Re: EMV [was: Re: Why Blockbuster looks at your ID.]

[Joseph Ashwood]

- Original Message - 
From: "Victor Duchovni" <[EMAIL PROTECTED]>

Subject: Re: EMV [was: Re: Why Blockbuster looks at your ID.]



Whose loses do these numbers measure?

- Issuer Bank?

- Merchant?

- Consumer?

- Total?


I'd say that you've fairly well hit the nail on the head. I've actually been 
meaning to reply to this for about a week now. The truth is that each credit 
card transaction actually has either 3 or 4 parties; User U, Merchant M, 
Credit Card Issuer CCI, and Merchant Insurer MI (this is simplified there 
are generally multiple parties under CCI).


Under legitimate circumstances the process is fairly simple; Legitimate User 
LU agrees to pay CCI, CCI already has an agreement to pay M, and M supplies 
the product/service to LU. During billing LU pays CCI, CCI pays M, everyone 
is happy.


Things are different in the case of False User FU. FU goes to M, FU agrees 
for LU to pay CCI, CCI (believing FU is LU) agrees to pay M, M supplies the 
product/service to FU. During billing is where things get strange. LU 
reports the bad transaction to CCI. CCI informs M and does not pay M. FU 
gets the product, M accepts the loss. In the normal case MI and M are the 
same entity so the buck stops there, if MI is seperate from M, then MI 
reimburses M for some portion.


It's important to understand exactly who loses what when FU is in the 
picture. CCI loses the commision, generally a small flat fee on the order of 
$0.35, and a percentage generally <2%, this is not a large amount to lose, 
and the phone call to report the problem actually costs more than is lost, 
followed by the filing and tracking of the correct paperwork, this is the 
ACTUAL loss for CCI. MI loses the cost of the product/service reimbursed. LU 
loses basically nothing except time. FU obviously gains.


The point being that expecting CCI to foot a multi-billion dollar bill to 
change the process so that MI doesn't lose the money doesn't make sense. CCI 
will only work to increase CCIs profits. It is up to MI to pay for the 
upgraded systems by working with CCI towards CCIs goals (fewer losses for MI 
also means fewer reports to CCI so fewer losses). LU may be willing to foot 
part of the bill for the perceived improvements, CCI will only foot the 
portion that is in CCIs favor, MI will have to foot the majority of the bill 
and will only do so when it is in MIs favor. With credit card fraud 
decreasing, it is not in MIs favor to examine it at this time.
   Joe 




-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: EMV [was: Re: Why Blockbuster looks at your ID.]

[astiglic]

>
>
> On Sat, 9 Jul 2005, [UNKNOWN] Jörn Schmidt wrote:
>
>> less attractive to commit credit card fraud. You are, however, not
>> making it harder. That's why I believe the credit cards companies will
>> indeed have a good, long look at smartcards. Probably not tomorrow or
>> next week but in the near future.
>
> Actually, smart cards are here today. My local movie theatre in Berkeley,
> California is participating in a trial for "MasterCard PayPass." There is
> a little antenna at the window; apparently you can just wave your card at
> the antena to pay for tickets. I haven't observed anyone using it in
> person, but the infrastructure is there right now.

Interesting, they have a card (smart card)? and key fob version.  I hope
their key fob version is not as insecure as the SpeedPass RFID transponder
token used by Exxon/Esso, which has recently been broken
http://rfidanalysis.org/
The SpeedPass implemented an authentication algorithm (I think it was a
CRC-like challenge response based on a secret that defined the polynomial
used) based on a 40-bit key.  Bono & al. figured out the algorithm (based
on a patent, which described the algorithm generically, they figured out
the constants that were chosen).
The question is why did they use a 40-bit secret?  Is there some
technological constraint preventing the use of something better?

The other thing is that many of the smart cards also have a magnetic
strip, so your security level is as strong as the weakest point (magnetic
stripe type payments).  Untill all the cards are smart cards, readers will
accept both type.

--Anton




-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[astiglic]

> Perry E. Metzger wrote:
>
>> A system in which the credit card was replaced by a small, calculator
>> style token with a smartcard style connector could effectively
>> eliminate most of the in person and over the net fraud we experience,
>> and thus get rid of large costs in the system and get rid of the need
>> for every Tom, Dick and Harry to see your drivers license when you
>> make a purchase. It would both improve personal privacy and help the
>> economy by massively reducing transaction costs.
>
> I agree that it might well reduce costs and fraud - but how will it
> improve
> privacy? Your name is already on the card ... and the issuer will still
> have
> a list of your transactions.

It's just that the drivers license number is a unique number that acts as
an index to another database (and often used as authentication material as
well), which the merchant has to business knowing.

--Anton



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[John Levine]

>| Not having to show ID may save annoyance, but it doesn't significantly
>| improve privacy.
>
>Most credit card issuers will happily give you extra cards, so your
>friends can spend your money.  In whatever name you want.  If you need
>to show ID, this can become, umm, complicated.

I dunno about your bank, but my credit card banks want the name,
relationship, and SSN for each extra card, and they tell me in various
ways that if I lend the card to anyone else, anything bad that happens
is my problem.




-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

["Hal Finney"]

Perry Metzger writes:
> So, what is to be done? I would propose that the replacement of the
> credit card infrastructure is needed. Fraud is prevalent because of a
> massive inherent security flaw in the current system, to whit,
> the account number is identical to the payment authenticator, and
> you can make a payment merely through possession of a piece of stolen
> plastic.
>
> A system in which the credit card was replaced by a small, calculator
> style token with a smartcard style connector could effectively
> eliminate most of the in person and over the net fraud we experience,
> and thus get rid of large costs in the system and get rid of the need
> for every Tom, Dick and Harry to see your drivers license when you
> make a purchase. It would both improve personal privacy and help the
> economy by massively reducing transaction costs.

