[cap-talk] Costs of ecommerce fraud

[Jed Donnelley]

<I'll just mention that I've been following the petname
antiphishing thread.  I agree with all that's been said,
particularly with regard to exposing passwords to shoulder
surfing - surprised that one even came up.>

On a related note I thought this message might interest
people on this list:

http://marc.info/?l=cryptography&m=118296865429174&w=2

particularly this:
________________________
The story begins with E-Trade's 10-Q filing of 17 November,
which filing is at [1] and elsewhere.  In that 10-Q, we have
this paragraph:

 > Other expenses increased 97% to $45.7 million and 55% to
 > $101.9 million for the three and nine months ended September
 > 30, 2006, respectively, compared to the same periods in
 > 2005. These increases were primarily due to fraud related
 > losses during the third quarter of 2006 of $18.1 million, of
 > which $10.0 million was identity theft related. The identity
 > theft situations arose from recent computer viruses that
 > attacked the personal computers of our customers, not from a
 > breach of the security of our systems. We reimbursed
 > customers for their losses through our Complete Protection
 > Guarantee. These fraud schemes have impacted our industry as
 > a whole. While we believe our systems remain safe and
 > secure, we have implemented technological and operational
 > changes to deter unauthorized activity in our customer
 > accounts.

In other words, remote exploitation of individual customer's
computers, doubtless many of them home machines and the
laptops of road warriors, eventually lead to a loss for
E-Trade that was material enough to appear on the 10-Q.
___________________________

The bottom line for me is that there isn't much hope
for ecommerce if user systems are generally compromised.
It seems to me there might be an opportunity there.

--Jed