Re: mother's maiden names...
I think in the UK check signatures are not verified below £30,000 (about US $53,000). I presume it is just economics ... cost of infrastructure to verify vs value of verifying given the fraud rate.

Adam

On Fri, Jul 15, 2005 at 01:42:08PM +0100, Ben Laurie wrote:
> My bank doesn't even bother to move them around, as I discovered when I had a chequebook stolen and cheques for large sums forged, and honoured. When I spoke to a person who had found the cheque in their store I asked "is it my signature?" (yes, I am sufficiently absent-minded that I might have written a large cheque and forgotten about it). Their response was that they didn't know and had no way to find out. In the end they faxed me a copy so I could check it myself.

---
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: EMV and Re: mother's maiden names...
Thanks for some private comments. What I posted is a short summary of a number of arguments. It's not an absolute position, or an exposé of the credit card industry. Rather, it's a wake-up call -- the time has come to really face the issues of information security seriously, without isolating them with insurance at the cost of the consumers.

Why? Because the insurance model will not scale as the Internet and ecommerce do. In other words, "CardSystems Exposes 40 Million Identities" is a harbinger. Now that we know more about the facts in this recent case, expect more to come unless we begin to improve our security paradigm.

Yes, public opinion and credit card companies can and will force companies that process credit card data to increase their security. However, as my comments show, how about the "acceptable risk" concept that turns fraud into sales? "Do As I Say, Not As I Do?"

By weakly fighting fraud, aren't we allowing fraud systems to become stronger and stronger, just like any biological threat? The parasites are also fighting for survival. We're allowing even email to be so degraded that fax and snail mail are now becoming attractive again.

Cheers,
Ed Gerck
Re: mother's maiden names...
Ian Brown [EMAIL PROTECTED] writes:
> Steven M. Bellovin wrote:
> > Cambridge Trust puts your picture on the back of your VISA card, for instance. They have for more than a decade, maybe even two.
> >
> > One New York bank -- long since absorbed into some megabank -- did the same thing about 30 years ago. They gave up -- it was expensive then, and may not have solved any real problems. (Possibly, it simply didn't fit their real purpose of attracting more customers.)
>
> They don't for example seem to reduce fraud -- shop staff don't compare the photo to the customer carefully enough: R. Kemp, N. Towell, G. Pike, "When seeing should not be believing: Photographs, credit cards and fraud", Applied Cognitive Psychology Vol 11(3) (1997) pp 211-222.

For those who haven't seen this study, it's an important read (it's also been re-published in a somewhat more accessible journal, perhaps it was CACM?). What they did was send students into a supermarket with card photos of either them, someone who looked vaguely like them, or someone who looked nothing like them. Both the FRR and FAR were found to be such that the photo IDs were more or less worthless for fraud prevention.

Some banks over here started to introduce photos on cards, but dropped the scheme based on this study and other research which showed that it wasn't worth it: the photos were too small to be useful, only customs/immigration staff and to a lesser extent police have any formal training in matching faces to images, and your typical minimum-wage checkout operator couldn't care less if the image matched or not; their incentive was to move shoppers through quickly, not to check IDs.

Peter.
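[Editor's added example; this is not code or text from any message in the thread.] Adam's remark that cheque signatures go unverified below a threshold because the cost of checking is weighed against the fraud rate, and Peter's point that a photo check with poor FAR and FRR is worthless, are two instances of the same decision model. The Python below makes that model explicit: given a fraud base rate, a per-check cost, and a check's FAR/FRR, it computes the transaction value above which checking pays off, and how often a rejection actually catches an impostor. Every figure in it (the 1-in-1000 fraud rate, the FAR of 0.5, the costs) is a constructed assumption chosen to illustrate the arithmetic, not a number from the thread or from the Kemp et al. study.

```python
"""Break-even model for a manual verification step (signature, photo, ID).

Editor's added example; it is not code from any message in this thread.
Every rate, cost and transaction value below is a constructed, illustrative
figure.  The thread supplies only the shape of the argument: a check costs
something each time it is performed, fraud has a base rate, and the check
itself has a false accept rate (FAR) and a false reject rate (FRR).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    far: float                # P(accept | impostor): fraud the check misses
    frr: float                # P(reject | genuine): good customers turned away
    cost_per_check: float     # staff time / infrastructure per item checked
    cost_false_reject: float  # cost of wrongly rejecting a genuine customer


def precision_of_rejection(fraud_rate: float, check: Check) -> float:
    """P(impostor | rejected).  With rare fraud and a non-trivial FRR, most
    rejections are genuine customers, so a clerk who 'catches' someone is
    usually wrong; this is the base-rate effect behind the photo-card result."""
    true_reject = 1.0 - check.far               # P(reject | impostor)
    p_reject = fraud_rate * true_reject + (1.0 - fraud_rate) * check.frr
    return fraud_rate * true_reject / p_reject if p_reject > 0 else 0.0


def expected_loss_without_check(fraud_rate: float, value: float) -> float:
    """Per-item expected loss if the item is simply honoured."""
    return fraud_rate * value


def expected_cost_with_check(fraud_rate: float, value: float, check: Check) -> float:
    """Per-item expected cost if the check is applied: fraud that still gets
    through (FAR), the cost of the check itself, and genuine customers
    wrongly rejected (FRR)."""
    residual_fraud = fraud_rate * check.far * value
    false_rejects = (1.0 - fraud_rate) * check.frr * check.cost_false_reject
    return residual_fraud + check.cost_per_check + false_rejects


def break_even_value(fraud_rate: float, check: Check) -> float:
    """Transaction value above which checking is cheaper than not checking.

    Setting the two expected costs equal and solving for value gives
        value = (cost_per_check + false_reject_cost) / (fraud_rate * (1 - FAR))
    which is the kind of threshold behind a 'no verification below X' rule.
    """
    false_reject_cost = (1.0 - fraud_rate) * check.frr * check.cost_false_reject
    fraud_prevented = fraud_rate * (1.0 - check.far)   # fraction of value saved
    if fraud_prevented <= 0.0:
        return float("inf")                            # a useless check never pays
    return (check.cost_per_check + false_reject_cost) / fraud_prevented


def should_check(fraud_rate: float, value: float, check: Check) -> bool:
    """Decision for one item of the given value."""
    with_check = expected_cost_with_check(fraud_rate, value, check)
    return with_check < expected_loss_without_check(fraud_rate, value)


# Constructed figures (assumptions, not from the thread): one forged item per
# thousand, a clerk's glance that misses half of impostors and turns away 5%
# of genuine customers, 2 currency units of staff time per check, and 20 units
# of goodwill lost per wrongly rejected customer.
SIGNATURE_GLANCE = Check(far=0.5, frr=0.05, cost_per_check=2.0, cost_false_reject=20.0)
FRAUD_RATE = 0.001

if __name__ == "__main__":
    threshold = break_even_value(FRAUD_RATE, SIGNATURE_GLANCE)
    print(f"check pays off above a value of {threshold:,.0f}")
    for value in (1_000, 10_000):
        verdict = "check" if should_check(FRAUD_RATE, value, SIGNATURE_GLANCE) else "honour unchecked"
        print(value, verdict)
    print(f"P(impostor | rejected) = {precision_of_rejection(FRAUD_RATE, SIGNATURE_GLANCE):.3f}")
```

Run as a script it prints the break-even value for the constructed figures. Two things fall out of the model that the thread states only in words: a glance-level check (FAR 0.5) only pays for itself on large items, which is why a bank would set a value threshold rather than check everything, and at a 0.1% base rate roughly 99% of the rejections such a check produces would be genuine customers, so the people doing the checking mostly see it cause friction rather than catch anyone.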
Re: mother's maiden names...
Peter Gutmann wrote:
> Perry E. Metzger [EMAIL PROTECTED] writes:
> > Why is it, then, that banks are not taking digital photographs of customers when they open their accounts so that the manager's computer can pop up a picture for him, which the bank has had in possession the entire time and which I could not have forged?
>
> I don't know about photos specifically, but I know that signature imprints are often still moved around by laborious manual means because the background infrastructure to handle images doesn't exist.

My bank doesn't even bother to move them around, as I discovered when I had a chequebook stolen and cheques for large sums forged, and honoured. When I spoke to a person who had found the cheque in their store I asked "is it my signature?" (yes, I am sufficiently absent-minded that I might have written a large cheque and forgotten about it). Their response was that they didn't know and had no way to find out. In the end they faxed me a copy so I could check it myself.

Cheers,

Ben.

--
ApacheCon Europe http://www.apachecon.com/
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: EMV and Re: mother's maiden names...
Well, the "acceptable risk" concept that appears in these two threads has been for a long time a euphemism for that business model that shifts the burden of fraud to the customer.

The dirty little secret of the credit card industry is that they are very happy with 10% of credit card fraud, over the Internet or not. In fact, if they would reduce fraud to _zero_ today, their revenue would decrease as well as their profits. So, there is really no incentive to reduce fraud. On the contrary, keeping the status quo is just fine.

This is so because of insurance -- up to a certain level, which is well within the operational boundaries of course, a fraudulent transaction does not go unpaid through VISA, American Express or Mastercard servers. The transaction is fully paid, with its insurance cost paid by the merchant and, ultimately, by the customer. Thus, the credit card industry has successfully turned fraud into a sale.

This is the same attitude reported to me by a car manufacturer representative when I was talking to him about simple techniques to reduce car theft -- to which he said: "A car stolen is a car sold." In fact, a car stolen will need replacement that will be provided by insurance or by the customer working again to buy another car. While the stolen car continues to generate revenue for the manufacturer in service and parts.

Whenever we see continued fraud, we should be certain: the defrauded is profiting from it. Because no company will accept a continued loss without doing anything to reduce it. Arguments such as "we don't want to reduce the fraud level because it would cost more to reduce the fraud than the fraud costs" are just a marketing way to say that a fraud has become a sale. Because fraud is a hemorrhage that adds up, while efforts to fix it -- if done correctly -- are mostly an up-front cost that is incurred only once. So, to accept fraud debits is to accept that there is also a credit that continuously compensates the debit. Which credit ultimately flows from the customer -- just like in car theft.

What is to blame? Not only the twisted ethics behind this attitude but also that traditional security school of thought which focuses on risk, surveillance and insurance as the solution to security problems. There is no consideration of what trust really would mean in terms of bits and machines[*], no consideration that the insurance model of security cannot scale in Internet volumes and cannot even be ethically justifiable. "A fraud is a sale" is the only outcome possible from using such security school of thought. Also sometimes referred to as "acceptable risk" -- acceptable indeed, because it is paid for.

Cheers,
Ed Gerck

[*] Unless the concept of trust in communication systems is defined in terms of bits and machines, while also making sense for humans, it really cannot be applied to e-commerce. And there are some who use trust as a synonym for authorization. This may work in a network, where a trusted user is a user authorized by management to use some resources. But it does not work across trust boundaries, or in the Internet, with no common reporting point possible.
Re: mother's maiden names...
In message [EMAIL PROTECTED], R.A. Hettinga writes:
> At 12:26 PM -0400 7/13/05, Perry E. Metzger wrote:
> > Why do banks not collect simple biometric information like photographs of their customers yet?
>
> Some do. Cambridge Trust puts your picture on the back of your VISA card, for instance. They have for more than a decade, maybe even two.

One New York bank -- long since absorbed into some megabank -- did the same thing about 30 years ago. They gave up -- it was expensive then, and may not have solved any real problems. (Possibly, it simply didn't fit their real purpose of attracting more customers.)

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: mother's maiden names...
On Wednesday 13 July 2005 18:29, Mike Owen wrote:
> Back in 2000, I opened an account with BofA, and they took a photo of me, and added it to my debit/check card. Around that same time, American Express was doing the same with their Costco branded cards. I'm sure others are doing it, those are just the ones I have experience with.

FYI, that's a feature of Costco, not AmEx. Costco requires a picture because the card is used in place of a normal Costco card to get admitted into the store. They are somewhat ruthless about sharing cards for personal memberships.
Re: mother's maiden names...
Perry E. Metzger [EMAIL PROTECTED] writes:
> Why is it, then, that banks are not taking digital photographs of customers when they open their accounts so that the manager's computer can pop up a picture for him, which the bank has had in possession the entire time and which I could not have forged?

I don't know about photos specifically, but I know that signature imprints are often still moved around by laborious manual means because the background infrastructure to handle images doesn't exist. Most banks are still using 3270-style interfaces, even if they have a screen-scraped GUI front-end. There simply isn't any provision for handling anything other than basic text records - the data-centre back-ends are text-record based (and in some cases the text is EBCDIC), the communications channels send and receive text records (often at a few kbps over leased lines, X.25, or PSTN dialup), and the branch software processes text records. So using images (of any kind) isn't just a case of making an executive decision to do so, it would involve a massive, end-to-end infrastructure upgrade to implement.

Peter.
Re: mother's maiden names...
On Wed, Jul 13, 2005 at 12:26:52PM -0400, Perry E. Metzger wrote:
> A quick question to anyone who might be in the banking industry. Why do banks not collect simple biometric information like photographs of their customers yet?

Some, like Citibank, do. I have a photo on my VISA from them, but I believe the photo is not linked to the account nor taken into consideration when doing identification at the bank. When I asked about it, the answer was something about the photo being stored only by the credit card issuing center, and not in the main system. Random peeking at the clerk's screen while I'm at the bank seems to confirm this - no place for a customer picture in the account info.

Sometimes they aren't allowed to do so; data privacy policy here says that a business may not request or store any personal information that is not directly needed to conduct business with that person. A national ID card is routinely xeroxed when establishing an account and the copy is kept at the bank, then the photo is blackened out; when the regulation came live, bank staff had working weekends sitting with black felt-tip pens, blacking out photos and other unneeded info on the ID xerox copies.

Alex
--
mors ab alto
0x46399138
Re: mother's maiden names...
[EMAIL PROTECTED] (Peter Gutmann) writes:
> Perry E. Metzger [EMAIL PROTECTED] writes:
> > Why is it, then, that banks are not taking digital photographs of customers when they open their accounts so that the manager's computer can pop up a picture for him, which the bank has had in possession the entire time and which I could not have forged?
>
> I don't know about photos specifically, but I know that signature imprints are often still moved around by laborious manual means because the background infrastructure to handle images doesn't exist. Most banks are still using 3270-style interfaces, even if they have a screen-scraped GUI front-end.

That's true. Several banks I deal with in New York use displays that are disturbingly 3270-like.

That brings up another thing that has always tickled the back of my mind -- I have never actually had a professional opportunity to analyze any of the systems used by tellers in commercial banks, and I always wonder at what is securing the links between small branches and HQ, and how bad the protection of the user passwords etc. might be...

> So using images (of any kind) isn't just a case of making an executive decision to do so, it would involve a massive, end-to-end infrastructure upgrade to implement.

Yah, true enough -- which also impedes things like letting branch managers look at check images, signatures, etc. Groan...

Perry
Re: mother's maiden names...
Steven M. Bellovin wrote:
> > Cambridge Trust puts your picture on the back of your VISA card, for instance. They have for more than a decade, maybe even two.
>
> One New York bank -- long since absorbed into some megabank -- did the same thing about 30 years ago. They gave up -- it was expensive then, and may not have solved any real problems. (Possibly, it simply didn't fit their real purpose of attracting more customers.)

They don't for example seem to reduce fraud -- shop staff don't compare the photo to the customer carefully enough: R. Kemp, N. Towell, G. Pike, "When seeing should not be believing: Photographs, credit cards and fraud", Applied Cognitive Psychology Vol 11(3) (1997) pp 211-222.
Re: mother's maiden names...
On Wed, 13 Jul 2005, Perry E. Metzger wrote:
> Why is it, then, that banks are not taking digital photographs of customers when they open their accounts so that the manager's computer can pop up a picture for him, which the bank has had in possession the entire time and which I could not have forged?

While we are very good at recognizing somebody we know in a picture, it is in fact very hard to answer the following question: is the person in front of you the same person who is depicted in the photo? AFAIR there were experiments which show that if you just get a random photo of a person with the same race, age, and gender as you have, you have a very good probability of successfully pretending that you are the person in the picture. As a result the criminal doesn't really need to change the photo to be able to pretend that he is you.

--
Regards,
ASK
Re: mother's maiden names...
--- Dan Kaminsky [EMAIL PROTECTED] wrote:
> Bank Of America put my photo on my ATM card back in '97. They're shipping me a new one right now, so I assume they kept it in the DB.

My local bank asked me to apply for a Visa photo credit card back in 1998. There were two problems though:

1.) Their request really was just that, a request. They told me that I was free to get a regular card if I was in any way uncomfortable with the photo card. In retrospect, it seemed more like a "we'd appreciate it if you could do us a big favor" thing, and not so much like "look, we're doing this for your own protection". The manager I talked to about this also informed me that they were only asking customers with high credit lines (whatever that's supposed to mean) to get credit cards with pictures since they were more expensive (apparently, the bank had to eat the majority of the cost; I recall only paying a $5 one-time fee).

2.) Secondly, checkout clerks just don't care. Well, they actually did notice the picture on the back of the credit card and asked what it was about maybe 6 out of 10 times. In most cases, the question resulted in very pleasant but pointless chit-chat. No one ever asked me why I didn't look like the guy in the picture (I had since grown a beard and the picture was really grainy and low-quality). No one ever called a manager to verify my identity despite the fact that it clearly said "Please verify cardholder's picture." on the back. (I still have one photo credit card and it no longer says that and has a more up-to-date picture.)

The problem here was that most check out clerks these days are teenagers making minimum wage. They care about getting paid, not getting robbed and not getting hassled. And, frankly, I can understand that attitude because I felt the same way when I was in high school. Having too little cash in the register at the end of the shift stands out and is likely to get a cashier in trouble. Having a credit card purchase flagged as fraudulent a week after the fact doesn't cause as much trouble. That's why there's no incentive to check CCs. It's also why the Zug.com credit card prank worked so well back in the day.

My gym(!) has quite a different policy - they take a picture of every member when they apply. You may bring a guest but the member has to be authenticated first and the guest has to sign in. If you forget your RFID card, they just check the database (or, most likely, they will recognize you). Any employee who lets people in without an ID check or without signing in gets a warning. Employees get fired after three warnings. Draconian? Yes. But it does work. And it wouldn't be too hard for the credit card companies to print "MUST VERIFY ID" onto the back of new credit cards.

These days, I am on a first name basis with most of the cashiers at the local grocery stores (which is due to the fact that I'm friends with their parents who pretty much all live in the same neighborhood as we do - suburbia and all). But I do remember when we moved here and back then cashiers really noticed the credit card I had written "PLEASE ASK FOR ID. THANK YOU." onto. At that time, it was mostly a social experiment. And, frankly, it didn't work. They noticed (as in "huh, that's weird") but they never bothered to ask me for ID (as in "huh, that's weird, may I see your ID please, Sir?").
mother's maiden names...
A quick question to anyone who might be in the banking industry. Why do banks not collect simple biometric information like photographs of their customers yet?

If I walk into a branch complaining that I've been robbed and that I don't have my bank card any more, the branch manager will look at some externally generated credential (like a driver's license) and ask me something like my mother's maiden name. Of course, my mother's maiden name is widely available in public records, and bank clerks aren't well trained in identifying forged licenses (though presumably they are rare).

Why is it, then, that banks are not taking digital photographs of customers when they open their accounts so that the manager's computer can pop up a picture for him, which the bank has had in possession the entire time and which I could not have forged? Heck, that would also provide a secondary check for a teller when processing an in-person transaction -- the customer's picture could just come up as soon as you open their account and you could eyeball them. Digital cameras are also pretty cheap, and opening an account is a sufficiently tedious manual process that another few seconds would make no practical difference to the customer or bank employee.

My guess is that the reason is a) they've never done things this way before and b) fraud rates are low enough that they haven't had the stimulus. However, I think it is something people might want to consider in designing security systems for institutions like this. Photographs, iris scans, fingerprints, etc. are all awful ways of handling identification over the internet, but they work very nicely if they can be checked in person by someone. If you need to have a good sense that you are in fact talking (in person) to the real customer, a picture and/or digitally stored fingerprints collected when the account was opened seem like a simple and cheap way of improving security.

--
Perry E. Metzger [EMAIL PROTECTED]
Re: mother's maiden names...
At 12:26 PM -0400 7/13/05, Perry E. Metzger wrote:
> Why do banks not collect simple biometric information like photographs of their customers yet?

Some do. Cambridge Trust puts your picture on the back of your VISA card, for instance. They have for more than a decade, maybe even two.

Cheers,
RAH

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: mother's maiden names...
> A quick question to anyone who might be in the banking industry. Why do banks not collect simple biometric information like photographs of their customers yet?

Bank Of America put my photo on my ATM card back in '97. They're shipping me a new one right now, so I assume they kept it in the DB.

--Dan