Have you ever used an ATM/debit card for a purchase?  You swipe it and
then the merchant hands you a keypad to enter your PIN.  Yes, an insider
could hack the device and steal your PIN along with your card, or use
various other attacks to get the PIN, but it's much more complicated
than using an opportunistically stolen credit card.

These have come into common use in the past several years.  I don't
understand the commentary here which seems oblivious to the existence of
this widely used alternative payment system in the U.S.  All I am reading
is "oh, we can't switch, no one will ever switch from credit cards."
People are switching; it's happening everywhere.

A video game chain store in town, I think it's EBX, only accepts these
cards, they won't take credit cards.

Hal Finney

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Lance James]

Adam Shostack wrote:


On Sun, Jul 10, 2005 at 12:13:42AM +0100, Peter Fairbrother wrote:
| Perry E. Metzger wrote:
|  
| > A system in which the credit card was replaced by a small, calculator

| > style token with a smartcard style connector could effectively
| > eliminate most of the in person and over the net fraud we experience,
| > and thus get rid of large costs in the system and get rid of the need
| > for every Tom, Dick and Harry to see your drivers license when you
| > make a purchase. It would both improve personal privacy and help the
| > economy by massively reducing transaction costs.
| 
| I agree that it might well reduce costs and fraud - but how will it improve

| privacy? Your name is already on the card ... and the issuer will still have
| a list of your transactions.
| 
| Not having to show ID may save annoyance, but it doesn't significantly

| improve privacy.

Most credit card issuers will happily give you extra cards, so your
friends can spend your money.  In whatever name you want.  If you need
to show ID, this can become, umm, complicated.
 

This goes along with paypal's "send a friend a debit card" feature (I 
saw this two years ago, I don't know if this is still present), but this 
essentially allowed a user to add any name to the debit visa card 
(treated in most places like a credit card) which in some cases actually 
allowed online hijacking of domain names (depending on registrar) 
because the name was the same on the visa card used.



-Lance


--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Anne & Lynn Wheeler]

Perry E. Metzger wrote:
> If you have a sufficiently good token, you may no longer need to have
> identification information presented to the merchant, even by the
> token, to reduce misuse. It is true that the issuer will still know
> what transactions took place. However, you have at least reduced the
> number of entities that require proof of your identity and the number
> that have logs of your activity.

this is the EU privacy directive threads that went on (mostly prior to
9/11) and why couldn't they apply in the US also ... aka that electronic
retail transactions could be as anonymous as cash. names would be
removed from the plastic embossing and magstripe ... and the merchant
would not longer have to wander across the line from authentication into
identification (attempting to match the name on the card with other
credentials).

when we started x9.59 in the mid-90s,
http://www.garlic.com/~lynn/index.html#x959
http://www.garlic.com/~lynn/subpubkey.html#privacy

we frequently commented that it was privacy agnostic. it provided strong
authentication that didn't have skimming and harvesting threats and
vulnerabilities. there was a strong correlation with some account number
... and the degree that there was some trail from that account number to
an individual was dependent on a lot of things outside of the financial
transaction itself. however, the basic financial transaction didn't
require wandering across the line from authentication into identification.

this was also the period where it started to show up the shortcomings of
the x.509 identity certification paradigm that had somewhat tried to get
 some toe hold in the early 90s  including grossly overeloading the
certificates with personal information. basically that every digitally
signed transaction in the world would carry a huge x.509 identity
certificate grossly overloaded with personal information. Not only would
all such transactions carry such humongous personal information
repositories, while in flight  but all the transaction logs would be
heavily burdened with the same information. You might have tens of
thousands of transactions logs all over the world ... and every one
would include a humongous x.509 identity certificate grossly overloaded
with personal information.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Anne & Lynn Wheeler]

Perry E. Metzger wrote:
> Why does the clerk at Blockbuster want to see your driver's license?
> Because his management has been told, by their bank, that if they do
> not attempt to verify the identity of credit card users they will risk
> their business relationship with the bank. Credit card fraud is far
> too prevalent, DVDs are easily resold, and the bank wants to make sure
> that they won't get defrauded. Blockbuster also wants to minimize
> fraudulent use of credit cards (which they end up eating in some
> instances) and the loss of their property (which will never be
> returned by someone renting a video with a stolen credit card).

the issue is lost/stolen credit cards ... your name is embossed on the
plastic and recorded on the mastripe. this provides for the
point-of-sale to check for lost/stolen card by attempting the
identification process of matching the name on the card with the name on
something else.

this moves the card out of the relm of authentication into the relm of
identification. there was a number of threads (mostly prior to 9/11)
about EU privacy directives for making retail electronic transactions as
anonymous as cash. basically this involved removing your name from the
plastic embossing and magstripe ... so that the card was purely an
authentication "something you have"  and didn't wander across the
line into identification. lost/stolen card risks then could be contained
by deactivating accounts when the owner reported the card lost/stolen

part of the issue has been the appearance of skimming/harvesting compromises
http://www.garlic.com/~lynn/subpubkey.html#harvest

where the crooks didn't actually have to physically steal the card, they
could electronically record the necessary information (w/o the owner's
knowledge) and then perform fraudulent transactions. The
skimming/harvesting compromises can involve tens of thousands of cards
... not just a single card at a time. Also, the fraud period instead of
being limited to possibly a few hrs (when the owner reports the missing
card), now could extend to a few weeks (since the owner doesn't notice
unitl they get around to examining the next statement). The
skimming/harvesting threat and vulnerability can magnify the fraud risk
by several orders of magnitude (compared to simple lost/stolen).

