I don't know if VeriSign bloggers are meant to comment on each other's blogs, but Branden Williams makes many interesting points about credit card security in his Security Convergence Blog, and one in particular that I want to pick up on:
Uhh... what? Chip & PIN is the new Holy Grail of secure card acceptance? Last I checked, it slows down the bad guys, but does not stop them. There are flaws in that system as well. Besides, you have an issue with Chip & PIN in the US... acceptance! What good is a reader if no one carries the card to use them!
The economics of Internet crime has been a major consideration in the security world for many years. The criminals are looking to make money, and professional criminals are not interested in unprofitable crimes. What is only beginning to receive attention is the economics of deploying security countermeasures. I wrote two chapters on this issue in my book, The dotCrime Manifesto. Adam and Andrew also consider it in their book, The New School.
At one level this is not a new issue: banks are always going to look at the economics of any security product and demand a return. But we have only recently begun to understand that, of the two major problems Branden identifies with Chip and PIN deployment in the US, the technical issue is the easy part; it is establishing an economic case for deployment that is hard.
Fixing the problems identified by Ross Anderson and his colleagues is simple: just implement the encryption protocol already supported in the standard. But fixing the economic case is hard. American Express has been issuing 'Blue' cards with embedded smart chips for years. I have never once seen a reader in a US store.
Deployment of Chip and PIN is probably in the interests of every party in the credit card system, or can be made so with appropriate adjustment of charges, etc. Merchants need to be compensated for the cost of new reader terminals if the direct benefit is going to fall on the banks. Card issuers have to be compensated for the cost of the chips if the direct benefits are going to be seen by the merchants and the card acquirers.
Getting this to happen in the US is not impossible, but it will take executive branch commitment to make it happen. Until recently the prospects for this have appeared remote. Internet crime is a serious problem, but terrorism and other foreign relations issues are bigger problems. But as many of us have predicted for years, Internet crime is becoming a terrorist issue and a foreign policy issue. The risk of a life-threatening Internet crime attack remains very low; the risk that terrorists might use a spot of phishing fraud to buy weapons and explosives to kill people is very high.
On the foreign relations side, there are very worrying signs that certain states have been developing a cyber-warfare capability with the intention of using it as a low intensity warfare alternative to outright war in much the same way that certain states employed terrorism in the 1970s. In some cases development of this capability has been outsourced to Internet criminal gangs.