[LINK] Consumer Credit-Card Risks

Steven Clark steven.clark at internode.on.net
Thu Jan 14 12:39:49 AEDT 2010 

On 13/01/2010 9:41 AM, Roger Clarke wrote:
> I'm continuing to work on the question of contactless cards.  I've 
> had a prompt response from Visa, including some useful info.  I've 
> not yet had any information from MasterCard or ASIC.
>
> It continues to appear that no risk assessment or risk management 
> plan from the consumer's perspective exists, and that at no stage has 
> consultation been undertaken with reps of and advocates for the 
> consumer interest.
>   

how often are risk assessments done on behalf of, or for the benefit of,
another party?

or, to put it another way - since privacy has become 'data protection',
once you've satisfied yourself that you're complying with the Privacy
Act, why would an organisation think it needed to go any further:
compliance is all that technically matters ...

> But there's also a large volume of undiscovered fraud that is borne 
> by consumers who fail to reconcile their accounts, are too lazy to 
> pursue mysterious transactions with their financial services 
> provider, or fail to sustain their concentration long enough to last 
> through their financial institution's processes - which can be 
> tortuous and very long-winded.
>   

i'd submit that the complexity of institutional processes (designed
entirely to protect the institution) is a significant factor in all
this. i doubt that the volume of 'reported' instances of fraud includes
those where the matter was not resolved in the clients favour.

with the burden of proof laid squarely on the consumer,
multi-billion-dollar institutions can just 'wait them out' ... tie you
up in processes until you go away. i'd add another category into your
list: consumers dissuaded from pursuing anomalies because the value lost
is not worth the effort to recover.

it is hard to properly evaluate the magnitude of electronically-mediated
fraud, beyond 'it's a serious problem ... for someone (else)'. it gets
messier when it's called 'identity theft' ...

> Interim conclusion:
>
> The contact-based chip and one-time password initiatives do appear to 
> be much more effective security features, and are very much to be 
> welcomed.
>   

contact-based 'smart' cards do at least require some voluntary action by
the customer that goes some way to affirming their consent and probable
awareness of the transaction they're consenting to.

i have a card that can conclude transactions up to $35 each by it's mere
proximity to a reader. though i have yet to see one ... or perhaps more
properly, yet to experience the overt application of one ...

> The SMH article doesn't mention two aspects of serious concern:
> -   contactless cards
> -   other transactions in which no authentication is undertaken as to
>      whether the person presenting the card is authorised to do so.
>
>      Visa tells me that this category is a lot more widespread that
>      I'd realised, and has been expanding since about 2004.  Visa tells
>      me that I'm a rare bird never to have done one in a car-park, and
>      that there are many other merchant-categories with such terminals.
>   

these are becoming more 'exciting' for vendors because they remove much
of the effort required to encourage the consumer to enter the
transaction - viz getting them to actually pay.

they're popular in carparks. >> insert ticket, insert card, done. (some
places skip the costly ticket and capture your credit card details on
the way in ... thus ensuring payment - a double win for the business).

i've also seen them on streets for short term parking bays, in hotels
and other places for hiring (and 'securing') lockers, and dvd rental
vending machines. i expect this kind of thing to become more common as
vendors cotton on to the 'transaction capture' effect - and the reduced
upfront costs for identifying transactions (not the customers, the
transaction).

> So  ...  my concerns are now much wider than contactless cards, and 
> include all of those transaction-types.
>   

it's the transactions that have always concerned me more than the tokens
(which are interating/worrying enough in their own right). once people
are habituated, the real exploitation begins.

i'm still working with the epassport system. every time i talk about it,
someone asks why they need worry about privacy ...  "it's not as though
it has my home address on it" ... "but i have to give them that
information so i can fly" ...

> Finally, a quote in the article seems very strange to me.
>
> Visa GM Chris Clark is quoted as saying:
>
> "The [contact-based] chip produces *an algorithm* that *authenticates 
> the user* once only.  The next time it is used its interaction with 
> the terminal generates *a new algorithm*.  That process makes it much 
> harder to copy customer details" (emphases added).
>
> Firstly, surely the chip generates a new number, not a new algorithm.
>   

it's easy enough to confuse the process with the product/result - people
do it all the time. even going so far as to not only conflate the two,
but substitute the process for the outcome (or vice versa). [see
"identity" or "identification"]

i suspect someone doesn't know what 'algorithm' means, but thinks they
do, and thus the incorrect usage. they've read (or misread) a briefing
paper and winged it from there.

> I can understand attempts to simplify complex technology, or 
> re-express it in ways consumers will understand (e.g. maybe pilots 
> with consumers have shown that they can grasp 'unique transaction 
> code' better than 'one-time password').
>   

(help-desk) people are used to the idea that a password lets you into
something.

oddly, unique transaction code is a better description. and it may be
that the term came out of the formal description of the process rather
than anyone's attempt to simplify language.

> Secondly, and much more importantly, the one-time code that's 
> generated authenticates *the card* (or, more correctly, *the chip*).
>   

vendor management are not the only ones who get this confused. it is not
uncommon to hear or read about 'proving identity' of a person when what
is really being done is authenticating a token, or perhaps going so far
as to authenticate a transaction.

and getting the terminology right doesn't suddenly make it harder for
the 'general public' to understand what's going on. i argue, and claim
from experience, that more precise use of language makes it easier for
laypeople to grasp otherwise complex issues.

> It's materially misleading to say that it "authenticates the user". 
> That can only be done through the use of something the person, and 
> only that person, 'has, knows, is, or is now'.  Having the card isn't 
> enough, because the card can find its way into the hands of an 
> unauthorised user.
>   

indeed. even the official jargon confuses things: proof of identity
(poi) documents are no such thing. at best they provide evidence that
could be used to authenticate ... but prove? identity?

> I'd have been disappointed if a nominally specialist reporter made 
> such an error, but I think it's remarkable, and pretty poor, that the 
> Visa GM appears to have made the mistake.
>   

whomever briefed him either didn't give him time to grasp the
distinction, or was confused themselves.

i don't expect management, even in tech-imbued businesses, to be
tech-aware - let alone understand tech in any deep way. [they're usually
too focussed on 'value adding' and 'value leverage' etc to stop and
ponder what they mean by 'value'.]

-- 
Steven

More information about the Link mailing list