(keitai-l) Re: Vodafone enters m-payment arena

From: Conrad Buck <cpbnews_at_sympatico.ca>
Date: 01/16/02
Message-ID: <000b01c19eae$4a1e91a0$90b95e41@cpb>
Hi

I have been following this conversation with interest and there have
been many good points. 

Out of interest, here in Canada we use a service called interact that
makes
You sign for goods after handing over your card by taking a small
keyboard that is attached to the cash desk and punching in a 4 digit pin
number. I can even select which account I want the money to come out of.
Again this follows long from the aspect of punching in a PIN to verify
your purchase.

As far as I am aware, fraud is comparatively low compared to using your
signature, and if anyone is from the UK when was the last time someone
checked your signature?!!! I signed 'Donald Duck' the last time I was in
England on my Visa card and no one batted an eyelid. 

Interact could be compared to Switch or Delta in the UK.  

cb

-----Original Message-----
From: keitai-l-bounce@appelsiini.net
[mailto:keitai-l-bounce@appelsiini.net] On Behalf Of Curt Sampson
Sent: Wednesday, January 16, 2002 3:56 AM
To: keitai-l@appelsiini.net
Subject: (keitai-l) Re: Vodafone enters m-payment arena


On Tue, 15 Jan 2002, Nick May wrote:

> cjs@cynic.net writes:
> >Credit card issuers are not interested in the least in reducing
> >fraud if it means they have to give away a cent to do it.
>
> I take this to mean: "Credit card issuers are not interested in the least
> in reducing fraud if it means they have to give away more than they gain
> by doing so".

Well, I'm not even sure about that. Or perhaps their perceptions
are a bit screwy. Basically, anybody who can get hold of my mail
can get several credit cards in my name and rack up many thousands
of dollars on them. Yet the credit card companies are willing to
take this risk if it means they have a small chance of gaining a
new customer. Basically, reducing fraud is further to the back of
the corporate mind than making more revenue and getting more
customers. So I'm not convinced that something that merely reduces
fraud, without generating more revenue or more customers, would
even be looked at by an issuer.

> >The one measure that would do far more than anything else to reduce
> >fraud would be to put a picture of the owner on the card.
>
> <neutral tone>Do you have evidence of this? </neutral tone>Most of the
> reports I (vaguely) recollect having seen suggest it would have very
> little effect.

I was sure I'd seen reports saying the opposite, but I could be
wrong. I have no references for this, unfortunately.

> cjs@cynic.net writes:
> >and thus has a PIN
> >keypad. Yet you'll notice that the credit card issuers don't care to
> >use this technology.
>
> I am skeptical - lots and lots of smaller places do not have this
> technology at all. (Do Taxis have it? - Can it be used in different
> countries? I am not sure)....

Well, I don't have broad international experience here. However,
in Canada pretty much *every* business, regardless of size, takes
debit cards, and thus has a keypad. In New York the situation was
similar. Perhaps elsewhere in the U.S. it's not, but from what I've
seen of the hardware currently issued to merchants by banks,
everybody these days ought to have the capability.

And even if it's not available everywhere, the issuers could still
use it where it's available.

> Are we sure that the reason cc companies do not
> use the tech is because they do not care - rather than for other reasons?

No.

> Also - a PIN is PURELY "what you know" security - if the phone is being
> identified by Vodafone then it is "what you know and what you have"
> security, possibly with "and where you are" security thrown in as well.

Uh...if you don't have the card, how do you swipe it in the reader
before you enter your PIN? This is "what you know and what you
have" security, just like the keitai idea, as opposed to just "what
you have" security, as a standard credit card transaction uses.

> On a superficial reading of your argument, credit
> card companies should be downright ENCOURAGING fraud! (It is just more
> business, on your argument.)

Right.

> Of course, they don't.

Well, it would certainly be impolitic to get up and say in public,
"Hey, folks, please go out and steal credit cards." That's not to
say that there's not some implicit encouragement behind the scenes.
Tossing a bunch of cheques in the mail that anybody can use to
write a debt up on my credit card is one thing I certainly don't
approve of, yet it's impossible to stop issuers from doing it.

As far as fraud in general goes,
http://www.scambusters.org/reports/walker.html
makes interesting reading. Especially this bit:

    Through working closely with the credit card companies and
    other online merchants, I know the bottom line is this: You,
    as a merchant, are the one who is going to get stiffed! The
    cardholder is not responsible for more than $50 of fraudulent
    purchases. The issuing bank of a stolen credit card really
    doesn't care because they will simply charge the merchant back
    for any fraudulent purchases, plus a $10-$15 charge back fee.
    In fact, the issuing banks actually make $50 on these situations.
    They get the $50 from the cardholder (the cardholder's obligation),
    then they charge back each and every merchant for all the
    fraudulent charges.


> Imagine a credit card:
>
> 1)  That did not have your details printed all over it, but which was
> identified as a token belonging to you. ("what you have" security)

Certainly quite possible now, since the only viewable information
used in CC transactions now is the signature (and often not even
that!). The rest is taken from the magnetic stripe.

> 2) That required a pin. ("what you know" security.)

As debit cards do now, and have done for a long time.

> 3) That you could specify could only be used in a certain area. ("where
> you are" security.)

No problem; POS terminals are not terribly mobile.

> 4) That did not require your details to ever become known to the "girl
> behind the counter" ("need to know" security - there is nothing on the
> card)

As per 1.

> 5) That was part of something you ALWAYS carry, and is so personal you
> instinctively (not the right word, but)  know where it is at any time of
> night or day. (Go on - where is your keitai?)

I would say my wallet edges out my keitai by a slight margin. But
even considering them equal, well, no difference.

> Would that credit card be of interest? It would for me (certain searching
> questions about the security with which the PIN is sent wirelessly,
> notwithstanding)

Well, those questions are answered by just having a credit card
without a user-visible number on it, aren't they?

This is basically my whole point; I don't see what's offered here
that's not been available for years with no extra technology, should
the CC issuers have chosen to do it.

Perhaps this is the problem with "M-commerce" (whatever that is)
in general. It doesn't do anything we can't already do.

> I have lost everything, repeatedly, from car keys to credit card, - but my
> keitai is "part of my body", so it would be of great interest to me.

Well, keitais get lost too. And heck, if I drop my credit card in
a puddle, it still works! :-)

cjs
-- 
Curt Sampson  <cjs_at_cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC


Received on Wed Jan 16 18:50:57 2002