[LINK] RFI: PayWave/PayPass Contactless Chip Cards

Roger Clarke Roger.Clarke at xamax.com.au
Fri Apr 13 12:20:07 AEST 2012


At 17:54 -0700 12/4/12, Rick Welykochy wrote:
>Wouldn't it make more sense to return the risk of RFID card compromise
>to the provider of the card?
>Does it take a class action suit against a bank to raise their awareness
>that what they have provided their customers is insecure?

The problem is that instances of occurrence of the risk have to be 
detected.  Otherwise crooks prosper at the expense of consumers.

For a card-holder to take advantage of the card-issuer's 
(undertaking? obligation?) to reimburse loss, the following has to 
happen:

-   the consumer has to discover that one or more transactions have
     occurred for which they deny responsibility

-   that means in practice that they have to reconcile their statements,
     and do so within whatever 'statute of limitations' the card-issuer
     imposes on them - currently probably 60 days

-   in order to reconcile, they need something to reconcile against.
     But for a great many small transactions a receipt has to be
     requested.  And there are disincentives, such as:
     -   the look of disbelief on the cashier's face
     -   the pressure of the queue behind them
     -   in time, the lack of a working printer, or of any printer

-   in order to have the energy to reconcile, the consumer has to
     overcome the disincentives, including:
     -   the huge number of entries that are now on the statement,
         as a result of the use of the card for myriad small transactions
     -   the large numbers of unreconciled entries that need to be
         thought through, to try to reconstruct each day's activities
     -   the infrequency with which fraudulent entries are found
         because they
         -   will tend to cluster, e.g. when someone borrows the card;  or
         -   will tend to be isolated and semi-random, e.g.
             -   when the card passes too close to a reader in the
                 premises of a crooked merchant
             -   when the card passes too close to a third-party reader
                 installed in a (for the crim) convenient location.
                 The example I've used in seminars for the last few years
                 is embedded in the backs of the seats in auditoria such as
                 university lecture-theatres
     -   in time, the likely need to opt-in to receive a full statement,
         because most consumers will throw away the wads of paper, and
         card-issuers will seek to reduce their costs (and the usage of
         paper, electrons, etc.)

For the above reasons, it's likely that only a very small proportion 
of fraudulent transactions will ever be discovered.

That in turn will embolden the crims, creating a non-virtuous cycle 
of 'tried, didn't get caught, try some more', which in turn invites 
conversion from small-time criminality to organised-crime racket.


Constructive critiques of the above analysis gratefully received!!


-- 
Roger Clarke                                 http://www.rogerclarke.com/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law               University of NSW
Visiting Professor in Computer Science    Australian National University
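The reconciliation step described above, run over constructed data, as an added example (mine, not Roger's, and not any card-issuer's process). It assumes the 60-day dispute window quoted in the post, plus two assumptions of my own: an entry may post up to three days after the receipt date, and a receipt matches an entry when merchant descriptor and amount agree. The statement, receipts and merchant names are made up for the example.

```python
"""Statement-vs-receipt reconciliation, with the failure modes from the post.
Constructed sample data; the 3-day posting lag and the matching rule are
assumptions for this example, the 60-day window is the post's figure."""
from dataclasses import dataclass, field
from datetime import date
from typing import List


@dataclass(frozen=True)
class Txn:
    day: date
    merchant: str      # descriptor as printed on the statement
    amount_cents: int  # integer cents; never floats for money


@dataclass
class Reconciliation:
    matched: List[Txn] = field(default_factory=list)        # covered by a receipt
    unmatched: List[Txn] = field(default_factory=list)      # no receipt, still disputable
    out_of_window: List[Txn] = field(default_factory=list)  # no receipt, too old to dispute


def reconcile(statement, receipts, today, dispute_days=60, posting_lag_days=3):
    """Match each statement entry to at most one receipt.

    A receipt matches when merchant and amount agree and the entry posted
    0..posting_lag_days after the receipt date.  Unmatched entries are dispute
    candidates unless they are already past the issuer's window, in which
    case the loss is sunk whether or not it was fraud.
    """
    pool = list(receipts)  # each receipt can explain only one entry
    result = Reconciliation()
    for entry in sorted(statement, key=lambda t: t.day):
        hit = next((r for r in pool
                    if r.merchant == entry.merchant
                    and r.amount_cents == entry.amount_cents
                    and 0 <= (entry.day - r.day).days <= posting_lag_days), None)
        if hit is not None:
            pool.remove(hit)
            result.matched.append(entry)
        elif (today - entry.day).days > dispute_days:
            result.out_of_window.append(entry)
        else:
            result.unmatched.append(entry)
    return result


def cluster_by_day(entries, gap_days=1):
    """Group entries whose date is within gap_days of the previous one.

    Several unmatched entries on consecutive days look like a borrowed card;
    a cluster of size one is the isolated, semi-random pattern the post
    attributes to a stray reader.
    """
    clusters = []
    for e in sorted(entries, key=lambda t: t.day):
        if clusters and (e.day - clusters[-1][-1].day).days <= gap_days:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


TODAY = date(2012, 4, 13)  # date of the post

# Constructed statement: everyday purchases plus two injected anomalies.
STATEMENT = [
    Txn(date(2012, 1, 30), "NEWSAGENT", 380),     # no receipt, 74 days old
    Txn(date(2012, 3, 5), "CAFE", 450),
    Txn(date(2012, 3, 6), "CAFE", 450),
    Txn(date(2012, 3, 20), "XYZ PTY LTD", 3500),  # isolated, no receipt
    Txn(date(2012, 3, 28), "SUPERMARKET", 2275),  # posted a day after purchase
    Txn(date(2012, 4, 1), "SERVO", 6000),         # burst of three, no receipts
    Txn(date(2012, 4, 1), "BOTTLESHOP", 4500),
    Txn(date(2012, 4, 2), "PHONE STORE", 9900),
    Txn(date(2012, 4, 10), "CAFE", 450),
]

# Constructed receipts the card-holder actually asked for and kept.
RECEIPTS = [
    Txn(date(2012, 3, 5), "CAFE", 450),
    Txn(date(2012, 3, 6), "CAFE", 450),
    Txn(date(2012, 3, 27), "SUPERMARKET", 2275),
    Txn(date(2012, 4, 10), "CAFE", 450),
]


def unmatched_without_small_receipts(min_receipt_cents):
    """Dispute candidates when receipts below a threshold are not kept."""
    kept = [r for r in RECEIPTS if r.amount_cents >= min_receipt_cents]
    return len(reconcile(STATEMENT, kept, TODAY).unmatched)


if __name__ == "__main__":
    rec = reconcile(STATEMENT, RECEIPTS, TODAY)
    print(f"matched {len(rec.matched)}, disputable {len(rec.unmatched)}, "
          f"sunk {len(rec.out_of_window)}")
    for c in cluster_by_day(rec.unmatched):
        kind = "isolated" if len(c) == 1 else f"cluster of {len(c)}"
        print(f"  {kind}: " + ", ".join(
            f"{t.day} {t.merchant} {t.amount_cents / 100:.2f}" for t in c))
    print("disputable if no receipt under $10 is kept:",
          unmatched_without_small_receipts(1000))
```

With the receipts above, the run separates one isolated entry from a three-entry burst and shows the January entry as unrecoverable because it is outside the window. Dropping the small-purchase receipts (the case the post says is the norm) pushes three legitimate cafe entries into the same candidate list as the anomalies, which is the swamping effect that makes the fraudulent ones unlikely to be noticed.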


