The good, the bad and the polymorphic - PowerPoint PPT Presentation

About This Presentation

Title:

The good, the bad and the polymorphic

Description:

To buy software. To buy access. To buy music CD Roms (www.MP3.com) ... 'Free gift if you buy with NR' So customers will prefer them too. Dr Alan Solomon ... – PowerPoint PPT presentation

Number of Views:22

Avg rating:3.0/5.0

Slides: 42

Provided by: alanso4

Category:

more less

Transcript and Presenter's Notes

Title: The good, the bad and the polymorphic

1
(No Transcript)
2
Credit Card fraud on the Internet
3
But we already solved this

The engineer, the physicist and the computer
security guru

4
CC Fraud

The myth
The reality
Who gets hurt?

5
The myth

Wily hackers stalk cyberspace, sniffing packets
and assembling them to get your credit card
number so they can steal from your account
The customer loses money

6
The reality

Inadequate narrative
Kids making up numbers
Repudiation
The merchant loses money

7
The CC system

Designed for retail
Adapted for Mail Order
Adapted for Phone Order
Adapted for Net Order
A bridge too far

8
Inadequate narrative

I bought some stuff from Starship
I got a CC bill (no invoice)
Two months later, I got another bill
From American Computer Products
Who are they???

9
Adequate narrative

Merchants should be given 120 characters for
narrative
Carried through to the statement
So the customer knows what its for

10
Kids making up numbers

To buy software
To buy access
To buy music CD Roms (www.MP3.com)
To buy other virtual goods/services

11
Making up numbers

Six digit bin number
Any nine digits
Luhn check (mod 10)
Why is it so easy?
Because the banks dont see the cc number as a
password, they see it as a username (account
number)

12
Creditmaster

4000 13 ATT Universal
4013 Baltimore Bank
5100 Southwestern States
5172 First Bank Card Center
5419 87
etc

13
Creditmaster

I phoned up the 4013 bank
Told them about it
Gave them a dozen examples
They dont seem to see it as their problem
They dont care

14
Chargebacks

Merchants have no defence
Imagine you sold a newspaper for 1
Two weeks later, the customer comes back
Takes 1 out of your till
You watch, and wonder why this is allowed

15
Chargebacks

Or nine months later ...

16
Chargebacks

Merchants need non-repudiable transactions
Technically easy
Whoever does it first, will become the currency
of the internet

17
Non-repudiability - the NR-card

Limit liability up to 50
If you lose your money, tough luck
Just like losing 50 in your wallet
Merchants will offer deals that persuade
customers to use the NR-card

18
Non-repudiability - the NR-card

Merchants will prefer them - no chargebacks!
NR-price, 25 off!
Free gift if you buy with NR
So customers will prefer them too

19
Non-repudiability - the NR-card

NR-card comes with a CD Rom.
CD Rom has dual key cryptosystem and your two
keys
The CD Rom becomes your digital signature for
that card
I dont need to tell you folks whats on that CD
Rom!

20
But thats the future

What about now?
Were stuck with a CC system designed for retail.
We have to do the best we can with what we have

21
Risk management

Get a lot of detail from the customer
Name, address, post code, etc
Name of issuing bank
Customer support number

22
Risk management

Check the country hes from, against the IP
address
Check the Zip code against the state
Check the phone number against the location
Check for creditmaster numbers

23
Risk management

Check the bank name
Check the bank support number
Buy the 5000 list of bank names/bin numbers
Or make your own

24
Risk management

Offer a high-price option that no-one should ever
want
except someone who doesnt care how much hes
spending

25
Risk management

When you get a fraud, dont give a refusal to the
customer
Say Hello, Mr Customer, heres what you ordered
there might be a slight delay
please be patient
youll get it within 48 hours

26
Risk management

were doing the best we can
due to a computer crash, there will be a
slight delay
the recent problems in New Orleans has meant
we value your custom and thankyou for being
patient
your business is important to us

27
Risk management

I call this the inefficient bumbler
The grammatical mistakes are to make it look more
authentic
Many companies do this anyway, so he wont
realise hes getting a run-around

28
Risk management

Why?
Well, if you say That card was no good, please
try again
What do you suppose hell do?

29
Risk management

If you can, give him something a bit like what he
ordered
But which doesnt work very well (slow, or less
functionality)
Since you wont be billing his card, you arent
defrauding him
Hell stop trying to defraud you

30
Authorisation

What most people think is It doesnt guarantee
payment, it only checks that there sufficient
funds in the account
This isnt quite correct

31
Authorisation

In fact, if its outside the UK, auths go through
Visa-net
If the amount is small, Visa-net can just check
the first six digits (bin number) and the modulo
Whoopee.

32
Authorisation

So, authing doesnt give the merchant the risk
reduction he thought it did
But it can lead to higher costs, via referrals
Heres how

33
Authorisation

Authorisation eq Go ahead, bill
Decline eq No way, Jose
Referral eq Maybe. Phone us up and well talk
about it.
This takes 5 to 10 minutes, and requires two
people
This is the Modern Electronic Credit Card System

34
Referrals

One-in-N banks choose one in three or one in 20
and do a referral
If you have a lot of customers, then youll get a
lot of referrals
Each referral is 5-10 minutes, two people

35
Referrals

Why wasnt this a problem before?
Because merchants had floor limits
Below the floor limit, no need to auth
With the Modern Electronic Credit Card System
all billings must be authed. Even 1.00
Even though authing doesnt ensure that the card
even exists!

36
Referrals

When the amount is 10, the bank gets 0.40. Can
they hire people for 1.50 per hour?
The current system for internet commerce in the
UK is about to break down

37
Chargebacks