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Adam Shostack]

On Sun, Jul 10, 2005 at 12:13:42AM +0100, Peter Fairbrother wrote:
| Perry E. Metzger wrote:
|  
| > A system in which the credit card was replaced by a small, calculator
| > style token with a smartcard style connector could effectively
| > eliminate most of the in person and over the net fraud we experience,
| > and thus get rid of large costs in the system and get rid of the need
| > for every Tom, Dick and Harry to see your drivers license when you
| > make a purchase. It would both improve personal privacy and help the
| > economy by massively reducing transaction costs.
| 
| I agree that it might well reduce costs and fraud - but how will it improve
| privacy? Your name is already on the card ... and the issuer will still have
| a list of your transactions.
| 
| Not having to show ID may save annoyance, but it doesn't significantly
| improve privacy.

Most credit card issuers will happily give you extra cards, so your
friends can spend your money.  In whatever name you want.  If you need
to show ID, this can become, umm, complicated.




-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Perry E. Metzger]

Peter Fairbrother <[EMAIL PROTECTED]> writes:
> Perry E. Metzger wrote:
>> A system in which the credit card was replaced by a small, calculator
>> style token with a smartcard style connector could effectively
>> eliminate most of the in person and over the net fraud we experience,
>> and thus get rid of large costs in the system and get rid of the need
>> for every Tom, Dick and Harry to see your drivers license when you
>> make a purchase. It would both improve personal privacy and help the
>> economy by massively reducing transaction costs.
>
> I agree that it might well reduce costs and fraud - but how will it improve
> privacy? Your name is already on the card ... and the issuer will still have
> a list of your transactions.
>
> Not having to show ID may save annoyance, but it doesn't significantly
> improve privacy.

If you have a sufficiently good token, you may no longer need to have
identification information presented to the merchant, even by the
token, to reduce misuse. It is true that the issuer will still know
what transactions took place. However, you have at least reduced the
number of entities that require proof of your identity and the number
that have logs of your activity.

Perry

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Peter Fairbrother]

Jerrold Leichter wrote:

> There have been a couple of articles in RISKS recently about the fairly recent
> use of a two-factor system for bank cards in England.  There are already
> significant hacks -

yes ...

> and the banks managed to get the law changed so that, with
> this "guaranteed to be secure" new system, the liability is pushed back onto
> the customer.

 I'm not too sure what you mean.

 In the UK the merchant is not usually liable for card-present fraud.

 There has been / is about to be a change to the liability of the merchant,
usually to the effect that if a fraud is successful because the merchant
hasn't installed PIN equipment then they will be liable. A few banks are
making merchants liable for all fraud if PIN equipment has not been
installed.

EMV said the change would begin on 1st Jan, but the banks haven't all
implemented it yet. Many did so on 1st July.

The change occurs in the contract between the aquiring banks and the
merchants, not the law; the legality of the change is questionable, but as
it is basically just a way to encourage retailers to install PIN equipment
it has not been challenged afaik.

There is no change in the merchant's liability if he has installed Chip n'
PIN equipment - the tales circulating of all merchants becoming liable for
all frauds are simply not true.





 There will also be a change in the way fraud claims are dealt with, to the
almost certain disadvantage of the cardholder, as there is no physical
signature to contest and at least in the first instance the issuers
determine the "facts".


 However I am not aware of any changes to the law.


 There was a very recent Banking Ombudsman case where the cardholder had
been grossly negligent about her PIN security, but her liability was still
limited to £50 (which is a statutory limit and applies to credit cards, but
not to debit cards - although it is in practice applied to them too).
Usually the £50 limit is not charged by the issuing bank.





 However the customer eventually pays for fraud anyway, in the form of
higher prices, so the issuer - merchant liability split is not of immediate
relevance to the customer. It should be tilted firmly against the banks IMO
though, as they are responsible for the system, not the merchants, who have
no say, as EMV + AmEx is an effective monopoly.



 BTW, one of my banks recently sent me a leaflet which said Chip n' PIN was
going to be introduced worldwide. Anyone know more about that?


-- 
Peter Fairbrother


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Peter Fairbrother]

Perry E. Metzger wrote:
 
> A system in which the credit card was replaced by a small, calculator
> style token with a smartcard style connector could effectively
> eliminate most of the in person and over the net fraud we experience,
> and thus get rid of large costs in the system and get rid of the need
> for every Tom, Dick and Harry to see your drivers license when you
> make a purchase. It would both improve personal privacy and help the
> economy by massively reducing transaction costs.

I agree that it might well reduce costs and fraud - but how will it improve
privacy? Your name is already on the card ... and the issuer will still have
a list of your transactions.

Not having to show ID may save annoyance, but it doesn't significantly
improve privacy.



-- 
Peter Fairbrother


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: EMV [was: Re: Why Blockbuster looks at your ID.]

[David Alexander Molnar]

On Sat, 9 Jul 2005, [UNKNOWN] Jörn Schmidt wrote:


less attractive to commit credit card fraud. You are, however, not
making it harder. That's why I believe the credit cards companies will
indeed have a good, long look at smartcards. Probably not tomorrow or
next week but in the near future.


