[IP] more on For Credit Cards, Do As I Say, Not As I Do
Begin forwarded message:
From: Dana Blankenhorn <danablankenhorn@xxxxxxxxxxxxxx>
Date: July 15, 2005 8:40:42 PM EDT
To: dave@xxxxxxxxxx
Subject: Re: [IP] For Credit Cards, Do As I Say, Not As I Do
Reply-To: Dana Blankenhorn <dana@xxxxxxxxxx>
I wrote this a few weeks ago, but it's relevant to the point.
http://www.corante.com/mooreslore/archives/2005/06/28/identity_theft_turning_point.php
Identity Theft Turning Point?
Posted by Dana Blankenhorn
The recent theft of 40 million card numbers at CardSystems Solutions
is a turning point in the identity theft wars.
Previous thefts involved third parties, insiders or numbers left in
bins, things that are easily fixed.
The CardSystems case stands out, first, because it happened at an
actual processor and second, because it involved the use of a
computer worm.
My wife works at a payment processor in Atlanta (most processors, for
some reason, including CardSystems, are based here) that has (knock
on wood) not been hit (yet).
But there is a very frightening trend in this industry that you
should be aware of. (No, that's not her picture (thanks for asking),
just an anime called Saint Seiya Atena our daughter may recognize.
She does have long hair, but we're obscuring her identity this time
for security reasons.)
Processing, once the province of obscure mainframes with proprietary
operating systems running on X.25 networks unconnected to the "real"
world, is moving into the computing mainstream. This means whole
databases are being exposed to the public Internet, and that the
underlying processing technology is becoming understandable by more
and more thieves.
When the LOML (Love Of My Life) first began her job she worked in a
version of assembly language. She actually wore out an octal
calculator. Later, she moved to a more highly-advanced language,
Cobol. Her next move will be to learn the same language you may use
at home. (Nope, not gonna tell you. In this item I'm not even
mentioning her employer's name.)
It's the presumed next step by crooks that is really frightening, a
massive credit theft that uses no meat space at all. Numbers and PINs
could be stolen, and used, entirely within cyberspace, and even
detecting the crime will be difficult, probably happening only after
victims receive their statements. And the criminals may never have to
leave Russia (or wherever, but there are known cyber-criminal gangs
in Russia) to do it.
Since my saintly wife (hence the use of the picture above) took her
present job, over 20 years ago, I have watched the security at her
place of business slowly improve. I have seen fences go up, guards
check each ID, and shredders become a fixation. While she does bring
a PC home with her, nothing on it would likely be of benefit to a
thief and all her sessions with real systems are carefully logged so
they can be checked.
But as the exposure of our processing networks to the public net
continues to increase, and as crooks become more familiar with actual
processing software, the risk continues to rise, and it's only a
matter of time before someone gets hit very, very hard indeed.
Dana Blankenhorn danablankenhorn@xxxxxxxxxxxxxx
Mooreslore Blog http://www.corante.com/mooreslore/
ZDNet OpenSource http://blogs.zdnet.com/open-source/index.php
A-Clue.Com http://www.a-clue.com dana@xxxxxxxxxx
----- Original Message ----- From: "David Farber" <dave@xxxxxxxxxx>
To: "Ip ip" <ip@xxxxxxxxxxxxxx>
Sent: Friday, July 15, 2005 7:57 PM
Subject: [IP] For Credit Cards, Do As I Say, Not As I Do
Begin forwarded message:
From: Ed Gerck <egerck@xxxxxxx>
Date: July 15, 2005 4:58:23 PM EDT
To: Dave Farber <dave@xxxxxxxxxx>
Subject: For Credit Cards, Do As I Say, Not As I Do
[Dave, for IP as you see fit]
"CardSystems Exposes 40 Million Identities" as a harbinger? Now
that we know more about the facts in this recent case, expect more
to come.
Yes, public opinion and credit card companies can and will force
companies that process credit card data to increase their security.
However, how about the "acceptable risk" concept that underlies
the very security procedures of credit card companies themselves
and pervades their relationships with their parties? Do As I Say,
Not As I Do?
The dirty little secret of the credit card industry is that they
are very happy with 10% of credit card fraud, over the Internet or
not.
In fact, if they would reduce fraud to _zero_ today, their revenue
would decrease as well as their profits. So, there is really no
incentive to reduce fraud. On the contrary, keeping the status quo
is just fine.
This is so because of insurance -- up to a certain level, which is
well within the operational boundaries of course, a fraudulent
transaction does not go unpaid through VISA, American Express or
Mastercard servers. The transaction is fully paid, with its
insurance cost paid by the merchant and, ultimately, by the customer.
"Acceptable risk" has for a long time been a euphemism for that
business model that shifts the burden of fraud to the customer.
Thus, the credit card industry has successfully turned fraud into
a sale. This is the same attitude reported to me by a car
manufacturer representative when I was talking to him about simple
techniques to reduce car theft -- to which he said: "A car stolen
is a car sold." In fact, a car stolen will need replacement that
will be provided by insurance or by the customer working again to
buy another car. While the stolen car continues to generate
revenue for the manufacturer in service and parts.
Whenever we see continued fraud, we should be certain: the
defrauded is profiting from it. Because no company will accept a
continued loss without doing anything to reduce it. Arguments
such as "we don't want to reduce the fraud level because it would
cost more to reduce the fraud than the fraud costs" are just a
marketing way to say that a fraud has become a sale.
Because fraud is a hemorrhage that adds up, while efforts to fix
it -- if done correctly -- are mostly an up-front cost that is
incurred only once. So, to accept fraud debits is to accept that
there is also a credit that continuously compensates the debit.
Which credit ultimately flows from the customer -- just like in
car theft.
What is to blame? Not only the twisted ethics behind this attitude
but also that traditional security school of thought which focuses
on risk, surveillance and insurance as the solution to security
problems.
There is no consideration of what trust really would mean in terms
of bits and machines[*], no consideration that the insurance model
of security cannot scale in Internet volumes and cannot even be
ethically justifiable.
"A fraud is a sale" is the only outcome possible from using such a
security school of thought. Also sometimes referred to as
"acceptable risk" -- acceptable indeed, because it is paid for.
Regards,
Ed Gerck
[*] Unless the concept of trust in communication systems
is defined in terms of bits and machines, while also making
sense for humans, it really cannot be applied to e-commerce.
And there are some who use trust as a synonym for authorization.
This may work in a network, where a trusted user is a user
authorized by management to use some resources. But it does
not work across trust boundaries, or in the Internet, with no
common reporting point possible.
-------------------------------------
You are subscribed as danablankenhorn@xxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/