credit card conventional wisdom
I've been seeing a particular meme-nugget of conventional wisdom circulating in reference to credit cards that I'd like to debunk. (recently showed up in the WSJ, "Boardwatch" magazine editorial column, etc). these legends and thinkings are starting to annoy me to the point of becoming a pet peeve. the argument goes like this: secure credit card number uploading schemes (such as in Netscape) are not important on the internet because credit card numbers are already insecure. you give them to low-wage workers all the time who might steal the number from you anyway. there are a lot of fallacies with this. I find this to be a key cypherpunk issue, and I hope others will agree to the point of trying to attack this fallacy through letters to the editor, debates, etc., because it seems to rationalize weak security. - 1st point: yes, you do give credit cards to low wage workers in businesses, but this is not directly parallel to sending a credit card over the internet. the fuzzy thinking goes like this: "credit card numbers are already not secure. therefore, trying to secure them is frivolous". this is patently ridiculous on the face of it. it's circular reasoning. credit card numbers could become more secure if all businesses made them more secure. getting all businesses to make them secure is part of the battle. raising consciousness on the issue is part of the battle. saying, "there is no point" is a copout imho. - the insecurity of sending a card over the net could be far better or worse than that of handing it to an individual. 1st, when you send a number over the net, potentially anyone (including people other than the destination business) could spy on it. when you give it to someone in a company, only that representative (who would be trusted by the company) has access to it. or, alternately, maybe no one could *ever* see your card sent over the internet, including workers at the end site, who never deal with the numbers directly. such a system is possible and may become the norm. but not if shallow-thinking people can't imagine it as possible. - it is not impossible to have cards that don't have numbers but instead have magnetic stripes, and the only way for them to work is to be physically scanned. this would reduce fraud but would also reduce the convenience of sending numbers over the phone (mail order) for example. I'm not saying all cards should be this way, but it might make sense for some people to get a "scan only card" that cannot be used unless physically scanned. the point is that there are variations on the credit card theme that make them more secure, and there's a bit of a hurdle in getting Joe Sixpack to realize this, and realize it's desirable. - the boardwatch magazine editor argued that uploading credit card numbers over the internet in a secure fashion is a "non problem" because credit cards are already insecure. have you ever heard of PROGRESS, mr. bonehead? if the net began to make credit transactions more secure, perhaps that would create a momentum in which other offline businesses might become more strict or careful about credit card security. - credit card fraud is absolutely enormous in this country. and there are not really any very strong safeguards against it except a lot of "security through obscurity" (of credit card numbers). *everyone* pays the cost of this horrible fraud rate through increased transaction charges, higher interest rates, etc. just because you may not see it itemized on your credit card bill, does not mean you are not paying for it. (in much the same way that a sort of "shoplifting tax" is reflected in the cost of all merchandise). - the internet may eventually become completely secure. arguing that "we don't need security on the internet because we don't have it in the business world of daily credit card use, and they get along fine" is ridiculously simplistic and specious. the fact is that businesses do *not* really like many aspects of credit cards: low security, overhead costs, cost of interface devices to the credit card companies, etc. all these negative ingredients could be improved in cyberspace. but it won't happen if every time a new superior system comes along, someone argues, "but there's nothing wrong with what we have now!!!" when this is quite obviously mistaken to anyone with any minimal background& understanding in the area. furthermore, consumers are somewhat notorious for not really knowing what they want, and sometimes arguing against something they would buy or use in the future. == I'm continually amazed at how often security issues are mixed up in people's brains and reasoning. there are a lot of fallacies that work their way into respectable writing by reputable people that tend to mirror circular reasoning such as, "if something is insecure already, it makes no point to try to make a piece of it more secure". security is sometimes won slowly in increments, in which one could argue against each increment as useless or inconsequential, but the end result could lead to far better security. furthermore, there are a lot of different kinds of security weaknesses-- there is not a simple black-and-white measurement of "secure" vs. "insecure" but a lot of intermediate gradations. attempts to get secure credit card number transfer on the internet are not an end in themselves. they are the first steps toward an entirely new transaction system. those who see a single step and criticize it as feeble in the context of past systems are missing the point and apparently can't think past the present nanosecond of their lives.
On Tue Nov 14, 1995, Vladimir Z. Nuri wrote:
attempts to get secure credit card number transfer on the internet are not an end in themselves. they are the first steps toward an entirely new transaction system. those who see a single step and criticize it as feeble in the context of past systems are missing the point and apparently can't think past the present nanosecond of their lives.
