|
Maintaining an 150 year old house requires two things, a lot of time and a lot of trips to the hardware store. Since the closest hardware store to my house is Home Depot, it is rare that a weekend passes without at least one trip to Home Depot. So now in the wake of the Home Depot data breach I am through no fault of my own in a situation where any or all of the bank cards I use regularly could be cancelled if the issuer decides they might be compromised. And this is not the first time this has happened to me this year.
The global electronic payment infrastructure is under attack by a well resourced and highly skilled group of adversaries. But the attacks against the US banking infrastructure succeed for one simple reason: The US card payment infrastructure is based on an architecture that is inherently insecure. All the data required to authorize a transaction is encoded in the magnetic stripe on the card. Which makes the criminal’s task very easy indeed. US banks still follow the original ‘Diners Club’ security model: Don’t make it hard to make fraudulent payments, make it easy to catch the people who try.
Think about this for a moment, doesn’t this sound rather like the situation with DNS security? DNSSEC was first proposed over two decades ago but the proportion of DNS records that are signed remains small and the number of parties actually validating signatures is negligible.
What is different in the payments world is that the secure alternative doesn’t just exist, it is deployed and widely used. This year is the tenth anniversary of the Chip and PIN payment card security system entering public use in Europe. The Chip and PIN system is not perfect but it raises the bar on committing card fraud from trivial to very difficult. Card Present fraud, that is fraudulent purchases made in person at a bricks and mortar store where the card is presented to the merchant, has been virtually eliminated. And most of the residual fraud exploits channels that remain open only because card readers and the payment infrastructure are still obliged to support processing of the obsolete magstripe cards still issued in the US.
It is possible to get a Chip and PIN card from a US bank, but it is not easy. Most customer service reps for the few banks that issue one are not aware they exist. Why on earth would the US banks ignore a technology that would save them money by reducing fraud?
Here we get to the key problem of deploying security: People and businesses are very keen to deploy systems that save them money, they have almost no interest in spending their money that will benefit others. When the ability to act and the incentive to act are aligned, deployment is very rapid. This is why products such as spam filtering and firewalls sell so well. When the ability to act and incentive are not aligned, deployment is stalled and the excuses pile up.
If people want to deploy DNSSEC they should think about ways to align incentives with ability to act.
Europe and the US took different paths on deployment of Chip and PIN because the deployment incentives and ability to act were aligned differently. Part of the reason for this different is structural: The US has seven thousand banks that issue cards to consumers but the merchant side of the business is concentrated in a half dozen processors. In most European countries the card issuing and merchant processing sides of the business are both concentrated in a half dozen very large banks, each of which has a more or less equally balanced portfolio of cardholders and merchants. This makes transfer of costs from one side of the business to the other much easier.
But another part of the difference is cultural, in particular the response to regulation. One of the primary functions of government regulation is to align ability to act with incentives. The European banks knew that if they didn’t act to improve payment card security, their governments would regulate to force them.
The US has a different approach to regulation. And not necessarily one that benefits corporations in the long run because instead of the alignment of incentive and ability being a legislative and executive process, the lack of action in those quarters eventually results in action in the judicial branch. Given the choice as a businessman I would much prefer regulation to litigation.
The reason that the banks are uninterested in deploying a strong payment card security model is that they have transferred their fraud risk to the merchants. According to the payment card association rules, Home Depot is required to indemnify the banks for the cost of the breach of the Home Depot IT systems. In addition to the $50 million in fraud already identified, Home Depot is in theory required to pay the cost of reissuing all the cards.
I say ‘in theory’ because these cases tend to be litigated and Home Depot would have an exceedingly good argument if it was to argue that the cost of the breach should fall on the banks because the banks were negligent in relying on Home Depot to protect the security of the card data when existing and widely deployed technology would have eliminated that dependence.
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byCSC
Sponsored byIPv4.Global
Sponsored byRadix