Online and Electronic Fraud – Incentives and Regulation Ross Anderson Cambridge


Online and Electronic Fraud – Incentives and Regulation

Ross Anderson

Cambridge


Payment Systems

• Early modern period: merchant bankers carried risks of financing trade

• 19th century: industrialised by letters of credit, insurance certificates, bills of lading, inspection certificates, the telegraph

• People could do business with remote merchants

• Late 20th century: the Internet and credit cards

• Would the banks earn lots as the trust provider?


A Natural Experiment

• Stronger US consumer protection
– Judd v Citibank 1980
– Reg E

• Weaker UK consumer protection
– McConville et al v Barclays et al 1993
– Banking Code, Financial Ombudsman Service

• Other countries spread out: F, De, E, ZA …

• Payment Services Directive trying to harmonise

• Some system issues becoming clear


Security economics

• Systems are often insecure because the people who could fix them have no incentive to

• 2001: people spent less on antivirus than expected, while UK banks spent more on security than US banks despite easier liability rules. Why?

• By 2001, computer viruses were already attacking third parties, not the machine owner

• Now 100+ researchers in security economics!

• What can we say now about payment networks?


Information goods and services

• Information goods and services markets tend to have three features
– High fixed costs, low marginal costs
– Network externalities
– Technical lock-in

• Together, these increase the likelihood of dominant-firm market structures where the winner takes all

• What does this mean for security?


Information goods and services (2)

• To win a two-sided market race, you have to appeal to complementers – that is, app writers
– Windows – no security at first (Win 3, Win 95, Win 98), then too much for lock-in (Vista)
– Symbian – ditto; UIQ2 then UIQ3
– Facebook – same pattern (compounded by tension between customers and users)

• Why should we expect payment networks to be any different?


EMV (‘Chip and PIN’)

• Now deployed in Europe and elsewhere

• ‘Liability shift’ – disputes charged to cardholder if PIN used, else to merchant

• Changed many things, not always in the ways banks expected!


A normal EMV transaction


Fraud in the UK since EMV


EMV shifted the landscape…

• It caused the fraud to find new channels

• Card-not-present fraud shot up rapidly

• Counterfeit took a couple of years, then took off once the crooks realised:
– It’s easier to steal card and PIN details once PINs are used everywhere
– You can still use mag-stripe fallback overseas
– Tamper-resistance doesn’t work


Tamper-proofing of the PED

• In EMV, PIN sent from PIN Entry Device (PED) to card

• Card data flow the other way

• PED supposed to be tamper-resistant according to VISA, APACS (UK banks), PCI

• Evaluations follow Common Criteria

• Should cost $25,000 per PED to defeat


Tamper meshes (Ingenico i3300)


Security economics (2)

• Acquirers and issuers have different incentives

• PEDs ‘evaluated under the Common Criteria’ were trivial to tap

• APACS said (Feb 08) it wasn’t a problem…

• The Dubai fraud


In a country where we don’t have Reg E or breach reporting laws…

• CA: 14% of households have suffered fraud losses

• BCS: fraud now accounts for 2–3m incidents a year versus 1m for traditional acquisitive crime


The ‘No PIN’ attack

• This attack lets crooks use a stolen card without knowing the PIN

• Insert bad device between card & terminal

• Card thinks: signature; terminal thinks: PIN

• Video: http://youtu.be/JPAX32lgkrw


A ‘No-PIN’ transaction


Blocking the ‘No PIN’ attack

• The card tells the issuer ‘signature used’ while the terminal tells the acquirer ‘PIN used’

• In theory: might block at terminal, acquirer, issuer

• In practice has to be the issuer (as with terminal tampering, acquirer incentives are poor)

• Barclays did this July 2010; removed by Dec 2010

• Real problem: EMV spec now vastly too complex (with 100+ vendors, 20,000 banks, millions of merchants) … a tragedy of the commons
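The two slides above (‘The No PIN attack’ and ‘Blocking the No PIN attack’) describe a wedge that answers the terminal’s VERIFY command itself, so the card never sees a PIN attempt, and an issuer-side fix that compares what the terminal and the card each report. The Python simulation below is an added example, not code from the slides or from the Cambridge group: it models a toy card, terminal and wedge, then the issuer check. The EMV details it relies on are that VERIFY is CLA 00 INS 20 P1 00 P2 80 carrying an ISO 9564 format-2 plaintext PIN block, and that CVM Results (tag 9F34) is three bytes (method, condition, result) with 0x01 = plaintext PIN verified by the card, 0x1E = signature, and result 0x02 = successful. The card’s `pin_verified` flag stands in for the issuer-proprietary ‘offline PIN performed’ bit in the Card Verification Results inside tag 9F10; its real layout varies by issuer and is an assumption here, as are the sample PIN and status words chosen.

```python
"""Toy model of the EMV 'No PIN' wedge attack and the issuer-side mismatch check.

Added example, not code from the slides.  Real EMV exchanges carry far more
data (TVR, cryptograms, CDOL data); only what the attack and its detection need
is modelled here.  The PIN and all sample values are constructed.
"""

SW_OK = bytes.fromhex("9000")                    # status word: command succeeded
SW_WRONG_PIN_2_LEFT = bytes.fromhex("63C2")      # wrong PIN, two tries remaining
VERIFY_PLAINTEXT = bytes.fromhex("00200080")     # CLA INS P1 P2 of VERIFY, plaintext PIN

# CVM Results (tag 9F34): byte 1 = method code (low six bits), byte 2 = condition
# code, byte 3 = result.
CVM_PLAINTEXT_PIN_ICC = 0x01
CVM_SIGNATURE = 0x1E
CVM_RESULT_UNKNOWN, CVM_RESULT_FAILED, CVM_RESULT_OK = 0x00, 0x01, 0x02


def pin_block(pin: str) -> bytes:
    """ISO 9564 format-2 plaintext PIN block: '2', PIN length, digits, 'F' padding."""
    return bytes.fromhex(f"2{len(pin):X}{pin}".ljust(16, "F"))


class Card:
    """Minimal ICC: it only handles VERIFY and remembers whether a PIN was checked."""

    def __init__(self, pin: str):
        self._pin = pin
        # Stand-in for the issuer-proprietary CVR 'offline PIN performed' bit (assumption).
        self.pin_verified = False

    def apdu(self, cmd: bytes) -> bytes:
        if cmd[:4] == VERIFY_PLAINTEXT:
            block = cmd[5:5 + cmd[4]]                       # Lc then the PIN block
            digits = block.hex()[2:2 + (block[0] & 0x0F)]   # low nibble of byte 0 = PIN length
            if digits == self._pin:
                self.pin_verified = True
                return SW_OK
            return SW_WRONG_PIN_2_LEFT
        return bytes.fromhex("6D00")                        # INS not supported by this toy card


class Terminal:
    """Sends VERIFY over whatever channel it is given and records CVM Results (9F34)."""

    def __init__(self):
        self.cvm_results = bytes([CVM_SIGNATURE, 0x00, CVM_RESULT_UNKNOWN])

    def verify_pin(self, channel, pin_entered: str) -> bool:
        block = pin_block(pin_entered)
        resp = channel(VERIFY_PLAINTEXT + bytes([len(block)]) + block)
        ok = resp == SW_OK
        # The terminal trusts the status word; this 9F34 is what reaches the acquirer.
        result = CVM_RESULT_OK if ok else CVM_RESULT_FAILED
        self.cvm_results = bytes([CVM_PLAINTEXT_PIN_ICC, 0x00, result])
        return ok


class Wedge:
    """Device between terminal and card: swallows VERIFY and answers 9000 itself."""

    def __init__(self, card: Card):
        self.card = card

    def __call__(self, cmd: bytes) -> bytes:
        if cmd[:2] == VERIFY_PLAINTEXT[:2]:
            return SW_OK                    # the card never sees the PIN attempt
        return self.card.apdu(cmd)          # everything else is relayed untouched


def issuer_cvm_consistent(cvm_results: bytes, card_pin_verified: bool) -> bool:
    """Issuer check: if the terminal says 'PIN verified', the card's own record must agree."""
    terminal_claims_pin = ((cvm_results[0] & 0x3F) == CVM_PLAINTEXT_PIN_ICC
                           and cvm_results[2] == CVM_RESULT_OK)
    return not (terminal_claims_pin and not card_pin_verified)


def run(pin_entered: str, attack: bool) -> dict:
    """One transaction, genuine or wedged, returning what the issuer gets to see."""
    card = Card("1234")                     # constructed sample PIN
    terminal = Terminal()
    channel = Wedge(card) if attack else card.apdu
    terminal.verify_pin(channel, pin_entered)
    return {
        "terminal_cvm_results": terminal.cvm_results,
        "card_pin_verified": card.pin_verified,
        "consistent": issuer_cvm_consistent(terminal.cvm_results, card.pin_verified),
    }


if __name__ == "__main__":
    for label, pin, attack in (("genuine, right PIN", "1234", False),
                               ("wedge, any PIN", "0000", True)):
        r = run(pin, attack)
        print(f"{label}: 9F34={r['terminal_cvm_results'].hex()} "
              f"card_pin_verified={r['card_pin_verified']} issuer_consistent={r['consistent']}")
```

In the wedged run the terminal’s 9F34 reads `010002` (plaintext PIN by ICC, successful) while the card’s record still says no PIN was verified; `issuer_cvm_consistent` is the only party in this model that sees both values, which is why the slide puts the block at the issuer rather than at the terminal or acquirer.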


Proceeds of crime

• Card networks used to collect bad money
– High-profile: child sex abuse images
– High-volume: fake antivirus software
– Controversial: gambling
– …

• Previous attempts to blacklist merchants

• Following the money preferable

• Wikileaks shows it’s possible!

• What’s the optimal regulatory regime?


Coordination problems

• Brand-protection companies obtain feeds from many places (including PhishTank)

• Their contractors don’t share feeds

• Takedown company A, who sells services to bank A, will be unaware of many sites detected by company B

• Banks would be better off if they got their contractors to share feeds, compete on takedown

• The villain’s bottleneck – mule recruitment – is pretty much ignored


Regulators and Fraud

• Regulators were too ready to believe bank assurances about credit risk management

• There is a similar problem with operational security risk management

• Wherever regulators let them, banks are dumping the risk of fraud on customers – merchants and cardholders – and even on each other

• Where they don’t, the tussle is between issuers and acquirers (the most concentrated wins)

• This is starting to create systemic risk


What I’d do

• Don’t ever water down consumer protection!

• Fed should allow PIN-based EMV only if
– No liability shift
– Spec version 5.0 fixes the known bugs

• Start thinking about online, nonbanks, proceeds of crime

• Publish decent statistics

• Foster research – economics and engineering!

• Newest problem: mobile wallets…


More …

• Kansas City Fed payments conference, Mar 29–30 2012

• Workshop on the Economics of Information Security: Berlin June 25–26 2012

• Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html

• My web page www.ross-anderson.com has not just security economics but also technical material on fraud