The "acceptable risk" concept [writes guest financial cryptographer Ed Gerck] that appears in recent threads has been for a long time a euphemism for that business model that shifts the burden of fraud to the customer.
The dirty little secret of the credit card industry is that they are very happy with 10% of credit card fraud, over the Internet or not.
In fact, if they would reduce fraud to zero today, their revenue would decrease as well as their profits. So, there is really no incentive to reduce fraud. On the contrary, keeping the status quo is just fine.
This is so because of insurance -- up to a certain level, which is well within the operational boundaries of course, a fraudulent transaction does not go unpaid through VISA, American Express or Mastercard servers. The transaction is fully paid, with its insurance cost paid by the merchant and, ultimately, by the customer.
Thus, the credit card industry has successfully turned fraud into a sale. This is the same attitude reported to me by a car manufacturer representative when I was talking to him about simple techniques to reduce car theft -- to which he said: "A car stolen is a car sold." In fact, a car stolen will need replacement that will be provided by insurance or by the customer working again to buy another car. While the stolen car continues to generate revenue for the manufacturer in service and parts.
Whenever we see continued fraud, we should be certain: the defrauded is profiting from it. Because no company will accept a continued loss without doing anything to reduce it. Arguments such as "we don't want to reduce the fraud level because it would cost more to reduce the fraud than the fraud costs" are just a marketing way to say that a fraud has become a sale.
That's because fraud is an hemorrhage that adds up, while efforts to fix it -- if done correctly -- are mostly an up front cost that is incurred only once. So, to accept fraud debits is to accept that there is also a credit that continuously compensates the debit. Which credit ultimately flows from the customer -- just like in car theft.
What is to blame? Not only the twisted ethics behind this attitude but also that traditional security school of thought which focus on risk, surveillance and insurance as the solution to security problems.
There is no consideration of what trust really would mean in terms of bits and machines[*], no consideration that the insurance model of security cannot scale in Internet volumes and cannot even be ethically justifiable.
"A fraud is a sale" is the only outcome possible from using such security school of thought. Also sometimes referred to as "acceptable risk" -- acceptable indeed, because it is paid for.
Cheers,
Ed Gerck
[*] Unless the concept of trust in communication systems is defined in terms of bits and machines, while also making sense for humans, it really cannot be applied to e-commerce. And there are some who use trust as a synonym for authorization. This may work in a network, where a trusted user is a user authorized by management to use some resources. But it does not work across trust boundaries, or in the Internet, with no common reporting point possible.
Posted by iang at July 16, 2005 09:02 AM | TrackBack"In fact, a car stolen will need replacement that will be provided by insurance or by the customer working again to buy another car."
I think that can be taken only so far, not that I know how far.
There is a limited demand for cheap (stolen) cars and parts in a country. Of course if they are being exported, due to big tariff differences, the demand would be bigger.
What if everybody had their cars stolen in say one week? In stead of a game of musical chairs being played, there would be a game of musical cars being played, or something like that. Or the demand for new cars would fall off a cliff because of the huge supply of stolen cars.
bob
Posted by: bob at July 16, 2005 07:42 AMHi Bob!
Of course, it's not an absolute position. There exists a range in which parasites can comfortably live by sucking off the host, and the host neither dies nor suffers enough to deal with the parasite.
Curiously, in the Netherlands we have just what you suggest with bicycles. There, bicycle theft is regular, routine, and practiced by a significant part of the population. Maybe not directly, but many many people will think it reasonable to purchase a bicycle that has probably been stolen the day before from someone else (price is about $20-$40).
What happens? Well, everyone ends up riding the same model of bicycle. The price of the bicycle is written off over 3 months not 3 years. And people work hard to make their new bicycles look tatty and undesirable.
It's a completely unanswered question as to where the new bicycles come from ... but when I lived in Amsterdam, I purchased a brand new bicycle that folded three ways into a 50x50x15cm package that could be carried without exciting negative attention. I took the asymmetric approach and stored it under my desk :-)
Posted by: Iang at July 16, 2005 07:59 AMInteresting point of view. But I see two flaws in the argument.
The first is that it overlooks the fact that insurance companies make a profit. Premiums paid to them must exceed the payouts. So even if the credit card customers are ultimately paying the premiums through higher charges, if they are charges the market will bear, then the difference between premiums and payouts represent potential revenue that is being lost to the credit card companies.
Unless of course there is government legislation that distorts the market by limiting the credit charges but excluding insurance premiums paid by the credit card companies from the calculation.
The other problem with the argument is that credit card companies are making an effort to reduce fraud - with chip-and-pin and picture on card being two relatively new (in the UK) innovations.
I think that the true reason behind the credit card companies being so ready to accept the cost of such a high level of fraud without trying to push the risk onto the customer is that profits are so huge that it is better for them to pay for the fraud than to risk damaging the market by reducing customer confidence. Why do you think offers of free pre-approved credit cards dominates junk mail, even from companies that are not traditionally financial institutions. Everyone from high street stores to web businesses to clubs now offer branded credit cards.
Of course the good news is that those of us that pay our credit card bills in full each month and don't take cash advances are getting a free ride - paid for by the imprudent that use the cards for credit, and those paying for their purchases with with cash or debit card who have to pay prices that have been inflated to cover the vendors costs incurred in credit card purchases, except in those rare instances where there is a surcharge on credit card purchases, which I believe the credit card companies try to prevent. I know that American Express, the most expensive of the cards for vendors to accept, had a policy where any vendor found guilty of applying a surcharge for use of an amex card (or discount for non-use) would lose the ability to accept the card.
