Comment by hedora
3 years ago
This sort of thinking has been prevalent in the payments industry for a long time, and I find it infuriating.
The article is specifically limiting its discussion to situations where a payment credential is stolen. Those cases cost $10-20B per year.
This is HN, so most people here can figure out how to secure payment credentials, especially given the assumption that each credit card contains a tamper-resistant computer with durable storage (as they currently do).
Instead of ending credential theft (at least in cases that don't involve violence/coercion), the payment networks pass the cost on to vendors, then advertise fraud protection as a feature to card holders.
This only works because the payment processors' monopoly prevents the merchants from fixing the underlying security issue.
So, the payment networks charge the merchants a large percentage of sales (imagine what your local government could implement if it increased sales taxes by 3-5%!) to supposedly pay for fraud protection.
This is exactly like a classic protection racket, except that the thugs that smash up the business don't actually work for the credit card companies.
(I do agree with the premise that driving crime to zero is usually not worth the cost, but that's just "Innocent until proven guilty", and not the subject of the article.)
Merchants are even more lax about card fraud than banks. The National Retail Federation complained about the cost of upgrading to chip readers. They asked the government to force banks to eliminate PCI DSS, which would make it even easier to commit credit card fraud. PCI DSS is compliance, not security, but without it retailers would literally do nothing. Some retailers tried to get customers to switch to QR code payments linked directly to your bank account. One of these payment apps, CurrentC, was immediately breached.
Smart cards were also breached before the US switched to them.
I'd object to paying for PCI DSS if I were them, to be honest. The idea that every merchant (or credit card reader) even has access to credentials is ludicrous.
The CurrentC breach was of email lists, not the payment flow. It's embarrassing, but still a better track record than the existing payment processors (which probably suffered 10,000s of payment flow breaches as I typed this).