When you work in InfoSec, there's a definite tendency to define risk within the context of what you control: technology. Of course, technical controls, or the failure thereof, are not the only context in which risk exists. There's a whole world of physical security that, usually, but not always, is divorced from information security. Some of the really smart criminals understand that this rift exists and exploit it. But this post isn't about social engineering. It's about credit card fraud. The NY Times has a good article about technical attacks that are possible against new RFID credit card readers. Guess what: the same radio technology that transmits card data to the reader can also be used by someone else to read the card data. Are you surprised?
I bring this up not because the technology is flawed, but because the article illustrates how the credit card companies manage risk. Let's lay out the objections from the credit card companies as illustrated in the article:
1. “This is an interesting technical exercise,” said Brian Triplett, senior vice president for emerging-product development for Visa, “but as a real threat to a consumer — that threat really doesn’t exist.”
2. “It’s a small sample,” said Art Kranzley, an executive with MasterCard. “This is almost akin to somebody standing up in the theater and yelling, ‘Fire!’ because somebody lit a cigarette.”
3. “It’s basically useless information,” said David Bonalle, vice president and general manager for advanced payments at American Express. “You can’t steal that data and just play it back and expect that transaction to work.”
4. "Beyond the security on the cards themselves, the companies said, they have deployed fraud detection and prevention measures that block suspect purchases. And each company stressed that cardholders were not liable for fraud."
5. "Tom O’Donnell, a senior vice president at Chase, the largest issuer of the new cards, said that the attacks described in the paper would be too cumbersome in the real world. And the researchers said that other kinds of fraud, like so-called phishing scams in which criminals trick people into revealing credit card information through misleading e-mail messages and Web sites, were currently more effective."
Four of the five statements don't actually deny the technical results of the research, but instead address the likelihood of exploit. In other words, they're largely saying that their risk analysis has determined that the likelihood of exploit is not large enough to warrant addressing the technical capability. In most organizations, this is a perfectly reasonable conclusion. There are some other points in these objections about compensating controls (fraud detection and prevention) and cardholder liability.
It's important to keep in mind that the primary goal of the credit card companies is not consumer protection, but profit. In that sense, the primary motivation for consumer protection is its effect on profit. That's what makes the end of the article interesting. Despite the results of the risk analysis that the companies have clearly done, "[a]ll of the card companies said that they were in the process of deleting names from the stream of data transmitted to the card readers." Why would they do this? If the likelihood of actual loss is fairly minor, why spend the resources to change the data that's transmitted? The answer is simple: risk can come from consumer confidence as well. Even if a loss never occurred via this attack vector, the perception of impropriety on the part of the credit card companies would have a detrimental effect on profit.
In order to arrive at this conclusion, the credit card companies had to perform a risk analysis that combined marketing, sociology, and technology. Perhaps they even went so far as to assume that some information disclosure would eventually be discovered, and deliberately built in some information they could then remove from the data stream to demonstrate responsiveness. One might ask why they would have included the cardholder's name in the first place. Maybe I'm just paranoid.