Re: EMV [was: Re: Why Blockbuster looks at your ID.]

2005-07-15 Thread Joseph Ashwood
- Original Message - 
From: Victor Duchovni [EMAIL PROTECTED]

Subject: Re: EMV [was: Re: Why Blockbuster looks at your ID.]



Whose losses do these numbers measure?

- Issuer Bank?

- Merchant?

- Consumer?

- Total?


I'd say that you've fairly well hit the nail on the head. I've actually been 
meaning to reply to this for about a week now. The truth is that each credit 
card transaction actually has either 3 or 4 parties: User U, Merchant M, 
Credit Card Issuer CCI, and Merchant Insurer MI (this is simplified; there 
are generally multiple parties under CCI).


Under legitimate circumstances the process is fairly simple; Legitimate User 
LU agrees to pay CCI, CCI already has an agreement to pay M, and M supplies 
the product/service to LU. During billing LU pays CCI, CCI pays M, everyone 
is happy.


Things are different in the case of False User FU. FU goes to M, FU agrees 
for LU to pay CCI, CCI (believing FU is LU) agrees to pay M, M supplies the 
product/service to FU. During billing is where things get strange. LU 
reports the bad transaction to CCI. CCI informs M and does not pay M. FU 
gets the product, M accepts the loss. In the normal case MI and M are the 
same entity so the buck stops there; if MI is separate from M, then MI 
reimburses M for some portion.


It's important to understand exactly who loses what when FU is in the 
picture. CCI loses the commission, generally a small flat fee on the order of 
$0.35, and a percentage, generally 2%; this is not a large amount to lose, 
and the phone call to report the problem actually costs more than is lost, 
followed by the filing and tracking of the correct paperwork, this is the 
ACTUAL loss for CCI. MI loses the cost of the product/service reimbursed. LU 
loses basically nothing except time. FU obviously gains.


The point being that expecting CCI to foot a multi-billion dollar bill to 
change the process so that MI doesn't lose the money doesn't make sense. CCI 
will only work to increase CCI's profits. It is up to MI to pay for the 
upgraded systems by working with CCI towards CCI's goals (fewer losses for MI 
also means fewer reports to CCI so fewer losses). LU may be willing to foot 
part of the bill for the perceived improvements, CCI will only foot the 
portion that is in CCI's favor, MI will have to foot the majority of the bill 
and will only do so when it is in MI's favor. With credit card fraud 
decreasing, it is not in MI's favor to examine it at this time.
   Joe 




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: EMV [was: Re: Why Blockbuster looks at your ID.]

2005-07-11 Thread astiglic


 On Sat, 9 Jul 2005, [UNKNOWN] Jörn Schmidt wrote:

 less attractive to commit credit card fraud. You are, however, not
 making it harder. That's why I believe the credit card companies will
 indeed have a good, long look at smartcards. Probably not tomorrow or
 next week but in the near future.

 Actually, smart cards are here today. My local movie theatre in Berkeley,
 California is participating in a trial for MasterCard PayPass. There is
 a little antenna at the window; apparently you can just wave your card at
 the antenna to pay for tickets. I haven't observed anyone using it in
 person, but the infrastructure is there right now.

Interesting, they have a card (smart card)? and key fob version.  I hope
their key fob version is not as insecure as the SpeedPass RFID transponder
token used by Exxon/Esso, which has recently been broken
http://rfidanalysis.org/
The SpeedPass implemented an authentication algorithm (I think it was a
CRC-like challenge response based on a secret that defined the polynomial
used) based on a 40-bit key.  Bono et al. figured out the algorithm (based
on a patent, which described the algorithm generically, they figured out
the constants that were chosen).
The question is why did they use a 40-bit secret?  Is there some
technological constraint preventing the use of something better?

The other thing is that many of the smart cards also have a magnetic
strip, so your security level is as strong as the weakest point (magnetic
stripe type payments).  Until all the cards are smart cards, readers will
accept both types.

--Anton






Re: EMV [was: Re: Why Blockbuster looks at your ID.]

2005-07-09 Thread Victor Duchovni
On Fri, Jul 08, 2005 at 03:48:30PM -0400, [EMAIL PROTECTED] wrote:

  We're on the order of 4.7 cents on the $100.
 
 
 Interesting statistics.
 Seems like it's the same thing in Canada
 http://www.rcmp.ca/scams/ccandpc_e.htm
 Reported $227M in credit card fraud in 1999, dropped to $200M in 2003.
 

Whose losses do these numbers measure?

- Issuer Bank?

- Merchant?

- Consumer?

- Total?

-- 

Victor Duchovni
IT Security, Morgan Stanley

ASCII RIBBON CAMPAIGN AGAINST HTML MAIL

NOTICE: If received in error, please destroy and notify sender. Sender does
not waive confidentiality or privilege, and use is prohibited.



Re: EMV [was: Re: Why Blockbuster looks at your ID.]

2005-07-09 Thread J
--- [EMAIL PROTECTED] wrote:

[decline in credit card fraud]
 Interesting statistics.

[...]

 But these are still considerable numbers, [...]

I totally agree. And I would just like to make a quick point: the
credit card companies (especially Visa/Mastercard) have been very
aggressive in fraud prevention in the last ten years. 

And I don't mean algorithms that detect unusual activity and flag a
card, thereby prompting your bank to call and verify that the
charges are good. They've been doing that for years, if not decades.

No, I mean literally detective work -- tracking people down, having
their sites closed and bank accounts frozen and actually pushing to
have people prosecuted. They have been quite active, trying to recruit
people in the law enforcement community and offering handsome salaries.


The whole thing works based on the premise that there are a lot of
small-time gangsters at any given time but only a few big fish. And if
you can increase the cost of doing business (either in terms of making
credit fraud more expensive or in terms of increasing the likelihood to
get caught) you can basically justify the expense of running a big
anti-fraud unit.

But, in a way, that's only dealing with the symptoms, whilst at the
same time ignoring the root cause of the problem. You're only making it
less attractive to commit credit card fraud. You are, however, not
making it harder. That's why I believe the credit card companies will
indeed have a good, long look at smartcards. Probably not tomorrow or
next week but in the near future. 

  -Jörn
