On 05/09/09 07:33, Jerry Leichter wrote:
On May 8, 2009, at 3:39 PM, Ian G wrote:
The difficulty with client certs is that I need them to also work on my
laptop. And my other laptop. And my phone.
So, how do I get hold of them when I'm on the road?
Good point. The difficulty with my passwords is that I have so many
that are so long that I can only manage them on my laptop, and have to
carry my laptop with me ...
We can imagine all sorts of techie solutions to this, but it does
appear that we are in a bit of a grey zone with auth at the moment,
and the full solution might take a while to emerge. Try them all?
This is part of a broader UI issue.
I had a discussion with a guy at a company that was proposing to create
secure credit cards by embedding a chip in the card and replacing some
number of digits with an LCD display. The card would generate a unique
card number for you when needed. They actually had the technology
working - the card was pretty much indistinguishable from any other. (Of
course, how rugged it would be in typical environments is another
question - but they claimed they had a solution.)
I pointed out that my wife knows one of her CC numbers by heart. The
regularly quotes it, both on phone calls and to web forms. The card
itself is buried in a thick wallet, which is buried in her pocketbook,
which is somewhere in the house - likely not near the phone or the
Hell, one of the nice things about on-line shopping is that I can do it
in my bathrobe - except that I *don't* know my CC by heart, so in fact I
tend to put off buying until later when I have my wallet with me. (This
does save me money)
When I'm in a store, I'm used to having to have my CC with me, because I
always had to have the wallet with money anyway. At home, it's a whole
different story. In any case, merchants are trying to make the in-store
experience as simple as possible, pushing for things like RFID credit
cards and even fingerprint recognition.
So many people would see these safer cards as a big step backwards in
usability. Why would they want such a thing? The card companies are
trying to sell safety, but in the US, where your liability is at most
$50 if your CC number is stolen (and where in practice it's $0), the
only cost you as an individual bear is the inconvenience of replacing a
card. Because replacements for security problems have gotten so common,
the CC companies have streamlined the process. It's really no big deal.
I've had CC numbers stolen a couple of times (by means unknown);
recently, two of my CC's were replaced by the companies based on some
information known only to them. In every case, the process was very
quick and painless. Hell, these days even on-line continuing charges
often update to the new number automatically (though I've learned to
keep track of those and check).
The person arguing for this claimed that CC companies could offer a
discount for users of the secure cards. But if you look at actual loss
rates - how much could you offer? (I'd guess it's about the same as
Discover offers: About a 1.5% rebate on most purchases. Not enough to
let Discover steal customers from Visa and MC. Given all the other
charges - and the absurdly high interest rates - on cards, anything like
this gets lost in the noise.)
Security that depends on people changing their habits in a way that is
inconvenient to them ... won't happen (unless you're in an environment
where you can *force* such changes).
at least the initial introduction of one-time-account number displays
had a problem because they couldn't meet the flexing specification
(like cards in mens wallet and getting sat on).
note that there has been big push to signature debit (similar interchange
fees and fraud as signature credit) with 15 times the fraud of PIN-debit
(which has significantly lower interchange fees compared to signature debit)
mentioned in this post from 2006
there has been some articles about unsafe cards being a profit item
for financial institutions ... since they charge merchants a significantly
higher interchange fee. there have been references that there can be
as much as a order of magnitude difference in fees between unsafer transaction
fees and safer transaction... with unsafe transaction fees
contributing significantly to reports that payment fees have represented
as much as 40% of bottom line for US consumer financial institutions
(an order of magnitude reduction would be a big hit). part of thread
on this subject in this mailing list from two years ago