You'll have a hard convincing folks that they need something better than what works perfectly well today. Here's another point that I didn't see in your list. Today it might be just as safe to send your CC# over the internet as giving it to a clerk, etc. This is mostly because the number of CC#'s sent over the net vs the whole traffic is small. It is therefore not very cost effective to try to steal credit card numbers over the net vs other means (searching through dumpsters, taping a phone line near LL Bean, etc.). If CC# purchases became common over the net, it would become much more valuable to try to steal them from the net and more people would. It would then become much less secure, not for any technical reason but because there will be more crooks exploiting the existing flaws. Where is it most common to steal cellular phone id's (I'm not sure what they are called, but the id's sent that someone can steal to build a forged cell phone)? At airports. Why? Because more cell phones are used there, everyone uses one as they get on or off a plane. If you want to troll for id's, go to where there are many. Howard
This may be a stupidly obvious question but..... We could argue until the cows come home, hell freezes over or the Cubs win the World Series, what ever comes first ;-) about whether giving your credit card number to a waiter or an 800 # clerk is any more or less secure than transmitting it encrypted or clear text over a data link. However, this misses a very large point. The reason I will give my credit number to a clerk is that the bank/credit card consortium will indemnify me against losses from fraudulent use of my card. Tearing up your carbons is more to protect the bank than it is to protect you. The risk to *me* is virtually zero if I am a good bank customer. I have seen no such statement from the Visa/MasterCard/bank consortiums regarding who is at risk if my card number is stolen and used in cyberspace. When I get a written indemnification from them stating clearly that using my credit card in cyberspace is no different from using in a local restaurant, then I see no risk to the user in using the card in cyberspace. The risk to the bank and merchant.......Now that is a different matter. Credit card usage on the net will never take off until this issue is solved to the satisfaction of the bank and the user. Until this happens arguing this issue is like arguing about how many angels can fit on the head of a pin. Regards: -arc Arley Carter Tradewinds Technologies, Inc. email: ac@hawk.twinds.com www: http://www.twinds.com "Trust me. This is a secure product. I'm from <insert your favorite corporation of government agency>." On Wed, 15 Nov 1995, Howard Melman wrote:
On Tue Nov 14, 1995, Vladimir Z. Nuri wrote:
attempts to get secure credit card number transfer on the internet are not an end in themselves. they are the first steps toward an entirely new transaction system. those who see a single step and criticize it as feeble in the context of past systems are missing the point and apparently can't think past the present nanosecond of their lives.
Arley Carter <ac@hawk.twinds.com>
This may be a stupidly obvious question but..... We could argue until the cows come home, hell freezes over or the Cubs win the World Series, what ever comes first ;-) about whether giving your credit card number to a waiter or an 800 # clerk is any more or less secure than transmitting it encrypted or clear text over a data link.
the point of my post was that I AGREE. the only issue is that we should make internet security as superior as possible regardless of the security of credit cards in the real world. I was attacking the line of thought that goes, "credit card security is already marginal, therefore why should anyone try to improve it in cyberspace"? this is circular reasoning. "why should anyone try to make something more secure when it is already insecure?"
I have seen no such statement from the Visa/MasterCard/bank consortiums regarding who is at risk if my card number is stolen and used in cyberspace. When I get a written indemnification from them stating clearly that using my credit card in cyberspace is no different from using in a local restaurant, then I see no risk to the user in using the card in cyberspace.
a major point of my post was that even if you think the cost of fraud is invisible to you, it is not. it is in everyone's interest to reduce fraud. if you think you are not paying for it now, your are believing in an illusion. reducing fraud rates will decrease costs for everyone in the long run. it is true that credit card companies try to localize the costs to the areas where their risk is higher (for example, higher interest rates on credit risks, different charges to the merchant for "card present" vs. "card not present" as indicated by the other poster), however I still think it is obvious that these costs are still distributed over all customers. this is one of the main illusions I was trying to discredit in my original post. the thinking goes like this: "so-and-so does not appear to have any affect on me now, therefore to consider it is irrelevant." in the case of credit card users, they seem to think, "I can already cancel any transactions. illicit purchases made when somebody steals my card in cyberspace are no different". another line of thinking is, "credit cards are already insecure, so who cares if people steal them over the internet". all of these are very specious lines of thought. your own line is, familiarly, "nothing matters unless it shows up on my own credit card bill" is again in my opinion an invitation to disaster. you are paying for the insecurity of credit cards right now, if not to your credit card company than in slightly increased rates in the goods you buy (to cover the merchant's cost to the credit card company).
