[LINK] Consumer Credit-Card Risks

Roger Clarke Roger.Clarke at xamax.com.au
Wed Jan 13 12:11:36 AEDT 2010

>Date: Wed, 13 Jan 2010 11:49:39 +1100
>From: Stephen Wilson <swilson at lockstep.com.au>
>To: privacy at lists.efa.org.au
>Cc: link at anu.edu.au
>Subject: Re: [LINK] Consumer Credit-Card Risks
>Nudged, nudged, Roger!
>I think your analysis is fine.

[Thanks Steve!  I've inserted a couple of comments in your text.]

>I too am bemused by the misuse of the term "algorithm".  It's curious
>that business people often decry technologists' difficult terminology,
>but then occasionally co-opt jargon and get it wrong. It's actually very
>common in biometrics for the template generated from scanning a body
>part to be wrongly called an "algorithm".
>But having said that, I don't actually think Chris Clark's explanation
>of one-time codes is all that misleading for lay people, so personally I
>would forgive him using "algorithm".
>More importantly, I don't think he is actually talking about one time
>passcodes as most of us know them (the codes generated by key fobs for
>online authentication).  Rather he seems to be referring to the one-time
>dynamic cryptograms exchanged between the chipcard and the terminal,
>under the covers.  This is the mechanism that defeats skimming.

[Yes, I agree that that's what Chris was talking about.  In trying to 
use simple words like 'number', my expression ended up a bit too 

>Yes, un-authenticated use of cards in vending machines is increasingly
>common esp. in carparks.  What astounds me is that when I used a credit
>card face-to-face with a person at the Sydney Opera House carpark, there
>was nothing to sign either.  Seems to be a new category of "Card
>Present, Merchant Asleep" transaction.

[As I understand it, at least some of those merchants are *permitted* 
by Visa/MC and the acquirer and/or network-operator to be asleep, 
i.e. the scope of the agreements extends beyond 
sales-person-not-present circumstances to include some conventional 
counter/POS contexts.

[They're presumably low-value, high-volume, rapid, convenient 
payments that have been risk-assessed and demonstrated (or just 
deemed) to be low-risk.

[After my discussions with Visa, it appears that there may be no 
documents that demonstrate what risk assessment has been undertaken 
from the consumer perspective, and what risk management measures have 
been instituted to address those risks;  and that no-one representing 
consumers has been engaged with the design.  All of which (sorry 
about the repetition) is a major part of my concern about what's 
going on!]

>Incidentally, I was greatly relieved to not see any mention of
>biometrics in the article.  Does anyone know of any biometric payment
>security scheme that has survived its pilot?  IMHO biometrics remain
>totally academic in retail or consumer security.
>So I agree Roger that we should welcome the advent of chip cards in
>Now, do you mind if I push the envelope a little?  The reason chip cards
>are important in payments is that, one way or another, they protect the
>integrity of the cardholder account number and other details, as
>transmitted with the user's consent (PIN), from the card to the
>terminal.  The details are encrypted (signed if you will) between the
>chip and the terminal, which stops replay attack and thwarts ID theft.
>More subtly, by increasing the dependability of those details, it means
>that in principle less personal information is needed to corroborate a
>These properties are sorely needed in e-government and e-health.  If
>we're keen on chip cards in payment security, then we should also be
>looking for properly designed smartcards to secure e-health records and
>the like.  Different cards for different domains of course.
>I declare an interest: my company Lockstep Technologies sells a
>smartcard based ID solution.  But I don't believe that programs like
>longitudinal e-health records and personal health records are safe
>unless they have smartcards protecting users' IDs.
>Stephen Wilson
>Managing Director
>Lockstep Group
>Phone +61 (0)414 488 851
>www.lockstep.com.au <http://www.lockstep.com.au>
>Lockstep Consulting provides independent specialist advice and analysis
>on digital identity and privacy.  Lockstep Technologies develops unique
>new smart ID solutions that enhance privacy and prevent identity theft.
>Link mailing list
>Link at mailman.anu.edu.au

Roger Clarke                                 http://www.rogerclarke.com/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
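The mechanism Stephen refers to above, a one-time dynamic cryptogram passed from chip to terminal, is easiest to see in code. The following is an added illustration written for this page, not code from the list thread, from either correspondent, or from the EMV specifications. It models the shape of the scheme only: the card keeps a transaction counter (ATC), the terminal supplies a fresh unpredictable number (UN) per transaction, the card returns a MAC over the counter, amount and UN, and the issuer rejects anything with a stale counter, a mismatched challenge or a bad MAC. HMAC-SHA256 over a single long-lived shared key stands in for the per-transaction session keys and block-cipher MAC a real chip card uses, the PIN/consent step is omitted, and the class and function names, field sizes and the magstripe contrast case are all assumptions of the example.

```python
import hmac
import hashlib
import os
from dataclasses import dataclass, field

# Constructed example key shared by the simulated card and its issuer.
# (Real schemes derive per-transaction session keys; this is a simplification.)
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PAN = "4111111111111111"  # constructed test PAN


def _cryptogram(key: bytes, atc: int, amount: int, un: bytes) -> bytes:
    """MAC over the transaction data. HMAC-SHA256 stands in for the
    block-cipher MAC of a real card (assumption of this example)."""
    msg = atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + un
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class ChipCard:
    key: bytes
    pan: str
    atc: int = 0  # Application Transaction Counter, incremented per use

    def generate(self, amount: int, un: bytes) -> dict:
        """Answer the terminal's challenge with a one-time cryptogram."""
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "un": un, "ac": _cryptogram(self.key, self.atc, amount, un)}


@dataclass
class Issuer:
    keys: dict                                   # PAN -> card key
    last_atc: dict = field(default_factory=dict)  # PAN -> highest ATC seen

    def authorise(self, req: dict, terminal_un: bytes) -> bool:
        key = self.keys.get(req["pan"])
        if key is None:
            return False
        if req["un"] != terminal_un:          # cryptogram answers a different challenge
            return False
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False                      # counter already consumed: replay
        expected = _cryptogram(key, req["atc"], req["amount"], req["un"])
        if not hmac.compare_digest(expected, req["ac"]):
            return False                      # wrong key: cloned card or forgery
        self.last_atc[req["pan"]] = req["atc"]
        return True


def terminal_transaction(card: ChipCard, issuer: Issuer, amount: int):
    """Terminal side: challenge the card, forward its answer to the issuer."""
    un = os.urandom(4)
    req = card.generate(amount, un)
    return issuer.authorise(req, un), req


def replay_same_message(issuer: Issuer, captured: dict) -> bool:
    """Skimmer re-sends a captured authorisation message unchanged."""
    return issuer.authorise(captured, captured["un"])


def replay_at_new_terminal(issuer: Issuer, captured: dict) -> bool:
    """Skimmer presents the captured cryptogram to a terminal that
    issues its own (different) challenge."""
    new_un = bytes(b ^ 0xFF for b in captured["un"])
    return issuer.authorise(captured, new_un)


# Contrast: a magnetic-stripe card carries only static data, so whatever
# a skimmer reads once can be presented again indefinitely.
@dataclass
class MagstripeCard:
    track2: str  # constructed static track data: PAN, expiry, service code


def magstripe_authorise(known_tracks: set, track2: str) -> bool:
    return track2 in known_tracks


if __name__ == "__main__":
    card = ChipCard(CARD_KEY, PAN)
    issuer = Issuer({PAN: CARD_KEY})
    ok, captured = terminal_transaction(card, issuer, 1250)
    print("genuine chip transaction:", ok)
    print("replayed message:        ", replay_same_message(issuer, captured))
    print("replay at new terminal:  ", replay_at_new_terminal(issuer, captured))
    stripe = MagstripeCard("4111111111111111=1512101")
    skimmed = stripe.track2
    print("magstripe replay:        ", magstripe_authorise({stripe.track2}, skimmed))
```

A cloned chip that copies the PAN and counter but not the key fails at the MAC check, which is the point Stephen makes about protecting the integrity of the account details rather than their secrecy; the magstripe case shows why static track data offers no such protection.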
