This appeared in my November newsletter, CRYPTO-GRAM, but I thought it general enough interest to send it here. Bruce Electronic Commerce: The Future of Fraud Fraud has been perpetrated against every commerce system man has ever invented, from gold coin to stock certificates to paper checks to credit cards. Electronic commerce systems will be no different; if that's where the money is, that's where the crime will be. The threats are exactly the same. Most fraud against existing electronic commerce systems -- ATM machines, electronic check systems, stored value tokens -- has been low tech. No matter how bad the cryptographic and computer security safeguards, most criminals bypass them entirely and focus on procedural problems, human oversight, and old-fashioned physical theft. Why attack subtle information security systems when you can just haul an ATM machine away in a truck? This implies that new commerce systems don't have to be secure, but just better than what exists. Don't outrun the bear, just outrun the people you're with. Unfortunately, there are three features of electronic commerce that are likely to make fraud more devastating. One, the ease of automation. The same automation that makes electronic commerce systems more efficient than paper systems also makes fraud more efficient. A particular fraud that might have taken a criminal ten minutes to execute on paper can be completed with a single keystroke, or automatically while he sleeps. Low-value frauds, that fell below the radar in paper systems, become dangerous in the electronic world. No one cares if it is possible to counterfeit nickels. However, if a criminal can mint electronic nickels, he might make a million dollars in a week. A pickpocketing technique that works once in ten thousand tries would starve a criminal on the streets, but he might get thirty successes a day on the net. Two, the difficulty of isolating jurisdiction. The electronic world is a world without geography. A criminal doesn't have to be physically near a system he is defrauding; he can attack Citibank in New York from St. Petersburg. He can jurisdiction shop, and launch his attacks from countries with poor criminal laws, inadequate police forces, and lax extradition treaties. And three, the speed of propagation. News travels fast on the Internet. Counterfeiting paper money takes skill, equipment, and organization. If one or two or even a hundred people can do it, so what? It's a crime, but it won't affect the money supply. But if someone figures out how to defraud an electronic commerce system and posts a program on the Internet, a thousand people could have it in an hour, a hundred thousand in a week. This could easily bring down a currency. And only the first attacker needs skill; everyone else can just use software. "Click here to drop the deutsche mark." Cryptography has the potential to make electronic commerce systems safer than paper systems, but not in the ways most people think. Encryption and digital signatures are important, but secure audit trails are even more important. Systems based on long-term relationships, like credit cards and checking accounts, are safer than anonymous systems like cash. But identity theft is so easy that systems based solely on identity are doomed. Preventing crime in electronic commerce is important, but more important is to be able to detect it. We don't prevent crime in our society. We detect crime after the fact, gather enough evidence to convince a neutral third party of the criminal's guilt, and hope that the punishment provides a back-channel of prevention. Electronic commerce systems should have the same goals. They should be able to detect that fraud has taken place and finger the guilty. And more important, they should be able to provide irrefutable evidence that can convict the guilty in court. Perfect solutions are not required -- there are hundred of millions of dollars lost to credit card fraud every year -- but systems that can be broken completely are unacceptable. It's vital that attacks cannot be automated and reproduced without skill. Traditionally, fraud-prevention has been a game of catch-up. A commerce system is introduced, a particular type of fraud is discovered, and the system is patched. Money is made harder to counterfeit. Online credit card verification makes fraud harder. Checks are printed on special paper that makes them harder to alter. These patches reduce fraud for a while, until another attack is discovered. And the cycle continues. The electronic world moves too fast for this cycle. A serious flaw in an electronic commerce system could bankrupt a company in days. Today's systems must anticipate future attacks. Any successful electronic commerce system is likely to remain in use for ten years or more. It must be able to withstand the future: smarter attackers, more computational power, and greater incentives to subvert a widespread system. There won't be time to upgrade them in the field. Why Cryptography is Harder Than it Looks: http://www.counterpane.com/whycrypto.html Security Pitfalls in Cryptography: http://www.counterpane.com/pitfalls.html Subscribe to CRYPTO-GRAM: http://www.counterpane.com/crypto-gram.html ********************************************************************** Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com