Actually, smart cards are here today. My local movie theatre in Berkeley, 
California is participating in a trial for "MasterCard PayPass." There is 
a little antenna at the window; apparently you can just wave your card at 
the antena to pay for tickets. I haven't observed anyone using it in 
person, but the infrastructure is there right now.


Here's the MasterCard fact sheet about PayPass:
http://www.paypass.com/fact_sheet.html

It appears to be a contactless smart card/RFID that uses the 
ISO 14443 standard for the RF interface. There is some documentation 
available, unfortunately most of it restricted to licensees.

https://mbe2stl101.mastercard.net/hsm2stl101/public/login/ebusiness/mobile_commerce/paypass/documentation/index.jsp

You can do some Google searching to find MasterCard's involvement in 
standards-setting for EMV via smart cards over the years. From that it is 
possible to guess what PayPass might be doing, but I would prefer to know 
for sure. By the way, Visa is doing it too:

http://usa.visa.com/personal/cards/contactless/
Chase appears to be issuing them now; you can apply for one online. 
www.chaseblink.com


From what I understand, contactless transactions are currently limited to 
$25 or less. This should reduce the incentive for someone to carry out the 
kind of relay/chess grandmaster attack described by Gerhard Hancke


"A Practical Relay Attack on ISO 14443 Proximity Cards"
http://www.cl.cam.ac.uk/~gh275/relay.pdf

Hancke and Markus Kuhn have a paper on "distance bounding" protocols to 
combat this kind of relay attack. Unfortunately it does not appear to be 
on Hancke's web page yet.


One of the nice things about these cards is that they also support the 
standard card number on the front and magstripe. So you could imagine a 
situation where the number is used as normal until fraud is detected, then 
revoked, but the contactless pay capability is not revoked. I have no idea 
if that is what they actually do, though.


-David Molnar

Re: Why Blockbuster looks at your ID.

[dan]

> 1992:  $2.6B
> 2003:  $882M
> 2004:  $788M
>
> We're on the order of 4.7 cents on the $100.


I consulted an oracle at a major third party
processor.  He said the number is more like
64-67 basis points, that you have to be very
precise about your definitions, i.e., very
precise about what goes in the numerator and
what goes in the denominator.  For example, 
if a dishonored transaction is the merchant's
fault and the merchant has to foot the bill
then the card association has not had a fraud
loss.  I doubt it is actually germane to this
list, but I can go back to said oracle if
requested.

BTW, if you ever have the opportunity to hear
Frank Abagnale's discussion of check forgery
by all means do so.

--dan


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: EMV [was: Re: Why Blockbuster looks at your ID.]

[J]

--- [EMAIL PROTECTED] wrote:

[decline in credit card fraud]
> Interesting statistics.

[...]

> But these are still considerable numbers, [...]

I totally agree. And I would just like to make a quick point: the
credit card companies (especially Visa/Mastercard) have been very
agressive in fraud prevention in the last ten years. 

And I don't mean algorithms that detect unusual activity and flag a
card, thereby prompting your bank to call and verify that that the
charges are good. They've been doing that for years, if not decades.

No, I mean literally detective work -- tracking people down, having
their sites closed and bank accounts freezed and actually pushing to
have people prosecuted. They have been quite active, trying to recruite
people in the law enforcement community and offering handsome salaries.


The whole thing works based on the premise that there are a lot of
small-time gangsters at any given time but only a few big fish. And if
you can increase the cost of doing business (either in terms of making
credit fraud more expensive or in terms of increasing the likelihood to
get caught) you can basically justify the expense of running a big
anti-fraud unit.

But, in a way, that's only dealing with the symptoms, whilst at the
same time ignoring the root cause of the problem. You're only making it
less attractive to commit credit card fraud. You are, however, not
making it harder. That's why I believe the credit cards companies will
indeed have a good, long look at smartcards. Probably not tomorrow or
next week but in the near future. 

  -Jörn

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Simple Nomad]

On Friday 08 July 2005 12:08, Dan Kaminsky wrote:
> >I'm think you wrong on that one. Financial cost and benefit are easily
> >assessed on this, and I think the numbers add up. Credit card fraud
> >costs in the hundreds of billions of dollars a year, much of which
> >could be eliminated by a change to the sort of system I
> >mention. That's not a small amount of money. Indeed, it is more than
> >enough incentive for a major change.
>
> Credit card fraud has gone *down* since 1992, and is actually falling:
>
> 1992:  $2.6B
> 2003:  $882M
> 2004:  $788M
>
> We're on the order of 4.7 cents on the $100.
>
> http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc02
>4.htm
>
> If it's any consolation, I was rather surprised myself.

I was very surprised, since my government says it is tons worse.

The U.S. Government is claiming a lot more than these figures when discussing 
identity theft, some high amount like $40b or so. Of course, if you factor in 
check fraud and debit card abuse, which credit card companies treat 
differently and so they may not include, that might account for some of the 
discrepancy, but not all.

The original Nilson Report quoting these figures was from March of this year 
(http://www.nilsonreport.com/issues/2005/830.htm has the cover page), I'd 
like to see the entire article. I wonder if the government's identity theft 
numbers include the cost to combat fraud as opposed to just losses (cost to 
secure transactions, cost to the consumer who has to take time off of work to 
close/reapply/cancel/change perhaps dozens of minute items of personal value 
stored in various databases, cost for the development of Prozac to help 
people cope with the stress of society which includes fraud and identity 
theft, etc).

