If US banks still need convincing on chips ...

" Merchants (or Acquirers) might levy a surcharge of 1% or so for manually entered data in line with the elevated risk, to help shoppers switch behaviour."

WOW. A merchant that does this is on a suicide mission.

"For maybe $1B the majority of merchant websites could be upgraded to process ID data via digital certificates (economies of scale would come from Merchant Acquiring banks and payment gateways making the software upgrades in common shopping cart software)"

For no charge to online merchants, issuing banks can fully secure online card payments by allowing their cardholders to turn on or turn off their card accounts. This solution is applicable to any kind of card, mag-stripe or smart card. It would not require chips or smartcard readers. This solution can also utilize one-time non-replayable time based pin-codes that are sent through out of band channels.

Guarantee of payment (cost of fraud) is part of the interchange fees that merchants pay to Issuing Banks.

If there is one entity in the payment chain that should provide the necessary security and guarantee the payment, it should be the Issuing Banks. 

"For no more than $1B, Issuers could switch 100s of millions of magnetic stripe cards to chip (and many are going to do this anyway in response to demands from travellers who have trouble using their regular US issued cards overseas)"

I have trouble using my CHIP and PIN here in FRANCE just like american travellers have trouble using their regular US mag-stripe issued cards here in France.  

Marite,

Turning one's account on and off because it's inherently insecure against fraudsters is really just shifting the risk (and the blame).  How does risk get apportioned once users are making active risk decisions?  What if they forget to turn off?

Further, I'm thinking way beyond card accounts.  The fundamental problem underlying almost all ID related fraud is that nothing stops personal data being replayed.  We should be using smartcards, smart phones and the like -- with embedded private keys -- to digitally sign our data when we present it.  Health IDs, name & address, social security numbers, anything. 

You can't jury-rig magnetic stripe cards to create digital signatures.  The technology is a total dead end in the digital economy.

Hi Stephen,

It is a very interesting topic you are talking about.

Even if I'm not convinced that you are on the right track you seem passionate and only good things come out of it.

However when you say:

Merchants (or Acquirers) might levy a surcharge of 1% or so for manually entered data in line with the elevated risk, to help shoppers switch behaviour.

You cannot be serious.

You are missing a very important component in this analysis: the client.

You cannot FORCE him to change his behavior.

Are you really serious when you say you want to surcharge 1% to the client?

Either you really don't believe in your system or you are convinced that others don't. In any case you are killing your penetration rate even before starting.

The question in everyone's head when buying something or using a service is very simple WIIFM: What's in it for me?

I'm sure that you don't think that clients are interested in security because that would be a joke, they simply don't care.

They only care about more of "things they like" and less "things they don't like".

Security is none of their concern.

Simply ask yourself what you honestly would like to have as a consumer. And be honest. Forget that you are selling smart cards and you'll find the key to success.

Consumers in the US right now want to keep their houses, have more money, be happy again by any mean. They don't give a **** about security and definitely wouldn't pay for it.

Consumers in Australia, well you know them better than me. But you need to put them at the center of any of your decisions, otherwise none of them will buy any of your ideas or systems.

"Turning one's account on and off because it's inherently insecure against fraudsters is really just shifting the risk (and the blame).  How does risk get apportioned once users are making active risk decisions?"

The risk has already been defined and merchants are already paying for the risk of accepting card payments, which is embedded in the interchange fees that they pay Issuing Banks.

Think of the Issuing Bank's authorization system as having the one and only spigot that would allow the flow of funds. This spigot can be turned on and off. It should be turned on and off.

Your idea of turning on and off this spigot requires that the control of this spigot is passed on from the cardholder to the merchant to the Issuing Bank, which is quite inefficient and still insecure considering the link between the cardholder and the Issuing Bank remains vulnerable. As long as this link between the cardholder and the Issuing Bank remains expose, whatever solution you force onto online merchants will lack that universal security that should be given to cardholders.

"What if they forget to turn off?"

Cardholders will not forget to turn it off, since a 'turn-on' can be for one transaction.

"Further, I'm thinking way beyond card accounts.  The fundamental problem underlying almost all ID related fraud is that nothing stops personal data being replayed.  We should be using smartcards, smart phones and the like -- with embedded private keys -- to digitally sign our data when we present it.  Health IDs, name & address, social security numbers, anything."

Here, when we speak of Identity Theft, we're talking about social security numbers, passport numbers, driver license numbers, etc. Yes, of course, as a consumer and as a past-victim, I would not want anyone else to be able to use my Identity.

Just like my card number, whose custodian is really my Issuing Bank, other entities were responsible for issuing these other Identity cards. If and when I apply for credit, whoever needs to check my credit history has to check it with a credit bureau. Well then, this credit bureau would then be much like my Issuing Bank. My health ID was issued by the french government (CPAM), then this bureau is the custodian of my health id/'account'.

Do consumers really care about digitally signing anything? NO. What a consumer cares about is that NO ONE else other than himself is allowed to use his many different ID cards. Hence, we return to the same equation as payment cards. All of my ID accounts remain vulnerable as long as I do not have a direct link to these custodians. As a consumer, my interest lies in my ability to control the usage of my ID cards/ID accounts. Perhaps for other ID accounts that do not involve money such as my health card, it would suffice for me to get a notification each time my health card account is used.

"You can't jury-rig magnetic stripe cards to create digital signatures.  The technology is a total dead end in the digital economy."

See my comments above about digital signatures. As a cardholder, generating a digital signature truly does not interest me. What interests me is that I am able to use my chip and pin here in France to pay for a 1 euro toll, for example, because I am not able to... And since it is my money (its a debit card), I would like to be able to control what goes out of my account through this debit card. I would like to have that peace of mind that when I wake up tomorrow, the couple of hundred euros in that account is still there.

Would it appease you if I say that the system of card reader/smartcard would be more efficient if the communication is only between the cardholder and his Issuing Bank? Would you also consider that the link between the cardholder and the Issuing Bank can be secured by means other than a smartcard, static pin-code and a smartcard reader? 

Marite,

Generating a digital signature is not as complicated as you imply.  It is not something that has to "interest" any consumer.  It's a completely transparent process.  I think you know that every time you use a DDA EMV card, digital signatures are created by the card, automatically.  So nothing in my vision for securing digital identity is any more complicated for the cardholder than simply inserting their card and entering their PIN.

What I'm advocating (and it's not my solution, this is just a basic technology) is that whenever a remote party wants to know your important ID -- whether it is your name and address, credit card number, health ID, whatever -- then it's best to present that ID by way of a certificate and digital signature.  Different chips would naturally hold different IDs.  A practical example: your smart driver licence, REAL ID or ID card (in applicable jurisdictions) could carry a certificate that conveys your name and address.  Imagine you are originating a bank account online and the bank wants you to prove where you live.  You could insert your smart driver licence into a reader at your PC at home, enter a PIN, and the chip would send a tamper resistant cryptogram to the bank that includes your name and address.