
May 15, 2007

Ross Anderson on the E-Gold Connection

Ross Anderson has written a thought-provoking paper on the role of non-bank payment transfer systems such as E-Gold in Internet crime. In particular he claims that revocability in a payment scheme is more important than identity.


The paper would be rather better if he could resist making unsubstantiated (and untrue) statements in the introduction such as "The SSL/TLS protocol was designed in the mid-90s to dump compliance costs on users". The purpose of SSL was to enable Internet retail. The original designers of SSL were entirely US-centric, and to the extent that they considered compliance costs at all they were dumping them on the merchant, not the user. At the time cryptography was strictly controlled by US export regulations, which limited the effective key size of exportable software to 40 bits. Online banking over SSL only became practical after the introduction of Server Gated Crypto by VeriSign some years later, which allowed export browsers to negotiate full-strength keys with approved server certificates.


Another irritation is the claim "Windows Vista makes huge efforts to protect premium video content, but almost no effort to protect users' credit card numbers." Again this is assertion, not fact. The CardSpace technology deployed in Windows Vista is explicitly designed to enable the next generation of secure commerce. Microsoft's commitment to CardSpace is evidenced by the fact that they have made it available for the XP platform as well. Microsoft can hardly be faulted for having a more comprehensive security story on DRM; the movie industry knew what it wanted from Vista long before the design phase started. They knew what to ask for and they got it. The financial services industry has still not decided what it really wants, and in any event the problem of phishing only emerged as a major issue after the Vista feature set had been defined.


Beyond these points Anderson does correctly identify the fact that non-bank payment mechanisms play a major role in enabling phishing fraud. The criminals are not really interested in credit card numbers; it's the money they want. In particular, banks that are diligent in revoking fraudulent payments are likely to benefit from the displacement effect as the criminals move on to target banks with lax controls.


I don't think that revocation is a magic bullet or that it is more important than any other factor. It may be the most effective tactical measure available at the current time but it is clearly a tactical measure, not a strategic one.

Another important issue identified is the potential role of social networking. A social network is rather harder to fake than a gas bill. Yet regulation is driving the replacement of traditional methods of risk control with due diligence that is easier to audit but also easier to compromise.


Anderson makes important comments on the supposed 'infallibility' of Chip and PIN: it is a risk mitigation scheme and we should not assume that it eliminates all fraud risk. Even if Chip and PIN does turn out to be infallible, traditional credit card frauds will still work for as long as card-number-only transactions under the MOTO (mail order / telephone order) rules or magnetic stripe transactions are allowed.


Since the paper was written the E-Gold principals have been indicted on a range of money laundering charges. It will be interesting to see how the case turns out.

May 1, 2007

DDoS no longer profitable?

A report from Symantec claims that DDoS attacks are declining because they are no longer profitable. Symantec argues that it costs a lot to keep a DDoS attack going; if the target refuses to pay up, the attacker's cost continues indefinitely.

I suspect that there is another element at play here. The operator of a traditional extortion racket provides a guarantee of protection against attacks by other criminal gangs. The cyber-extortionist only promises to stop their own attack. Paying off the extortionist is expensive and provides no guarantee of service. Paying for a DDoS protection service might cost more than paying off the first attacker but certainly less than paying off the nth attacker.

Another relative weakness of the cyber-extortionist is that an economic threat is much less powerful than a threat of violence. The business targeted by a cyber-extortionist is much more likely to respond by contacting the police. When a DDoS extortion gang targeted UK bookmakers Ladbrokes and William Hill, they promptly called Scotland Yard; when the crooks' accomplices appeared to collect the wire transfers they were immediately arrested [BBC].