“living on the edge” returns; the ridiculousness of credit card security

I’m giving my “Living on the Edge” talk next week at OSCON. I keep telling myself it will be the same as last year’s OpenTech presentation (I pitched it to O’Reilly as “the same talk, with some of the jokes in a different order”), but of course a year has passed, and someone will launch something on Monday, and I will have to re-write it all three times, and change “Ruby” to “Haskell” in the topical jokes.

The highlight from last year’s talk was being constructively heckled by e-money expert David Birch (I believe I idly posited the switch to the Euro as the sort of centralised, high-co-ordination venture that I, out of a foolish consistency, believe can never succeed, and yet regularly do. He yelled that actually it hadn’t. My other example is Unicode, which only today I discovered has some issues of its own.)

I read David now because I can never accurately predict his opinion, which means either it’s all signal, or he is in fact a natural source of randomness, both of which are highly valuable. Here is his latest piece on the history of credit card fraud, which posits that given that everyone knows that credit cards are nigh un-protectable, it’s time we came up with something better.

That’s not a new viewpoint, but he makes a novel (to me) point. Fraud is a few points of cost for retailers and banks, which they are generally okay to swallow, but because fraud is now more scalable, those few points — which round up to billions when taken nationally or globally — have become a public order issue, one of organized crime. (Not sure if I entirely believe this yet, but that doesn’t stop it being interesting.) Some other nuggets are PayPal’s counterintuitively low fraud rate compared to traditional payment systems, and a link to a fantastic piece by Stephen Wilson summarizing the reasons why credit card security is lousy, and why organizations use all the wrong private data on you to confirm who you are. Quoting from Wilson’s list of personal data:

Biographical information, like name, address and DOB, needed by a bank or service provider to establish and maintain a relationship with distinct customers

Identifiers, like bank account numbers, that serve as a proxy for biographical data to manage different customers.

[BTW I contend that the major Internet security and privacy problems would be remedied if pure identifiers could be relied upon, so we didn't need to ask customers for piles of corroborating details.]

Authentication data, like passwords, PINs and biometric templates, whether static or one-time, used to establish the legitimacy of someone claiming to be associated with biographical data or an identifier [Note that the CVCs started out as authenticators but now they're so widely divulged and leaked that they're really just identifiers. Asking for CVCs over the web is frankly inane, symptomatic of sloppy ad hoc security; we might as well move to 19 digit credit card numbers].

Service history, like account balance and transaction details, which are private between the customer and the service provider, and in the case of banking actually represents the entirety of the product.

And all the other personal information (family details, telephone numbers, work details, preferences, affiliations …) that accumulates, and which can be used for good (like tailoring customer service, or cross-selling with consent) or evil (cross-selling without consent, spamming, surreptitious linking across different domains, identity theft etc).

I love that throwaway comment that service history is “the entirety” of the banking product. That’s so profoundly true.

5 Responses to ““living on the edge” returns; the ridiculousness of credit card security”

  1. David McBride Says:

    I’m still waiting for banks to:

    * Start issuing secondary account numbers which can only be used to deposit funds, not withdraw them.
    * Provide a service whereby I can procure one-time account numbers which can only be used to withdraw a specific amount of money within a time-limit.

  2. James Says:

    David: virtual credit cards are a fairly well-established one-time account number withdrawal product in the US – PayPal, Citibank and Discover offer them.

  3. Peter Stuifzand Says:

    I’ve been looking online for your talk about “Living on the Edge”. I think the ideas you’re talking about are really important for people in the coming years.

    One important part of the changes that will have to be made is the conversion to IPv6. It’s the addressability part of your talk. It’ll let people decouple themselves from companies (and websites). Or a home computer that will replace the home telephone using some kind of voip software. It could even redirect to the person that would like to get the call. Let’s replace PSTN phones and SMS, just like we replaced typewriters and faxes.

    I’m not sure why I’m writing this here. But it seems innovation is held back by not having (easy) addressability. We need to take back the web :)

  4. James Says:

    Addressability is only half the battle – being able to easily open incoming ports is the other. Default allow for IPv6 in the Airport Extreme got Apple smacked down by Homeland Security. Also how to automatically configure subnets for your residential PPPoE user with wireless and wired network segments.

  5. Saltation Says:

    > service history is “the entirety” of the banking product. That’s so profoundly true.

    The older you get, the more you realise the trite-sounding, oversimplified-sounding claims of the old bankers are the most accurate.


