[IP] For Credit Cards, Do As I Say, Not As I Do
Begin forwarded message:
From: Ed Gerck <egerck@xxxxxxx>
Date: July 15, 2005 4:58:23 PM EDT
To: Dave Farber <dave@xxxxxxxxxx>
Subject: For Credit Cards, Do As I Say, Not As I Do
[Dave, for IP as you see fit]
"CardSystems Exposes 40 Million Identities" as a harbinger? Now that
we know more about the facts in this recent case, expect more to come.
Yes, public opinion and credit card companies can and will force
companies that process credit card data to increase their security.
However, how about the "acceptable risk" concept that underlies the
very security procedures of credit card companies themselves and
pervades their relationships with their parties? Do As I Say, Not As
I Do?
The dirty little secret of the credit card industry is that they are
very happy with 10% of credit card fraud, over the Internet or not.
In fact, if they would reduce fraud to _zero_ today, their revenue
would decrease as well as their profits. So, there is really no
incentive to reduce fraud. On the contrary, keeping the status quo is
just fine.
This is so because of insurance -- up to a certain level, which is
well within the operational boundaries of course, a fraudulent
transaction does not go unpaid through VISA, American Express or
Mastercard servers. The transaction is fully paid, with its
insurance cost paid by the merchant and, ultimately, by the customer.
"Acceptable risk" has been for a long time an euphemism for that
business model that shifts the burden of fraud to the customer.
Thus, the credit card industry has successfully turned fraud into a
sale. This is the same attitude reported to me by a car manufacturer
representative when I was talking to him about simple techniques to
reduce car theft -- to which he said: "A car stolen is a car sold."
In fact, a car stolen will need replacement that will be provided by
insurance or by the customer working again to buy another car. While
the stolen car continues to generate revenue for the manufacturer in
service and parts.
Whenever we see continued fraud, we should be certain: the defrauded
is profiting from it. Because no company will accept a continued
loss without doing anything to reduce it. Arguments such as "we don't
want to reduce the fraud level because it would cost more to reduce
the fraud than the fraud costs" are just a marketing way to say that
a fraud has become a sale.
Because fraud is an hemorrhage that adds up, while efforts to fix it
-- if done correctly -- are mostly an up front cost that is incurred
only once. So, to accept fraud debits is to accept that there is
also a credit that continuously compensates the debit. Which credit
ultimately flows from the customer -- just like in car theft.
What is to blame? Not only the twisted ethics behind this attitude
but also that traditional security school of thought which focus on
risk, surveillance and insurance as the solution to security problems.
There is no consideration of what trust really would mean in terms of
bits and machines[*], no consideration that the insurance model of
security cannot scale in Internet volumes and cannot even be
ethically justifiable.
"A fraud is a sale" is the only outcome possible from using such
security school of thought. Also sometimes referred to as
"acceptable risk" -- acceptable indeed, because it is paid for.
Regards,
Ed Gerck
[*] Unless the concept of trust in communication systems
is defined in terms of bits and machines, while also making
sense for humans, it really cannot be applied to e-commerce.
And there are some who use trust as a synonym for authorization.
This may work in a network, where a trusted user is a user
authorized by management to use some resources. But it does
not work across trust boundaries, or in the Internet, with no
common reporting point possible.
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/