(keitai-l) Re: Vodafone enters m-payment arena

From: Curt Sampson <cjs_at_cynic.net>
Date: 01/16/02
Message-ID: <Pine.NEB.4.43.0201161723210.439-100000@angelic.cynic.net>

On Tue, 15 Jan 2002, Nick May wrote:

> cjs@cynic.net writes:
> >Credit card issuers are not interested in the least in reducing
> >fraud if it means they have to give away a cent to do it.
>
> I take this to mean: "Credit card issuers are not interested in the least
> in reducing fraud if it means they have to give away more than they gain
> by doing so".

Well, I'm not even sure about that. Or perhaps their perceptions
are a bit screwy. Basically, anybody who can get hold of my mail
can get several credit cards in my name and rack up many thousands
of dollars on them. Yet the credit card companies are willing to
take this risk if it means they have a small chance of gaining a
new customer. Basically, reducing fraud is further to the back of
the corporate mind than making more revenue and getting more
customers. So I'm not convinced that something that merely reduces
fraud, without generating more revenue or more customers, would
even be looked at by an issuer.

> >The one measure that would do far more than anything else to reduce
> >fraud would be to put a picture of the owner on the card.
>
> <neutral tone>Do you have evidence of this? </neutral tone>Most of the
> reports I (vaguely) recollect having seen suggest it would have very
> little effect.

I was sure I'd seen reports saying the opposite, but I could be
wrong. I have no references for this, unfortunately.

> cjs@cynic.net writes:
> >and thus has a PIN
> >keypad. Yet you'll notice that the credit card issuers don't care to
> >use this technology.
>
> I am skeptical - lots and lots of smaller places do not have this
> technology at all. (Do Taxis have it? - Can it be used in different
> countries? I am not sure)....

Well, I don't have broad international experience here. However,
in Canada pretty much *every* business, regardless of size, takes
debit cards, and thus has a keypad. In New York the situation was
similar. Perhaps elsewhere in the U.S. it's not, but from what I've
seen of the hardware currently issued to merchants by banks,
everybody these days ought to have the capability.

And even if it's not available everywhere, the issuers could still
use it where it's available.

> Are we sure that the reason cc companies do not
> use the tech is because they do not care - rather than for other reasons?

No.

> Also - a PIN is PURELY "what you know" security - if the phone is being
> identified by Vodafone then it is "what you know and what you have"
> security, possibly with "and where you are" security thrown in as well.

Uh...if you don't have the card, how do you swipe it in the reader
before you enter your PIN? This is "what you know and what you
have" security, just like the keitai idea, as opposed to just "what
you have" security, as a standard credit card transaction uses.

> On a superficial reading of your argument, credit
> card companies should be downright ENCOURAGING fraud! (It is just more
> business, on your argument.)

Right.

> Of course, they don't.

Well, it would certainly be impolitic to get up and say in public,
"Hey, folks, please go out and steal credit cards." That's not to
say that there's not some implicit encouragement behind the scenes.
Tossing a bunch of cheques in the mail that anybody can use to
write a debt up on my credit card is one thing I certainly don't
approve of, yet it's impossible to stop issuers from doing it.

As far as fraud in general goes, http://www.scambusters.org/reports/walker.html
makes interesting reading. Especially this bit:

    Through working closely with the credit card companies and
    other online merchants, I know the bottom line is this: You,
    as a merchant, are the one who is going to get stiffed! The
    cardholder is not responsible for more than $50 of fraudulent
    purchases. The issuing bank of a stolen credit card really
    doesn't care because they will simply charge the merchant back
    for any fraudulent purchases, plus a $10-$15 charge back fee.
    In fact, the issuing banks actually make $50 on these situations.
    They get the $50 from the cardholder (the cardholder's obligation),
    then they charge back each and every merchant for all the
    fraudulent charges.


> Imagine a credit card:
>
> 1)  That did not have your details printed all over it, but which was
> identified as a token belonging to you. ("what you have" security)

Certainly quite possible now, since the only viewable information
used in CC transactions now is the signature (and often not even
that!). The rest is taken from the magnetic stripe.

> 2) That required a pin. ("what you know" security.)

As debit cards do now, and have done for a long time.

> 3) That you could specify could only be used in a certain area. ("where
> you are" security.)

No problem; POS terminals are not terribly mobile.

> 4) That did not require your details to ever become known to the "girl
> behind the counter" ("need to know" security - there is nothing on the
> card)

As per 1.

> 5) That was part of something you ALWAYS carry, and is so personal you
> instinctively (not the right word, but)  know where it is at any time of
> night or day. (Go on - where is your keitai?)

I would say my wallet edges out my keitai by a slight margin. But
even considering them equal, well, no difference.

> Would that credit card be of interest? It would for me (certain searching
> questions about the security with which the PIN is sent wirelessly,
> notwithstanding)

Well, those questions are answered by just having a credit card
without a user-visible number on it, aren't they?

This is basically my whole point; I don't see what's offered here
that's not been available for years with no extra technology, should
the CC issuers have chosen to do it.

Perhaps this is the problem with "M-commerce" (whatever that is)
in general. It doesn't do anything we can't already do.

> I have lost everything, repeatedly, from car keys to credit card, - but my
> keitai is "part of my body", so it would be of great interest to me.

Well, keitais get lost too. And heck, if I drop my credit card in
a puddle, it still works! :-)

cjs
-- 
Curt Sampson  <cjs_at_cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
Received on Wed Jan 16 11:03:46 2002