Jerrold Leichter <[EMAIL PROTECTED]> writes:

> In doing this calculation, be careful about the assumptions you make
> about how effective the countermeasures will be. The new systems
> may be more secure, but people will eventually come up with ways to
> break them. The history of security measures is hardly encouraging.
I'm not sure I agree with that, and I'll tell you why. Take the case of NAMPS cell phone fraud. At one time, phone cloning was a serious problem. The main issue was that people could simply listen in on call setup and get all the information they needed to do phone fraud. Once strong crypto was used to authenticate mobiles with the deployment of digital cellphone networks, mobile phone cloning fraud didn't just shift around, it almost completely vanished. I suspect that many of the credit card frauds in question would be sufficiently hard to conduct on an industrial scale given the correct replacement for the current system that it would be difficult for criminal enterprises to sustain themselves off of the available revenue.

> There have been a couple of articles in RISKS recently about the
> fairly recent use of a two-factor system for bank cards in England.
> There are already significant hacks - and the banks managed to get
> the law changed so that, with this "guaranteed to be secure" new
> system, the liability is pushed back onto the customer.

That system has a number of flaws in it, including the fact that it is not an end-to-end cryptographically protected communication, and is thus subject to credential theft, and the customer PIN is exposed to a reader provided by the merchant. I think with the right design, most such issues might go away.

> It's a continuing battle, and the banker's approach is really the
> only one that works over the long run: Keep the loss rate low enough
> that you can live with it while keeping the system easy enough to
> use that you don't lose customers.

That is always the case, in any business. The question is, though, if you could lower the fraud costs from a billion a year to a few tens of millions a year with the expenditure of a half billion in equipment, would that be worthwhile? I suspect that it might.
Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
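The two points the reply makes, that eavesdropping on a cleartext call setup yields a reusable credential, and that an end-to-end design keeps the secret from ever leaving the customer's device, are easy to see in a toy model. The following is an added example written for this page, not code from the thread or from any real cellular or bank-card system: it models a static-credential scheme beside an HMAC challenge-response scheme with a network-side nonce set, and shows that a passive observer's recording authenticates a clone only under the first. The subscriber id, shared secret and class names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the example; not from any real network.
SUBSCRIBER_ID = "SUB-0001"
SHARED_SECRET = b"example-subscriber-secret-0001"


class Network:
    """Authenticator side: holds the subscriber secret and outstanding challenges."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()  # nonces issued but not yet answered

    # --- static-credential scheme (what a cleartext call setup amounts to) ---
    def verify_static(self, sub_id: str, credential: bytes) -> bool:
        # The same bytes are presented on every call, so whoever overhears
        # them once can present them again.
        return sub_id == SUBSCRIBER_ID and hmac.compare_digest(credential, self._secret)

    # --- challenge-response scheme ---
    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify_response(self, sub_id: str, nonce: bytes, response: bytes) -> bool:
        # A challenge may be answered exactly once: a replayed (nonce, response)
        # pair fails because the nonce is no longer outstanding.
        if sub_id != SUBSCRIBER_ID or nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Mobile:
    """Subscriber device holding the provisioned secret."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def static_credential(self) -> bytes:
        return self._secret  # the secret itself goes over the air

    def answer(self, nonce: bytes) -> bytes:
        # The secret never leaves the device; only a MAC over the nonce does.
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def static_scheme_outcome() -> tuple:
    """Returns (legitimate_ok, replay_ok) for the static-credential scheme."""
    network, mobile = Network(SHARED_SECRET), Mobile(SHARED_SECRET)
    captured = mobile.static_credential()          # passive observer records setup
    legitimate_ok = network.verify_static(SUBSCRIBER_ID, captured)
    replay_ok = network.verify_static(SUBSCRIBER_ID, captured)  # recording presented again
    return legitimate_ok, replay_ok


def challenge_response_outcome() -> tuple:
    """Returns (legitimate_ok, replay_ok, fresh_challenge_ok) for challenge-response."""
    network, mobile = Network(SHARED_SECRET), Mobile(SHARED_SECRET)
    nonce = network.issue_challenge()
    captured = mobile.answer(nonce)                # observer records nonce and response
    legitimate_ok = network.verify_response(SUBSCRIBER_ID, nonce, captured)
    # Presenting the recorded pair a second time: nonce already consumed.
    replay_ok = network.verify_response(SUBSCRIBER_ID, nonce, captured)
    # A fresh challenge cannot be answered from the recording alone.
    fresh_challenge_ok = network.verify_response(
        SUBSCRIBER_ID, network.issue_challenge(), captured
    )
    return legitimate_ok, replay_ok, fresh_challenge_ok


if __name__ == "__main__":
    print("static credential  (legit, replay):", static_scheme_outcome())
    print("challenge-response (legit, replay, fresh):", challenge_response_outcome())
```

The network-side nonce set is what makes the second scheme end-to-end in the sense the reply means: nothing a merchant-supplied reader or an on-path observer sees is sufficient to answer a later challenge, so the recorded value has no resale value. A real deployment would also bound the size and lifetime of the outstanding set and authenticate the network to the device, which this toy omits.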