Arguments such as "we don't want to reduce the fraud level because it would cost more to reduce the fraud than the fraud costs" are just a marketing way to say that a fraud has become a sale. Because fraud is a hemorrhage that adds up, while efforts to fix it -- if done correctly -- are mostly an up-front cost that is incurred only once. So, to accept fraud debits is to accept that there is also a credit that continuously compensates the debit. Which credit ultimately flows from the customer -- just like in car theft.

Some 10 years ago I was officially discussing a national security system to help prevent car theft. A lawyer representing a large car manufacturer told me that "a car stolen is a car sold" -- and that's why they did not have much incentive to reduce car theft. Having the car stolen was an "acceptable risk" for the consumer and a sure revenue for the manufacturer. In fact, a stolen car will need a replacement that will be provided by insurance or by the customer working again to buy another car, while the stolen car continues to generate revenue for the manufacturer in service and parts. The "acceptable risk" concept is a euphemism for that business model, which shifts the burden of fraud to the customer and eventually penalizes us all with its costs.

Today, IT security hears the same argument over and over again. For example, the dirty little secret of the credit card industry is that they are very happy with +10% of credit card fraud over the Internet. In fact, if they were to reduce fraud to zero today, their revenue would decrease, as well as their profits. There is really no incentive to reduce fraud. On the contrary, keeping the status quo is just fine.

This is so mostly because of a slanted use of insurance. Up to a certain level, which is well within the operational boundaries, a fraudulent transaction does not go unpaid through VISA, American Express or Mastercard servers. The transaction is fully paid, with its insurance cost paid by the merchant and, ultimately, by the customer. Thus, the credit card industry has successfully turned fraud into a sale. This is the same attitude reported to me by that car manufacturer representative who said: "A car stolen is a car sold."

The important lesson here is that whenever we see continued fraud, we must be certain: the defrauded is profiting from it. Because no company will accept a continued loss without doing anything to reduce it.

What is to blame? Not only the shortsighted ethics behind this attitude but also that security "school of thought" which is based on risk, surveillance and insurance as "security tools". There is no consideration of what trust is or means, no consideration of whether it is ethically justifiable. "A fraud is a sale" is the only outcome possible from using such methods.

The solution is to consider the concept of trust (*) and provide means to induce trust among the dialogue parties, so that the protocol can be not only correct but also effective. The problem I see with protocols such as 3D Secure (for example) is that they do not allow trust to be represented -- even though they allow authorization to be represented (**).

Cheers,
Ed Gerck

(*) BTW, I often see comments that it is difficult to use the concept of trust. Indeed, and unless the concept of trust in communication systems is well-defined, it really does not make sense to apply it. The definition that I use is that "trust is that which is essential to a communication channel but cannot be transferred through that same channel." This definition allows one to use Shannon's communication theory formalism and define trust without any reference to emotions, feelings or other hard-to-define concepts.

(**) Trust is often used as a synonym for authorization (see InterTrust usage, for example). This may work where a trusted user is a user authorized by management to use some resources. But it does not work across trust boundaries. Trust is more than authorization.

Ian Grigg wrote:
> ....
> This is mostly prevalent on the Internet, where there is a sense of self-taught,
> non-commercial application of cryptography. My time in (or close to) a telco
> taught me the difference, as there, they have an engineering focus on
> cryptography, and really understand what it means to calculate the cost of the
> solution.
>
> For them, leaving a weakness was just another risk calculation, whereas so much
> stuff that happens on the net starts from "we must protect against everything"
> and then proceeds to design the set of "everything" for one's convenience.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]