PIN's and credit cards.
Quentin Campbell
Q.G.Campbell at newcastle.ac.uk
Wed, 27 Nov 2002 13:38:08 -0000
> -----Original Message-----
> From: Ross Anderson [mailto:Ross.Anderson@cl.cam.ac.uk]
> Sent: 19 November 2002 10:10
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: PIN's and credit cards.
>
>
[snip]
>
> Curiously, there is significantly more debit card fraud in the UK.
>
> This puzzled me for some time. How could spending more money
> on security, and getting the laws written in your favour, end
> up leading to more fraud?
>
> Eventually Hal Varian came up with an explanation I believe:
> moral hazard. Much debit card fraud involves dishonest or at
> least careless insiders. In countries like Britain, where
> holy doctrine rules out even the possibility of security
> failure, bank staff know that customer complaints won't be
> investigated properly or at all. So the best of them get
> careless, and the worst simply help themselves.
>
> It's examples like this that convinced me of the importance
> of studying the economics of security as well as the technology.
>
> Ross
If he has not already seen it Ross may like to add the following to his
collection of cases of dishonest insiders causing security failures.
This URL refers to a massive "identity theft" scam that was uncovered by
the FBI. As it happens, the main perpetrator was a Brit.
http://news.bbc.co.uk/1/hi/business/2513015.stm
"The FBI in New York has charged three men in connection with what it
calls the biggest identity theft case in US history.
"The trio have been charged with stealing the personal details of over
30,000 people, using them to empty their victims' bank accounts and
burden their credit cards.
"Prosecutors allege that Philip Cummings, a 33-year-old British citizen,
used his helpdesk job at a software firm contracted to credit company
Experian to steal 15,000 individual credit reports, as well as many
others from other credit rating companies."
"If convicted, he faces up to 30 years in prison for fraud, and millions
of dollars in fines."
Quentin
---
PHONE: +44 191 222 8209 Computing Service, University of Newcastle
FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."