wrote:
We're on the order of 4.7 cents on the $100.
Interesting statistics.
Seems like it's the same thing in Canada
http://www.rcmp.ca/scams/ccandpc_e.htm
Reported $227M in credit card fraud in 1999, dropped to $200M in 2003.
In message [EMAIL PROTECTED], John Levine writes:
Why does the clerk at Blockbuster want to see your driver's license?
Because his management has been told, by their bank, that if they do
not attempt to verify the identity of credit card users they will
risk their business relationship with the
In message [EMAIL PROTECTED], Nick Owen writes:
It would seem simple to thwart such a trojan with strong authentication
simply by requiring a second one-time passcode to validate the
transaction itself in addition to the session.
How does the user know which transaction is really being
To validate the transaction, a receipt could be sent to the user
encrypted by the server's public key. If the receipt is correct, the
user enters their PIN to 'sign' the transaction.
I'm assuming an asymmetric authentication system here outside the
browser. The attacker would have to steal the
I was in England last week where I noticed that the banks are
switching all UK credit cards to chip+pin technology. We'll see.
For that matter, French cards have all been chip+pin for years.
Any idea what their fraud rates are like? The French card machines
will do magstripe with a
Steven M. Bellovin wrote:
There's been a lot of discussion about how to strengthen cryptography
and authentication, to get away from problems of phishing, pharming,
etc. But such approaches can take you only so far, as this link
indicates:
http://www.lurhq.com/grams.html
Briefly, it's a
* Steven M. Bellovin:
In message [EMAIL PROTECTED], Nick Owen writes:
It would seem simple to thwart such a trojan with strong authentication
simply by requiring a second one-time passcode to validate the
transaction itself in addition to the session.
How does the user know which transaction
--- [EMAIL PROTECTED] wrote:
[decline in credit card fraud]
Interesting statistics.
[...]
But these are still considerable numbers, [...]
I totally agree. And I would just like to make a quick point: the
credit card companies (especially Visa/Mastercard) have been very
aggressive in fraud
FTR, e-gold were aware of the general makeup of this
threat since 1998 and asked someone to look at it. The
long and the short was that it was more difficult to solve
than at first claimed, so the project was scrapped. This
was a good risk-based decision. The first trojans that I
know of for
* Perry E. Metzger:
[EMAIL PROTECTED] writes:
But nevertheless, I do not understand why Americans are so afraid of
an ID card.
Perhaps I can explain why I am.
I do not trust governments. I've inherited this perspective. My
grandfather sent his children abroad from Speyer in Germany just
Florian Weimer [EMAIL PROTECTED] writes:
I share your general concern, but it's not the ID cards which worry
me. After all, forgeable passports are only a very, very weak form of
defense in an age of non-invasive biometric applications which operate
in real-time. (I know, we aren't quite
I think that the cost of two-factor authentication will plummet in the
face of the volumes offered by e-banking. Also, the more uses for the
token, the more shared the costs will be. The question to me is will
the FIs go with anything beyond secure cookies, IP address validation
and unique
1992: $2.6B
2003: $882M
2004: $788M
We're on the order of 4.7 cents on the $100.
I consulted an oracle at a major third party
processor. He said the number is more like
64-67 basis points, that you have to be very
precise about your definitions, i.e., very
precise about what goes in
Nick Owen [EMAIL PROTECTED] writes:
It would seem simple to thwart such a trojan with strong authentication
simply by requiring a second one-time passcode to validate the
transaction itself in addition to the session.
Far better would be to have a token with a display attached to the
PC. The
Florian Weimer writes:
|
| It would seem simple to thwart such a trojan with strong authentication
| simply by requiring a second one-time passcode to validate the
| transaction itself in addition to the session.
|
|
| How does the user know which transaction is really being
Nick Owen writes:
| I think that the cost of two-factor authentication will plummet in the
| face of the volumes offered by e-banking.
Would you or anyone here care to analyze
what I am presuming is the market failure
of Amex Blue in the sense of its chipcard
and reader combo?
--dan
* Nick Owen:
I think that the cost of two-factor authentication will plummet in the
face of the volumes offered by e-banking.
I doubt this is true. In Germany, we already use some form of
two-factor authentication for Internet banking transaction (account
number/password and a one-time
Perry E. Metzger wrote:
A system in which the credit card was replaced by a small, calculator
style token with a smartcard style connector could effectively
eliminate most of the in person and over the net fraud we experience,
and thus get rid of large costs in the system and get rid of the
Jerrold Leichter wrote:
There have been a couple of articles in RISKS recently about the fairly recent
use of a two-factor system for bank cards in England. There are already
significant hacks -
yes ...
and the banks managed to get the law changed so that, with
this guaranteed to be
Peter Fairbrother [EMAIL PROTECTED] writes:
Perry E. Metzger wrote:
A system in which the credit card was replaced by a small, calculator
style token with a smartcard style connector could effectively
eliminate most of the in person and over the net fraud we experience,
and thus get rid of
--
Ian Grigg [EMAIL PROTECTED]
In the payments world we've known how to solve all
this for some time, since the early 90s to my
knowledge. The only question really is, have you got a
business model that will pay for it, because any form
of token is very expensive, and the form of token
On Sun, Jul 10, 2005 at 12:13:42AM +0100, Peter Fairbrother wrote:
| Perry E. Metzger wrote:
|
| A system in which the credit card was replaced by a small, calculator
| style token with a smartcard style connector could effectively
| eliminate most of the in person and over the net fraud we
32 matches