
Re: credit card conventional wisdom

>>  I was attacking the line of thought
>> that goes, "credit card security is already marginal, therefore why 
>> should anyone try to improve it in cyberspace"? this is circular
>> reasoning. "why should anyone try to make something more secure when
>> it is already insecure?"
>In my post I am looking at this from an economics point of view. Simply
>put: If there is unlimited liability to the credit card holder because
>Mallet is stealing card numbers from the telco switch, encrypted, plain text,
>it doesn't matter, there will be no users.  If there are no users then
>there will be no transaction fees generated, no transaction fees, then it
>won't be deployed.  Therefore, there is no reason to develop the code 
>or even read the latest and greatest specs. and we are all wasting our 

I don't believe legal liability is the issue. many businesses operate
despite the fact that they have large liability for what they perform.
the issue is balancing the cost they are guaranteed through their
charges with the liability they face. you are incorrect in thinking that
individual credit card users buy credit cards based on the
liability to themselves, from my point of view. individuals, even
if they are theoretically liable for large fraud costs, simply are not 
going to be able to be held accountable for them.

you seem to be saying that if credit card companies one day guaranteed
they would be responsible for all fraud charges, we would have cybercash
*now*. but credit card companies already do largely have to absorb the
costs of fraud. they are *already* liable. and again, I don't think you
will find the market really cares about liability prior to using 
the service. the individual generally
assumes they are not personally responsible for fraud in the card, and
the companies generally have to adhere to this paradigm.

what if tomorrow a new credit card company started up saying, "we are
not responsible for fraud. all fraud is the responsibility of the 
customer?"  they would be laughed off the planet. such a plan is not
even feasible. the consumer will simply cancel the credit card if they
perceive they are being charged for fraud, and not pay the company 
insisting they are not liable (despite whatever agreement they signed).

>We must recognize that no matter what code we write, how secure it is,
>it won't be used until the banks that must clear the transactions
>agree to accept the risks of loss in return for their transactions fees.

but this has *always* been the case. how is it not the case now? *all*
banks are liable for the security of their schemes. why do you think they
are not? why do you think they care so much about security?

>I haven't seen this from any of these consortiums and would like besides 
>publishing their specs for the best system agree that this risk bearing
>is a necessary step for electronic commerce to become a reality.

why do you think that nobody already realizes this? isn't it
patently obvious to anyone who starts such a system?

>I would like to see members of the MasterCard and Visa coalitions comment 
>on this aspect of the systems they are promulgating.  The one who cracks
>this nut first without losing their shirt to Mallet will be the winner. The
>others that expect us to deploy systems based upon if Mallet breaks the 
>system, the cardholder and or merchant pays are wasting our time. 

who is proposing that consumers or merchants pay if a system is broken?
why do you think that this is the case? what is more likely is that
these fraud costs will be hidden in transaction charges, just like
they are with current credit cards. the individual consumers and merchants
will then be given the "illusion" that they are not paying for fraud,
but this cost is actually invisibly included in their "transaction

for the above reasons I don't at all understand why you insist that acceptance 
of liability is the problem delaying introduction of digital cash standards.

but one distinction I do realize has to be made in all this is the
difference between "fraud" and "breaking a system". the latter is
a far more potentially serious problem with cryptographic security than
the former. in fact cryptographic security attempts to deal with all
fraud by making "breaking the system" impossible, and succeeds to the
degree it accomplishes this.