Re: EMV [was: Re: Why Blockbuster looks at your ID.]
----- Original Message -----
From: Victor Duchovni [EMAIL PROTECTED]
Subject: Re: EMV [was: Re: Why Blockbuster looks at your ID.]

> Whose losses do these numbers measure?
> - Issuer Bank?
> - Merchant?
> - Consumer?
> - Total?

I'd say that you've fairly well hit the nail on the head. I've actually been meaning to reply to this for about a week now. The truth is that each credit card transaction actually has either 3 or 4 parties; User U, Merchant M, Credit Card Issuer CCI, and Merchant Insurer MI (this is simplified; there are generally multiple parties under CCI).

Under legitimate circumstances the process is fairly simple; Legitimate User LU agrees to pay CCI, CCI already has an agreement to pay M, and M supplies the product/service to LU. During billing LU pays CCI, CCI pays M, everyone is happy.

Things are different in the case of False User FU. FU goes to M, FU agrees for LU to pay CCI, CCI (believing FU is LU) agrees to pay M, M supplies the product/service to FU. During billing is where things get strange. LU reports the bad transaction to CCI. CCI informs M and does not pay M. FU gets the product, M accepts the loss. In the normal case MI and M are the same entity so the buck stops there; if MI is separate from M, then MI reimburses M for some portion.

It's important to understand exactly who loses what when FU is in the picture. CCI loses the commission, generally a small flat fee on the order of $0.35, and a percentage generally 2%, this is not a large amount to lose, and the phone call to report the problem actually costs more than is lost, followed by the filing and tracking of the correct paperwork, this is the ACTUAL loss for CCI. MI loses the cost of the product/service reimbursed. LU loses basically nothing except time. FU obviously gains.

The point being that expecting CCI to foot a multi-billion dollar bill to change the process so that MI doesn't lose the money doesn't make sense. CCI will only work to increase CCI's profits. It is up to MI to pay for the upgraded systems by working with CCI towards CCI's goals (fewer losses for MI also means fewer reports to CCI so fewer losses). LU may be willing to foot part of the bill for the perceived improvements, CCI will only foot the portion that is in CCI's favor, MI will have to foot the majority of the bill and will only do so when it is in MI's favor. With credit card fraud decreasing, it is not in MI's favor to examine it at this time.

Joe

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Why Blockbuster looks at your ID.
Perry E. Metzger wrote:
> Why does the clerk at Blockbuster want to see your driver's license? Because his management has been told, by their bank, that if they do not attempt to verify the identity of credit card users they will risk their business relationship with the bank. Credit card fraud is far too prevalent, DVDs are easily resold, and the bank wants to make sure that they won't get defrauded. Blockbuster also wants to minimize fraudulent use of credit cards (which they end up eating in some instances) and the loss of their property (which will never be returned by someone renting a video with a stolen credit card).

the issue is lost/stolen credit cards ... your name is embossed on the plastic and recorded on the magstripe. this provides for the point-of-sale to check for lost/stolen card by attempting the identification process of matching the name on the card with the name on something else. this moves the card out of the realm of authentication into the realm of identification.

there was a number of threads (mostly prior to 9/11) about EU privacy directives for making retail electronic transactions as anonymous as cash. basically this involved removing your name from the plastic embossing and magstripe ... so that the card was purely an authentication something you have and didn't wander across the line into identification. lost/stolen card risks then could be contained by deactivating accounts when the owner reported the card lost/stolen.

part of the issue has been the appearance of skimming/harvesting compromises
http://www.garlic.com/~lynn/subpubkey.html#harvest
where the crooks didn't actually have to physically steal the card, they could electronically record the necessary information (w/o the owner's knowledge) and then perform fraudulent transactions. The skimming/harvesting compromises can involve tens of thousands of cards ... not just a single card at a time. Also, the fraud period instead of being limited to possibly a few hrs (when the owner reports the missing card), now could extend to a few weeks (since the owner doesn't notice until they get around to examining the next statement). The skimming/harvesting threat and vulnerability can magnify the fraud risk by several orders of magnitude (compared to simple lost/stolen).
Re: Why Blockbuster looks at your ID.
Perry E. Metzger wrote:
> If you have a sufficiently good token, you may no longer need to have identification information presented to the merchant, even by the token, to reduce misuse. It is true that the issuer will still know what transactions took place. However, you have at least reduced the number of entities that require proof of your identity and the number that have logs of your activity.

this is the EU privacy directive threads that went on (mostly prior to 9/11) and why couldn't they apply in the US also ... aka that electronic retail transactions could be as anonymous as cash. names would be removed from the plastic embossing and magstripe ... and the merchant would no longer have to wander across the line from authentication into identification (attempting to match the name on the card with other credentials).

when we started x9.59 in the mid-90s,
http://www.garlic.com/~lynn/index.html#x959
http://www.garlic.com/~lynn/subpubkey.html#privacy
we frequently commented that it was privacy agnostic. it provided strong authentication that didn't have skimming and harvesting threats and vulnerabilities. there was a strong correlation with some account number ... and the degree that there was some trail from that account number to an individual was dependent on a lot of things outside of the financial transaction itself. however, the basic financial transaction didn't require wandering across the line from authentication into identification.

this was also the period where it started to show up the shortcomings of the x.509 identity certification paradigm that had somewhat tried to get some toe hold in the early 90s including grossly overloading the certificates with personal information. basically that every digitally signed transaction in the world would carry a huge x.509 identity certificate grossly overloaded with personal information. Not only would all such transactions carry such humongous personal information repositories, while in flight but all the transaction logs would be heavily burdened with the same information. You might have tens of thousands of transaction logs all over the world ... and every one would include a humongous x.509 identity certificate grossly overloaded with personal information.
Re: Why Blockbuster looks at your ID.
Adam Shostack wrote:
> On Sun, Jul 10, 2005 at 12:13:42AM +0100, Peter Fairbrother wrote:
> | Perry E. Metzger wrote:
> |
> | A system in which the credit card was replaced by a small, calculator
> | style token with a smartcard style connector could effectively
> | eliminate most of the in person and over the net fraud we experience,
> | and thus get rid of large costs in the system and get rid of the need
> | for every Tom, Dick and Harry to see your drivers license when you
> | make a purchase. It would both improve personal privacy and help the
> | economy by massively reducing transaction costs.
> |
> | I agree that it might well reduce costs and fraud - but how will it improve
> | privacy? Your name is already on the card ... and the issuer will still have
> | a list of your transactions.
> |
> | Not having to show ID may save annoyance, but it doesn't significantly
> | improve privacy.
>
> Most credit card issuers will happily give you extra cards, so your friends can spend your money. In whatever name you want. If you need to show ID, this can become, umm, complicated.

This goes along with paypal's send a friend a debit card feature (I saw this two years ago, I don't know if this is still present), but this essentially allowed a user to add any name to the debit visa card (treated in most places like a credit card) which in some cases actually allowed online hijacking of domain names (depending on registrar) because the name was the same on the visa card used.

-Lance

--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!
Re: Why Blockbuster looks at your ID.
Perry Metzger writes:
> So, what is to be done? I would propose that the replacement of the credit card infrastructure is needed. Fraud is prevalent because of a massive inherent security flaw in the current system, to wit, the account number is identical to the payment authenticator, and you can make a payment merely through possession of a piece of stolen plastic.
>
> A system in which the credit card was replaced by a small, calculator style token with a smartcard style connector could effectively eliminate most of the in person and over the net fraud we experience, and thus get rid of large costs in the system and get rid of the need for every Tom, Dick and Harry to see your drivers license when you make a purchase. It would both improve personal privacy and help the economy by massively reducing transaction costs.

Have you ever used an ATM/debit card for a purchase? You swipe it and then the merchant hands you a keypad to enter your PIN. Yes, an insider could hack the device and steal your PIN along with your card, or use various other attacks to get the PIN, but it's much more complicated than using an opportunistically stolen credit card.

These have come into common use in the past several years. I don't understand the commentary here which seems oblivious to the existence of this widely used alternative payment system in the U.S. All I am reading is oh, we can't switch, no one will ever switch from credit cards. People are switching; it's happening everywhere. A video game chain store in town, I think it's EBX, only accepts these cards, they won't take credit cards.

Hal Finney
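Added example, not part of any message in this thread: a minimal model of the flaw named above (the account number doubling as the payment authenticator) and of the skimming exposure described earlier in the thread, next to a token that answers a per-transaction challenge. It assumes an HMAC key shared between token and issuer as a stand-in for whatever the token would really use (x9.59, as described in the thread, relied on digital signatures); the class names, merchant names and account number are constructed for illustration.

```python
import hashlib
import hmac
import secrets

PAN = "4111111111111111"  # constructed test account number, not a real card


def transaction_bytes(pan, challenge, merchant, amount_cents):
    """Length-prefix each field so two different transactions never encode alike."""
    fields = [pan.encode(), challenge, merchant.encode(), str(amount_cents).encode()]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


class StaticIssuer:
    """Magstripe-style issuer: the account number doubles as the authenticator."""

    def __init__(self):
        self._accounts = set()

    def enroll(self, pan):
        self._accounts.add(pan)

    def authorize(self, pan, merchant, amount_cents):
        # Nothing binds the request to the cardholder, the merchant or the amount.
        return pan in self._accounts


class Token:
    """Hypothetical calculator-style token; the key never leaves the device."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key

    def respond(self, challenge, merchant, amount_cents):
        msg = transaction_bytes(self.pan, challenge, merchant, amount_cents)
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class TokenIssuer:
    """Issuer that hands out single-use challenges and checks the token's answer."""

    def __init__(self):
        self._keys = {}   # pan -> per-account secret (assumed shared with the token)
        self._open = {}   # outstanding challenge -> pan it was issued for

    def enroll(self, pan):
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        return Token(pan, key)

    def new_challenge(self, pan):
        challenge = secrets.token_bytes(16)
        self._open[challenge] = pan
        return challenge

    def authorize(self, pan, challenge, merchant, amount_cents, mac):
        # A challenge is consumed on first use, whether or not the check passes.
        if self._open.pop(challenge, None) != pan or pan not in self._keys:
            return False
        msg = transaction_bytes(pan, challenge, merchant, amount_cents)
        expected = hmac.new(self._keys[pan], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


def run_demo():
    results = {}

    # Static account number: whatever a skimmer recorded stays valid.
    static = StaticIssuer()
    static.enroll(PAN)
    results["static_legit"] = static.authorize(PAN, "video-store", 499)
    results["static_skimmed_reuse"] = static.authorize(PAN, "elsewhere", 90000)

    # Token: each response is bound to one challenge, merchant and amount.
    issuer = TokenIssuer()
    token = issuer.enroll(PAN)
    c1 = issuer.new_challenge(PAN)
    mac1 = token.respond(c1, "video-store", 499)
    results["token_legit"] = issuer.authorize(PAN, c1, "video-store", 499, mac1)
    # The recorded exchange sent a second time: the challenge is already spent.
    results["token_replay"] = issuer.authorize(PAN, c1, "video-store", 499, mac1)
    # The recorded response offered against a fresh challenge.
    c2 = issuer.new_challenge(PAN)
    results["token_old_response"] = issuer.authorize(PAN, c2, "elsewhere", 90000, mac1)
    # A response for one amount submitted with a different amount.
    c3 = issuer.new_challenge(PAN)
    mac3 = token.respond(c3, "video-store", 499)
    results["token_amount_changed"] = issuer.authorize(PAN, c3, "video-store", 49900, mac3)
    return results


if __name__ == "__main__":
    for name, approved in run_demo().items():
        print(f"{name:22s} {'approved' if approved else 'declined'}")
```

In this model the issuer still sees every transaction, which is the privacy point raised elsewhere in the thread; only the merchant's need for a name disappears.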
Re: Why Blockbuster looks at your ID.
> Perry E. Metzger wrote:
>> A system in which the credit card was replaced by a small, calculator style token with a smartcard style connector could effectively eliminate most of the in person and over the net fraud we experience, and thus get rid of large costs in the system and get rid of the need for every Tom, Dick and Harry to see your drivers license when you make a purchase. It would both improve personal privacy and help the economy by massively reducing transaction costs.
>
> I agree that it might well reduce costs and fraud - but how will it improve privacy? Your name is already on the card ... and the issuer will still have a list of your transactions.

It's just that the drivers license number is a unique number that acts as an index to another database (and often used as authentication material as well), which the merchant has no business knowing.

--Anton
Re: EMV [was: Re: Why Blockbuster looks at your ID.]
> On Sat, 9 Jul 2005, [UNKNOWN] Jörn Schmidt wrote:
>> less attractive to commit credit card fraud. You are, however, not making it harder. That's why I believe the credit cards companies will indeed have a good, long look at smartcards. Probably not tomorrow or next week but in the near future.
>
> Actually, smart cards are here today. My local movie theatre in Berkeley, California is participating in a trial for MasterCard PayPass. There is a little antenna at the window; apparently you can just wave your card at the antenna to pay for tickets. I haven't observed anyone using it in person, but the infrastructure is there right now.

Interesting, they have a card (smart card)? and key fob version. I hope their key fob version is not as insecure as the SpeedPass RFID transponder token used by Exxon/Esso, which has recently been broken
http://rfidanalysis.org/

The SpeedPass implemented an authentication algorithm (I think it was a CRC-like challenge response based on a secret that defined the polynomial used) based on a 40-bit key. Bono et al. figured out the algorithm (based on a patent, which described the algorithm generically, they figured out the constants that were chosen). The question is why did they use a 40-bit secret? Is there some technological constraint preventing the use of something better?

The other thing is that many of the smart cards also have a magnetic strip, so your security level is as strong as the weakest point (magnetic stripe type payments). Until all the cards are smart cards, readers will accept both types.

--Anton
Re: Why Blockbuster looks at your ID.
On Fri, Jul 08, 2005 at 01:16:13PM -0400, Perry E. Metzger wrote:
|
| Dan Kaminsky [EMAIL PROTECTED] writes:
| Credit card fraud has gone *down* since 1992, and is actually falling:
|
| 1992: $2.6B
| 2003: $882M
| 2004: $788M
|
| We're on the order of 4.7 cents on the $100.
|
| http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm
|
| If it's any consolation, I was rather surprised myself.
|
| I seem to have gotten that one drastically wrong. Thanks for the
| more accurate figures.
|
| A back of the envelope calculation makes me think that it is still
| more than enough money to provide a good incentive for a change in
| systems, though, especially when the cost of the anti-fraud measures
| needed at every part of the system are taken in to account.

I think those numbers are misleading. The FTC reports ID theft as a $50B problem, but I haven't seen that broken down by vector. I suspect most of it is CC (rather than cheque, mortgage/line of credit/auto loan), but have no data.

Adam
Re: Why Blockbuster looks at your ID.
May we see the back of that envelope?

Upgrade to EMV (chip PIN) here in UK reportedly costs around 1.1 billion pounds (around $1.9 billion), and that is simply an upgrade to the existing infrastructure and only in a single country. To fundamentally change the system would require tens of billions and a concerted effort of banks, the associations and the merchants, with all the associated hidden agendas and underwater currents. It would be too big an undertaking with an uncomfortable C/B ratio, whereas $788m in losses is not that bad keeping in mind the amounts involved...

On 7/8/05, Perry E. Metzger [EMAIL PROTECTED] wrote:
> Dan Kaminsky [EMAIL PROTECTED] writes:
>> Credit card fraud has gone *down* since 1992, and is actually falling:
>>
>> 1992: $2.6B
>> 2003: $882M
>> 2004: $788M
>>
>> We're on the order of 4.7 cents on the $100.
>>
>> http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm
>>
>> If it's any consolation, I was rather surprised myself.
>
> I seem to have gotten that one drastically wrong. Thanks for the more accurate figures.
>
> A back of the envelope calculation makes me think that it is still more than enough money to provide a good incentive for a change in systems, though, especially when the cost of the anti-fraud measures needed at every part of the system are taken in to account.
>
> Perry
Re: Why Blockbuster looks at your ID.
Adam Shostack [EMAIL PROTECTED] writes:
> I think those numbers are misleading. The FTC reports ID theft as a $50B problem, but I haven't seen that broken down by vector. I suspect most of it is CC (rather than cheque, mortgage/line of credit/auto loan), but have no data.

If you or anyone else has figures available, especially references to original source material on the subject, it would be very useful.

Perry
Re: Why Blockbuster looks at your ID.
At 1:16 PM -0400 7/8/05, Perry E. Metzger wrote:
> I seem to have gotten that one drastically wrong. Thanks for the more accurate figures.

Don't worry. I would bet that identity theft will more than make up for it soon enough, as transaction settlement times converge to instantaneity.

*That's* potentially *infinite* risk to the *consumer*, which is an interesting proposition.

Cheers,
RAH

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
EMV [was: Re: Why Blockbuster looks at your ID.]
Dan Kaminsky [EMAIL PROTECTED] writes:
> Credit card fraud has gone *down* since 1992, and is actually falling:
>
> 1992: $2.6B
> 2003: $882M
> 2004: $788M
>
> We're on the order of 4.7 cents on the $100.

Interesting statistics. Seems like it's the same thing in Canada
http://www.rcmp.ca/scams/ccandpc_e.htm
Reported $227M in credit card fraud in 1999, dropped to $200M in 2003.

But these are still considerable numbers, and the thinking that Banks manage the risk and it's not worth them going over to smart card technology so they won't, which was mentioned in a few replies, I think no longer holds (probably because of the falling cost of the technology, so even if fraud $ is down as mentioned, ratio of fraud cost / cost of technology that is more secure still leads financial institutions to want to go to a more secure technology).

Europe already has EMV, and Canada plans to have an infrastructure (card readers) that support it by 2007. Probably U.S. will follow
http://www.atmmarketplace.com/news_story_23380.htm
http://www.atmmarketplace.com/news_story_22849.htm
http://www.kioskmarketplace.com/news_printable.htm?id=23380

And here, for example, is a quote from Visa Canada
http://www.visa.ca/en/about/mc_article.cfm?pid=2

"Visa Canada Member financial institutions will implement chip at their own pace. It is expected that within seven years, almost every Visa card in Canada will feature chip technology and most merchants will have the equipment to accept and fully benefit from these cards."

That was written in June 2003.

--Anton
Re: Why Blockbuster looks at your ID.
Jerrold Leichter wrote:
> | Credit card fraud has gone *down* since 1992, and is actually falling:
> |
> | 1992: $2.6B
> | 2003: $882M
> | 2004: $788M
> |
> | We're on the order of 4.7 cents on the $100.
> |
> | http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm
> |
> The article also mentions that the loss rate for 1992 was 15.7 cents per $100. Something doesn't add up. Combining the dollar values above with the loss rate per $100, I calculate that the total charges handled in 1992 was about $165 billion - which seems a bit low, but reasonable. However, the corresponding calculation for 2004 shows a total charges of about $16 billion, which is clearly nonsense.
>
> I don't actually see the $2.6B figure anywhere in the article. Where did it come from?

I did the math. 15.7 / 4.7 ~= 3.34. 3.34 * $778M = $2.6B.

There's a problem here, but I'll get to it in a sec.

Hmm...let's verify the rest of this:

4.7 cents per 100 is 0.047 dollars per 100 dollars is 0.00047 dollars per dollar.

x * 0.00047 = $778M
x = $778M / 0.00047
x = 1655319M = 1.65T

Looking at Federal Reserve data ( http://www.federalreserve.gov/releases/g19/Current/g19.htm ), there was about $2T in overall consumer credit. I can envision the vast majority, but not all of this being on plastic. So, $1.65T works.

If you try to repeat this for 1992, though, you'll find an interesting bug...total transactions in 1992 were also about 1.65T. Gee, it's almost like I assumed credit card usage rates were constant over the 12 year period...oops :) But then there's inflation, which alters dollar figures substantially. So oops in the other direction.

The fundamental point stands, though...credit fraud has been managed surprisingly well (though some people have said fraud is understated by ~~200%).

--Dan
Re: EMV [was: Re: Why Blockbuster looks at your ID.]
On Fri, Jul 08, 2005 at 03:48:30PM -0400, [EMAIL PROTECTED] wrote:
>> We're on the order of 4.7 cents on the $100.
>
> Interesting statistics. Seems like it's the same thing in Canada
> http://www.rcmp.ca/scams/ccandpc_e.htm
> Reported $227M in credit card fraud in 1999, dropped to $200M in 2003.

Whose losses do these numbers measure?
- Issuer Bank?
- Merchant?
- Consumer?
- Total?

--
 /\ ASCII RIBBON                    NOTICE: If received in error,
 \ / CAMPAIGN      Victor Duchovni  please destroy and notify
  X AGAINST        IT Security,     sender. Sender does not waive
 / \ HTML MAIL     Morgan Stanley   confidentiality or privilege,
                                    and use is prohibited.
Re: Why Blockbuster looks at your ID.
In message [EMAIL PROTECTED], John Levine writes:
>> Why does the clerk at Blockbuster want to see your driver's license? Because his management has been told, by their bank, that if they do not attempt to verify the identity of credit card users they will risk their business relationship with the bank.
>
> It's been my impression that the way you're supposed to verify the ID of a credit card user is by checking the signature. I've heard of banks telling businesses not to demand separate ID. On the other hand, I can easily believe that Blockbuster came up with the ID idea all by themselves.

I very rarely rent from Blockbuster, so I may have the details wrong; I can state for sure how things work at the local video store I usually patronize.

When I signed up with them, I supplied a credit card number; they retained that for contingency charges if I fail to return a video. (Odd -- my local library doesn't do that. But I digress.) In return, they handed me an account-linked credential -- exactly the sort of thing that is often advocated on this list.

From my perspective, the form factor of the credential wasn't ideal; it was one of those key ring-sized cards, and I soon lost it, probably during a wallet upgrade. No problem -- they're happy to fall back to the secondary authentication system, to wit my drivers' license. I show that to get access to the account, independent of how I actually pay for the rental. In other words, they are not using my license to authenticate my credit card.

(I would add that the fees are low enough that I almost always pay in cash; I have no idea if they even have the ability to use the stored credit card for rental fees if I don't present the card separately. Hmm -- the account is old enough that the expiration date on my credit card has long since expired. They've never asked me for an update. Maybe they're using a reputation system?)

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
RE: Why Blockbuster looks at your ID.
> I was in England last week where I noticed that the banks are switching all UK credit cards to chip+pin technology. We'll see.
>
> For that matter, French cards have all been chip+pin for years. Any idea what their fraud rates are like? The French card machines will do magstripe with a signature, but it's mostly us foreigners who need it.

Below is a link to an interesting site discussing the chip and PIN technology and its introduction in the UK (the article Chip and Spin also addresses the French experience):
http://www.chipandspin.co.uk/

Carlos
Re: EMV [was: Re: Why Blockbuster looks at your ID.]
--- [EMAIL PROTECTED] wrote:
> [decline in credit card fraud]
> Interesting statistics.
> [...]
> But these are still considerable numbers, [...]

I totally agree. And I would just like to make a quick point: the credit card companies (especially Visa/Mastercard) have been very aggressive in fraud prevention in the last ten years. And I don't mean algorithms that detect unusual activity and flag a card, thereby prompting your bank to call and verify that the charges are good. They've been doing that for years, if not decades.

No, I mean literally detective work -- tracking people down, having their sites closed and bank accounts frozen and actually pushing to have people prosecuted. They have been quite active, trying to recruit people in the law enforcement community and offering handsome salaries.

The whole thing works based on the premise that there are a lot of small-time gangsters at any given time but only a few big fish. And if you can increase the cost of doing business (either in terms of making credit fraud more expensive or in terms of increasing the likelihood to get caught) you can basically justify the expense of running a big anti-fraud unit.

But, in a way, that's only dealing with the symptoms, whilst at the same time ignoring the root cause of the problem. You're only making it less attractive to commit credit card fraud. You are, however, not making it harder. That's why I believe the credit cards companies will indeed have a good, long look at smartcards. Probably not tomorrow or next week but in the near future.

-Jörn
Re: Why Blockbuster looks at your ID.
> 1992: $2.6B
> 2003: $882M
> 2004: $788M
>
> We're on the order of 4.7 cents on the $100.

I consulted an oracle at a major third party processor. He said the number is more like 64-67 basis points, that you have to be very precise about your definitions, i.e., very precise about what goes in the numerator and what goes in the denominator. For example, if a dishonored transaction is the merchant's fault and the merchant has to foot the bill then the card association has not had a fraud loss.

I doubt it is actually germane to this list, but I can go back to said oracle if requested.

BTW, if you ever have the opportunity to hear Frank Abagnale's discussion of check forgery by all means do so.

--dan
Re: Why Blockbuster looks at your ID.
Perry E. Metzger wrote:
> A system in which the credit card was replaced by a small, calculator style token with a smartcard style connector could effectively eliminate most of the in person and over the net fraud we experience, and thus get rid of large costs in the system and get rid of the need for every Tom, Dick and Harry to see your drivers license when you make a purchase. It would both improve personal privacy and help the economy by massively reducing transaction costs.

I agree that it might well reduce costs and fraud - but how will it improve privacy? Your name is already on the card ... and the issuer will still have a list of your transactions.

Not having to show ID may save annoyance, but it doesn't significantly improve privacy.

--
Peter Fairbrother
Re: Why Blockbuster looks at your ID.
Jerrold Leichter wrote:

There have been a couple of articles in RISKS recently about the fairly recent use of a two-factor system for bank cards in England. There are already significant hacks - yes ... and the banks managed to get the law changed so that, with this guaranteed to be secure new system, the liability is pushed back onto the customer.

I'm not too sure what you mean. In the UK the merchant is not usually liable for card-present fraud. There has been / is about to be a change to the liability of the merchant, usually to the effect that if a fraud is successful because the merchant hasn't installed PIN equipment then they will be liable. A few banks are making merchants liable for all fraud if PIN equipment has not been installed.

EMV said the change would begin on 1st Jan, but the banks haven't all implemented it yet. Many did so on 1st July.

The change occurs in the contract between the acquiring banks and the merchants, not the law; the legality of the change is questionable, but as it is basically just a way to encourage retailers to install PIN equipment it has not been challenged afaik.

There is no change in the merchant's liability if he has installed Chip n' PIN equipment - the tales circulating of all merchants becoming liable for all frauds are simply not true.

There will also be a change in the way fraud claims are dealt with, to the almost certain disadvantage of the cardholder, as there is no physical signature to contest and at least in the first instance the issuers determine the facts.

However I am not aware of any changes to the law. There was a very recent Banking Ombudsman case where the cardholder had been grossly negligent about her PIN security, but her liability was still limited to £50 (which is a statutory limit and applies to credit cards, but not to debit cards - although it is in practice applied to them too). Usually the £50 limit is not charged by the issuing bank.

However the customer eventually pays for fraud anyway, in the form of higher prices, so the issuer - merchant liability split is not of immediate relevance to the customer. It should be tilted firmly against the banks IMO though, as they are responsible for the system, not the merchants, who have no say, as EMV + AmEx is an effective monopoly.

BTW, one of my banks recently sent me a leaflet which said Chip n' PIN was going to be introduced worldwide. Anyone know more about that?

--
Peter Fairbrother
Re: Why Blockbuster looks at your ID.
Peter Fairbrother [EMAIL PROTECTED] writes:
> Perry E. Metzger wrote:
>> A system in which the credit card was replaced by a small, calculator style token with a smartcard style connector could effectively eliminate most of the in person and over the net fraud we experience, and thus get rid of large costs in the system and get rid of the need for every Tom, Dick and Harry to see your drivers license when you make a purchase. It would both improve personal privacy and help the economy by massively reducing transaction costs.
>
> I agree that it might well reduce costs and fraud - but how will it improve privacy? Your name is already on the card ... and the issuer will still have a list of your transactions.
>
> Not having to show ID may save annoyance, but it doesn't significantly improve privacy.

If you have a sufficiently good token, you may no longer need to have identification information presented to the merchant, even by the token, to reduce misuse.

It is true that the issuer will still know what transactions took place. However, you have at least reduced the number of entities that require proof of your identity and the number that have logs of your activity.

Perry
Re: Why Blockbuster looks at your ID.
On Sun, Jul 10, 2005 at 12:13:42AM +0100, Peter Fairbrother wrote:
| Perry E. Metzger wrote:
|
| A system in which the credit card was replaced by a small, calculator
| style token with a smartcard style connector could effectively
| eliminate most of the in person and over the net fraud we experience,
| and thus get rid of large costs in the system and get rid of the need
| for every Tom, Dick and Harry to see your drivers license when you
| make a purchase. It would both improve personal privacy and help the
| economy by massively reducing transaction costs.
|
| I agree that it might well reduce costs and fraud - but how will it improve
| privacy? Your name is already on the card ... and the issuer will still have
| a list of your transactions.
|
| Not having to show ID may save annoyance, but it doesn't significantly
| improve privacy.

Most credit card issuers will happily give you extra cards, so your friends can spend your money. In whatever name you want. If you need to show ID, this can become, umm, complicated.
Re: Why Blockbuster looks at your ID.
I think you're wrong on that one. Financial cost and benefit are easily assessed on this, and I think the numbers add up. Credit card fraud costs in the hundreds of billions of dollars a year, much of which could be eliminated by a change to the sort of system I mention. That's not a small amount of money. Indeed, it is more than enough incentive for a major change.

Credit card fraud has gone *down* since 1992, and is actually falling:

1992: $2.6B
2003: $882M
2004: $788M

We're on the order of 4.7 cents on the $100.

http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm

If it's any consolation, I was rather surprised myself.

--Dan
Re: Why Blockbuster looks at your ID.
Dan Kaminsky [EMAIL PROTECTED] writes:

Credit card fraud has gone *down* since 1992, and is actually falling:

1992: $2.6B
2003: $882M
2004: $788M

We're on the order of 4.7 cents on the $100.

http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm

If it's any consolation, I was rather surprised myself.

I seem to have gotten that one drastically wrong. Thanks for the more accurate figures.

A back of the envelope calculation makes me think that it is still more than enough money to provide a good incentive for a change in systems, though, especially when the cost of the anti-fraud measures needed at every part of the system are taken into account.

Perry
Re: Why Blockbuster looks at your ID.
On Fri, Jul 08, 2005 at 12:19:38PM -0400, Perry E. Metzger wrote:

[...]

Actually, the people who would have to pay the investment -- the banks and merchants -- have an excellent incentive. The loss because of fraud is stunningly large. The real issue is that *consumers* have little incentive to cooperate with such a system, because thanks to the regulations, they suffer virtually no losses if their accounts are hijacked.

As I understand it, the merchants bear the entire cost of fraud - the banks bear almost none - and thus the consumers end up paying for it indirectly through higher prices. The merchants, however, have very little control over the infrastructure, which is provided by the banks, who have little incentive to actually control fraud because they would bear all of the costs of such, and none of the risk is theirs.

So the assertion is that consumers and banks have little incentive to cooperate with such a system, but (some of***) the merchants REALLY WANT it. However, the system is useless if the consumers don't have it, and the banks have no incentive to give something to consumers that's better, because it would cost them money and save them money that they can currently simply charge the merchants for (fraud).

*** The merchants can be divided into two groups - most of them who have not been bitten by fraud and will continue to try to pay as little as possible for credit processing services regardless of the risk because every little bit eats more into their profit, and those who have been bitten by fraud, understand the risks, and will go for paying for a service that frees them from additional liability.

Consumers, on the other hand, still have limited incentive to participate. I'd suspect the NewBanks(TM) would simply have to lure them with lower interest rates, which they'd find hard to do because it would cut into their profits, making it difficult to pay for all of the additional infrastructure they'd need to build.

The system is, of course, pretty much worthless if it's not in the hands of the vast majority of consumers.

As I said, any sea change like this has to either replace the traditional credit granting/honoring agencies, or take away enough of their business that they have no choice but to go along with it. Assuming that they don't use their considerable existing wealth and influence to simply make the new products illegal from the get go.

--
- Adam

** I can fix your database problems: http://www.everylastounce.com/mysql.html **

Blog: [ http://www.aquick.org/blog ]
Links: [ http://del.icio.us/fields ]
Photos: [ http://www.aquick.org/photoblog ]
Experience: [ http://www.adamfields.com/resume.html ]
Product Reviews: [ http://www.buyadam.com/blog ]