Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

more on For Credit Cards, Do As I Say, Not As I Do

From: David Farber <dave () farber net>
Date: Sat, 16 Jul 2005 08:02:06 -0400


Begin forwarded message:

From: Dana Blankenhorn <danablankenhorn () mindspring com>
Date: July 15, 2005 8:40:42 PM EDT
To: dave () farber net
Subject: Re: [IP] For Credit Cards, Do As I Say, Not As I Do
Reply-To: Dana Blankenhorn <dana () a-clue com>


I wrote this a few weeks ago, but it's relevant to the point.
http://www.corante.com/mooreslore/archives/2005/06/28/ identity_theft_turning_point.php 


dentity Theft Turning Point?
Posted by Dana Blankenhorn
The recent theft of 40 million card numbers at CardSystem Solutions is a turning point in the identity theft wars.
Previous thefts involved third parties, insiders or numbers left in bins, things that are easily fixed.
The CardSystems case stands out, first, because it happened at an actual processor and second, because it involved the use of a computer worm.
My wife works at a payment processor in Atlanta (most processors, for some reason, including CardSystems, are based here) that has (knock on wood) not been hit (yet).
But there is a very frightening trend in this industry that you should be aware of. (No, that's not her picture (thanks for asking), just an anime called Saint Seiya Atena our daughter may recognize. She does have long hair, but we're obscuring her identity this time for security reasons.)
Processing, once the province of obscure mainframes with proprietary operating systems running on X.25 networks unconnected to the "real" world, is moving into the computing mainstream. This means whole databases are being exposed to the public Internet, and that the underlying processing technology is becoming understandable by more- and-more thieves.
When the LOML (Love Of My Life) first began her job she worked in a version of assembly language. She actually wore out an octal calculator. Later, she moved to a more highly-advanced language, Cobol. Her next move will be to learn the same language you may use at home. (Nope, not gonna tell you. In this item I'm not even mentioning her employer's name.)
It's the presumed next step by crooks that is really frightening, a massive credit theft that uses no meat space at all. Numbers and PINs could be stolen, and used, entirely within cyberspace, and even detecting the crime will be difficult, probably happening only after victims receive their statements. And the criminals may never have to leave Russia (or wherever, but there are known cyber-criminal gangs in Russia) to do it.
Since my saintly wife (hence the use of the picture above) took her present job, over 20 years ago, I have watched the security at her place of business slowly improve. I have seen fences go up, guards check each ID, and shredders become a fixation. While she does bring a PC home with her, nothing on it would likely be of benefit to a thief and all her sessions with real systems are carefully logged so they can be checked.
But as the exposure of our processing networks to the public net continues to increase, and as crooks become more familiar with actual processing software, the risk continues to rise, and it's only a matter of time before someone gets hit very, very hard indeed. 



Dana Blankenhorn   danablankenhorn () mindspring com
Mooreslore Blog    http://www.corante.com/mooreslore/
ZDNet OpenSource    http://blogs.zdnet.com/open-source/index.php
A-Clue.Com    http://www.a-clue.com dana () a-clue com


----- Original Message ----- From: "David Farber" <dave () farber net>
To: "Ip ip" <ip () v2 listbox com>
Sent: Friday, July 15, 2005 7:57 PM
Subject: [IP] For Credit Cards, Do As I Say, Not As I Do






Begin forwarded message:

From: Ed Gerck <egerck () nma com>
Date: July 15, 2005 4:58:23 PM EDT
To: Dave Farber <dave () farber net>
Subject: For Credit Cards, Do As I Say, Not As I Do


[Dave, for IP as you see fit]
"CardSystems Exposes 40 Million Identities" as a harbinger? Now that we know more about the facts in this recent case, expect more to come.
Yes, public opinion and credit card companies can and will force companies that process credit card data to increase their security. However, how about the "acceptable risk" concept that underlies the very security procedures of credit card companies themselves and pervades their relationships with their parties? Do As I Say, Not As I Do?
The dirty little secret of the credit card industry is that they are very happy with 10% of credit card fraud, over the Internet or not.
In fact, if they would reduce fraud to _zero_ today, their revenue would decrease as well as their profits. So, there is really no incentive to reduce fraud. On the contrary, keeping the status quo is just fine.
This is so because of insurance -- up to a certain level, which is well within the operational boundaries of course, a fraudulent transaction does not go unpaid through VISA, American Express or Mastercard servers. The transaction is fully paid, with its insurance cost paid by the merchant and, ultimately, by the customer.
"Acceptable risk" has been for a long time an euphemism for that business model that shifts the burden of fraud to the customer.
Thus, the credit card industry has successfully turned fraud into a sale. This is the same attitude reported to me by a car manufacturer representative when I was talking to him about simple techniques to reduce car theft -- to which he said: "A car stolen is a car sold." In fact, a car stolen will need replacement that will be provided by insurance or by the customer working again to buy another car. While the stolen car continues to generate revenue for the manufacturer in service and parts.
Whenever we see continued fraud, we should be certain: the defrauded is profiting from it. Because no company will accept a continued loss without doing anything to reduce it. Arguments such as "we don't want to reduce the fraud level because it would cost more to reduce the fraud than the fraud costs" are just a marketing way to say that a fraud has become a sale.
Because fraud is an hemorrhage that adds up, while efforts to fix it -- if done correctly -- are mostly an up front cost that is incurred only once. So, to accept fraud debits is to accept that there is also a credit that continuously compensates the debit. Which credit ultimately flows from the customer -- just like in car theft.
What is to blame? Not only the twisted ethics behind this attitude but also that traditional security school of thought which focus on risk, surveillance and insurance as the solution to security problems.
There is no consideration of what trust really would mean in terms of bits and machines[*], no consideration that the insurance model of security cannot scale in Internet volumes and cannot even be ethically justifiable.
"A fraud is a sale" is the only outcome possible from using such security school of thought. Also sometimes referred to as "acceptable risk" -- acceptable indeed, because it is paid for. 

Regards,
Ed Gerck

[*] Unless the concept of trust in communication systems
is defined in terms of bits and machines, while also making
sense for humans, it really cannot be applied to e-commerce.
And there are some who use trust as a synonym for authorization.
This may work in a network, where a trusted user is a user
authorized by management to use some resources. But it does
not work across trust boundaries, or in the Internet, with no
common reporting point possible.




-------------------------------------
You are subscribed as danablankenhorn () mindspring com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting- people/ 


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/
Previous By Date Next
Previous By Thread Next

Current thread: