Re: Why Blockbuster looks at your ID.
On Fri, Jul 08, 2005 at 12:19:38PM -0400, Perry E. Metzger wrote:
[...]
> Actually, the people who would have to pay the investment -- the banks
> and merchants -- have an excellent incentive. The loss because of
> fraud is stunningly large. The real issue is that *consumers* have
> little incentive to cooperate with such a system, because thanks to
> the regulations, they suffer virtually no losses if their accounts are
> hijacked.

As I understand it, the merchants bear the entire cost of fraud - the banks bear almost none - and thus the consumers end up paying for it indirectly through higher prices. The merchants, however, have very little control over the infrastructure, which is provided by the banks, who have little incentive to actually control fraud because they would bear all of the costs of such, and none of the risk is theirs.

So the assertion is that consumers and banks have little incentive to cooperate with such a system, but (some of***) the merchants REALLY WANT it. However, the system is useless if the consumers don't have it, and the banks have no incentive to give something to consumers that's better, because it would cost them money and save them money that they can currently simply charge the merchants for (fraud).

*** The merchants can be divided into two groups - most of them who have not been bitten by fraud and will continue to try to pay as little as possible for credit processing services regardless of the risk because every little bit eats more into their profit, and those who have been bitten by fraud, understand the risks, and will go for paying for a service that frees them from additional liability.

Consumers, on the other hand, still have limited incentive to participate. I'd suspect the NewBanks(TM) would simply have to lure them with lower interest rates, which they'd find hard to do because it would cut into their profits, making it difficult to pay for all of the additional infrastructure they'd need to build.

The system is, of course, pretty much worthless if it's not in the hands of the vast majority of consumers.

As I said, any sea change like this has to either replace the traditional credit granting/honoring agencies, or take away enough of their business that they have no choice but to go along with it. Assuming that they don't use their considerable existing wealth and influence to simply make the new products illegal from the get go.

--
- Adam

** I can fix your database problems: http://www.everylastounce.com/mysql.html **

Blog... [ http://www.aquick.org/blog ]
Links.. [ http://del.icio.us/fields ]
Photos. [ http://www.aquick.org/photoblog ]
Experience. [ http://www.adamfields.com/resume.html ]
Product Reviews: .. [ http://www.buyadam.com/blog ]

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Why Blockbuster looks at your ID.
Dan Kaminsky <[EMAIL PROTECTED]> writes:
> Credit card fraud has gone *down* since 1992, and is actually falling:
>
> 1992: $2.6B
> 2003: $882M
> 2004: $788M
>
> We're on the order of 4.7 cents on the $100.
>
> http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm
>
> If it's any consolation, I was rather surprised myself.

I seem to have gotten that one drastically wrong. Thanks for the more accurate figures.

A back of the envelope calculation makes me think that it is still more than enough money to provide a good incentive for a change in systems, though, especially when the cost of the anti-fraud measures needed at every part of the system is taken into account.

Perry
Re: Why Blockbuster looks at your ID.
> I think you're wrong on that one. Financial cost and benefit are easily
> assessed on this, and I think the numbers add up. Credit card fraud
> costs in the hundreds of billions of dollars a year, much of which
> could be eliminated by a change to the sort of system I mention.
> That's not a small amount of money. Indeed, it is more than enough
> incentive for a major change.

Credit card fraud has gone *down* since 1992, and is actually falling:

1992: $2.6B
2003: $882M
2004: $788M

We're on the order of 4.7 cents on the $100.

http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm

If it's any consolation, I was rather surprised myself.

--Dan
WWW 2006 Call For Papers: Security, Privacy & Ethics Track
WWW2006 Refereed Track: Security, Privacy & Ethics

Viruses, spyware, and identity theft are turning the World Wide Web into a dangerous place. By undermining consumer trust, these problems are hampering e-commerce and the growth of online communities. A basic lesson is coming home to researchers, operators, and ordinary users alike: Security and privacy are not frills or features, but vital and enabling building blocks. As Web-based systems take on a physical dimension through wireless devices and sensors, and as they absorb varied media — from books to online games to home movies — digital security is ramifying in its economic and social reach.

This track promotes the view that security, privacy, and sound guiding ethics must be part of the texture of a successful World Wide Web. In addition to devising practical tools and techniques, it is the duty of the research community to promote and guide business adoption of security technology for the Web and to help inform related legislation.

The organizers seek novel research in security, privacy, and ethics as they relate to the Web, including but not limited to the following areas:

* Biometrics and secure template management
* Digital Rights Management from its technical, ethical, and legal perspectives
* Economic / business analysis of Web security and privacy
* Electronic commerce, particularly security mechanisms for e-cash, auctions, payment, and fraud detection
* Intrusion detection, insider threats, auditing, and honeypots
* Legal and legislative approaches to issues of Web security and privacy
* Location-based services
* Knowledge-based authentication, such as security questions for password recovery
* Privacy-enhancing technologies, including anonymity, pseudonymity and identity management
* Public-key infrastructure and supporting concepts like digital signatures and certification
* Secure and robust management of server farms
* User interfaces as they relate to digital signing, encryption, passwords, and online scams like phishing
* Wireless devices that interface with the Web, including RFID, sensors, and mobile phones
* Web-services and supporting standards like XML

Chairs

* Ari Juels (RSA Laboratories) (Vice Chair)
* Angelos Keromytis (Columbia University) (Deputy Vice Chair)

PC Members

* Masayuki Abe (NTT, Japan)
* Kostas Anagnostakis (Univ. of Penn., USA)
* Dan Boneh (Stanford Univ., USA)
* Dario Catalano (l’ENS, France)
* Sabrina de Capitani di Vimercati (Univ. of Milan, Italy)
* Marc Dacier (Eurecom, France)
* George Danezis (Univ. Cambridge, UK)
* Ed Felten (Princeton Univ., USA)
* Kevin Fu (Univ. of Mass, USA)
* Craig Gentry (NTT DoCoMo, USA)
* Sotiris Ioannidis (Stevens Inst. of Tech., USA)
* Markus Jakobsson (Univ. of Indiana, USA)
* Marc Joye (Gemplus, France)
* Arjen Lenstra (Lucent, Bell Labs, USA and Tech. Univ. Eindhoven, The Netherlands)
* Radia Perlman (Sun Microsystems, USA)
* Benny Pinkas (HP Labs, USA)
* Mike Reiter (CMU, USA)
* Eric Rescorla (RTFM Inc., USA)
* Vitaly Shmatikov (UT Austin, USA)
* Jessica Staddon (PARC, USA)
* Dan Wallach (Rice Univ., USA)
* Brent Waters (Stanford Univ., USA)
* Rebecca Wright (Stevens Inst. of Tech, USA)
* Dongyan Xu (Purdue Univ., USA)
* Yuliang Zheng (Univ. of North Carolina, USA)

For more details, see http://www2006.org/tracks/security.php

The World's WWW Conference

WWW2006 will bring together the international communities of researchers, developers and business that drive the Web forward, shaping and developing its potential for new areas of communication, research, business and public administration. Since the first international WWW Conference in 1994, this prestigious event, organized by the International World Wide Web Conference Committee (IW3C2), has provided the annual public forum for communicating research and development of the Web infrastructure and applications, as well as W3C initiatives.

The fifteenth conference in the series comes to the UK for the first time, and to one of the great historical centres of science and technology. Edinburgh is Scotland's capital city, home to one of the UK's oldest universities, an epicentre of the IT business sector and one of the world's great festival cities.

The WWW2006 programme addresses topics in media, e-government, e-commerce, education and e-science. The technical programme will draw on global research and industrial strengths to provide a strategic forum for the dissemination of new techniques and applications throughout the research community, the business and company sector and government agencies.
Re: Why Blockbuster looks at your ID.
Edgar Danielyan <[EMAIL PROTECTED]> writes:
>> A system in which the credit card was replaced by a small, calculator
>> style token with a smartcard style connector could effectively
>> eliminate most of the in person and over the net fraud we experience,
>> and thus get rid of large costs in the system and get rid of the need
>> for every Tom, Dick and Harry to see your drivers license when you
>> make a purchase. It would both improve personal privacy and help the
>> economy by massively reducing transaction costs.
>
> Yes. And it will not happen. The cost and hassle of introducing such a
> system will be so high that it wouldn't make sense financially, at
> least not in the foreseeable future.

I think you're wrong on that one. Financial cost and benefit are easily assessed on this, and I think the numbers add up. Credit card fraud costs in the hundreds of billions of dollars a year, much of which could be eliminated by a change to the sort of system I mention. That's not a small amount of money. Indeed, it is more than enough incentive for a major change.

The cost of deploying such a system has also gone down very fast. Fifteen years ago, the hardware and communications costs would have been prohibitively large. I believe that this is no longer the case.

So, in summary, with fraud costs extraordinarily high, and the price of a new system falling, it would not take much time to amortize the costs of a new system, after which every dollar saved is pure profit. The incentive is now in place.

> The banks and other credit card issuers accept that there are some
> losses they will have, they try to minimise/control them and offload
> a portion of the remaining risk to cardholders, merchants and
> insurance companies.

"Minimization" at the moment means accepting massive losses in the system. The cost of deploying a better system would swiftly pay for itself. I suspect that the time is finally right for such a thing.

Perry
Re: Why Blockbuster looks at your ID.
Adam Fields <[EMAIL PROTECTED]> writes:
> On Fri, Jul 08, 2005 at 10:42:02AM -0400, Perry E. Metzger wrote:
> [...]
>> A system in which the credit card was replaced by a small, calculator
>> style token with a smartcard style connector could effectively
>> eliminate most of the in person and over the net fraud we experience,
>> and thus get rid of large costs in the system and get rid of the need
>> for every Tom, Dick and Harry to see your drivers license when you
>> make a purchase. It would both improve personal privacy and help the
>> economy by massively reducing transaction costs.
>
> Haven't we been saying this for years?

Yes. The only unusual point that I am making is that the lack of such a system is precisely the reason why the clerk at the store often asks for your ID when you make a purchase in the US.

(The other major case is alcohol or tobacco purchases, where, again, it is a question of liability, but in this case, liability to the government which holds you responsible if you do not check government issued IDs.)

> The standard argument I hear against it is "the people who would have
> to pay for the very large initial investment have no economic
> incentive to do so". They obviously don't think they have a long-term
> need to do so now, and in the short term, this only replaces fraud
> costs (a relatively known entity) with infrastructure costs (a
> completely unknown one).

Actually, the people who would have to pay the investment -- the banks and merchants -- have an excellent incentive. The loss because of fraud is stunningly large. The real issue is that *consumers* have little incentive to cooperate with such a system, because thanks to the regulations, they suffer virtually no losses if their accounts are hijacked.

Perry
Re: Why Blockbuster looks at your ID.
On Fri, Jul 08, 2005 at 10:42:02AM -0400, Perry E. Metzger wrote:
[...]
> A system in which the credit card was replaced by a small, calculator
> style token with a smartcard style connector could effectively
> eliminate most of the in person and over the net fraud we experience,
> and thus get rid of large costs in the system and get rid of the need
> for every Tom, Dick and Harry to see your drivers license when you
> make a purchase. It would both improve personal privacy and help the
> economy by massively reducing transaction costs.

Haven't we been saying this for years?

The standard argument I hear against it is "the people who would have to pay for the very large initial investment have no economic incentive to do so". They obviously don't think they have a long-term need to do so now, and in the short term, this only replaces fraud costs (a relatively known entity) with infrastructure costs (a completely unknown one).

I don't see it happening. This is the same industry that convinced people it was a good idea to give out their ATM PIN number to make purchases with a debit card... for what exactly?

I think that you made the explicit point of talking about replacing the credit card infrastructure, when what you really meant was replacing the credit card companies with others that would make more rational business decisions in favor of consumer security and privacy.

--
- Adam

** I can fix your database problems: http://www.everylastounce.com/mysql.html **

Blog... [ http://www.aquick.org/blog ]
Links.. [ http://del.icio.us/fields ]
Photos. [ http://www.aquick.org/photoblog ]
Experience. [ http://www.adamfields.com/resume.html ]
Product Reviews: .. [ http://www.buyadam.com/blog ]
Re: Why Blockbuster looks at your ID.
Yes. And it will not happen. The cost and hassle of introducing such a system will be so high that it wouldn't make sense financially, at least not in the foreseeable future. The banks and other credit card issuers accept that there are some losses they will have, they try to minimise/control them and offload a portion of the remaining risk to cardholders, merchants and insurance companies. The world is perfect

> A system in which the credit card was replaced by a small, calculator
> style token with a smartcard style connector could effectively
> eliminate most of the in person and over the net fraud we experience,
> and thus get rid of large costs in the system and get rid of the need
> for every Tom, Dick and Harry to see your drivers license when you
> make a purchase. It would both improve personal privacy and help the
> economy by massively reducing transaction costs.
>
> Perry
Why Blockbuster looks at your ID.
Dirk-Willem van Gulik <[EMAIL PROTECTED]> writes:
> And you may have then noticed the interesting effect; in Germany we have
> mandatory cards - carry them round always - but virtually have to show
> them. And only to officials often.
>
> In the US they have no official card - yet even the lowest clerk at the
> blockbuster video asks for one...

Dirk-Willem implicitly asks an interesting question. Answering it brings us back to security again.

Why does the clerk at Blockbuster want to see your driver's license? Because his management has been told, by their bank, that if they do not attempt to verify the identity of credit card users they will risk their business relationship with the bank. Credit card fraud is far too prevalent, DVDs are easily resold, and the bank wants to make sure that they won't get defrauded. Blockbuster also wants to minimize fraudulent use of credit cards (which they end up eating in some instances) and the loss of their property (which will never be returned by someone renting a video with a stolen credit card).

So, because of this, they're under tremendous pressure to look at some form of identification to try to assure that the person presenting the credit card is the legitimate owner of the credit card.

As an aside, businesses in European countries often do not operate with the same sort of business models US companies have to deal with in this regard. Many of them don't take credit cards at all, or only started to in the last decade and are not yet suffering from the same levels of fraud. In many instances, they are also legally constrained from requesting government issued ID.

So, what is to be done? I would propose that the replacement of the credit card infrastructure is needed. Fraud is prevalent because of a massive inherent security flaw in the current system, to wit, the account number is identical to the payment authenticator, and you can make a payment merely through possession of a piece of stolen plastic.

A system in which the credit card was replaced by a small, calculator style token with a smartcard style connector could effectively eliminate most of the in person and over the net fraud we experience, and thus get rid of large costs in the system and get rid of the need for every Tom, Dick and Harry to see your drivers license when you make a purchase. It would both improve personal privacy and help the economy by massively reducing transaction costs.

Perry
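The flaw described in the message above, where the account number doubles as the payment authenticator, set beside a per-transaction authenticator of the kind a token could compute. This is an added example, not part of the original post; the post specifies no protocol, so the HMAC-SHA256 construction with a counter, the class and function names and the account number are all assumptions.

```python
import hashlib
import hmac
import json
import secrets

def _mac(key: bytes, account: str, merchant: str, cents: int, counter: int) -> bytes:
    # JSON list encoding keeps field boundaries unambiguous.
    msg = json.dumps([account, merchant, cents, counter]).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Token:
    """Cardholder device (hypothetical): the key stays inside, only MACs leave."""
    def __init__(self, account: str, key: bytes):
        self.account, self._key, self._counter = account, key, 0

    def authorize(self, merchant: str, cents: int) -> dict:
        self._counter += 1
        return {"account": self.account, "merchant": merchant, "cents": cents,
                "counter": self._counter,
                "mac": _mac(self._key, self.account, merchant, cents, self._counter)}

class Issuer:
    def __init__(self):
        self._keys = {}   # account -> key shared with that account's token
        self._last = {}   # account -> highest counter accepted so far

    def enroll(self, account: str) -> Token:
        key = secrets.token_bytes(32)
        self._keys[account], self._last[account] = key, 0
        return Token(account, key)

    def accept_static(self, account: str) -> bool:
        """Current model: knowing the account number is the whole proof."""
        return account in self._keys

    def accept_token(self, p: dict) -> bool:
        key = self._keys.get(p["account"])
        if key is None or p["counter"] <= self._last[p["account"]]:
            return False  # unknown account, or a replayed/stale counter
        want = _mac(key, p["account"], p["merchant"], p["cents"], p["counter"])
        if not hmac.compare_digest(want, p["mac"]):
            return False  # forged, or merchant/amount changed after signing
        self._last[p["account"]] = p["counter"]
        return True

def demo() -> dict:
    issuer = Issuer()
    token = issuer.enroll("4000-0000-0000-0002")  # constructed account number
    payment = token.authorize("video-store", 499)
    seen = dict(payment)  # everything a clerk or merchant database retains
    return {
        "static_reuse": issuer.accept_static(seen["account"]),
        "genuine": issuer.accept_token(payment),
        "replay": issuer.accept_token(seen),
        "altered": issuer.accept_token({**token.authorize("video-store", 499),
                                        "merchant": "other-shop", "cents": 99900}),
        "next_genuine": issuer.accept_token(token.authorize("video-store", 499)),
    }

if __name__ == "__main__":
    print(demo())
```

With the static model, whatever the merchant retains is sufficient for another charge; with the per-transaction MAC, the retained record is rejected on reuse and on any change of merchant or amount.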
Re: [Forwarded] RealID: How to become an unperson.
On Tue, 5 Jul 2005 [EMAIL PROTECTED] wrote:
> (currently in Boston, MA, after giving fingerprints at the
> airport immigration)

And you may have then noticed the interesting effect; in Germany we have mandatory cards - carry them round always - but virtually have to show them. And only to officials often.

In the US they have no official card - yet even the lowest clerk at the blockbuster video asks for one...

Dw.
Re: A Note About Trust Anchor Key Distribution
nice paper. note that it claims this paper is being published to establish IPR claims. there is prior art in several vectors. you may wish to consider the following (although now expired) Internet Drafts: draft-ietf-dnsext-trustupdate-threshold-00 and a similar one authored by Mike StJohns. that cover the same basic ideas. at least one of these is being updated and revised.

--bill manning