Re: Lack of fraud reporting paths considered harmful.

2008-01-26 Thread John Ioannidis

Perry E. Metzger wrote:


That's not practical. If you're a large online merchant, and your
automated systems are picking up lots of fraud, you want an automated
system for reporting it. Having a team of people on the phone 24x7
talking to your acquirer and reading them credit card numbers over the
phone, and then expecting the acquirer to do something with them when
they don't have an automated system either, is just not reasonable.




But how can the issuer know that the merchant's fraud detection systems 
work, for any value of work? This could just become one more avenue 
for denial of service, where a hacked online merchant suddenly reports 
millions of cards as compromised.  I'm sure there is some interesting 
work to be done here.


/ji

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


crypto quotes

2008-01-26 Thread travis+ml-cryptography
http://www.amk.ca/quotations/cryptography/
-- 
URL:https://www.subspacefield.org/~travis/
The stream is deaf, yet sings its melody for all to hear.
For a good time on my email blacklist, email [EMAIL PROTECTED]


pgpqS3cxnwgDl.pgp
Description: PGP signature


German Government Skype interception methods leaked...

2008-01-26 Thread Perry E. Metzger

Wikileaks has released documents from the German police revealing
Skype interception technology. The leaks are currently creating a
storm in the German press[...]

http://yro.slashdot.org/article.pl?sid=08/01/26/1339249from=rss

-- 
Perry E. Metzger[EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Lack of fraud reporting paths considered harmful.

2008-01-26 Thread mark seiden-via mac
yes, the reputation of/quality of reporters needs to be measured, and  
the reported information needs to be enough to

accomplish an auth or a card purchase.

the card issuer can then use a credible report as a hint to increase  
the level of attention to the reported cards.


it's in a merchant's interest to have high quality fraud detection  
because this report is
in association with an attempted purchase transaction and their report  
implies they
decline or refund the transaction they are turning down the revenue  
from that card,


if a bad guy wants to break into a merchant's site, i would welcome  
them to immediately report all the merchant's cards as stolen
rather than than stealing them and using them or waiting for the  
merchant to do so in a breach notice.




On Jan 25, 2008, at 3:11 PM, John Ioannidis wrote:


Perry E. Metzger wrote:

That's not practical. If you're a large online merchant, and your
automated systems are picking up lots of fraud, you want an automated
system for reporting it. Having a team of people on the phone 24x7
talking to your acquirer and reading them credit card numbers over  
the

phone, and then expecting the acquirer to do something with them when
they don't have an automated system either, is just not reasonable.


But how can the issuer know that the merchant's fraud detection  
systems work, for any value of work? This could just become one  
more avenue for denial of service, where a hacked online merchant  
suddenly reports millions of cards as compromised.  I'm sure there  
is some interesting work to be done here.


/ji

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]