[114064] in cryptography@c2.net mail archive
Re: Lack of fraud reporting paths considered harmful.
daemon@ATHENA.MIT.EDU (John Ioannidis)
Sat Jan 26 10:20:09 2008
Date: Fri, 25 Jan 2008 18:11:56 -0500
From: John Ioannidis <ji@tla.org>
To: cryptography@metzdowd.com
In-Reply-To: <873asl4ii4.fsf@snark.cb.piermont.com>
Perry E. Metzger wrote:
>
> That's not practical. If you're a large online merchant, and your
> automated systems are picking up lots of fraud, you want an automated
> system for reporting it. Having a team of people on the phone 24x7
> talking to your acquirer and reading them credit card numbers over the
> phone, and then expecting the acquirer to do something with them when
> they don't have an automated system either, is just not reasonable.
>
>
But how can the issuer know that the merchant's fraud detection systems
work, for any value of "work"? This could just become one more avenue
for denial of service, where a hacked online merchant suddenly reports
millions of cards as compromised. I'm sure there is some interesting
work to be done here.
/ji
---------------------------------------------------------------------
The Cryptography Mailing List