home | articles | links | fun | about Up to: CS432 Information Security

E-commerce (12/03/02)

Trading money for stuff at a distance

Hard part: handling the money

Players in a transaction

        [customer] <----------> [merchant]
                \               /
                 \             /
                   [  bank(s) ]

Online (3-party, includes bank) vs offline (2-party, no bank). Credit card (online) and cash transfer (offline).

The problem: fraud

Can't prevent entirely, can only manage it (actually, there's an optimal level of fraud, where the marginal cost = marginal benefit. Sometimes gets too expensive to prevent more fraud: spend $1million to prevent $1000 in fraud? ).

Want fraud to be:

• low % of total transcation value
• spread "fairly" (all users pay a little, i.e. pay first $50 of fradulent charges. If $10M in fraud, spread among 100M users (not 10!). Don't scare people from getting card). Sometimes more economical to allow some fraud.
• paid for by party who can prevent it (good principle in general)
  • incentive to prevent fraud: merchange eats cost
  • ATM cards: in US, if disputed transaction, bank ate cost. In UK, if disputed, customer ate cost. Result: in US, banks put in security cameras, and fraud dropped. In UK, customers couldn't prevent fraud.
• Economics: make person who can make change feel the burn

Traditional Credit Cards

• Bank issues card number to individual (card easy to duplicate)
• Customer, merchant meet in person
• Merchant calls bank to check card status (credit limit - velocity control. Check if card valid, not stolen)
• Bank responsible for collection
• merchant eats some fraud costs

loss management techniques

• credit limit
• AI-based scanning of transaction stream; call customer if anything odd noted.
• customer incentive to challenge bad charges

Characteristics of fraud

• mostly due to merchant-side problems
  • double or over-charging (incentive: double-charge, then take cash out of drawer)
  • dumpster-diving
• few dollars per card per year (built into transcation fees)
• traffic in stolen card numbers (card #'s not long enough, easy to make up. Checksum not crypto strong).

  Why not X out all but last 4 #'s?

  • to trace back transactions (more common to have computer record)
  • historical

Smart credit cards

Chip on card; stable memory; powered externally

Stronger authentication of the card. Not really worht cost at present (cost a few dollars/card... and that's how much fraud costs. Would have to drive fraud to near zero to be economical).

Different elsewhere in the world

• US has cheap, reliable phone service
• smartcards have some offline checks

One-time cards

Key space not large enough

• each card used once -- can't double charge
• but what it provides (anonymity), customer's don't really want

Credit cards on the phone or net

Main diff from in-person: no signature from customer. Safeguard: ship to billing address of end

Merchants take calculated risks

When selling digital bits, fraud likely. Sell software by download: less common now.

On the net: use SSL, mimic phone transaction

• prev SECSEP protocol. Advanced, but slow. Not adapted
• client-side certificates never took off. $10-20 per year, tough to use, customer doesn't care about fraud.

FICTION: signatures are not forgeable

• people rarely check
• can challenge transaction: store shows signature. Reminds honest person.
• digital signature, with those special pads: track pressure, timing, not just image itself.

Kalid at [email protected]