What’s Wrong with this Picture?
OK, so how does a credit card work? Well let’s see. We have a number, which we need to keep secret. If a “bad guy” learns it, they can use it to charge against us… and otherwise impersonate us.
However in order to use it we need to share it with individuals and organizations that we have no fundamental reason to trust! What’s wrong with this picture?
Yet, for years before the Internet boom, this business practice worked fine. Perhaps that was because in the event of fraud, it was easier to track it down as shared numbers couldn’t be zapped across the globe in a matter of seconds. There was “friction” in the transfer of information.
But the Internet has made the friction go away. So now we have attackers breaking into servers and stealing millions of card numbers. We have attacks where numbers are stolen quasi in-flight. There will be more ways card numbers are stolen in the future.
The payment card industry has attempted to address merchant security with its security standards. But these standards have to recognize practical limitations, so they leave holes (and in some cases they require steps that are costly, but add minimal security). The problem is once you have standards such as this, it isn’t about security anymore, but about compliance. You hear of companies who have positions with titles such as “Chief Compliance Officer.” Yet compliance doesn’t ensure security. In fact it can reduce it because it doesn’t value actions that improve security but do not improve compliance!
But let’s get back to the fundamentals. What’s Wrong with this Picture? There is a fundamental disconnect when we have a secret value that we *must* share widely. We need a better solution. And they are out there… but it will require a major change in how credit cards work. So the question is, how much more money needs to be lost and how many more people need to be inconvenienced before the trade-off leans toward solving this fundamental disconnect?
I understand and completely agree with your point. As you very well know - changing the system is extremely difficult since it, this fine credit card system, is essentially the basis for commerce. How can we use the current system to better employ security techniques in a way actually usable by human beings with limited understanding of the issues? I like what some banks are doing - offering (on the internet) the ability to obtain short-term credit card numbers with appropriate limits on time and dollars. This is essentially using my current card as a qualifier to obtain other short-term card uses. This is, of course, analogous to short-term PKI certs and so on. If we could do this in a way where the net was not so required - or distribute it via telephones (isn’t this what Bank of America and the MIT center for the future of banking should be doing?) so anyone could use it - then we might make the overall system better by limiting exposures. It ain’t perfect - but I think it is better.
/mrg
April 17th, 2008 at 10:05 amThe EMV (EuroCard, MasterCard, Visa) protocol which authenticates via a smart card chip in the card, has existed for years. All European cards have these. If/when the losses get big enough, people will move to such technologies.
Donald
August 23rd, 2008 at 10:49 pm