PIN's and credit cards.
Ross Anderson
Ross.Anderson at cl.cam.ac.uk
Tue, 19 Nov 2002 10:10:16 +0000
> I have actually *heard* that the general security level (as well as
> "attitude" when it comes to security) amongst cards issuers/acquirers
> vary slightly between different countries. Maybe someone (Ross?) could
> verify/comment on that?
Countries fall into roughly two categories - those, such as the USA,
where the onus of proof falls on the bank when a transaction is
disputed, and those, such as Britain, where the onus of proof falls
on the customer.
In the USA, most banks don't bother with fancy security precautions.
They do PIN encryption in server software rather than using crypto
boxes. They invest more in technologies such as ATM cameras that get
evidence of fraud after the fact.
In the UK, and other countries where the banks have the legal
whip-hand, they invest heavily in all the crypto boxes that VISA
recommends. If you complain, you are told that you must have done it
since a transaction cannot be made without a card and the
corresponding PIN. If it goes to court, there will be a huge big story
about how 3DES can't be broken, how the IBM 4753 is totally
tamper-proof and in any case takes three men to lift, and so on. So
the security expenditure is much higher. (One exception is that the
banks here are not so keen on ATM cameras: the Alliance and
Leicester put them in almost ten years ago but removed them, I
understand, after pressure from other banks.)
Curiously, there is significantly more debit card fraud in the UK.
This puzzled me for some time. How could spending more money on
security, and getting the laws written in your favour, end up leading
to more fraud?
Eventually Hal Varian came up with an explanation I believe: moral
hazard. Much debit card fraud involves dishonest or at least careless
insiders. In countries like Britain, where holy doctrine rules out
even the possibility of security failure, bank staff know that
customer complaints won't be investigated properly or at all. So the
best of them get careless, and the worst simply help themselves.
It's examples like this that convinced me of the importance of
studying the economics of security as well as the technology.
Ross