Why the multinationals won't stop cyber crime

[Jan Klimkowski]

Crystal clear article from Market Ticker's Karl Denninger on why the corporate fraudsters will not make cyber crime impossible:

More Examples of Corporate Rot

and consumer screwing by those corporations, especially the banks.

TOKYODespite spending weeks to resolve a massive Internet security breach, Sony Corp. Chief Executive Howard Stringer said he can't guarantee the security of its videogame network or any other Web system in the "bad new world" of cyber-crime.

Oh please.

Your name and address aren't valuable. Your credit card number is.

Now here's the problem: Corporations want an "easy" way to bill you on a repetitive basis. That is, you sign up for a gaming network that has a monthly charge. Having you log in every month and put in your credit card number would make it very easy to cancel. In fact, the default would be that you cancel, unless you use the service and once again approve a charge each and every month.

To prevent you from having that default, the companies store your credit card number. This means that they can present it again and again to bill you without your intervention. Incidentally, this has, over the years, led to many abuses where it becomes nearly impossible to cancel, as the company makes it very, very hard to get through to someone who will do so (or who says they did when they really didn't.)

The obvious fix is to prohibit storing customer card numbers at all, and make "opt out" repetitive billing schemes a per-se violation of card regulations.

End of problem.

Now you have to sign in every month and once again request billing, providing your card number each time. Now the company never stores that number. Now the thieves can't steal the database from the company. Sure, they can intercept the data flow in real time but now they only get the transaction stream they intercept and not the entire treasure trove.

Industry, of course, doesn't like this idea. But it stops most of the abuse instantly.

There's a second way. Again, as with the first, companies are barred from storing numbers. But now to make recurring billing possible when the charge is submitted the company also sends up a field with the maximum and minimum charges permitted and the interval authorized (e.g. "$20, $20, 1 month" for a $20/month service.) The card protocol is modified so that when the "APPROVED" response comes back it includes a one-way hash of sufficient length that it is basically impossible to guess a valid one.

The bank in question has this hash and the card that generated it along with the limit and the merchant that authorized the charge.

That hash is now valid to generate a charge only within the parameters authorized for a period of time (say, one year) and only from the same merchant. The interchange network need only store the hash itself, time it is valid for and prefix it for the issuing bank so it knows where to route future presentments of the same hash for the time period it remains valid.

A thief who steals the database now steals nothing. The hash is invalid when presented from any other party, and there is no way to reverse the hash to obtain an actual card number.

Further, the issuing bank, being the one who generated the hash, now can expose that to the customer and allow him to revoke it at any time. Now if you "can't cancel" the solution is easy - you sign into your card company's web site and revoke the authorization from your end!

So why haven't either of these things been done?

Simple: The Banksters and corporations like bending you over the table. They claim this is for your "convenience" but it really isn't - you get nearly impossible to cancel "services" that you no longer want and the creation of these security problems which, in some cases when they're small scale customers do not catch and thus they pay these unauthorized charges, which benefits the bank as well as they get to keep the transaction fees.

If we had actual consumer protection in this country the card networks would be forced to implement this system, rendering these issues moot.

But then those companies wouldn't be able to create "almost-impossible to cancel" services, would they?