I'm not saying someone is lying, but someone is not defining context very 
well...

-- 
# Simple Nomad, C²ISSP  --  [EMAIL PROTECTED]#
# C1B1 E749 25DF 867C 36D4  1E14 247A A4BD 6838 F11D #
# http://www.nmrc.org/~thegnome/ #


pgp7HFoQpPvBb.pgp
Description: PGP signature

RE: Why Blockbuster looks at your ID.

[Cid Carlos]

>I was in England last week where I noticed that the banks are 
>switching all UK credit cards to chip+pin technology.  We'll see.  
>For that matter, French cards have all been chip+pin for years.  
>Any idea what their fraud rates are like?  The French card machines 
>will do magstripe with a signature, but it's mostly us foreigners who need
it.

Below is a link to an interesting site discussing the "chip and PIN"
technology and its introduction in the UK (the article "Chip and Spin" also
addresses the French experience):  

http://www.chipandspin.co.uk/

Carlos

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Steven M. Bellovin]

In message <[EMAIL PROTECTED]>, John Levine writes:
>>Why does the clerk at Blockbuster want to see your driver's license?
>>Because his management has been told, by their bank, that if they do
>>not attempt to verify the identity of credit card users they will
>>risk their business relationship with the bank.
>
>It's been my impression that the way you're supposed to verify the ID
>of a credit card user is by checking the signature.  I've heard of
>banks telling businesses not to demand separate ID.  On the other
>hand, I can easily believe that Blockbuster came up with the ID idea
>all by themselves.

I very rarely rent from Blockbuster, so I may have the details wrong; I 
can state for sure how things work at the local video store I usually 
patronize.

When I signed up with them, I supplied a credit card number; they 
retained that for contingency charges if I fail to return a video.  
(Odd -- my local library doesn't do that.  But I digress.)  In return, 
they handed me an account-linked credential -- exactly the sort of 
thing that is often advocated on this list.

>From my perspective, the form factor of the credential wasn't ideal; it 
was one of those key ring-sized cards, and I soon lost it, probably 
during a wallet upgrade.  No problem -- they're happy to fall back to 
the secondary authentication system, to whit my drivers' license.  I 
show that to get access to the account, independent of how I actually 
pay for the rental.  In other words, they are not using my license to 
authenticate my credit card.  (I would add that the feeds are low 
enought that I almost always pay in cash; I have no idea if they even 
have the ability to use the stored credit card for rental fees if I 
don't present the card separately.  Hmm -- the account is old enough 
that the expiration date on my credit card has long since expired.  
They've never asked me for an update.  Maybe they're using a reputation 
system?)

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: EMV [was: Re: Why Blockbuster looks at your ID.]

[Victor Duchovni]

On Fri, Jul 08, 2005 at 03:48:30PM -0400, [EMAIL PROTECTED] wrote:

> > We're on the order of 4.7 cents on the $100.
> 
> 
> Interesting statistics.
> Seems like it's the same thing in Canada
> http://www.rcmp.ca/scams/ccandpc_e.htm
> Reported $227M in credit card fraud in 1999, droped at $200M in 2003.
> 

Whose loses do these numbers measure?

- Issuer Bank?

- Merchant?

- Consumer?

- Total?

-- 

 /"\ ASCII RIBBON  NOTICE: If received in error,
 \ / CAMPAIGN Victor Duchovni  please destroy and notify
  X AGAINST   IT Security, sender. Sender does not waive
 / \ HTML MAILMorgan Stanley   confidentiality or privilege,
   and use is prohibited.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[John Levine]

>Why does the clerk at Blockbuster want to see your driver's license?
>Because his management has been told, by their bank, that if they do
>not attempt to verify the identity of credit card users they will
>risk their business relationship with the bank.

It's been my impression that the way you're supposed to verify the ID
of a credit card user is by checking the signature.  I've heard of
banks telling businesses not to demand separate ID.  On the other
hand, I can easily believe that Blockbuster came up with the ID idea
all by themselves.

>A system in which the credit card was replaced by a small, calculator
>style token with a smartcard style connector could effectively
>eliminate most of the in person and over the net fraud we experience,

I was in England last week where I noticed that the banks are
switching all UK credit cards to chip+pin technology.  We'll see.  For
that matter, French cards have all been chip+pin for years.  Any idea
what their fraud rates are like?  The French card machines will do
magstripe with a signature, but it's mostly us foreigners who need it.

R's,
John


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Dan Kaminsky]

Jerrold Leichter wrote:


| > Credit card fraud has gone *down* since 1992, and is actually falling:
| >
| > 1992:  $2.6B
| > 2003:  $882M
| > 2004:  $788M
| >
| > We're on the order of 4.7 cents on the $100.
| >
| > 
http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm
| >
The article also mentions that the loss rate for 1992 was 15.7 cents per $100.

Something doesn't add up.  Combining the dollar values above with the loss
rate per $100, I calculate that the total charges handled in 1992 was about
$165 billion - which seems a bit low, but reasonable.  However, the
corresponding calculation for 2004 shows a total charges of about $16 billion,
which is clearly nonsense.

I don't actually see the $2.6B figure anywhere in the article.  Where did it
come from?

 

I did the math.  15.7 / 4.7 ~= 3.34.  3.34 * $778M = $2.6B.  There's a 
problem here, but I'll get to it in a sec.