Regards,
DigbyT
Thanks for all comments. What I published above is a short summary of a number of arguments. It's not an absolute position, or an expose' of the credit card industry. Rather, it's a wake-up call -- The time has come to really face the issues of information security seriously, without isolating them with insurance at the cost of the consumers. Why? Because the insurance model will not scale as the Internet and ecommerce do.
In other words, "CardSystems Exposes 40 Million Identities" as a harbinger. Now that we know more about the facts in this recent case, expect more to come unless we begin to improve our security paradigm.
Yes, public opinion and credit card companies can and will force companies that process credit card data to increase their security. However, as my comments shows, how about the "acceptable risk" concept that turns fraud into sales? Do As I Say, Not As I Do?
By weakly fighting fraud, we are all allowing fraud systems to become stronger and stronger, just like any biological threat. The parasites are also fighting for survival. We're allowing even email to be so degraded that fax and snail mail are now becoming atractive again.
Thanks for help stirring the pot.
Ed Gerck
I think there are a couple of points here...
Firstly, it is absolutely the case that in the payment systems world, there is an incentive to cartelise and to raise fees. This is standard practice in all industries, and tends to be more or less institutionalised in relation with the amount of regulation. Most payment systems business is the domain of the banks, and banking regulation is one of the most stringent, thus its also the most cartelised and hence the fees are high and stable. (The US is one notable exception, but that's another story).
We discover this in the net payments system world. One of the surprising things is that when we talk to those in the banking world about our "no-fee-basis-but-still-profitable" digital cash systems, we hit a brick wall. That's because we are asking them to go from fee bases of say 1-10% all the way down to 0% which means their profits shrink from say 10% of that number to 10% of nothing.
Even though they can make profits on our system, they have to forego the 100 times profits they were making. Not a compelling business proposition, and predictably, the no-fees system of Paypal now charges an outrageous 4.2% (at least as far as I can see)..... Just as Ed indicates, Paypal calls it fraud management. See yesterday's post, prior to this one! But, in this model, it's profits management. Same deal.
But there is a presumption here - there is a sort of belief that this is wrong and that something must be done. "This Must Be Stopped!" The problem with this presumption is that nobody knows how to stop it. Is it legislation? Fees manipulation? Making operators liable for fraud? Security people taking things seriously?
None of these have any concrete foundation, and indeed, any such proposal tends to look more or less as muddlingly purile as what the operators say. (Consider the debate on software liability in the US!)
The answer to this then is competition. The wise regulator knows that he can't stop the incumbents cartelising and raising fees to some comfortable level, using fraud (payments) or special services (emergency 999/911) or any of a thousand techniques. But what the wise regulator can do is encourage the new upstarts to come in and cherry pick.
And, you see exactly this. Two examples: The Federal Reserve in the USA and some others, have long signalled that they will welcome any digital currencies. That's why e-gold and Paypal survived - they were "protected" by an implicit permission from the 800lb gorilla. And that's why there was no Paypal equivalent in Europe even though DigiCash started the whole thing in Europe - because the Bundesbank said "No."
Exactly the same thing happened in telecoms. Vonage and Skype were protected for as long as possible by the FTC in the US. They full well knew that these operations were arbitraging the incumbents. And cheating on "rules" like emergency numbers. That was a sacrifice to create competition.
So what should be done about Ed's complaint that the major payment systems are encouraging fraud? Nothing, say I. Let them do it. If there is a market there for reduced fraud, then the majors being fat, happy, and blind will help the newcomer eat their lunch. After all, that's what Paypal did - started out with no-fees and now it's joined the majors.
Got a problem with that? Start a new payment system.
Posted by: Iang at July 17, 2005 09:36 AMDigbyt,
Something I've heard from a friend who works in the appropriate area in the insurance business is that the bulk of the profit they make comes not from the premiums themselves, but from investments funded by these. I found this, and the fact that they bump up premiums when the market tanks and they lose significant value there, to be unbelievable. This is especially bad since all the while they're justifying the jump in premiums by the increase in large settlements. It was from the horse's mouth though, so I have to believe it.
I think Ed might have a very valid point.
Posted by: tangan at July 17, 2005 07:15 PMIs this the spreading gangrene of Gerckian Fraud? Microsoft-ordained Obsolescence by Malware? A replacement for the end of the Intel-Microsoft MegaHertz race? you decide ... but be quick, your computer is being infected as you read.
Corrupted PC's Find New Home in the Dumpster
By MATT RICHTEL and JOHN MARKOFF
SAN FRANCISCO, July 15 - Add personal computers to the list of throwaways in the disposable society.
On a recent Sunday morning when Lew Tucker's Dell desktop computer was overrun by spyware and adware - stealth software that delivers intrusive advertising messages and even gathers data from the user's machine - he did not simply get rid of the offending programs. He threw out the whole computer.
Mr. Tucker, an Internet industry executive who holds a Ph.D. in computer science, decided that rather than take the time to remove the offending software, he would spend $400 on a new machine.
He is not alone in his surrender in the face of growing legions of digital pests, not only adware and spyware but computer viruses and other Internet-borne infections as well. Many PC owners are simply replacing embattled machines rather than fixing them.
....
Copyright 2005 The New York Times Company
http://www.nytimes.com/2005/07/17/technology/17spy.html