This is what happens when your business model says a certain amount of fraud is OK

Unless you have been living under a rock, you know that Target (and several others) have recently been hacked at their point of sale (POS) terminals to the tune of tens of millions of credit cards. Back in the 'old days', when it took a lot of work to take advantage of a stolen credit card, it made sense for the credit card companies to simply bake a percentage of fraud into their pricing and get their customers to absorb it (note that the real customers of the card companies are the merchants, NOT the consumer). Now that card numbers can be stolen by the millions and monetized quickly and entirely remotely, that strategy is biting the card companies on the ass. Sure, with data mining they can identify a lot of fraud and take steps to minimize it, but since they push the cost onto their customers, at some point those customers are going to balk.

The core of the problem is that when you use a card at the POS, the merchant (and by extension anyone who has compromised the merchant's POS hardware) now has all the information needed to make any number of unauthorized purchases: the account number and expiry are static credentials, so a copy is as good as the original. If we had smart cards that produced a one-time encrypted, signed token, bound to that one transaction and useless for any other, 'stealing' this information would be entirely pointless. Making such a system bulletproof is not trivial, but even a naive implementation would immediately eliminate the value of the data captured at the terminal and likely make the cost of fraud orders of magnitude higher.

Of course, in the real world it is very hard to get anyone to change, AND there is a huge amount of money to be made in converting to a new system, so none of the current actors actually want open standards. Still, I predict the current paradigm will end soon (within a decade or so), because fraud costs are going up nearly daily and I am quite sure merchants are about ready to switch to cash-only to avoid the increasing percentage the card companies charge them.

Of course, the merchants simply pass this cost on to their customers (us), but because competition among merchants is so intense (true capitalistic competition, not that we really have a lot of that here in the good old USofA), if a merchant could give a consumer a 10% discount for paying with cash (and maintain the same or better margins) I bet that would attract a lot of attention.
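To make the "one-time signed token" argument concrete, here is an added example (my own sketch, not code from the original post and not the EMV specification): the card holds a key shared only with its issuer and signs each transaction with an HMAC over the amount, merchant, terminal nonce and a per-card counter. The POS, and any malware on it, sees only the resulting request. The PAN, key, merchant IDs and amounts are constructed for the demo; the counter-plus-cryptogram structure is EMV-inspired but simplified.

```python
"""Per-transaction cryptogram demo (added example, not from the original post).

Models the post's idea: the card signs each transaction with a key that never
leaves the chip, so a merchant-side skimmer captures only a one-time token.
Simplified, EMV-inspired sketch; all keys, PANs and merchants are constructed.
"""
import hashlib
import hmac
import secrets


def _encode(pan, amount_cents, merchant_id, terminal_nonce, atc):
    # Unambiguous field join: every field is digits, alphanumerics or hex,
    # so the '|' separator cannot appear inside a field and shift boundaries.
    return b"|".join([
        pan.encode(),
        str(amount_cents).encode(),
        merchant_id.encode(),
        terminal_nonce.hex().encode(),
        str(atc).encode(),
    ])


class Card:
    """The chip: a secret shared only with the issuer plus a transaction counter."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key      # never exported; the POS never sees it
        self.atc = 0         # application transaction counter, +1 per use

    def authorize(self, amount_cents, merchant_id, terminal_nonce):
        self.atc += 1
        msg = _encode(self.pan, amount_cents, merchant_id, terminal_nonce, self.atc)
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()
        # This dict is everything the merchant (and malware on its POS) gets.
        return {
            "pan": self.pan,
            "amount_cents": amount_cents,
            "merchant_id": merchant_id,
            "nonce": terminal_nonce.hex(),
            "atc": self.atc,
            "cryptogram": tag.hex(),
        }


class Issuer:
    """The issuer's authorization host: knows every card key and last counter."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan, key):
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def authorize(self, req):
        key = self._keys.get(req["pan"])
        if key is None:
            return False, "unknown card"
        # Freshness: a verbatim replay carries a counter the issuer already accepted.
        if req["atc"] <= self._last_atc[req["pan"]]:
            return False, "replay: counter not fresh"
        msg = _encode(req["pan"], req["amount_cents"], req["merchant_id"],
                      bytes.fromhex(req["nonce"]), req["atc"])
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        # Integrity: any change to amount/merchant/nonce/counter breaks the tag.
        if not hmac.compare_digest(expected, bytes.fromhex(req["cryptogram"])):
            return False, "cryptogram does not match transaction data"
        self._last_atc[req["pan"]] = req["atc"]
        return True, "approved"


def run_scenarios():
    """One legitimate purchase, then what a POS skimmer can do with the capture."""
    key = secrets.token_bytes(32)            # constructed: provisioned at personalization
    card = Card("4111111111111111", key)     # constructed test PAN
    issuer = Issuer()
    issuer.enroll(card.pan, key)

    legit = card.authorize(1999, "MERCHANT-001", secrets.token_bytes(8))
    results = {"legit": issuer.authorize(legit)}

    # 1. Replay the captured request verbatim.
    results["replay"] = issuer.authorize(dict(legit))

    # 2. Keep the captured cryptogram, change amount and merchant, bump the counter.
    tampered = dict(legit, amount_cents=99900, merchant_id="ATTACKER-SHOP",
                    atc=legit["atc"] + 1)
    results["tampered"] = issuer.authorize(tampered)

    # 3. Forge a fresh request: without the card key the tag can only be guessed.
    forged = dict(legit, atc=legit["atc"] + 1,
                  cryptogram=secrets.token_bytes(32).hex())
    results["forged"] = issuer.authorize(forged)

    # The genuine card in its holder's hand keeps working after all of that.
    results["next_legit"] = issuer.authorize(
        card.authorize(500, "MERCHANT-002", secrets.token_bytes(8)))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:11s} -> {outcome}")
```

Two things the sketch makes visible that the prose does not. First, the counter and the cryptogram do different jobs: the counter kills verbatim replay, the cryptogram kills modification and forgery, and you need both. Second, the account number is still in the clear in every request, so a skimmer still learns the PAN; it is only worthless where the issuer insists on the cryptogram. Anywhere that accepts the bare number (card-not-present channels, for instance) remains exposed, which is why real deployments pair the cryptogram with a per-merchant or per-device substitute for the PAN rather than the PAN itself.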

I was motivated to write this post after reading this other blog post:

Dispute Resolution Systems for Security Protocols
https://www.schneier.com/blog/archives/2014/02/dispute_resolut.html

It is not totally relevant to my post, but here it is in case you are curious. I didn't read the paper the post refers to because, as mentioned in my post and in a couple of the comments (as usual, the comments are very interesting, if you are interested in infosec anyway), the paper is addressing the wrong problem.

Author: Tfoui

He who spews forth data that could be construed as information...