Re: Lack of fraud reporting paths considered harmful.

2008-01-28 Thread James A. Donald

Perry E. Metzger wrote:
 The call-the-customer-and-reissue mechanism is a
 mediocre solution to the fraud problem, but it is the
 one we have these days.

Why is it a mediocre solution?

The credit card number is a widely shared secret.  It
has been known for centuries that widely shared secrets
have a short life expectancy and should be frequently
re-issued.

The only better solution is unshared secrets.  Is that
what you had in mind?  Instead of the customer sharing
his secret with the merchant, and the merchant checking
it with the bank, customer should prove to bank that the
person who knows the secret wishes to pay the merchant
for the identified promise.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
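
The "unshared secret" arrangement described in the message above can be sketched as follows. This is an added example, not code from the thread or from any card network: the `PaymentOrder` format, the nonce-based replay check and all sample values are assumptions, and Ed25519 stands in for whatever signature scheme a real system would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// PaymentOrder is a hypothetical message: who is paid, how much, for which promise.
type PaymentOrder struct {
	Merchant, OrderID, Nonce string // Nonce is unique per order
	Cents                    int64
}

// bytes gives the unambiguous encoding that the customer signs.
func (p PaymentOrder) bytes() []byte {
	return []byte(fmt.Sprintf("%q|%d|%q|%q", p.Merchant, p.Cents, p.OrderID, p.Nonce))
}

// Bank stores only the customer's public key, so neither it nor the
// merchant ever holds a secret that could be replayed elsewhere.
type Bank struct {
	customerKey ed25519.PublicKey
	seen        map[string]bool
}

// Authorize accepts an order only if the signature covers exactly these
// fields and the nonce has not been used before.
func (b *Bank) Authorize(p PaymentOrder, sig []byte) bool {
	if b.seen[p.Nonce] || !ed25519.Verify(b.customerKey, p.bytes(), sig) {
		return false
	}
	b.seen[p.Nonce] = true
	return true
}

// Demo reports how the bank treats a genuine, an altered and a replayed order.
func Demo() (genuine, altered, replayed bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bank := &Bank{customerKey: pub, seen: map[string]bool{}}
	// Constructed sample order; the merchant relays order and sig, never the key.
	order := PaymentOrder{Merchant: "books.example", OrderID: "order-1001", Nonce: "n-0001", Cents: 2599}
	sig := ed25519.Sign(priv, order.bytes())
	forged := order
	forged.Cents = 259900 // amount changed after signing
	altered = bank.Authorize(forged, sig)
	genuine = bank.Authorize(order, sig)
	replayed = bank.Authorize(order, sig)
	return
}

func main() { fmt.Println(Demo()) }
```

What the merchant sees here (the order and its signature) is useless for any other merchant, amount or order, which is the property a card number lacks.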


Re: Lack of fraud reporting paths considered harmful.

2008-01-28 Thread Perry E. Metzger

James A. Donald [EMAIL PROTECTED] writes:
 Perry E. Metzger wrote:
 The call-the-customer-and-reissue mechanism is a
 mediocre solution to the fraud problem, but it is the
 one we have these days.

 Why is it a mediocre solution?

 The credit card number is a widely shared secret.  It
 has been known for centuries that widely shared secrets
 have a short life expectancy and should be frequently
 re-issued.

 The only better solution is unshared secrets.  Is that
 what you had in mind?

Naturally. However, given what we have now, reissue is the only
reasonable option.

-- 
Perry E. Metzger [EMAIL PROTECTED]



Re: Lack of fraud reporting paths considered harmful.

2008-01-27 Thread Ian G

John Ioannidis wrote:
 Perry E. Metzger wrote:
 That's not practical. If you're a large online merchant, and your
 automated systems are picking up lots of fraud, you want an automated
 system for reporting it. Having a team of people on the phone 24x7
 talking to your acquirer and reading them credit card numbers over the
 phone, and then expecting the acquirer to do something with them when
 they don't have an automated system either, is just not reasonable.

 But how can the issuer know that the merchant's fraud detection systems
 work, for any value of work? This could just become one more avenue
 for denial of service, where a hacked online merchant suddenly reports
 millions of cards as compromised.  I'm sure there is some interesting
 work to be done here.



There is an interesting analogue in the area of SAR 
(suspicious activity report) filings through financial 
services.  This has been in place with various providers for 
maybe a decade or so.  I'm not aware of any serious economic 
analysis that would suggest copying the lessons, though.


There is a philosophical problem with suggesting an 
automated protocol method for reporting fraud, in that one 
might be better off ... fixing the underlying fraud.


iang



Re: Lack of fraud reporting paths considered harmful.

2008-01-27 Thread Anne Lynn Wheeler

Perry E. Metzger wrote:

 This evening, a friend of mine who shall remain nameless who works for
 a large company that regularly processes customer credit card payments
 informed me of an interesting fact.

 His firm routinely discovers attempted credit card fraud. However,
 since there is no way for them to report attempted fraud to the credit
 card network (the protocol literally does not allow for it), all they
 can do is refuse the transaction -- they literally have no mechanism
 to let the issuing bank know that the card number was likely stolen.

 This seems profoundly bad. I hope that someone on the list has the
 right contacts to get the right people to do something about this.

some chance they are doing this to save money on transactions that aren't
likely to be approved ... i.e. rather than be charged for a transaction that
they send thru to the issuer that they are sure to be rejected ... they
reject it upfront.

now the associations have standard procedure to perform stand-in when
the network accepts a transaction from an acquirer but isn't able to forward
it to the issuer. stand-in allows the network to decide whether to approve
or reject the transaction using simplified rules. later, when contact is
re-established with the issuer ... the issuer has to be informed of all
the stand-in activity.

a possible simplified mechanism is to be able to generate a simulated stand-in
report of rejected transactions. the issue then in such a simulated stand-in
role ... for all the reasons that they chose to reject a transaction ... do they map
into the standard iso 8583 codes for reasons that the issuer would reject
the transaction.



Re: Lack of fraud reporting paths considered harmful.

2008-01-27 Thread Perry E. Metzger

Ian G [EMAIL PROTECTED] writes:
 There is a philosophical problem with suggesting an automated protocol
 method for reporting fraud, in that one might be better off ... fixing
 the underlying fraud.

Let's say you're a big company like Amazon or someone similar. You're
pretty sure someone is trying to use a stolen credit card. How do you
fix the underlying fraud? Last I checked, Amazon had no police
force. Let's say that the miscreants are in any one of several Eastern
European countries. Even reporting the fraud to the police in the
originating country won't fix it because the foreign police will do
absolutely nothing.

Perhaps you argue that the credit card system itself is flawed. I
agree, but as a company like Amazon you're not in a position to fix
that, either.

The point of providing a feedback channel is so the issuing bank can
be alerted to an attempted fraud, call the customer, say hi, did you
try to buy a container of consumer electronics and have it shipped to
Belarus, hear back no, and issue a new credit card. This is done
right now when the issuing bank notices suspicious activity, but there
is a hole in the system in which a merchant might refuse a suspicious
charge and yet have no way of telling the issuing bank about it.

The call-the-customer-and-reissue mechanism is a mediocre solution to
the fraud problem, but it is the one we have these days. As it stands,
a merchant can't easily tell the issuing bank that it should have a
look to see if a card is being used fraudulently, so the merchant can
know that something weird is happening but the issuing bank can remain
ignorant. This is not a good situation. That is why a feedback path
would be of use.

I had long assumed such a feedback path already existed, and I was
rather shocked to discover it did not.

Perry



Re: Lack of fraud reporting paths considered harmful.

2008-01-26 Thread John Ioannidis

Perry E. Metzger wrote:

 That's not practical. If you're a large online merchant, and your
 automated systems are picking up lots of fraud, you want an automated
 system for reporting it. Having a team of people on the phone 24x7
 talking to your acquirer and reading them credit card numbers over the
 phone, and then expecting the acquirer to do something with them when
 they don't have an automated system either, is just not reasonable.

But how can the issuer know that the merchant's fraud detection systems 
work, for any value of work? This could just become one more avenue 
for denial of service, where a hacked online merchant suddenly reports 
millions of cards as compromised.  I'm sure there is some interesting 
work to be done here.


/ji



Re: Lack of fraud reporting paths considered harmful.

2008-01-26 Thread mark seiden-via mac
yes, the reputation of/quality of reporters needs to be measured, and
the reported information needs to be enough to
accomplish an auth or a card purchase.

the card issuer can then use a credible report as a hint to increase
the level of attention to the reported cards.

it's in a merchant's interest to have high quality fraud detection
because this report is in association with an attempted purchase
transaction and their report implies they decline or refund the
transaction they are turning down the revenue from that card.

if a bad guy wants to break into a merchant's site, i would welcome
them to immediately report all the merchant's cards as stolen
rather than stealing them and using them or waiting for the
merchant to do so in a breach notice.




On Jan 25, 2008, at 3:11 PM, John Ioannidis wrote:

 Perry E. Metzger wrote:
 That's not practical. If you're a large online merchant, and your
 automated systems are picking up lots of fraud, you want an automated
 system for reporting it. Having a team of people on the phone 24x7
 talking to your acquirer and reading them credit card numbers over the
 phone, and then expecting the acquirer to do something with them when
 they don't have an automated system either, is just not reasonable.

 But how can the issuer know that the merchant's fraud detection
 systems work, for any value of work? This could just become one
 more avenue for denial of service, where a hacked online merchant
 suddenly reports millions of cards as compromised.  I'm sure there
 is some interesting work to be done here.

 /ji



Re: Lack of fraud reporting paths considered harmful.

2008-01-25 Thread Perry E. Metzger

[EMAIL PROTECTED] writes:
 His firm routinely discovers attempted credit card fraud. However,
 since there is no way for them to report attempted fraud to the credit
 card network (the protocol literally does not allow for it), all they
 can do is refuse the transaction -- they literally have no mechanism
 to let the issuing bank know that the card number was likely stolen.

 A former boss has become Head of Fraud Technology (I asked him who
 was Head of Anti-Fraud Technology) and he answers like this.

   I am not really a cards man but I would have said the good
   old telephone, a call to the acquirer, would be the way. The
   acquirer would then pass that on to the issuer. Granted the
   merchant may not know for certain that had happened, but he
   has done his duty at that point.

That's not practical. If you're a large online merchant, and your
automated systems are picking up lots of fraud, you want an automated
system for reporting it. Having a team of people on the phone 24x7
talking to your acquirer and reading them credit card numbers over the
phone, and then expecting the acquirer to do something with them when
they don't have an automated system either, is just not reasonable.


-- 
Perry E. Metzger [EMAIL PROTECTED]



Re: Lack of fraud reporting paths considered harmful.

2008-01-25 Thread lists
Perry wrote:

 His firm routinely discovers attempted credit card fraud. However,
 since there is no way for them to report attempted fraud to the credit
 card network (the protocol literally does not allow for it), all they
 can do is refuse the transaction -- they literally have no mechanism
 to let the issuing bank know that the card number was likely stolen.

A former boss has become Head of Fraud Technology (I asked him who
was Head of Anti-Fraud Technology) and he answers like this.

  I am not really a cards man but I would have said the good
  old telephone, a call to the acquirer, would be the way. The
  acquirer would then pass that on to the issuer. Granted the
  merchant may not know for certain that had happened, but he
  has done his duty at that point.
