---------- Forwarded message ---------- Date: Sat, 3 Nov 2001 09:51:10 -0700 From: lynn.wheeler@firstdata.com To: JohnE37179@aol.com Cc: cryptography@wasabisystems.com, Jason.Gruber@btinternet.com, JohnE37179@aol.com, rick_smith@securecomputing.com, vertigo@panix.com Subject: Re: Rubber hose attack i believe i said that ROI represented the total cost of the program to eliminate some fraud compared to the total amount of fraud. in the credit card scenerio it isn't enuf to know the cost per event. assuming that adding chips to those payment cards is a solution. in there US there are something less than a billion new cards sent out each year ... and adding a chip could cost on the order of $25 each. Just for the chips (ignoring for the moment the issue of reader provisioning) ... that cost might be somewhere in the $15b to $20b per annum range. There would have to be a huge number of $3500 per fraud events eliminated by a comprehensive chip program to justify it. so as referenced in the previous postings .... advances in technology can reduce the cost of dealing with fraud (in the chip card case ... it would be nice to reduce it from $20b/annum to maybe under $1b/annum; say a combination of significantly reduced chip costs as well as the number of new sent out each year) while at the same time increasing the amount of fraud (criminals find it easier to counterfiet existing cards increasing the amount of traud that happens). However, generically (except for some specific exceptions), the majority of fraud has tended to be insider fraud. Just improving things with strong authentication &/or identification doesn't directly address insider fraud, significant audit, command & control, and compensating procedures are needed to be in place to address significant amounts of insider fraud (who, effectively by definition, have already been authenticated and identified). JohnE37179@aol.com on 11/02/2001 08:26 pm wrote Again, this is only a very small part of the problem. The Inspector General's office reports that the average identity fraud in the Social Security Administration costs over $100,000. Texas Medicaid loses approximately 25% of its $4 billion budget to fraud. The ABA reports that the average cost of each credit card fraud for the issuer exceeds $3500. Each incident of identity fraud in recruiting costs DOD over $500,000. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com