[114075] in cryptography@c2.net mail archive
Re: Lack of fraud reporting paths considered harmful.
daemon@ATHENA.MIT.EDU (mark seiden-via mac)
Sat Jan 26 14:33:33 2008
Cc: cryptography@metzdowd.com
From: mark seiden-via mac <mis@seiden.com>
To: John Ioannidis <ji@tla.org>
In-Reply-To: <479A6CBC.6070208@tla.org>
Date: Sat, 26 Jan 2008 08:41:44 -0800
yes, the reputation of/quality of reporters needs to be measured, and
the reported information needs to be enough to
accomplish an auth or a card purchase.
the card issuer can then use a credible report as a hint to increase
the level of attention to the reported cards.
it's in a merchant's interest to have high quality fraud detection
because this report is
in association with an attempted purchase transaction and their report
implies they
decline or refund the transaction they are turning down the revenue
from that card,
if a bad guy wants to break into a merchant's site, i would welcome
them to immediately report all the merchant's cards as stolen
rather than than stealing them and using them or waiting for the
merchant to do so in a breach notice.
On Jan 25, 2008, at 3:11 PM, John Ioannidis wrote:
> Perry E. Metzger wrote:
>> That's not practical. If you're a large online merchant, and your
>> automated systems are picking up lots of fraud, you want an automated
>> system for reporting it. Having a team of people on the phone 24x7
>> talking to your acquirer and reading them credit card numbers over
>> the
>> phone, and then expecting the acquirer to do something with them when
>> they don't have an automated system either, is just not reasonable.
>
> But how can the issuer know that the merchant's fraud detection
> systems work, for any value of "work"? This could just become one
> more avenue for denial of service, where a hacked online merchant
> suddenly reports millions of cards as compromised. I'm sure there
> is some interesting work to be done here.
>
> /ji
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
