With cybercrime now the second largest criminal activity in the world, measures such as the creation of an 'Internet Interpol [International police]' and better cooperation between international law enforcement agencies are needed if criminals are to be curtailed in the future, Kaspersky Labs founder and security expert, Eugene Kaspersky, has argued. Speaking at AusCERT 2011, the Moscow-based Kaspersky said the last five years had proved to be the "Golden Age" of cyber crime…
Read full story: CIO
Related topics: Cyberattack, Cybercrime, Internet Governance, Security
The big divide in Internet crime is what governments consider to be crime.
The US government and its allies consider bank fraud to be the Internet crime problem.
The Russian government is rather more concerned about 'Information Terrorism', a definition that in their view includes all forms of disagreement with the Putin regime.
So there is little prospect of any agreement on stopping Internet crime in the near future since the West places a much greater priority on freedom of speech than preventing the loss of a few billion dollars in bank fraud that the banks themselves consider too low to be worth bothering to stop.
US banks could very easily eliminate card present fraud by deploying the Chip and PIN protocol deployed in Europe. Chip and PIN has practically eliminated card present fraud in Europe. The residual fraud is almost entirely due to the need to support legacy non-Chip and PIN cards issued in the US.
Stopping online fraud is a little harder, but even this could be eliminated with a little executive branch involvement. I have a Mastercard with an embedded OTP display produced by Niagra ID that I use as a demonstrator. We could deploy that and reduce MOTO fraud to negligible levels. Smart phones are becoming ubiquitous; we could start using those as a second factor authentication tool.
Stopping Internet crime is hard, but not nearly as hard as establishing the type of international institutions being proposed here. Even if Russia signed the treaty, it is rather difficult to believe that they would enforce it when they won't even let the St Petersburg police arrest the members of the Russian Business Network. The members of the RBN are rather too useful to the GRU when Putin's mob needs a bit of hacking done against a political opponent.
There will eventually be some sort of organization like the one Kaspersky suggests but it is unlikely that Russia will be a member any time soon.
"US banks could very easily eliminate card present fraud by deploying the Chip and PIN protocol deployed in Europe. Chip and PIN has practically eliminated card present fraud in Europe. The residual fraud is almost entirely due to the need to support legacy non-Chip and PIN cards issued in the US."
http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
Yes, I know all about Ross Anderson's attack. It is embarrassing for the banks, but not actually what Ross thinks it is.
Chip and PIN has still eliminated card present fraud even with some protocol issues. It doesn't need to be very good to be better than putting the credit card number on the front of the card.
I did not design those protocols (though in the interests of full disclosure I did contribute in a modest way to a very distant predecessor). Had I done so I would not have put the PIN verification on the card the way they did. But then again, my designs all run on relatively large computers where there are no resource constraints. I don't know what the cost tradeoffs were here.
But even with the flaw as designed, the exploit discovered is of the sure-fire ticket-to-jail variety. Correcting the protocol to eliminate the flaw is trivial. While it would be very difficult to upgrade every terminal, a thief has a very high probability of being arrested if he uses the card at a terminal that has been upgraded.
The only attacks on Chip and PIN seen in the wild thus far have been relatively small (less than a million) and involved the legacy channel. From what I understand the fraud has declined as deployment progressed rather than increased exponentially as it has in other areas of card payment fraud.