Hmm...lets verify the rest of this:

4.7 cents per 100 is 0.047 dollars per 100 dollars is 0.00047 dollars 
per dollar.


x * 0.00047 = $778M

x = $778M / 0.00047
x = 1655319M = 1.65T

Looking at Federal Reserve data ( 
http://www.federalreserve.gov/releases/g19/Current/g19.htm ), there was 
about $2T in overall consumer credit.  I can envision the vast majority, 
but not all of this being on plastic.  So, $1.65T works.


If you try to repeat this for 1992, though, you'll find an interesting 
bug...total transactions in 1992 were also about 1.65T.  Gee, it's 
almost like I assumed credit card usage rates were constant over the 12 
year period...oops :)  But then there's inflation, which alters dollar 
figures substantially.  So oops in the other direction.


The fundamental point stands, though...credit fraud has been managed 
surprisingly well (though some people have said fraud is understated by 
~~200%).


--Dan


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

EMV [was: Re: Why Blockbuster looks at your ID.]

[astiglic]

>
> Dan Kaminsky <[EMAIL PROTECTED]> writes:
>> Credit card fraud has gone *down* since 1992, and is actually falling:
>>
>> 1992:  $2.6B
>> 2003:  $882M
>> 2004:  $788M
>>
>> We're on the order of 4.7 cents on the $100.


Interesting statistics.
Seems like it's the same thing in Canada
http://www.rcmp.ca/scams/ccandpc_e.htm
Reported $227M in credit card fraud in 1999, droped at $200M in 2003.

But these are still considerable numbers, and the thinking that Banks
manage the risk and it's not worth them going over to smart card
technology so they won't, which was mentioned in a few replies, I think no
longer holds (probably because of the falling cost of the technology, so
even if fraud $ is down as mentioned, ratio of fraud cost / cost of
technology that is more secure still leads financial institutions to want
to go to a more secure technology).
Europe already has EMV, and Canada plans to have an infrastructure (card
readers) that support it by 2007.  Probably U.S. will follow
http://www.atmmarketplace.com/news_story_23380.htm
http://www.atmmarketplace.com/news_story_22849.htm
http://www.kioskmarketplace.com/news_printable.htm?id=23380

And here, for example, is a quote from Visa Canada
http://www.visa.ca/en/about/mc_article.cfm?pid=2
"Visa Canada Member financial institutions will implement chip at their
own pace.  It is expected that within seven years, almost every Visa card
in Canada will feature chip technology and most merchants will have the
equipment to accept and fully benefit from these cards."
That was written in June 2003.


--Anton




-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[R.A. Hettinga]

At 1:16 PM -0400 7/8/05, Perry E. Metzger wrote:
>I seem to have gotten that one drastically wrong. Thanks for the
>more accurate figures.

Don't worry. I would bet that identity theft will more than make up for it
soon enough, as transaction settlement times converge to instantaneity.

*That's* potentially *infinite* risk to the *consumer*, which is an
interesting proposition.

Cheers,
RAH

-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Jerrold Leichter]

| > Credit card fraud has gone *down* since 1992, and is actually falling:
| >
| > 1992:  $2.6B
| > 2003:  $882M
| > 2004:  $788M
| >
| > We're on the order of 4.7 cents on the $100.
| >
| > 
http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm
| >
The article also mentions that the loss rate for 1992 was 15.7 cents per $100.

Something doesn't add up.  Combining the dollar values above with the loss
rate per $100, I calculate that the total charges handled in 1992 was about
$165 billion - which seems a bit low, but reasonable.  However, the
corresponding calculation for 2004 shows a total charges of about $16 billion,
which is clearly nonsense.

I don't actually see the $2.6B figure anywhere in the article.  Where did it
come from?

| > If it's any consolation, I was rather surprised myself.
| I seem to have gotten that one drastically wrong. Thanks for the
| more accurate figures.
| 
| A back of the envelope calculation makes me think that it is still
| more than enough money to provide a good incentive for a change in
| systems, though, especially when the cost of the anti-fraud measures
| needed at every part of the system are taken in to account.
In doing this calculation, be careful about the assumptions you make about
how effective the countermeasures will be.  The new systems may be more secure,
but people will eventually come up with ways to break them.  The history of
security measures is hardly encouraging.  There have been a couple of articles
in RISKS recently about the fairly recent use of a two-factor system for
bank cards in England.  There are already significant hacks - and the banks
managed to get the law changed so that, with this "guaranteed to be secure" new
system, the liability is pushed back onto the customer.

It's a continuing battle, and the banker's approach is really the only one that
works over the long run:  Keep the loss rate low enough that you can live with
it while keeping the system easy enough to use that you don't lose customers.
(Of course, bankers also try to externalize their liability - an effort that
society must watch and control carefully.  The liabilities must always be
put on those in a position to actually do something about the risks.)

-- Jerry


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Perry E. Metzger]

Adam Shostack <[EMAIL PROTECTED]> writes:
> I think those numbers are misleading.  The FTC reports ID theft as a
> $50B problem, but I haven't seen that broken down by vector.  I
> suspect most of it is CC (rather than cheque, mortgage/line of
> credit/auto loan), but have no data.

If you or anyone else has figures available, especially references to
original source material on the subject, it would be very useful.

Perry

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Edgar Danielyan]

May we see the back of that envelope? Upgrade to EMV (chip & PIN) here
in UK reportedly costs around 1.1 billion pounds (around $1.9
billion), and that is simply an upgrade to the existing infrastructure
and only in a single country. To fundamentally change the system would
require tens of billions and a concerted effort of banks, the
associations and the merchants, with all the associated hidden agendas
and underwater currents. It would be too big an undertaking with an
uncomfortable C/B ratio, whereas $788m in losses is not that bad
keeping in mind the amounts involved...




