Credit Card Contracts
Nicholas Bohm
nbohm at ernest.net
Mon, 16 Aug 1999 12:11:17 +0100
At 11:25 AM 8/16/1999 +0100, Richard Clayton wrote:
>In article <3.0.5.32.19990816093740.0093f8a0@mail.netkonect.co.uk>,
>Nicholas Bohm <nbohm@ernest.net> writes
>
>>The reason they aren't interested in making sure you're dealing with
>>someone properly identified by a chain of certificates is simple: unless a
>>merchant is signed up to the credit card system somewhere, directly or
>>indirectly, he can't get value from a card transaction. The banks can vet
>>who they will allow into the system, and rely on one another to do it. In
>>the UK, and other countries where the card issuer is jointly liable with
>>the merchant to the customer on the transaction, they are especially keen
>>to do a good job of vetting. So certificate chains are irrelevant: all
>>merchants are already identified by the banking system.
>
>ah... but you've missed an exposure here...
>
>I can construct a site called, for example, www.marksandspensers.co.uk
>(they own a whole lot of .com names, but not this particular .co.uk one)
>and set up credit card ordering upon it... [a net special!]
>
>I then spam a whole heap of newsgroups offering cheap underwear, five
>socks for the price of two, and half price woolly jumpers (just the sort
>of goods that we all buy from M&S and calculated, in stereotypical
>fashion, to appeal to the average reader of newsgroups).
>
>Behold, I get a whole heap of credit card numbers and other details
>because people trust me (I look like I'm M&S, remember).
>
>I then disappear (preferably quietly, so that there's not lots of
>publicity about what I've garnered). Chances are that M&S don't really
>wish to rush around publicising the apparently pointless scam...
>
>.... anyway, I have no relationship with the banks, or credit card owners
>and if I have any sense, I make sure I am not traceable through my
>website creation activities either.
>
>The following week I start using the credit card numbers I have to order
>goods and services. As I understand it, there is a significant trade in
>credit card numbers -- if I want to avoid risk I can just sell them into
>this black market.
>
>The credit card company abuse teams will not be able to detect the
>pattern because they will not be aware of the common factor (use of the
>fake M&S site) in a way that they could trace (eventually, through fancy
>pattern detection software) dumpster diving behind a restaurant or a
>crooked employee at a mail-order house.
>
> [[[ Ultimately, it is this threat of patternless abuse that
> makes credit card companies nervous about their numbers flowing
> across the Internet in non-encrypted packets. ]]]
My point is that the risk of the resulting fraudulent transactions falls on
the merchants, not the card issuers. I'm pleased to see the card issuers
looking after the interests of the merchants, of course, but it explains
why they aren't trying very hard.
>The classic way to prevent this scenario is to certificate websites.
>That way you know that Stephen Byers (or his successor) has promised
>that this is really M&S's website by means of approval for a CA who has
>checked out the credentials in a diligent manner.
>
>This works well for M&S (and that's why people tend to pay a lot of
>attention to certification schemes - because it is the big boys who are
>paying it attention today) but it suffers, like all certification
>schemes from the usual problem of a limited name space.
But I have no idea when my browser meets a certificated site, or meets one
that ought to be certificated but isn't, and I have no idea who decides
what certificates my browser will trust. To make this work, the contract
terms of card issuers will have to require me to attend some compulsory
education in how to use the system before they get any real protection out
of it.
>When you look at the web site for your local paper shop then it may be
>hard to associate "Alan's Newsagents" (the trading name, with
>considerable local goodwill) with "Patel and Sons Newsagents (Dorking)
>1997 Limited" who are the actual company to own it.
>
>Anyway, I suspect that the credit card companies (or at least the two
>whose contracts have been mentioned in this thread) are not convinced
>(as I am) of the ultimate practical failure of name based certification
>schemes... but have currently discounted their exposure to
>impersonators.
It sounds to me as if they're following some central advice about desirable
contract terms, without much clue about the implications. It'll be very
interesting to see what else your message turns up.
Regards,
Nicholas Bohm
Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272)
Fax 01279 870215 (+44 1279 870215)
Mobile 0860 636749 (+44 860 636749)
PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint:
9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF