
RE: Card Not Present, was Re: FW: comments

On Mon, 27 Jul 1998, Phillip Hallam-Baker wrote:

>The merchant is not expected to have expertise in checking signatures
>but if a question arises they had better have the signed receipt if they
>want to be paid.

And which must reasonably resemble the signature specimen in the
card. Further, in the Card Not Present MOTO case, a copy of the mail
order, fax, caller-ID log or voice log would make it easier for the
merchant to defend against false fraud claims. Also, they would
represent a further risk to fraudsters being caught. Hence, they can
help decrease fraud. 

Unfortunately, similar and reliable logs are difficult in the
Internet case. Which further speaks against ad hoc NR for digital
signatures, as some defend.

>Nor are they particularly expected to do much checking of the card
>and in any case it is difficult to think of many circumstances in
>which a forged card would be available for inspection by anyone
>other than the merchant!

Yes, but the point is that absence of a proper hologram would mean
more risk to the fraudster in person ... as you also agree to later

> A fraudster is put at considerably greater risk if they
>present a stolen card in person than if they do so via the Internet.

where the risk of using a false card is higher because of the

>The issues involved in the SET protocol have very little to do
>with the philosophy of PKI. They begin and end with the question
>of risk management in the context of a vast deployed infrastructure
>which has much less intrinsic security than anyone would like.

IMO, the PKI question would benefit from a systemic approach -- which
is what is also missing in SET.


Ed Gerck
Dr.rer.nat. E. Gerck                     egerck@novaware.cps.softex.br
-- Internet saves trees, WebBoy UMC saves PCs, you save time and money
