For Credit Cards, Do As I Say, Not As I Do

[David Farber <dave () farber net>]

Begin forwarded message:

From: Ed Gerck <egerck () nma com>
Date: July 15, 2005 4:58:23 PM EDT
To: Dave Farber <dave () farber net>
Subject: For Credit Cards, Do As I Say, Not As I Do


[Dave, for IP as you see fit]

"CardSystems Exposes 40 Million Identities" as a harbinger? Now that  
we know more about the facts in this recent case, expect more to come.

Yes, public opinion and credit card companies can and will force  
companies that process credit card data to increase their security.   
However, how about the "acceptable risk" concept that underlies the  
very security procedures of credit card companies themselves and  
pervades their relationships with their parties? Do As I Say, Not As  
I Do?

The dirty little secret of the credit card industry is that they are  
very happy with 10% of credit card fraud, over the Internet or not.

In fact, if they would reduce fraud to _zero_ today, their revenue  
would decrease as well as their profits. So, there is really no  
incentive to reduce fraud. On the contrary, keeping the status quo is  
just fine.

This is so because of insurance -- up to a certain level, which is  
well  within the operational boundaries of course, a fraudulent  
transaction does not go unpaid through VISA, American Express or  
Mastercard servers.  The transaction is fully paid, with its  
insurance cost paid by the merchant and, ultimately, by the customer.

"Acceptable risk" has been for a long time an euphemism for that  
business model that shifts the burden of fraud to the customer.

Thus, the credit card industry has successfully turned fraud into a  
sale.  This is the same attitude reported to me by a car manufacturer  
representative when I was talking to him about simple techniques to  
reduce car theft -- to which he said: "A car stolen is a car sold."  
In fact, a car stolen will need replacement that will be provided by  
insurance or by the customer working again to buy another car.  While  
the stolen car continues to generate revenue for the manufacturer in  
service and parts.

Whenever we see continued fraud, we should be certain: the defrauded  
is profiting from it.  Because no company will accept a continued   
loss without doing anything to reduce it. Arguments such as "we don't  
want to reduce the fraud level because it would cost more to reduce  
the fraud than the fraud costs" are just a marketing way to say that  
a fraud has become a sale.

Because fraud is an hemorrhage that adds up, while efforts to fix it  
-- if done correctly -- are mostly an up front cost that is incurred  
only once.  So, to accept fraud debits is to accept that there is  
also a credit that continuously compensates the debit. Which credit  
ultimately flows from the customer -- just like in car theft.

What is to blame? Not only the twisted ethics behind this attitude  
but also that traditional security school of thought which focus on  
risk, surveillance and insurance as the solution to security problems.

There is no consideration of what trust really would mean in terms of  
bits and machines[*], no  consideration that the insurance model of  
security cannot scale in Internet volumes and cannot even be  
ethically justifiable.

"A fraud is a sale" is the only outcome possible from using such  
security school of thought.  Also sometimes referred to as  
"acceptable risk" -- acceptable indeed, because it is paid for.

Regards,
Ed Gerck

[*] Unless the concept of trust in communication systems
is defined in terms of bits and machines, while also making
sense for humans, it really cannot be applied to e-commerce.
And there are some who use trust as a synonym for authorization.
This may work in a network, where a trusted user is a user
authorized by management to use some resources. But it does
not work across trust boundaries, or in the Internet, with no
common reporting point possible.




-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/