Re: Lack of fraud reporting paths considered harmful.
Perry E. Metzger wrote:
> The call-the-customer-and-reissue mechanism is a mediocre solution to the fraud problem, but it is the one we have these days.

Why is it a mediocre solution? The credit card number is a widely shared secret. It has been known for centuries that widely shared secrets have a short life expectancy and should be frequently re-issued.

The only better solution is unshared secrets. Is that what you had in mind? Instead of the customer sharing his secret with the merchant, and the merchant checking it with the bank, the customer should prove to the bank that the person who knows the secret wishes to pay the merchant for the identified promise.

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Lack of fraud reporting paths considered harmful.
James A. Donald [EMAIL PROTECTED] writes:
> Perry E. Metzger wrote:
>> The call-the-customer-and-reissue mechanism is a mediocre solution to the fraud problem, but it is the one we have these days.
>
> Why is it a mediocre solution? The credit card number is a widely shared secret. It has been known for centuries that widely shared secrets have a short life expectancy and should be frequently re-issued. The only better solution is unshared secrets. Is that what you had in mind?

Naturally. However, given what we have now, reissue is the only reasonable option.

-- 
Perry E. Metzger [EMAIL PROTECTED]
Re: Lack of fraud reporting paths considered harmful.
John Ioannidis wrote:
> Perry E. Metzger wrote:
>> That's not practical. If you're a large online merchant, and your automated systems are picking up lots of fraud, you want an automated system for reporting it. Having a team of people on the phone 24x7 talking to your acquirer and reading them credit card numbers over the phone, and then expecting the acquirer to do something with them when they don't have an automated system either, is just not reasonable.
>
> But how can the issuer know that the merchant's fraud detection systems work, for any value of work? This could just become one more avenue for denial of service, where a hacked online merchant suddenly reports millions of cards as compromised. I'm sure there is some interesting work to be done here.

There is an interesting analogue in the area of SAR (suspicious activity report) filings through financial services. This has been in place with various providers for maybe a decade or so. I'm not aware of any serious economic analysis that would suggest copying the lessons, though.

There is a philosophical problem with suggesting an automated protocol method for reporting fraud, in that one might be better off ... fixing the underlying fraud.

iang
Re: Lack of fraud reporting paths considered harmful.
Perry E. Metzger wrote:
> This evening, a friend of mine who shall remain nameless who works for a large company that regularly processes customer credit card payments informed me of an interesting fact. His firm routinely discovers attempted credit card fraud. However, since there is no way for them to report attempted fraud to the credit card network (the protocol literally does not allow for it), all they can do is refuse the transaction -- they literally have no mechanism to let the issuing bank know that the card number was likely stolen. This seems profoundly bad. I hope that someone on the list has the right contacts to get the right people to do something about this.

some chance they are doing this to save money on transactions that aren't likely to be approved ... i.e. rather than be charged for a transaction that they send thru to the issuer that they are sure to be rejected ... they reject it upfront.

now the associations have standard procedure to perform stand-in when the network accepts a transaction from an acquirer but isn't able to forward it to the issuer. stand-in allows the network to decide whether to approve or reject the transaction using simplified rules. later, when contact is re-established with the issuer ... the issuer has to be informed of all the stand-in activity.

a possible simplified mechanism is to be able to generate a simulated stand-in report of rejected transactions. the issue then in such a simulated stand-in role ... for all the reasons that they chose to reject a transaction ... do they map into the standard iso 8583 codes for reasons that the issuer would reject the transaction.
Re: Lack of fraud reporting paths considered harmful.
Ian G [EMAIL PROTECTED] writes:
> There is a philosophical problem with suggesting an automated protocol method for reporting fraud, in that one might be better off ... fixing the underlying fraud.

Let's say you're a big company like Amazon or someone similar. You're pretty sure someone is trying to use a stolen credit card. How do you fix the underlying fraud? Last I checked, Amazon had no police force. Let's say that the miscreants are in any one of several Eastern European countries. Even reporting the fraud to the police in the originating country won't fix it because the foreign police will do absolutely nothing.

Perhaps you argue that the credit card system itself is flawed. I agree, but as a company like Amazon you're not in a position to fix that, either.

The point of providing a feedback channel is so the issuing bank can be alerted to an attempted fraud, call the customer, say "hi, did you try to buy a container of consumer electronics and have it shipped to Belarus", hear back "no", and issue a new credit card. This is done right now when the issuing bank notices suspicious activity, but there is a hole in the system in which a merchant might refuse a suspicious charge and yet have no way of telling the issuing bank about it.

The call-the-customer-and-reissue mechanism is a mediocre solution to the fraud problem, but it is the one we have these days. As it stands, a merchant can't easily tell the issuing bank that it should have a look to see if a card is being used fraudulently, so the merchant can know that something weird is happening but the issuing bank can remain ignorant. This is not a good situation. That is why a feedback path would be of use.

I had long assumed such a feedback path already existed, and I was rather shocked to discover it did not.

Perry
Re: Lack of fraud reporting paths considered harmful.
Perry E. Metzger wrote:
> That's not practical. If you're a large online merchant, and your automated systems are picking up lots of fraud, you want an automated system for reporting it. Having a team of people on the phone 24x7 talking to your acquirer and reading them credit card numbers over the phone, and then expecting the acquirer to do something with them when they don't have an automated system either, is just not reasonable.

But how can the issuer know that the merchant's fraud detection systems work, for any value of work? This could just become one more avenue for denial of service, where a hacked online merchant suddenly reports millions of cards as compromised. I'm sure there is some interesting work to be done here.

/ji
Re: Lack of fraud reporting paths considered harmful.
yes, the reputation of/quality of reporters needs to be measured, and the reported information needs to be enough to accomplish an auth or a card purchase. the card issuer can then use a credible report as a hint to increase the level of attention to the reported cards.

it's in a merchant's interest to have high quality fraud detection because this report is in association with an attempted purchase transaction, and their report implies they decline or refund the transaction: they are turning down the revenue from that card. if a bad guy wants to break into a merchant's site, i would welcome them to immediately report all the merchant's cards as stolen rather than stealing them and using them or waiting for the merchant to do so in a breach notice.

On Jan 25, 2008, at 3:11 PM, John Ioannidis wrote:
> Perry E. Metzger wrote:
>> That's not practical. If you're a large online merchant, and your automated systems are picking up lots of fraud, you want an automated system for reporting it. Having a team of people on the phone 24x7 talking to your acquirer and reading them credit card numbers over the phone, and then expecting the acquirer to do something with them when they don't have an automated system either, is just not reasonable.
>
> But how can the issuer know that the merchant's fraud detection systems work, for any value of work? This could just become one more avenue for denial of service, where a hacked online merchant suddenly reports millions of cards as compromised. I'm sure there is some interesting work to be done here.
>
> /ji
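The earlier reply's point about mapping merchant decline reasons onto ISO 8583 response codes, and this message's point that reporter reputation must be measured and a hacked merchant must not be able to flag every card, sketch an issuer-side intake for such reports. The Python below is an added illustration written for this thread, not code from the list or from any card network; the merchant ids, card tokens, cap and threshold are constructed values, and only the reputation formula (Laplace-smoothed precision) and the per-merchant cap are assumed design choices.

```python
from collections import defaultdict
from dataclasses import dataclass

# Standard ISO 8583 field-39 response codes that a merchant-side decline
# reason could be mapped onto (only the fraud-relevant subset is listed).
ISO8583_CODE = {"suspected_fraud": "59", "stolen_card": "43",
                "lost_card": "41", "invalid_pan": "14"}

@dataclass
class DeclineReport:
    merchant_id: str   # constructed identifier, not a real acquirer/merchant id
    card_token: str    # tokenised card reference, never the raw PAN
    reason: str        # key into ISO8583_CODE

class ReportIntake:
    """Issuer-side intake for merchant decline reports.
    Each accepted report raises the card's attention score by the reporting
    merchant's reputation (a smoothed precision estimate); a per-merchant cap
    bounds how many cards one compromised merchant can flag per window."""
    def __init__(self, per_merchant_cap: int = 1000, alert_threshold: float = 1.0):
        self.cap = per_merchant_cap
        self.threshold = alert_threshold
        self.reputation = defaultdict(lambda: 0.5)   # prior for unknown reporters
        self.outcomes = defaultdict(lambda: [0, 0])  # [confirmed, refuted] per merchant
        self.reports = defaultdict(int)              # reports per merchant this window
        self.attention = defaultdict(float)          # per-card attention score

    def ingest(self, r: DeclineReport) -> str:
        """Accept a report, or say why it was dropped."""
        if r.reason not in ISO8583_CODE:
            return "dropped: unmapped reason"
        if self.reports[r.merchant_id] >= self.cap:
            return "dropped: merchant over cap"
        self.reports[r.merchant_id] += 1
        self.attention[r.card_token] += self.reputation[r.merchant_id]
        return "accepted: code " + ISO8583_CODE[r.reason]

    def needs_review(self, card_token: str) -> bool:
        """True when accumulated credible reports justify calling the cardholder."""
        return self.attention[card_token] >= self.threshold

    def record_outcome(self, merchant_id: str, confirmed: bool) -> float:
        """Feed the cardholder-call result back into the merchant's reputation
        (Laplace-smoothed precision) and return the updated value."""
        c, f = self.outcomes[merchant_id]
        c, f = (c + 1, f) if confirmed else (c, f + 1)
        self.outcomes[merchant_id] = [c, f]
        self.reputation[merchant_id] = (c + 1) / (c + f + 2)
        return self.reputation[merchant_id]
```

Two independent merchants at the default 0.5 prior must both flag a card before it reaches the review threshold, while a single merchant's flood stops at the cap regardless of how many cards it names.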
Re: Lack of fraud reporting paths considered harmful.
[EMAIL PROTECTED] writes:
> Perry wrote:
>> His firm routinely discovers attempted credit card fraud. However, since there is no way for them to report attempted fraud to the credit card network (the protocol literally does not allow for it), all they can do is refuse the transaction -- they literally have no mechanism to let the issuing bank know that the card number was likely stolen.
>
> A former boss has become Head of Fraud Technology (I asked him who was Head of Anti-Fraud Technology) and he answers like this. I am not really a cards man but I would have said the good old telephone, a call to the acquirer, would be the way. The acquirer would then pass that on to the issuer. Granted the merchant may not know for certain that had happened, but he has done his duty at that point.

That's not practical. If you're a large online merchant, and your automated systems are picking up lots of fraud, you want an automated system for reporting it. Having a team of people on the phone 24x7 talking to your acquirer and reading them credit card numbers over the phone, and then expecting the acquirer to do something with them when they don't have an automated system either, is just not reasonable.

-- 
Perry E. Metzger [EMAIL PROTECTED]
Re: Lack of fraud reporting paths considered harmful.
Perry wrote:
> His firm routinely discovers attempted credit card fraud. However, since there is no way for them to report attempted fraud to the credit card network (the protocol literally does not allow for it), all they can do is refuse the transaction -- they literally have no mechanism to let the issuing bank know that the card number was likely stolen.

A former boss has become Head of Fraud Technology (I asked him who was Head of Anti-Fraud Technology) and he answers like this:

I am not really a cards man but I would have said the good old telephone, a call to the acquirer, would be the way. The acquirer would then pass that on to the issuer. Granted the merchant may not know for certain that had happened, but he has done his duty at that point.
Lack of fraud reporting paths considered harmful.
This evening, a friend of mine who shall remain nameless who works for a large company that regularly processes customer credit card payments informed me of an interesting fact. His firm routinely discovers attempted credit card fraud. However, since there is no way for them to report attempted fraud to the credit card network (the protocol literally does not allow for it), all they can do is refuse the transaction -- they literally have no mechanism to let the issuing bank know that the card number was likely stolen.

This seems profoundly bad. I hope that someone on the list has the right contacts to get the right people to do something about this.

Perry
-- 
Perry E. Metzger [EMAIL PROTECTED]