Schneier on Security
A blog covering security and security technology.
« Identity Thief Steals House |
| Tamper-Evident Paper Mailings »
August 29, 2005
Security at Visa
Good article on security at Visa in light of the CardSystems fiasco. (The article echoes some of the security arguments I made in this post.)
Posted on August 29, 2005 at 1:57 PM
• 12 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I hate to be the first to post, and risk being accused of Torres-syndrome, but here goes:
When I distill the NYT article, I find some harsh barbs aimed squarely at the credit system of the US:
Although the CC companies have established security rules for member banks, data processors and merchants, enforcement will be weak because of conflict-of-interest:
1) card companies are not incented to punish banks "because that would reduce the volume of transactions and cut into their fees"
2) banks are wary of losing their customers and therefore will not push strong merchants away, since these merchants are likely to just choose another bank
3) banks profit from fraud through "charge-back fees" and forcing merchants to "swallow the cost of the item purchased"
On top of that, the article says enforcement is spotty since no single established standard exists for security.
I have to say this last point is very annoying but unfortunately true. I spend far too much time discussing why "reasonable" security is actually reasonable...at some point it devolves into banter similar to "seatbelts save lives" and "don't drink and drive".
Perhaps the most interesting bit is a quote from Robert Manning "a longtime critic of the payments industry" who says "Visa and MasterCard are membership associations - and they have essentially failed in safeguarding the interests of consumers because they simply exist as an organization to protect the interest of their member banks."
So the article appears to say that Visa and MasterCard are (naturally) out to protect their membership brand first, and the good of the member banks second, with only the residual gain for consumers ostensibly to prevent government intervention (on consumers' behalf).
Bruce, could you explain which security arguments do you think this echoes in your prior post? I'm not sure I see the similarities to what you were quoting back then...
Visa seem to have their marketing engine in overdrive:
I cant see credit cards ever being 'secure' and relatively free of fraud without a huge overhaul of the mindset of both users and vendors. Large scale compromise of privacy is just part of the picture.
"I hate to be the first to post, and risk being accused of Torres-syndrome, but here goes:"
Don't worry about it. Your posts are always intelligent and well thought out.
cardsystems broke the rule on not keeping cardholder information after processing transactions. it said the reason was to research why some transactions didn't clear, who knows what the real reason was, except it probably involved selling the information to other companies or building a database for some strategic advantage.
visa cut them off, no longer allows them access to its system. mastercard still does business with them. think about this. these are associations of banks, and there is great overlap in the membership of these associations, they're almost identical.
now imagine i'm a white-collar criminal who makes a living committing fraud with my checking account. after a number of years, bank of america has finally wised up to my act and has booted me, but wells fargo down the street, knowing my history, still welcomes me with open arms. does this make sense? not in the context of individual customers, banks use another company (usually chex systems) to vet account applicants before they're turned loose with checks.
so why is mastercard still doing business with a demonstrably rogue entity? BECAUSE IT DOESN'T GIVE A SHIT ABOUT CARDHOLDER INFO, THAT'S WHY! this is all public relations fluff to keep the morons gulled. you there with the credit cards in your wallet, you're a rube, a mark, a chump. nobody cares if you get ripped off, not visa or mastercard, your bank, your congressman, nobody. the onus of securing yourself and earning the respect of your vendors falls on you. if enough people protested mastercard's stance by cutting up their mastercards and mailing them in with their next payment, mastercard would die. ain't gonna happen.
"Bruce, could you explain which security arguments do you think this echoes in your prior post? I'm not sure I see the similarities to what you were quoting back then..."
Simply that this is an economic problem, and that the solutions are economic.
On the lighter side of credit card security, I thought I'd mention the new series of pranks that John Hargrave has published on his website (zug.com) :
"The VISA Prank" :
The articles are based on the security questions that you get when you call VISA and they need to "authenticate" you.
The article is by the same guy who posted "The Credit Card Prank" last year, where he signed his CC receipts as "Zeus", "Beethoven" or "Mr. I-Stole-This-Card", to see what would happen.
"Don't worry about it. Your posts are always intelligent and well thought out."
Ok, I wasn't going to say anything but I can't resist...Mom, is that you?
As a security consultant, I am more often than not the person informing the IT Director about the PCI Data Security Standard. The information is not being communicated to the correct person. It is usually sitting on the CFO desk somewhere. I make the comparison to the FDIC security guidances... they don't care until there is money involved. Then you have to be compliant, or you pay to fix the problem. Another_bruce, you are correct. PCI isn't for the cardholder, is for the credit industry. If people lose trust in credit cards, then they look to lose alot of money.
"The information is not being communicated to the correct person"
That's for sure. Try asking any one of your current software vendors if they are OWASP compliant, let alone compliant with PCI Security Standards (that call out the OWASP top ten among other best practices).
"Simply that this is an economic problem, and that the solutions are economic."
Definitely, especially as we are discussing the credit and financial services industry. The card companies might even be following Bastiat's "broken window fallacy" or as Henry Hazlitt wrote in "Economics in One Lesson", "the art of economics consists in looking not merely at the immediate but at the longer effects of any act or policy; it consists in tracing the consequences of that policy not merely for one group but for all groups."
"...mastercard would die..."
I had a VISA card for a reason, cancelled it due to poor security, and finally was forced to get another one for my travels to U.S.A. In that country without a card hotel/car reservations or purchase of airlines tickets are just not possible.
ain't gonna happen is too weak, and relies on literate consumer community demanding that security. Without sequence of frauds, all hitting the front pages of newspapers, and for at least three times a month - ain't gonna happen!
Making merchants bear at least most of the cost of fraud with lost/stolen or forged cards is good sense, as they are in the best position to prevent it.
The exception is when the card was genuinely issued to a fraudulant application.
That said, the bank should lose at least some money for each fraudulant transaction. You suggest that they actually profit from fraud. Is that just hyperbole, or is it fact?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.