On 7/8/05, Perry E. Metzger <[EMAIL PROTECTED]> wrote:
> 
> Dan Kaminsky <[EMAIL PROTECTED]> writes:
> > Credit card fraud has gone *down* since 1992, and is actually falling:
> >
> > 1992:  $2.6B
> > 2003:  $882M
> > 2004:  $788M
> >
> > We're on the order of 4.7 cents on the $100.
> >
> > http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm
> >
> > If it's any consolation, I was rather surprised myself.
> 
> I seem to have gotten that one drastically wrong. Thanks for the
> more accurate figures.
> 
> A back of the envelope calculation makes me think that it is still
> more than enough money to provide a good incentive for a change in
> systems, though, especially when the cost of the anti-fraud measures
> needed at every part of the system are taken in to account.
> 
> Perry
>

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Adam Shostack]

On Fri, Jul 08, 2005 at 01:16:13PM -0400, Perry E. Metzger wrote:
| 
| Dan Kaminsky <[EMAIL PROTECTED]> writes:
| > Credit card fraud has gone *down* since 1992, and is actually falling:
| >
| > 1992:  $2.6B
| > 2003:  $882M
| > 2004:  $788M
| >
| > We're on the order of 4.7 cents on the $100.
| >
| > 
http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm
| >
| > If it's any consolation, I was rather surprised myself.
| 
| I seem to have gotten that one drastically wrong. Thanks for the
| more accurate figures.
| 
| A back of the envelope calculation makes me think that it is still
| more than enough money to provide a good incentive for a change in
| systems, though, especially when the cost of the anti-fraud measures
| needed at every part of the system are taken in to account.

I think those numbers are misleading.  The FTC reports ID theft as a
$50B problem, but I haven't seen that broken down by vector.  I
suspect most of it is CC (rather than cheque, mortgage/line of
credit/auto loan), but have no data.

Adam

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Adam Fields]

On Fri, Jul 08, 2005 at 12:19:38PM -0400, Perry E. Metzger wrote:
[...]
> Actually, the people who would have to pay the investment -- the banks
> and merchants -- have an excellent incentive. The loss because of
> fraud is stunningly large. The real issue is that *consumers* have
> little incentive to cooperate with such a system, because thanks to
> the regulations, they suffer virtually no losses if their accounts are
> hijacked.

As I understand it, the merchants bear the entire cost of fraud - the
banks bear almost none - and thus the consumers end up paying for it
indirectly through higher prices. The merchants, however, have very
little control over the infrastructure, which is provided by the
banks, who have little incentive to actually control fraud because
they would bear all of the costs of such, and none of the risk is
theirs.

So the assertion is that consumers and banks have little incentive to
cooperate with such a system, but (some of***) the merchants REALLY
WANT it. However, the system is useless if the consumers don't have
it, and the banks have no incentive to give something to consumers
that's better, because it would cost them money and save them money
that they can currently simply charge the merchants for (fraud).

*** The merchants can be divided into two groups - most of them who
have not been bitten by fraud and will continue to try to pay as
little as possible for credit processing services regardless of
the risk because every little bit eats more into their profit, and
those who have been bitten by fraud, understand the risks, and
will go for paying for for a service that frees them from
additional liability.

Consumers, on the other hand, still have limited incentive to
participate. I'd suspect the NewBanks(TM) would simply have to lure
them with lower interest rates, which they'd find hard to do because
it would cut into their profits, making it difficult to pay for all of
the additional infrastructure they'd need to build.

The system is, of course, pretty much worthless if it's not in the
hands of the vast majority of consumers.

As I said, any sea change like this has to either replace the
traditional credit granting/honoring agencies, or take away enough of
their business that they have no choice but to go along with
it. Assuming that they don't use their considerable existing wealth
and influence to simply make the new products illegal from the get go.

--
- Adam

** I can fix your database problems: http://www.everylastounce.com/mysql.html **

Blog... [ http://www.aquick.org/blog ]
Links.. [ http://del.icio.us/fields ]
Photos. [ http://www.aquick.org/photoblog ]
Experience. [ http://www.adamfields.com/resume.html ]
Product Reviews: .. [ http://www.buyadam.com/blog ]


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Perry E. Metzger]

Dan Kaminsky <[EMAIL PROTECTED]> writes:
> Credit card fraud has gone *down* since 1992, and is actually falling:
>
> 1992:  $2.6B
> 2003:  $882M
> 2004:  $788M
>
> We're on the order of 4.7 cents on the $100.
>
> http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm
>
> If it's any consolation, I was rather surprised myself.

I seem to have gotten that one drastically wrong. Thanks for the
more accurate figures.

A back of the envelope calculation makes me think that it is still
more than enough money to provide a good incentive for a change in
systems, though, especially when the cost of the anti-fraud measures
needed at every part of the system are taken in to account.

Perry

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Dan Kaminsky]

I'm think you wrong on that one. Financial cost and benefit are easily
assessed on this, and I think the numbers add up. Credit card fraud
costs in the hundreds of billions of dollars a year, much of which
could be eliminated by a change to the sort of system I
mention. That's not a small amount of money. Indeed, it is more than
enough incentive for a major change.

 


Credit card fraud has gone *down* since 1992, and is actually falling:

1992:  $2.6B
2003:  $882M
2004:  $788M

We're on the order of 4.7 cents on the $100.

http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm

If it's any consolation, I was rather surprised myself.

