Interesting People mailing list archives

IP: Electronic Commerce: The Future of Fraud from RISKS


From: Dave Farber <farber () cis upenn edu>
Date: Mon, 16 Nov 1998 15:39:23 -0500



Date: Fri, 13 Nov 1998 18:31:03 -0600 
From: Bruce Schneier <schneier () counterpane com> 
Subject: Electronic Commerce: The Future of Fraud

[This appeared in my November newsletter, CRYPTO-GRAM,
http://www.counterpane.com/crypto-gram.html,
but I thought it is of general enough interest to send it here.]

Electronic Commerce: The Future of Fraud

Fraud has been perpetrated against every commerce system man has ever
invented, from gold coin to stock certificates to paper checks to credit
cards. Electronic commerce systems will be no different; if that's where
the money is, that's where the crime will be. The threats are exactly the
same.

Most fraud against existing electronic commerce systems -- ATM machines,
electronic check systems, stored value tokens -- has been low tech. No
matter how bad the cryptographic and computer security safeguards, most
criminals bypass them entirely and focus on procedural problems, human
oversight, and old-fashioned physical theft. Why attack subtle information
security systems when you can just haul an ATM machine away in a truck?

This implies that new commerce systems don't have to be secure, but just
better than what exists. Don't outrun the bear, just outrun the people
you're with. Unfortunately, there are three features of electronic commerce
that are likely to make fraud more devastating.

One, the ease of automation. The same automation that makes electronic
commerce systems more efficient than paper systems also makes fraud more
efficient. A particular fraud that might have taken a criminal ten minutes
to execute on paper can be completed with a single keystroke, or
automatically while he sleeps. Low-value frauds, that fell below the radar
in paper systems, become dangerous in the electronic world. No one cares if
it is possible to counterfeit nickels. However, if a criminal can mint
electronic nickels, he might make a million dollars in a week. A
pickpocketing technique that works once in ten thousand tries would starve a
criminal on the streets, but he might get thirty successes a day on the net.

Two, the difficulty of isolating jurisdiction. The electronic world is a
world without geography. A criminal doesn't have to be physically near a
system he is defrauding; he can attack Citibank in New York from St.
Petersburg. He can jurisdiction shop, and launch his attacks from countries
with poor criminal laws, inadequate police forces, and lax extradition
treaties.

And three, the speed of propagation. News travels fast on the Internet.
Counterfeiting paper money takes skill, equipment, and organization. If one
or two or even a hundred people can do it, so what? It's a crime, but it
won't affect the money supply. But if someone figures out how to defraud an
electronic commerce system and posts a program on the Internet, a thousand
people could have it in an hour, a hundred thousand in a week. This could
easily bring down a currency. And only the first attacker needs skill;
everyone else can just use software. "Click here to drop the deutsche
mark."

Cryptography has the potential to make electronic commerce systems safer
than paper systems, but not in the ways most people think. Encryption and
digital signatures are important, but secure audit trails are even more
important. Systems based on long-term relationships, like credit cards and
checking accounts, are safer than anonymous systems like cash. But
identity theft is so easy that systems based solely on identity are doomed.

Preventing crime in electronic commerce is important, but more important is
to be able to detect it. We don't prevent crime in our society. We detect
crime after the fact, gather enough evidence to convince a neutral third
party of the criminal's guilt, and hope that the punishment provides a
back-channel of prevention. Electronic commerce systems should have the
same goals. They should be able to detect that fraud has taken place and
finger the guilty. And more important, they should be able to provide
irrefutable evidence that can convict the guilty in court.

Perfect solutions are not required -- there are hundreds of millions of
dollars lost to credit card fraud every year -- but systems that can be
broken completely are unacceptable. It's vital that attacks cannot be
automated and reproduced without skill. Traditionally, fraud-prevention has
been a game of catch-up. A commerce system is introduced, a particular type
of fraud is discovered, and the system is patched. Money is made harder to
counterfeit. Online credit card verification makes fraud harder. Checks
are printed on special paper that makes them harder to alter. These patches
reduce fraud for a while, until another attack is discovered. And the cycle
continues.

The electronic world moves too fast for this cycle. A serious flaw in an
electronic commerce system could bankrupt a company in days. Today's
systems must anticipate future attacks. Any successful electronic commerce
system is likely to remain in use for ten years or more. It must be able to
withstand the future: smarter attackers, more computational power, and
greater incentives to subvert a widespread system. There won't be time to
upgrade them in the field.

[Note: Why Cryptography is Harder Than it Looks appeared in RISKS-18.59,
and is also at http://www.counterpane.com/whycrypto.html ]

Security Pitfalls in Cryptography: http://www.counterpane.com/pitfalls.html

Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com

_____________________________________________________________________
David Farber         
The Alfred Fitler Moore Professor of Telecommunication Systems
University of Pennsylvania 
Home Page: http://www.cis.upenn.edu/~farber     

