
Oblomovka


2009-07-14

“living on the edge” returns; the ridiculousness of credit card security

I’m giving my “Living on the Edge” talk next week at OSCON. I keep telling myself it will be the same as last year’s OpenTech presentation (I pitched it to O’Reilly as “the same talk, with some of the jokes in a different order”), but of course a year has passed, and someone will launch something on Monday, and I will have to re-write it all three times, and change “Ruby” to “Haskell” in the topical jokes.

The highlight from last year’s talk was being constructively heckled by e-money expert David Birch (I believe I idly posited the switch to the Euro as the sort of centralised, high-co-ordination venture that I, out of a foolish consistency, believe can never succeed, and yet regularly do. He yelled that actually it hadn’t. My other example is Unicode, which only today I discovered has some issues of its own.)

I read David now because I can never accurately predict his opinion, which means either it’s all signal, or he is in fact a natural source of randomness, both of which are highly valuable. Here is his latest piece on the history of credit card fraud, which posits that given that everyone knows that credit cards are nigh un-protectable, it’s time we came up with something better.

That’s not a new viewpoint, but he makes a novel (to me) point. Fraud is a few points of cost for retailers and banks, which they are generally okay to swallow, but because fraud is now more scalable, those few points — which round up to billions when taken nationally or globally — have become a public-order and organized-crime issue. (Not sure if I entirely believe this yet, but that doesn’t stop it being interesting.) Some other nuggets are Paypal’s counterintuitively low fraud rate compared to traditional payment systems, and a link to a fantastic piece by Stephen Wilson summarizing the reasons why credit card security is lousy, and why organizations use all the wrong private data on you to confirm who you are. Quoting from Wilson’s list of personal data:

Biographical information, like name, address and DOB, needed by a bank or service provider to establish and maintain a relationship with distinct customers

Identifiers, like bank account numbers, that serve as a proxy for biographical data to manage different customers.

[BTW I contend that the major Internet security and privacy problems would be remedied if pure identifiers could be relied upon, so we didn’t need to ask customers for piles of corroborating details.]

Authentication data, like passwords, PINs and biometric templates, whether static or one-time, used to establish the legitimacy of someone claiming to be associated with biographical data or an identifier [Note that the CVCs started out as authenticators but now they’re so widely divulged and leaked that they’re really just identifiers. Asking for CVCs over the web is frankly inane, symptomatic of sloppy ad hoc security; we might as well move to 19 digit credit card numbers].

Service history, like account balance and transaction details, which are private between the customer and the service provider, and in the case of banking actually represents the entirety of the product.

And all the other personal information (family details, telephone numbers, work details, preferences, affiliations …) that accumulates, and which can be used for good (like tailoring customer service, or cross-selling with consent) or evil (cross-selling without consent, spamming, surreptitious linking across different domains, identity theft etc).

I love that throwaway comment that service history is “the entirety” of the banking product. That’s so profoundly true.


petit disclaimer:
My employer has enough opinions of its own, without having to have mine too.