The risk to the bank and merchant.......Now that is a different matter. Credit card usage on the net will never take off until this issue is solved to the satisfaction of the bank and the user. Until this happens arguing this issue is like arguing about how many angels can fit on the head of a pin.
part of getting to the point of satisfaction of the bank and user is improved internet security. another point of my post.
On Wed, 15 Nov 1995, Vladimir Z. Nuri wrote:
Arley Carter <ac@hawk.twinds.com>
This may be a stupidly obvious question but..... We could argue until the cows come home, hell freezes over or the Cubs win the World Series, what ever comes first ;-) about whether giving your credit card number to a waiter or an 800 # clerk is any more or less secure than transmitting it encrypted or clear text over a data link.
the point of my post was that I AGREE. the only issue is that we should make internet security as superior as possible regardless of the security of credit cards in the real world. I was attacking the line of thought that goes, "credit card security is already marginal, therefore why should anyone try to improve it in cyberspace"? this is circular reasoning. "why should anyone try to make something more secure when it is already insecure?"
In my post I am looking at this from an economics point of view. Simply put: If there is unlimited liability to the credit card holder because Mallet is stealing card numbers from the telco switch, encyrpted, plain text, it doesn't matter, there will no users. If there are no users then there will be no transaction fees generated, no transaction fees, then it won't be deployed. Therefore, there is no reason to develop the code or even read the latest and greatest specs. and we are all wasting out time. We must recognize that no matter what code we write, how secure it is, it won't be used until the banks that must clear the transactions agree to accept the risks of loss in return for their transactions fees. I haven't seen this from any of this consortiums and would like besides publishing their specs for the best system agree that this risk bearing is a necessary step for electronic commerce to become a reality. I would like to see members of the MasterCard and Visa coalitions comment on this aspect of the systems that are promulgating. The one who cracks this nut first without losing their shirt to Mallet will be the winner. The others that expect us to deploy systems based upon if Mallet breaks the system, the cardholder and or merchant pays is wasting our time. MasterCard/Visa, you're going to have to *earn* those transaction fees in cyberspace.
From the card holder's point of view all he cares about is that he can't lose money from using his card.
For anybody else that wants to argue about what is more dangerous, restaurant dumpsters or telco switches, take it to alt.who.the.hell.cares. Regards: -arc Arley Carter Tradewinds Technologies, Inc. email: ac@hawk.twinds.com www: http://www.twinds.com "Trust me. This is a secure product. I'm from <insert your favorite corporation of government agency>."
I was attacking the line of thought that goes, "credit card security is already marginal, therefore why should anyone try to improve it in cyberspace"? this is circular reasoning. "why should anyone try to make something more secure when it is already insecure?"
In my post I am looking at this from an economics point of view. Simply put: If there is unlimited liability to the credit card holder because Mallet is stealing card numbers from the telco switch, encyrpted, plain text, it doesn't matter, there will no users. If there are no users then there will be no transaction fees generated, no transaction fees, then it won't be deployed. Therefore, there is no reason to develop the code or even read the latest and greatest specs. and we are all wasting out time.
I don't believe legal liability is the issue. many businesses operate despite the fact that they have large liability for what they perform. the issue is balancing the cost they are guaranteed through their charges with the liability they face. you are incorrect in thinking that individual credit card users buy credit cards based on the liability to themselves, from my point of view. individuals, even if they are theoretically liable for large fraud costs, simply are not going to be able to be held accountable for them. you seem to be saying that if credit card companies one day guaranteed they would be responsible for all fraud charges, we would have cybercash *now*. but credit card companies already do largely have to absorb the costs of fraud. they are *already* liable. and again, I don't think you will find the market really cares about liability prior to using the service. the individual generally assumes they are not personally responsible for fraud in the card, and the companies generally have to adhere to this paradigm. what if tomorrow a new credit card company started up saying, "we are not responsible for fraud. all fraud is the responsibility of the customer?" they would be laughed off the planet. such a plan is not even feasible. the consumer will simply cancel the credit card if they perceive they are being charged for fraud, and not pay the company insisting they are not liable (despite whatever agreement they signed).
We must recognize that no matter what code we write, how secure it is, it won't be used until the banks that must clear the transactions agree to accept the risks of loss in return for their transactions fees.
but this has *always* been the case. how is it not the case now? *all* banks are liable for the security of their schemes. why do you think they are not? why do you think they care so much about security?
I haven't seen this from any of this consortiums and would like besides publishing their specs for the best system agree that this risk bearing is a necessary step for electronic commerce to become a reality.
why do you think that nobody does not already realize this? isn't it patently obvious to anyone who starts such a system?