--Dan


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Perry E. Metzger]

Edgar Danielyan <[EMAIL PROTECTED]> writes:
>> A system in which the credit card was replaced by a small, calculator
>> style token with a smartcard style connector could effectively
>> eliminate most of the in person and over the net fraud we experience,
>> and thus get rid of large costs in the system and get rid of the need
>> for every Tom, Dick and Harry to see your drivers license when you
>> make a purchase. It would both improve personal privacy and help the
>> economy by massively reducing transaction costs.
>
> Yes. And it will not happen. The cost and hassle of introducing such a
> system will be so high that it wouldn't make sense financially, at
> least not in the foreseeable future.

I'm think you wrong on that one. Financial cost and benefit are easily
assessed on this, and I think the numbers add up. Credit card fraud
costs in the hundreds of billions of dollars a year, much of which
could be eliminated by a change to the sort of system I
mention. That's not a small amount of money. Indeed, it is more than
enough incentive for a major change.

The cost of deploying such a system has also gone down very
fast. Fifteen years ago, the hardware and communications costs would
have been prohibitively large. I believe that this is no longer the
case.

So, in summary, with fraud costs extraordinarily high, and the price
of a new system falling, it would not take much time to amortize the
costs of a new system, after which every dollar saved is pure
profit. The incentive is now in place.

> The banks and other credit card issuers accept that there are some
> losses they will have, they try to minimise/control them and offload
> a portion of the remaining risk to cardholders, merchants and
> insurance companies.

"Minimization" at the moment means accepting massive losses in the
system. The cost of deploying a better system would swiftly pay for
itself. I suspect that the time is finally right for such a thing.

Perry

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Perry E. Metzger]

Adam Fields <[EMAIL PROTECTED]> writes:
> On Fri, Jul 08, 2005 at 10:42:02AM -0400, Perry E. Metzger wrote:
> [...]
>> A system in which the credit card was replaced by a small, calculator
>> style token with a smartcard style connector could effectively
>> eliminate most of the in person and over the net fraud we experience,
>> and thus get rid of large costs in the system and get rid of the need
>> for every Tom, Dick and Harry to see your drivers license when you
>> make a purchase. It would both improve personal privacy and help the
>> economy by massively reducing transaction costs.
>
> Haven't we been saying this for years?

Yes. The only unusual point that I am making is that the lack of such
a system is precisely the reason why the clerk at the store often asks
for your ID when you make a purchase in the US. (The other major case
is alcohol or tobacco purchases, where, again, it is a question of
liability, but in this case, liability to the government which holds
you responsible if you do not check government issued IDs.)

> The standard argument I hear against it is "the people who would have
> to pay for the very large initial investment have no economic
> incentive to do so". They obviously don't think they have a long-term
> need to do so now, and in the short term, this only replaces fraud
> costs (a relatively known entity) with infrastructure costs (a
> completely unknown one).

Actually, the people who would have to pay the investment -- the banks
and merchants -- have an excellent incentive. The loss because of
fraud is stunningly large. The real issue is that *consumers* have
little incentive to cooperate with such a system, because thanks to
the regulations, they suffer virtually no losses if their accounts are
hijacked.

Perry

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Adam Fields]

On Fri, Jul 08, 2005 at 10:42:02AM -0400, Perry E. Metzger wrote:
[...]
> A system in which the credit card was replaced by a small, calculator
> style token with a smartcard style connector could effectively
> eliminate most of the in person and over the net fraud we experience,
> and thus get rid of large costs in the system and get rid of the need
> for every Tom, Dick and Harry to see your drivers license when you
> make a purchase. It would both improve personal privacy and help the
> economy by massively reducing transaction costs.

Haven't we been saying this for years?

The standard argument I hear against it is "the people who would have
to pay for the very large initial investment have no economic
incentive to do so". They obviously don't think they have a long-term
need to do so now, and in the short term, this only replaces fraud
costs (a relatively known entity) with infrastructure costs (a
completely unknown one).

I don't see it happening. This is the same industry that convinced
people it was a good idea to give out their ATM pin number to make
purchases with a debit card... for what exactly?

I think that you made the explicit point of talking about replacing
the credit card infrastructure, when what you really meant was
replacing the credit card companies with others that would make more
rational business decisions in favor of consumer security and privacy.

-- 
- Adam

** I can fix your database problems: http://www.everylastounce.com/mysql.html **

Blog... [ http://www.aquick.org/blog ]
Links.. [ http://del.icio.us/fields ]
Photos. [ http://www.aquick.org/photoblog ]
Experience. [ http://www.adamfields.com/resume.html ]
Product Reviews: .. [ http://www.buyadam.com/blog ]


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

[Edgar Danielyan]

Yes. And it will not happen. The cost and hassle of introducing such a
system will be so high that it wouldn't make sense financially, at
least not in the foreseeable future. The banks and other credit card
issuers accept that there are some losses they will have, they try to
minimise/control them and offload a portion of the remaining risk to
cardholders, merchants and insurance companies. The world is perfect




> A system in which the credit card was replaced by a small, calculator
> style token with a smartcard style connector could effectively
> eliminate most of the in person and over the net fraud we experience,
> and thus get rid of large costs in the system and get rid of the need
> for every Tom, Dick and Harry to see your drivers license when you
> make a purchase. It would both improve personal privacy and help the
> economy by massively reducing transaction costs.
> 
> Perry
> 
> -
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
>

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]