John Ioannidis wrote:
Perry E. Metzger wrote:
That's not practical. If you're a large online merchant, and your
automated systems are picking up lots of fraud, you want an automated
system for reporting it. Having a team of people on the phone 24x7
talking to your acquirer and reading them credit card numbers over the
phone, and then expecting the acquirer to do something with them when
they don't have an automated system either, is just not reasonable.
But how can the issuer know that the merchant's fraud detection systems
work, for any value of "work"? This could just become one more avenue
for denial of service, where a hacked online merchant suddenly reports
millions of cards as compromised. I'm sure there is some interesting
work to be done here.
There is an interesting analogue in the area of SAR
(suspicious activity report) filings through financial
services. This has been in place with various providers for
maybe a decade or so. I'm not aware of any serious economic
analysis that would suggest copying the lessons, though.
There is a philosophical problem with suggesting an
automated protocol method for reporting fraud, in that one
might be better off ... fixing the underlying fraud.
iang
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