I would like to see members of the MasterCard and Visa coalitions comment on this aspect of the systems that are promulgating. The one who cracks this nut first without losing their shirt to Mallet will be the winner. The others that expect us to deploy systems based upon if Mallet breaks the system, the cardholder and or merchant pays is wasting our time.
who is proposing that consumers or merchants pay if a system is broken? why do you think that this is the case? what is more likely is that these fraud costs will be hidden in transaction charges, just like they are with current credit cards. the individual consumers and merchants will then be given the "illusion" that they are not paying for fraud, but this cost is actually invisibly included in their "transaction tax". for the above reasons I don't at all understand why you insist that acceptance of liability is the problem delaying introduction of digital cash standards. but one distinction I do realize has to be made in all this is the difference between "fraud" and "breaking a system". the latter is a far more potentially serious problem with cryptographic security than the former. in fact cryptographic security attempts to deal with all fraud by making "breaking the system" impossible, and succeeds to the degree it accomplishes this.
Vladimir: Calm down. This is why I started my post with "Maybe this is stupidly obvious question but....." I am trying to illustrate some simple points and ask some simple questions: 1. Risk to a cardholder is on a vastly different scale than risk to the Bank Consortiums that run the credit card business. Charge offs and fraud are of course as you point out a cost of doing business. If it is not an acceptable risk to the card holder and the bank it won't happen. The bank won't deploy a system that they view as exposing them to unacceptable loss. The cardholder will not use a system that offers him no recourse to recover losses. End of Story. 2. The Bank Consortiums are doing a poor job of explaining to cardholders merchants and developers such as you and me that are supposed to implement these "open" specs exactly *what* our risks are in developing and deploying these systems on our servers. The bank consortiums will have contracts or usage agreements governing the clearing of transactions in cyberspace. When a loss is claimed by a cardholder, how will the loss (if there is one) be allocated between the cardholder, merchant, the company operating the server that processed the credit card and the bank be allocated. 3. I'm getting tired of seeing posts this list about what is more dangerous cyberspace or restaurantspace. Let's focus on the real mechanics of how the ground rules of credit card clearing will operate in cyberspace. The credit card consortiums can advance the cause of electronic commerce by stating in unambigous terms what their views are of these ground rules. Developers, cardholders and merchants can then make a judgement on whether those risks are acceptable to each party respectively. Regards: -arc Arley Carter Tradewinds Technologies, Inc. email: ac@hawk.twinds.com www: http://www.twinds.com "Trust me. This is a secure product. I'm from <insert your favorite corporation of government agency>."
the point of my post was that I AGREE. the only issue is that we should make internet security as superior as possible regardless of the security of credit cards in the real world. I was attacking the line of thought that goes, "credit card security is already marginal, therefore why should anyone try to improve it in cyberspace"? this is circular reasoning. "why should anyone try to make something more secure when it is already insecure?"
Precisely. It reminds me of a talk given by Dr. John McQuilan (I think it was at one of his High Performance Networks Conferences) where he said that the big administrative headache for high speed networks vs. low speed networks was simply the speed with which you could get in trouble..... The analogy holds quite true in physical credit cards vs. net credit.... ------------------------------+----------------------------------------------- Vinod Valloppillil | LibertarianismTelecommunicationsFreeMarketEnvi Engineering/Wharton | ronmentalismTechnologyCryptographyElectronicCa University of Pennsylvania | shInteractiveTelevisionEconomicsPhilosophyDigi vvallopp@eniac.seas.upenn.edu | talPrivacyAnarchoCapitalismRuggedIndividualism ------------------------------+-----------------------------------------------
The articile misses the point. What the credit card cos are worried about is the disclosure of credit card numbers in bulk by merchant servers connected incompetently to the internet. The issue of customer exposure is a non issue, regulation E means that there is no customer risk. There is in fact a distinction between "card present" and "card not present" transactions. AMEX cards for example have an extra group of four digits which are not part of the embossed card number. They are used as additional verification to prove that a card is present. In general a merchant pays a lower commission for card present transactions to reflect the reduced risk. The point of the article is that people running roung like headless chickens because of Internet insecurity miss the main point, the security is no worse than the real world we just have rather higher standards. What it does mean is that people like myself will be able to make a nice living explaining to people what security issues to forget and which ones to worry like hell about. Phill
participants (5)
-
Arley Carter -
hallam@w3.org -
Howard Melman -
Vinod Valloppillil -
Vladimir Z. Nuri