[114165] in cryptography@c2.net mail archive


Re: Lack of fraud reporting paths considered harmful.

daemon@ATHENA.MIT.EDU (James A. Donald)
Mon Jan 28 11:40:30 2008

Date: Mon, 28 Jan 2008 14:28:54 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: "Perry E. Metzger" <perry@piermont.com>
CC: Ian G <iang@systemics.com>, cryptography@metzdowd.com
In-Reply-To: <87r6g3q6b2.fsf@snark.cb.piermont.com>

Perry E. Metzger wrote:
 > The call-the-customer-and-reissue mechanism is a
 > mediocre solution to the fraud problem, but it is the
 > one we have these days.

Why is it a mediocre solution?

The credit card number is a widely shared secret.  It
has been known for centuries that widely shared secrets
have a short life expectancy and should be frequently
re-issued.

The only better solution is unshared secrets.  Is that
what you had in mind?  Instead of the customer sharing
his secret with the merchant, and the merchant checking
it with the bank, customer should prove to bank that the
person who knows the secret wishes to pay the merchant
for the identified promise.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
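
The "unshared secret" arrangement described in the last paragraph of the message, as an added example that is not part of the original post: the customer signs the order (merchant, amount, hash of the promise), and the bank checks it while holding only a public key. The message names no scheme; a Lamport one-time hash-based signature is used here as an assumption so the code runs on the Python standard library, and the `Bank` class, the order fields, and the account and merchant names are hypothetical.

```python
import hashlib, json, secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    """Lamport one-time key: 256 pairs of random secrets; public key = their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(order):
    # Canonical JSON so customer and bank hash identical bytes.
    d = H(json.dumps(order, sort_keys=True, separators=(",", ":")).encode())
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, order):
    """Customer side: reveal one secret per digest bit. A key signs one order only."""
    return [sk[i][b] for i, b in enumerate(bits(order))]

def verify(pk, order, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for (i, b), s in zip(enumerate(bits(order)), sig))

class Bank:
    """Stores public keys only; nothing held here can authorize a payment."""
    def __init__(self):
        self.pubkeys = {}   # (account, key_id) -> public key
        self.used = set()   # one-time keys already spent (replay protection)

    def register(self, account, key_id, pk):
        self.pubkeys[(account, key_id)] = pk

    def authorize(self, order, sig):
        k = (order["account"], order["key_id"])
        if k not in self.pubkeys or k in self.used:
            return False
        if not verify(self.pubkeys[k], order, sig):
            return False
        self.used.add(k)
        return True

def demo():
    sk, pk = keygen()
    bank = Bank()
    bank.register("acct-1", 0, pk)
    # Constructed sample order; the merchant relays it with the signature.
    order = {"account": "acct-1", "key_id": 0, "merchant": "example-shop",
             "amount": "19.99", "promise": H(b"1 widget, shipped").hex()}
    sig = sign(sk, order)
    tampered = dict(order, amount="1999.00")   # merchant alters the amount
    return (bank.authorize(tampered, sig), bank.authorize(order, sig),
            bank.authorize(order, sig))        # third call is a replay
```

`demo()` returns `(False, True, False)`: the altered order is rejected, the genuine one is accepted once, and the replay is refused. Unlike a card number, what the merchant sees is useless for any other payment.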
