
Online and Electronic Fraud – Incentives and Regulation Ross Anderson Cambridge.


Slide 1: Online and Electronic Fraud – Incentives and Regulation
Ross Anderson, Cambridge

Slide 2: Payment Systems
- Early modern period: merchant bankers carried the risks of financing trade
- 19th century: industrialised by letters of credit, insurance certificates, bills of lading, inspection certificates and the telegraph
- People could do business with remote merchants
- Late 20th century: the Internet and credit cards
- Would the banks earn lots as the trust provider?

Slide 3: A Natural Experiment
- Stronger US consumer protection
  – Judd v Citibank 1980
  – Reg E
- Weaker UK consumer protection
  – McConville et al v Barclays et al 1993
  – Banking code, Financial Ombudsman Service
- Other countries spread out: F, De, E, ZA …
- Payment Services Directive trying to harmonise
- Some system issues becoming clear

Slide 4: Security economics
- Systems are often insecure because the people who could fix them have no incentive to
- 2001: people spent less on antivirus than expected, while UK banks spent more on security than US banks despite easier liability rules. Why?
- By 2001, computer viruses were already attacking third parties, not the machine owner
- Now 100+ researchers in security economics!
- What can we say now about payment networks?

Slide 5: Information goods and services
- Information goods and services markets tend to have three features
  – High fixed costs, low marginal costs
  – Network externalities
  – Technical lock-in
- Together, these increase the likelihood of dominant-firm market structures where the winner takes all
- What does this mean for security?

Slide 6: Information goods and services (2)
- To win a two-sided market race, you have to appeal to complementers – that is, app writers
  – Windows – no security at first (Win 3, Win 95, Win 98), then too much for lock-in (Vista)
  – Symbian – ditto; UIQ2 then UIQ3
  – Facebook – same pattern (compounded by tension between customers and users)
- Why should we expect payment networks to be any different?

Slide 7: EMV (‘Chip and PIN’)
- Now deployed in Europe and elsewhere
- ‘Liability shift’ – disputes charged to the cardholder if a PIN was used, else to the merchant
- Changed many things, not always in the ways banks expected!

Slide 8: A normal EMV transaction (figure only)

Slide 9: Fraud in the UK since EMV (figure only)

Slide 10: EMV shifted the landscape…
- It caused the fraud to find new channels
- Card-not-present fraud shot up rapidly
- Counterfeit took a couple of years, then took off once the crooks realised:
  – It’s easier to steal card and PIN details once PINs are used everywhere
  – You can still use mag-stripe fallback overseas
  – Tamper-resistance doesn’t work

Slide 11: Tamper-proofing of the PED
- In EMV, the PIN is sent from the PIN Entry Device (PED) to the card
- Card data flow the other way
- The PED is supposed to be tamper resistant according to VISA, APACS (UK banks) and PCI
- Evaluations follow the Common Criteria
- Should cost $25,000 per PED to defeat

Slide 12: Tamper meshes (Ingenico i3300) (figure only)

Slide 13: Security economics (2)
- Acquirers and issuers have different incentives
- PEDs ‘evaluated under the Common Criteria’ were trivial to tap
- APACS said (Feb 08) it wasn’t a problem…
- The Dubai fraud

Slide 14: In a country where we don’t have Reg E or breach reporting laws…
- CA: 14% of households have suffered fraud losses
- BCS: fraud now accounts for 2–3m incidents a year versus 1m for traditional acquisitive crime

Slide 15: The ‘No PIN’ attack
- This attack lets crooks use a stolen card without knowing the PIN
- Insert a bad device between card and terminal
- Card thinks: signature; terminal thinks: PIN
- Video: http://youtu.be/JPAX32lgkrw

Slide 16: A ‘No-PIN’ transaction (figure only)

Slide 17: Blocking the ‘No PIN’ attack
- The card tells the issuer ‘signature used’ while the terminal tells the acquirer ‘PIN used’
- In theory: might block at terminal, acquirer or issuer
- In practice it has to be the issuer (as with terminal tampering, acquirer incentives are poor)
- Barclays did this July 2010; removed by Dec 2010
- Real problem: the EMV spec is now vastly too complex (with 100+ vendors, 20,000 banks, millions of merchants) … a tragedy of the commons
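The issuer-side block described on slides 15 and 17, as an added example (not code from the slides or from any bank): the terminal states which cardholder verification method it performed in the CVM Results (EMV tag 9F34), while the card's own record of whether it verified a PIN rides inside the Issuer Application Data (tag 9F10), which the card's cryptogram covers and so only the issuer can check. The CVM codes follow EMV Book 3; the CVR bit used for "offline PIN verified" and the sample messages are assumptions constructed for this example.

```python
"""Issuer-side consistency check for the terminal/card CVM mismatch.

Added example, not from the slides. Layout of the card's CVR byte is an
assumption for this example; real card applications define their own.
"""
from dataclasses import dataclass

# CVM codes (EMV Book 3, CVM Results byte 1, low six bits).
PIN_METHODS = {0x01, 0x02, 0x03, 0x04, 0x05}   # plaintext/enciphered PIN variants
CVM_SIGNATURE = 0x1E
CVM_NO_CVM = 0x1F

# Assumed for this example: in the card's CVR (inside 9F10), byte 0 bit 0x08
# means "offline PIN verification performed".
CVR_PIN_VERIFIED = 0x08


@dataclass
class Authorisation:
    pan_last4: str
    cvm_results: bytes       # tag 9F34, written by the terminal
    issuer_app_data: bytes   # tag 9F10, written by the card, under the ARQC


def terminal_claims_pin(auth: Authorisation) -> bool:
    """True if the terminal says a PIN method was performed."""
    return (auth.cvm_results[0] & 0x3F) in PIN_METHODS


def card_verified_pin(auth: Authorisation) -> bool:
    """True if the card itself recorded a successful PIN verification."""
    return bool(auth.issuer_app_data[0] & CVR_PIN_VERIFIED)


def check(auth: Authorisation) -> str:
    """Issuer decision: compare the terminal's claim with the card's record."""
    t, c = terminal_claims_pin(auth), card_verified_pin(auth)
    if t and not c:
        return "DECLINE"   # terminal says PIN, card saw none: the No-PIN pattern
    if c and not t:
        return "REVIEW"    # card verified a PIN the terminal does not report
    return "APPROVE"


# Constructed sample messages (not real transactions).
GENUINE_PIN = Authorisation("1234", bytes([0x01, 0x00, 0x02]), bytes([0x08]))
GENUINE_SIG = Authorisation("1234", bytes([0x1E, 0x00, 0x00]), bytes([0x00]))
NO_PIN_WEDGE = Authorisation("1234", bytes([0x01, 0x00, 0x02]), bytes([0x00]))
```

The check works only at the issuer because the terminal-side fields can be rewritten by a device between card and terminal, whereas the card's 9F10 is bound by the cryptogram the issuer verifies.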

Slide 18: Proceeds of crime
- Card networks used to collect bad money
  – High-profile: child sex abuse images
  – High-volume: fake antivirus software
  – Controversial: gambling
  – …
- Previous attempts to blacklist merchants
- Following the money is preferable
- Wikileaks shows it’s possible!
- What’s the optimal regulatory regime?

Slide 19: Coordination problems
- Brand-protection companies obtain feeds from many places (including PhishTank)
- Their contractors don’t share feeds
- Takedown company A, who sells services to bank A, will be unaware of many sites detected by company B
- Banks would be better off if they got their contractors to share feeds and compete on takedown
- The villain’s bottleneck – mule recruitment – is pretty much ignored

Slide 20: Regulators and Fraud
- Regulators were too ready to believe bank assurances about credit risk management
- There is a similar problem with operational security risk management
- Wherever regulators let them, banks are dumping the risk of fraud on customers – merchants and cardholders – and even on each other
- Where they don’t, the tussle is between issuers and acquirers (the most concentrated wins)
- This is starting to create systemic risk

Slide 21: What I’d do
- Don’t ever water down consumer protection!
- Fed should allow PIN-based EMV only if
  – No liability shift
  – Spec version 5.0 fixes the known bugs
- Start thinking about online, nonbanks, proceeds of crime
- Publish decent statistics
- Foster research – economics and engineering!
- Newest problem: mobile wallets…

Slide 22: More …
- Kansas City Fed payments conference, Mar 29–30 2012
- Workshop on the Economics of Information Security: Berlin, June 25–26 2012
- Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html
- My web page www.ross-anderson.com has not just security economics but also technical material on fraud

