Re: EMV [was: Re: Why Blockbuster looks at your ID.]

2005-07-15 Thread Joseph Ashwood
----- Original Message -----
From: Victor Duchovni [EMAIL PROTECTED]
Subject: Re: EMV [was: Re: Why Blockbuster looks at your ID.]



> Whose losses do these numbers measure?
>
> - Issuer Bank?
> - Merchant?
> - Consumer?
> - Total?


I'd say that you've fairly well hit the nail on the head. I've actually been
meaning to reply to this for about a week now. The truth is that each credit
card transaction actually has either 3 or 4 parties: User U, Merchant M,
Credit Card Issuer CCI, and Merchant Insurer MI (this is simplified; there
are generally multiple parties under CCI).


Under legitimate circumstances the process is fairly simple: Legitimate User
LU agrees to pay CCI, CCI already has an agreement to pay M, and M supplies
the product/service to LU. During billing LU pays CCI, CCI pays M, and everyone
is happy.


Things are different in the case of False User FU. FU goes to M, FU agrees
for LU to pay CCI, CCI (believing FU is LU) agrees to pay M, M supplies the
product/service to FU. Billing is where things get strange. LU
reports the bad transaction to CCI. CCI informs M and does not pay M. FU
gets the product, M accepts the loss. In the normal case MI and M are the
same entity so the buck stops there; if MI is separate from M, then MI
reimburses M for some portion.


It's important to understand exactly who loses what when FU is in the
picture. CCI loses the commission, generally a small flat fee on the order of
$0.35 plus a percentage, generally 2%. This is not a large amount to lose;
the phone call to report the problem actually costs more than is lost,
followed by the filing and tracking of the correct paperwork, and that is the
ACTUAL loss for CCI. MI loses the cost of the product/service reimbursed. LU
loses basically nothing except time. FU obviously gains.


The point being that expecting CCI to foot a multi-billion dollar bill to
change the process so that MI doesn't lose the money doesn't make sense. CCI
will only work to increase CCI's profits. It is up to MI to pay for the
upgraded systems by working with CCI towards CCI's goals (fewer losses for MI
also means fewer reports to CCI, so fewer losses). LU may be willing to foot
part of the bill for the perceived improvements, CCI will only foot the
portion that is in CCI's favor, MI will have to foot the majority of the bill
and will only do so when it is in MI's favor. With credit card fraud
decreasing, it is not in MI's favor to examine it at this time.
   Joe 




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Why Blockbuster looks at your ID.

2005-07-11 Thread Anne Lynn Wheeler
Perry E. Metzger wrote:
> Why does the clerk at Blockbuster want to see your driver's license?
> Because his management has been told, by their bank, that if they do
> not attempt to verify the identity of credit card users they will risk
> their business relationship with the bank. Credit card fraud is far
> too prevalent, DVDs are easily resold, and the bank wants to make sure
> that they won't get defrauded. Blockbuster also wants to minimize
> fraudulent use of credit cards (which they end up eating in some
> instances) and the loss of their property (which will never be
> returned by someone renting a video with a stolen credit card).

the issue is lost/stolen credit cards ... your name is embossed on the
plastic and recorded on the magstripe. this provides for the
point-of-sale to check for lost/stolen card by attempting the
identification process of matching the name on the card with the name on
something else.

this moves the card out of the realm of authentication into the realm of
identification. there were a number of threads (mostly prior to 9/11)
about EU privacy directives for making retail electronic transactions as
anonymous as cash. basically this involved removing your name from the
plastic embossing and magstripe ... so that the card was purely an
authentication "something you have" and didn't wander across the
line into identification. lost/stolen card risks then could be contained
by deactivating accounts when the owner reported the card lost/stolen.

part of the issue has been the appearance of skimming/harvesting compromises
http://www.garlic.com/~lynn/subpubkey.html#harvest

where the crooks didn't actually have to physically steal the card, they
could electronically record the necessary information (w/o the owner's
knowledge) and then perform fraudulent transactions. The
skimming/harvesting compromises can involve tens of thousands of cards
... not just a single card at a time. Also, the fraud period, instead of
being limited to possibly a few hrs (when the owner reports the missing
card), now could extend to a few weeks (since the owner doesn't notice
until they get around to examining the next statement). The
skimming/harvesting threat and vulnerability can magnify the fraud risk
by several orders of magnitude (compared to simple lost/stolen).



Re: Why Blockbuster looks at your ID.

2005-07-11 Thread Anne Lynn Wheeler
Perry E. Metzger wrote:
> If you have a sufficiently good token, you may no longer need to have
> identification information presented to the merchant, even by the
> token, to reduce misuse. It is true that the issuer will still know
> what transactions took place. However, you have at least reduced the
> number of entities that require proof of your identity and the number
> that have logs of your activity.

this is the EU privacy directive threads that went on (mostly prior to
9/11) and why couldn't they apply in the US also ... aka that electronic
retail transactions could be as anonymous as cash. names would be
removed from the plastic embossing and magstripe ... and the merchant
would no longer have to wander across the line from authentication into
identification (attempting to match the name on the card with other
credentials).

when we started x9.59 in the mid-90s,
http://www.garlic.com/~lynn/index.html#x959
http://www.garlic.com/~lynn/subpubkey.html#privacy

we frequently commented that it was privacy agnostic. it provided strong
authentication that didn't have skimming and harvesting threats and
vulnerabilities. there was a strong correlation with some account number
... and the degree that there was some trail from that account number to
an individual was dependent on a lot of things outside of the financial
transaction itself. however, the basic financial transaction didn't
require wandering across the line from authentication into identification.

this was also the period where the shortcomings of the x.509 identity
certification paradigm started to show up; it had somewhat tried to get
some toehold in the early 90s ... including grossly overloading the
certificates with personal information. basically that every digitally
signed transaction in the world would carry a huge x.509 identity
certificate grossly overloaded with personal information. Not only would
all such transactions carry such humongous personal information
repositories while in flight ... but all the transaction logs would be
heavily burdened with the same information. You might have tens of
thousands of transaction logs all over the world ... and every one
would include a humongous x.509 identity certificate grossly overloaded
with personal information.



Re: Why Blockbuster looks at your ID.

2005-07-11 Thread Lance James

Adam Shostack wrote:

> On Sun, Jul 10, 2005 at 12:13:42AM +0100, Peter Fairbrother wrote:
> | Perry E. Metzger wrote:
> |  
> |  A system in which the credit card was replaced by a small, calculator
> |  style token with a smartcard style connector could effectively
> |  eliminate most of the in person and over the net fraud we experience,
> |  and thus get rid of large costs in the system and get rid of the need
> |  for every Tom, Dick and Harry to see your drivers license when you
> |  make a purchase. It would both improve personal privacy and help the
> |  economy by massively reducing transaction costs.
> | 
> | I agree that it might well reduce costs and fraud - but how will it improve
> | privacy? Your name is already on the card ... and the issuer will still have
> | a list of your transactions.
> | 
> | Not having to show ID may save annoyance, but it doesn't significantly
> | improve privacy.
>
> Most credit card issuers will happily give you extra cards, so your
> friends can spend your money.  In whatever name you want.  If you need
> to show ID, this can become, umm, complicated.

This goes along with PayPal's "send a friend a debit card" feature (I
saw this two years ago, I don't know if this is still present), but this
essentially allowed a user to add any name to the debit Visa card
(treated in most places like a credit card), which in some cases actually
allowed online hijacking of domain names (depending on registrar)
because the name was the same on the Visa card used.



-Lance


--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/




Re: Why Blockbuster looks at your ID.

2005-07-11 Thread Hal Finney
Perry Metzger writes:
> So, what is to be done? I would propose that the replacement of the
> credit card infrastructure is needed. Fraud is prevalent because of a
> massive inherent security flaw in the current system, to wit,
> the account number is identical to the payment authenticator, and
> you can make a payment merely through possession of a piece of stolen
> plastic.
>
> A system in which the credit card was replaced by a small, calculator
> style token with a smartcard style connector could effectively
> eliminate most of the in person and over the net fraud we experience,
> and thus get rid of large costs in the system and get rid of the need
> for every Tom, Dick and Harry to see your drivers license when you
> make a purchase. It would both improve personal privacy and help the
> economy by massively reducing transaction costs.

Have you ever used an ATM/debit card for a purchase?  You swipe it and
then the merchant hands you a keypad to enter your PIN.  Yes, an insider
could hack the device and steal your PIN along with your card, or use
various other attacks to get the PIN, but it's much more complicated
than using an opportunistically stolen credit card.

These have come into common use in the past several years.  I don't
understand the commentary here which seems oblivious to the existence of
this widely used alternative payment system in the U.S.  All I am reading
is "oh, we can't switch, no one will ever switch from credit cards."
People are switching; it's happening everywhere.

A video game chain store in town, I think it's EBX, only accepts these
cards, they won't take credit cards.

Hal Finney



Re: Why Blockbuster looks at your ID.

2005-07-11 Thread astiglic
> Perry E. Metzger wrote:
>
> > A system in which the credit card was replaced by a small, calculator
> > style token with a smartcard style connector could effectively
> > eliminate most of the in person and over the net fraud we experience,
> > and thus get rid of large costs in the system and get rid of the need
> > for every Tom, Dick and Harry to see your drivers license when you
> > make a purchase. It would both improve personal privacy and help the
> > economy by massively reducing transaction costs.
>
> I agree that it might well reduce costs and fraud - but how will it
> improve privacy? Your name is already on the card ... and the issuer will
> still have a list of your transactions.

It's just that the driver's license number is a unique number that acts as
an index to another database (and is often used as authentication material as
well), which the merchant has no business knowing.

--Anton





Re: EMV [was: Re: Why Blockbuster looks at your ID.]

2005-07-11 Thread astiglic


> On Sat, 9 Jul 2005, Jörn Schmidt wrote:
>
> > less attractive to commit credit card fraud. You are, however, not
> > making it harder. That's why I believe the credit cards companies will
> > indeed have a good, long look at smartcards. Probably not tomorrow or
> > next week but in the near future.
>
> Actually, smart cards are here today. My local movie theatre in Berkeley,
> California is participating in a trial for MasterCard PayPass. There is
> a little antenna at the window; apparently you can just wave your card at
> the antenna to pay for tickets. I haven't observed anyone using it in
> person, but the infrastructure is there right now.

Interesting, they have a card (smart card?) and key fob version.  I hope
their key fob version is not as insecure as the SpeedPass RFID transponder
token used by Exxon/Esso, which has recently been broken:
http://rfidanalysis.org/
The SpeedPass implemented an authentication algorithm (I think it was a
CRC-like challenge response based on a secret that defined the polynomial
used) based on a 40-bit key.  Bono et al. figured out the algorithm (based
on a patent which described the algorithm generically, they figured out
the constants that were chosen).
The question is why did they use a 40-bit secret?  Is there some
technological constraint preventing the use of something better?

The other thing is that many of the smart cards also have a magnetic
stripe, so your security level is as strong as the weakest point (magnetic
stripe type payments).  Until all the cards are smart cards, readers will
accept both types.

--Anton






Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Adam Shostack
On Fri, Jul 08, 2005 at 01:16:13PM -0400, Perry E. Metzger wrote:
| 
| Dan Kaminsky [EMAIL PROTECTED] writes:
|  Credit card fraud has gone *down* since 1992, and is actually falling:
| 
|  1992:  $2.6B
|  2003:  $882M
|  2004:  $788M
| 
|  We're on the order of 4.7 cents on the $100.
| 
|  http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm
| 
|  If it's any consolation, I was rather surprised myself.
| 
| I seem to have gotten that one drastically wrong. Thanks for the
| more accurate figures.
| 
| A back of the envelope calculation makes me think that it is still
| more than enough money to provide a good incentive for a change in
| systems, though, especially when the cost of the anti-fraud measures
| needed at every part of the system are taken into account.

I think those numbers are misleading.  The FTC reports ID theft as a
$50B problem, but I haven't seen that broken down by vector.  I
suspect most of it is CC (rather than cheque, mortgage/line of
credit/auto loan), but have no data.

Adam



Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Edgar Danielyan
May we see the back of that envelope? Upgrade to EMV (chip & PIN) here
in the UK reportedly costs around 1.1 billion pounds (around $1.9
billion), and that is simply an upgrade to the existing infrastructure
and only in a single country. To fundamentally change the system would
require tens of billions and a concerted effort of banks, the
associations and the merchants, with all the associated hidden agendas
and underwater currents. It would be too big an undertaking with an
uncomfortable C/B ratio, whereas $788m in losses is not that bad
keeping in mind the amounts involved...




On 7/8/05, Perry E. Metzger [EMAIL PROTECTED] wrote:
> 
> Dan Kaminsky [EMAIL PROTECTED] writes:
> > Credit card fraud has gone *down* since 1992, and is actually falling:
> >
> > 1992:  $2.6B
> > 2003:  $882M
> > 2004:  $788M
> >
> > We're on the order of 4.7 cents on the $100.
> >
> > http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm
> >
> > If it's any consolation, I was rather surprised myself.
> 
> I seem to have gotten that one drastically wrong. Thanks for the
> more accurate figures.
> 
> A back of the envelope calculation makes me think that it is still
> more than enough money to provide a good incentive for a change in
> systems, though, especially when the cost of the anti-fraud measures
> needed at every part of the system are taken into account.
> 
> Perry




Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Perry E. Metzger

Adam Shostack [EMAIL PROTECTED] writes:
> I think those numbers are misleading.  The FTC reports ID theft as a
> $50B problem, but I haven't seen that broken down by vector.  I
> suspect most of it is CC (rather than cheque, mortgage/line of
> credit/auto loan), but have no data.

If you or anyone else has figures available, especially references to
original source material on the subject, it would be very useful.

Perry



Re: Why Blockbuster looks at your ID.

2005-07-09 Thread R.A. Hettinga
At 1:16 PM -0400 7/8/05, Perry E. Metzger wrote:
> I seem to have gotten that one drastically wrong. Thanks for the
> more accurate figures.

Don't worry. I would bet that identity theft will more than make up for it
soon enough, as transaction settlement times converge to instantaneity.

*That's* potentially *infinite* risk to the *consumer*, which is an
interesting proposition.

Cheers,
RAH

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



EMV [was: Re: Why Blockbuster looks at your ID.]

2005-07-09 Thread astiglic

> Dan Kaminsky [EMAIL PROTECTED] writes:
> > Credit card fraud has gone *down* since 1992, and is actually falling:
> >
> > 1992:  $2.6B
> > 2003:  $882M
> > 2004:  $788M
> >
> > We're on the order of 4.7 cents on the $100.


Interesting statistics.
Seems like it's the same thing in Canada:
http://www.rcmp.ca/scams/ccandpc_e.htm
Reported $227M in credit card fraud in 1999, dropped to $200M in 2003.

But these are still considerable numbers, and the thinking that "banks
manage the risk and it's not worth them going over to smart card
technology, so they won't", which was mentioned in a few replies, I think no
longer holds (probably because of the falling cost of the technology, so
even if fraud $ is down as mentioned, the ratio of fraud cost / cost of
technology that is more secure still leads financial institutions to want
to go to a more secure technology).
Europe already has EMV, and Canada plans to have an infrastructure (card
readers) that support it by 2007.  Probably U.S. will follow
http://www.atmmarketplace.com/news_story_23380.htm
http://www.atmmarketplace.com/news_story_22849.htm
http://www.kioskmarketplace.com/news_printable.htm?id=23380

And here, for example, is a quote from Visa Canada
http://www.visa.ca/en/about/mc_article.cfm?pid=2
"Visa Canada Member financial institutions will implement chip at their
own pace.  It is expected that within seven years, almost every Visa card
in Canada will feature chip technology and most merchants will have the
equipment to accept and fully benefit from these cards."
That was written in June 2003.


--Anton






Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Dan Kaminsky

Jerrold Leichter wrote:

> |  Credit card fraud has gone *down* since 1992, and is actually falling:
> | 
> |  1992:  $2.6B
> |  2003:  $882M
> |  2004:  $788M
> | 
> |  We're on the order of 4.7 cents on the $100.
> | 
> |  http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm
> | 
> The article also mentions that the loss rate for 1992 was 15.7 cents per $100.
>
> Something doesn't add up.  Combining the dollar values above with the loss
> rate per $100, I calculate that the total charges handled in 1992 was about
> $165 billion - which seems a bit low, but reasonable.  However, the
> corresponding calculation for 2004 shows a total charges of about $16 billion,
> which is clearly nonsense.
>
> I don't actually see the $2.6B figure anywhere in the article.  Where did it
> come from?

I did the math.  15.7 / 4.7 ~= 3.34.  3.34 * $778M = $2.6B.  There's a 
problem here, but I'll get to it in a sec.


Hmm...let's verify the rest of this:

4.7 cents per 100 is 0.047 dollars per 100 dollars is 0.00047 dollars
per dollar.

x * 0.00047 = $778M

x = $778M / 0.00047
x = 1655319M = 1.65T

Looking at Federal Reserve data ( 
http://www.federalreserve.gov/releases/g19/Current/g19.htm ), there was 
about $2T in overall consumer credit.  I can envision the vast majority, 
but not all of this being on plastic.  So, $1.65T works.


If you try to repeat this for 1992, though, you'll find an interesting 
bug...total transactions in 1992 were also about 1.65T.  Gee, it's 
almost like I assumed credit card usage rates were constant over the 12 
year period...oops :)  But then there's inflation, which alters dollar 
figures substantially.  So oops in the other direction.


The fundamental point stands, though...credit fraud has been managed 
surprisingly well (though some people have said fraud is understated by 
~~200%).


--Dan




Re: EMV [was: Re: Why Blockbuster looks at your ID.]

2005-07-09 Thread Victor Duchovni
On Fri, Jul 08, 2005 at 03:48:30PM -0400, [EMAIL PROTECTED] wrote:

> > We're on the order of 4.7 cents on the $100.
>
> Interesting statistics.
> Seems like it's the same thing in Canada
> http://www.rcmp.ca/scams/ccandpc_e.htm
> Reported $227M in credit card fraud in 1999, dropped to $200M in 2003.
 

Whose losses do these numbers measure?

- Issuer Bank?
- Merchant?
- Consumer?
- Total?

-- 
Victor Duchovni, IT Security, Morgan Stanley



Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], John Levine writes:
> > Why does the clerk at Blockbuster want to see your driver's license?
> > Because his management has been told, by their bank, that if they do
> > not attempt to verify the identity of credit card users they will
> > risk their business relationship with the bank.
>
> It's been my impression that the way you're supposed to verify the ID
> of a credit card user is by checking the signature.  I've heard of
> banks telling businesses not to demand separate ID.  On the other
> hand, I can easily believe that Blockbuster came up with the ID idea
> all by themselves.

I very rarely rent from Blockbuster, so I may have the details wrong; I 
can state for sure how things work at the local video store I usually 
patronize.

When I signed up with them, I supplied a credit card number; they 
retained that for contingency charges if I fail to return a video.  
(Odd -- my local library doesn't do that.  But I digress.)  In return, 
they handed me an account-linked credential -- exactly the sort of 
thing that is often advocated on this list.

From my perspective, the form factor of the credential wasn't ideal; it
was one of those key ring-sized cards, and I soon lost it, probably
during a wallet upgrade.  No problem -- they're happy to fall back to
the secondary authentication system, to wit my driver's license.  I
show that to get access to the account, independent of how I actually
pay for the rental.  In other words, they are not using my license to
authenticate my credit card.  (I would add that the fees are low
enough that I almost always pay in cash; I have no idea if they even
have the ability to use the stored credit card for rental fees if I
don't present the card separately.  Hmm -- the account is old enough
that the expiration date on my credit card has long since expired.
They've never asked me for an update.  Maybe they're using a reputation
system?)

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb





RE: Why Blockbuster looks at your ID.

2005-07-09 Thread Cid Carlos

> I was in England last week where I noticed that the banks are
> switching all UK credit cards to chip+pin technology.  We'll see.
> For that matter, French cards have all been chip+pin for years.
> Any idea what their fraud rates are like?  The French card machines
> will do magstripe with a signature, but it's mostly us foreigners who
> need it.

Below is a link to an interesting site discussing the chip and PIN
technology and its introduction in the UK (the article "Chip and Spin" also
addresses the French experience):

http://www.chipandspin.co.uk/

Carlos



Re: EMV [was: Re: Why Blockbuster looks at your ID.]

2005-07-09 Thread J
--- [EMAIL PROTECTED] wrote:

[decline in credit card fraud]
> Interesting statistics.

[...]

> But these are still considerable numbers, [...]

I totally agree. And I would just like to make a quick point: the
credit card companies (especially Visa/Mastercard) have been very
aggressive in fraud prevention in the last ten years.

And I don't mean algorithms that detect unusual activity and flag a
card, thereby prompting your bank to call and verify that the
charges are good. They've been doing that for years, if not decades.

No, I mean literally detective work -- tracking people down, having
their sites closed and bank accounts frozen and actually pushing to
have people prosecuted. They have been quite active, trying to recruit
people in the law enforcement community and offering handsome salaries.


The whole thing works based on the premise that there are a lot of
small-time gangsters at any given time but only a few big fish. And if
you can increase the cost of doing business (either in terms of making
credit fraud more expensive or in terms of increasing the likelihood to
get caught) you can basically justify the expense of running a big
anti-fraud unit.

But, in a way, that's only dealing with the symptoms, whilst at the
same time ignoring the root cause of the problem. You're only making it
less attractive to commit credit card fraud. You are, however, not
making it harder. That's why I believe the credit card companies will
indeed have a good, long look at smartcards. Probably not tomorrow or
next week but in the near future.

  -Jörn




Re: Why Blockbuster looks at your ID.

2005-07-09 Thread dan

> 1992:  $2.6B
> 2003:  $882M
> 2004:  $788M
>
> We're on the order of 4.7 cents on the $100.


I consulted an oracle at a major third party
processor.  He said the number is more like
64-67 basis points, that you have to be very
precise about your definitions, i.e., very
precise about what goes in the numerator and
what goes in the denominator.  For example, 
if a dishonored transaction is the merchant's
fault and the merchant has to foot the bill
then the card association has not had a fraud
loss.  I doubt it is actually germane to this
list, but I can go back to said oracle if
requested.

BTW, if you ever have the opportunity to hear
Frank Abagnale's discussion of check forgery
by all means do so.

--dan




Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Peter Fairbrother
Perry E. Metzger wrote:
> 
> A system in which the credit card was replaced by a small, calculator
> style token with a smartcard style connector could effectively
> eliminate most of the in person and over the net fraud we experience,
> and thus get rid of large costs in the system and get rid of the need
> for every Tom, Dick and Harry to see your drivers license when you
> make a purchase. It would both improve personal privacy and help the
> economy by massively reducing transaction costs.

I agree that it might well reduce costs and fraud - but how will it improve
privacy? Your name is already on the card ... and the issuer will still have
a list of your transactions.

Not having to show ID may save annoyance, but it doesn't significantly
improve privacy.



-- 
Peter Fairbrother




Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Peter Fairbrother
Jerrold Leichter wrote:

 There have been a couple of articles in RISKS recently about the fairly recent
 use of a two-factor system for bank cards in England.  There are already
 significant hacks -

yes ...

 and the banks managed to get the law changed so that, with
 this guaranteed to be secure new system, the liability is pushed back onto
 the customer.

 I'm not too sure what you mean.

 In the UK the merchant is not usually liable for card-present fraud.

 There has been / is about to be a change to the liability of the merchant,
usually to the effect that if a fraud is successful because the merchant
hasn't installed PIN equipment then they will be liable. A few banks are
making merchants liable for all fraud if PIN equipment has not been
installed.

EMV said the change would begin on 1st Jan, but the banks haven't all
implemented it yet. Many did so on 1st July.

The change occurs in the contract between the aquiring banks and the
merchants, not the law; the legality of the change is questionable, but as
it is basically just a way to encourage retailers to install PIN equipment
it has not been challenged afaik.

There is no change in the merchant's liability if he has installed Chip n'
PIN equipment - the tales circulating of all merchants becoming liable for
all frauds are simply not true.





 There will also be a change in the way fraud claims are dealt with, to the
almost certain disadvantage of the cardholder, as there is no physical
signature to contest and at least in the first instance the issuers
determine the facts.


 However I am not aware of any changes to the law.


 There was a very recent Banking Ombudsman case where the cardholder had
been grossly negligent about her PIN security, but her liability was still
limited to £50 (which is a statutory limit and applies to credit cards, but
not to debit cards - although it is in practice applied to them too).
Usually the £50 limit is not charged by the issuing bank.





 However the customer eventually pays for fraud anyway, in the form of
higher prices, so the issuer - merchant liability split is not of immediate
relevance to the customer. It should be tilted firmly against the banks IMO
though, as they are responsible for the system, not the merchants, who have
no say, as EMV + AmEx is an effective monopoly.

 BTW, one of my banks recently sent me a leaflet which said Chip n' PIN was
going to be introduced worldwide. Anyone know more about that?


-- 
Peter Fairbrother


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Perry E. Metzger

Peter Fairbrother [EMAIL PROTECTED] writes:
 Perry E. Metzger wrote:
 A system in which the credit card was replaced by a small, calculator
 style token with a smartcard style connector could effectively
 eliminate most of the in person and over the net fraud we experience,
 and thus get rid of large costs in the system and get rid of the need
 for every Tom, Dick and Harry to see your drivers license when you
 make a purchase. It would both improve personal privacy and help the
 economy by massively reducing transaction costs.

 I agree that it might well reduce costs and fraud - but how will it improve
 privacy? Your name is already on the card ... and the issuer will still have
 a list of your transactions.

 Not having to show ID may save annoyance, but it doesn't significantly
 improve privacy.

If you have a sufficiently good token, you may no longer need to have
identification information presented to the merchant, even by the
token, to reduce misuse. It is true that the issuer will still know
what transactions took place. However, you have at least reduced the
number of entities that require proof of your identity and the number
that have logs of your activity.

Perry



Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Adam Shostack
On Sun, Jul 10, 2005 at 12:13:42AM +0100, Peter Fairbrother wrote:
| Perry E. Metzger wrote:
|  
|  A system in which the credit card was replaced by a small, calculator
|  style token with a smartcard style connector could effectively
|  eliminate most of the in person and over the net fraud we experience,
|  and thus get rid of large costs in the system and get rid of the need
|  for every Tom, Dick and Harry to see your drivers license when you
|  make a purchase. It would both improve personal privacy and help the
|  economy by massively reducing transaction costs.
| 
| I agree that it might well reduce costs and fraud - but how will it improve
| privacy? Your name is already on the card ... and the issuer will still have
| a list of your transactions.
| 
| Not having to show ID may save annoyance, but it doesn't significantly
| improve privacy.

Most credit card issuers will happily give you extra cards, so your
friends can spend your money.  In whatever name you want.  If you need
to show ID, this can become, umm, complicated.




Why Blockbuster looks at your ID.

2005-07-08 Thread Perry E. Metzger

Dirk-Willem van Gulik [EMAIL PROTECTED] writes:
 And you may have then noticed the interesting effect; in Germany we have
 mandatory cards - carry them round always - but virtually have to show
 them. And only to officials often.

 In the US they have no official card - yet even the lowest clerk at the
 blockbuster video asks for one...

Dirk-Willem implicitly asks an interesting question. Answering it
brings us back to security again.

Why does the clerk at Blockbuster want to see your driver's license?
Because his management has been told, by their bank, that if they do
not attempt to verify the identity of credit card users they will risk
their business relationship with the bank. Credit card fraud is far
too prevalent, DVDs are easily resold, and the bank wants to make sure
that they won't get defrauded. Blockbuster also wants to minimize
fraudulent use of credit cards (which they end up eating in some
instances) and the loss of their property (which will never be
returned by someone renting a video with a stolen credit card).

So, because of this, they're under tremendous pressure to look at some
form of identification to try to assure that the person presenting the
credit card is the legitimate owner of the credit card.

As an aside, businesses in European countries often do not operate
with the same sort of business models US companies have to deal with
in this regard. Many of them don't take credit cards at all, or only
started to in the last decade and are not yet suffering from the same
levels of fraud. In many instances, they are also legally constrained
from requesting government issued ID.

So, what is to be done? I would propose that the replacement of the
credit card infrastructure is needed. Fraud is prevalent because of a
massive inherent security flaw in the current system, to wit,
the account number is identical to the payment authenticator, and
you can make a payment merely through possession of a piece of stolen
plastic.

A system in which the credit card was replaced by a small, calculator
style token with a smartcard style connector could effectively
eliminate most of the in person and over the net fraud we experience,
and thus get rid of large costs in the system and get rid of the need
for every Tom, Dick and Harry to see your drivers license when you
make a purchase. It would both improve personal privacy and help the
economy by massively reducing transaction costs.

Perry

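Perry's point that the account number doubles as the payment authenticator, and his reply above that a good token lets the merchant see no identifying information, sketched as an added Python example (not code from this thread or from any real card scheme): the legacy check accepts anyone who holds the number, while a token that MACs the merchant's challenge, the amount and its own counter under a key the merchant never sees lets the issuer authorize while rejecting replays and altered amounts. The token id, merchant id, HMAC-SHA256 and the field encoding are assumptions of this sketch.

```python
import hashlib, hmac, secrets

def legacy_authorize(issuer_accounts: set, presented_pan: str) -> bool:
    """Legacy model: whoever presents a valid account number is 'the cardholder';
    a skimmed receipt or stolen plastic carries everything needed to pay."""
    return presented_pan in issuer_accounts

def transaction_bytes(merchant_id: str, amount_cents: int, nonce: bytes, counter: int) -> bytes:
    # Fixed field order so merchant, amount, nonce and counter cannot be confused.
    return f"{merchant_id}|{amount_cents}|{nonce.hex()}|{counter}".encode()

class Token:
    """Cardholder's calculator-style token. It never reveals its key; it only emits
    a MAC over the merchant's transaction details plus its own counter."""
    def __init__(self, token_id: str, key: bytes) -> None:
        self.token_id = token_id  # opaque id: not a name and not a reusable PAN
        self.key = key
        self.counter = 0
    def sign(self, merchant_id: str, amount_cents: int, nonce: bytes) -> dict:
        self.counter += 1
        msg = transaction_bytes(merchant_id, amount_cents, nonce, self.counter)
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()
        return {"token_id": self.token_id, "counter": self.counter, "tag": tag}

class Issuer:
    """Issuer side: one key per token; verifies the MAC and rejects replays."""
    def __init__(self) -> None:
        self.keys, self.last_counter = {}, {}
    def enroll(self, token_id: str) -> Token:
        self.keys[token_id] = secrets.token_bytes(32)
        self.last_counter[token_id] = 0
        return Token(token_id, self.keys[token_id])
    def authorize(self, merchant_id: str, amount_cents: int, nonce: bytes, auth: dict) -> bool:
        key = self.keys.get(auth["token_id"])
        if key is None or auth["counter"] <= self.last_counter[auth["token_id"]]:
            return False  # unknown token, or a replayed authorization
        msg = transaction_bytes(merchant_id, amount_cents, nonce, auth["counter"])
        if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), auth["tag"]):
            return False  # merchant, amount or nonce changed after the token signed
        self.last_counter[auth["token_id"]] = auth["counter"]
        return True

def demo() -> tuple:
    # Returns (genuine accepted, replay rejected, altered amount rejected).
    issuer, nonce = Issuer(), secrets.token_bytes(8)  # nonce: merchant's per-sale challenge
    token = issuer.enroll("tok-0001")  # constructed token id
    first = token.sign("merchant-42", 1999, nonce)
    genuine = issuer.authorize("merchant-42", 1999, nonce, first)
    replayed = issuer.authorize("merchant-42", 1999, nonce, first)
    altered = issuer.authorize("merchant-42", 99900, nonce, token.sign("merchant-42", 1999, nonce))
    return genuine, replayed, altered
```

The merchant forwards only the opaque token id, counter and tag, so it has nothing to gain from seeing a driver's licence and nothing worth skimming.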


Re: Why Blockbuster looks at your ID.

2005-07-08 Thread Dan Kaminsky

I think you're wrong on that one. Financial cost and benefit are easily
assessed on this, and I think the numbers add up. Credit card fraud
costs in the hundreds of billions of dollars a year, much of which
could be eliminated by a change to the sort of system I
mention. That's not a small amount of money. Indeed, it is more than
enough incentive for a major change.

Credit card fraud has gone *down* since 1992, and is actually falling:

1992:  $2.6B
2003:  $882M
2004:  $788M

We're on the order of 4.7 cents on the $100.

http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm

If it's any consolation, I was rather surprised myself.

--Dan




Re: Why Blockbuster looks at your ID.

2005-07-08 Thread Perry E. Metzger

Dan Kaminsky [EMAIL PROTECTED] writes:
 Credit card fraud has gone *down* since 1992, and is actually falling:

 1992:  $2.6B
 2003:  $882M
 2004:  $788M

 We're on the order of 4.7 cents on the $100.

 http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm

 If it's any consolation, I was rather surprised myself.

I seem to have gotten that one drastically wrong. Thanks for the
more accurate figures.

A back of the envelope calculation makes me think that it is still
more than enough money to provide a good incentive for a change in
systems, though, especially when the cost of the anti-fraud measures
needed at every part of the system are taken into account.

Perry



Re: Why Blockbuster looks at your ID.

2005-07-08 Thread Adam Fields
On Fri, Jul 08, 2005 at 12:19:38PM -0400, Perry E. Metzger wrote:
[...]
 Actually, the people who would have to pay the investment -- the banks
 and merchants -- have an excellent incentive. The loss because of
 fraud is stunningly large. The real issue is that *consumers* have
 little incentive to cooperate with such a system, because thanks to
 the regulations, they suffer virtually no losses if their accounts are
 hijacked.

As I understand it, the merchants bear the entire cost of fraud - the
banks bear almost none - and thus the consumers end up paying for it
indirectly through higher prices. The merchants, however, have very
little control over the infrastructure, which is provided by the
banks, who have little incentive to actually control fraud because
they would bear all of the costs of such, and none of the risk is
theirs.

So the assertion is that consumers and banks have little incentive to
cooperate with such a system, but (some of***) the merchants REALLY
WANT it. However, the system is useless if the consumers don't have
it, and the banks have no incentive to give something to consumers
that's better, because it would cost them money and save them money
that they can currently simply charge the merchants for (fraud).

*** The merchants can be divided into two groups - most of them who
have not been bitten by fraud and will continue to try to pay as
little as possible for credit processing services regardless of
the risk because every little bit eats more into their profit, and
those who have been bitten by fraud, understand the risks, and
will go for paying for a service that frees them from
additional liability.

Consumers, on the other hand, still have limited incentive to
participate. I'd suspect the NewBanks(TM) would simply have to lure
them with lower interest rates, which they'd find hard to do because
it would cut into their profits, making it difficult to pay for all of
the additional infrastructure they'd need to build.

The system is, of course, pretty much worthless if it's not in the
hands of the vast majority of consumers.

As I said, any sea change like this has to either replace the
traditional credit granting/honoring agencies, or take away enough of
their business that they have no choice but to go along with
it. Assuming that they don't use their considerable existing wealth
and influence to simply make the new products illegal from the get go.

--
- Adam

** I can fix your database problems: http://www.everylastounce.com/mysql.html **

Blog... [ http://www.aquick.org/blog ]
Links.. [ http://del.icio.us/fields ]
Photos. [ http://www.aquick.org/photoblog ]
Experience. [ http://www.adamfields.com/resume.html ]
Product Reviews: .. [ http://www.buyadam.com/blog ]

