[Dave Birch] Several people mailed me the same link to the story about some Visa cardholders being somewhat surprised to find an unusually large transaction on their accounts.
A technical snafu left some Visa prepaid cardholders stunned and horrified Monday to see a $23,148,855,308,184,500 charge on their statements.
[From Glitch hits Visa users with more than $23 quadrillion charge – CNN.com]
How can you charge more than the GDP of the entire world to a prepaid card without a red light going on somewhere in the system? Once again, the golden rule is proven. Someone will always make a mistake, so make sure your payment system fails safe. A simple bounds check ought to do it: if PAYMENT_AMOUNT is greater than US_NATIONAL_DEBT then “refer authorisation to a human operator”, or something like that.
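As an added illustration of that fail-safe bounds check (this is example code written for this post, not anything from Visa or the CNN story), here is a small Python authorisation filter. The thresholds, the balance figure and the amount formats are constructed for the example; the one deliberate design point is that anything the code cannot make sense of, and anything absurdly large, goes to a human rather than being silently approved or silently declined.

```python
from decimal import Decimal, InvalidOperation
from enum import Enum

# Constructed thresholds for this example (minor units, i.e. cents).
# A real scheme would set these per card product and currency.
MAX_PREPAID_LOAD_CENTS = 10_000 * 100       # no prepaid card here holds more than $10,000
REFER_TO_HUMAN_CENTS = 1_000_000 * 100      # anything over $1,000,000 gets a human operator


class Decision(Enum):
    APPROVE = "approve"
    DECLINE = "decline"
    REFER = "refer authorisation to a human operator"


def check_amount(raw_amount, available_balance_cents: int) -> Decision:
    """Fail-safe bounds check on an authorisation amount.

    raw_amount is whatever the upstream message carried (str, int or Decimal),
    expressed in cents. Anything that is not a sane positive whole number of
    cents is referred to a person rather than guessed at.
    """
    try:
        amount = Decimal(str(raw_amount))
    except InvalidOperation:
        return Decision.REFER           # unparseable field: do not guess, fail safe
    if not amount.is_finite() or amount != amount.to_integral_value():
        return Decision.REFER           # NaN/Infinity or fractional cents: malformed
    cents = int(amount)
    if cents <= 0:
        return Decision.REFER           # a zero or negative authorisation makes no sense
    if cents > REFER_TO_HUMAN_CENTS:
        return Decision.REFER           # the $23 quadrillion case lands here, not in APPROVE
    if cents > MAX_PREPAID_LOAD_CENTS or cents > available_balance_cents:
        return Decision.DECLINE         # more than the product or this card can fund
    return Decision.APPROVE


if __name__ == "__main__":
    # Constructed sample authorisations against a card holding $50.00
    for raw in ("1234", 6000, -5, "abc", 2_314_885_530_818_450_000):
        print(f"{raw!r:>28} -> {check_amount(raw, 5000).value}")
```

The ordering matters: the absurd-amount test runs before the ordinary balance test, so a garbage value is looked at by a person instead of being quietly declined and forgotten, which is what lets the underlying bug get found and fixed.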
[Dave Birch] A thought experiment. Suppose you found a flaw in a widely-used payment scheme, such as EMV. Suppose the flaw had come about because of a mistaken interpretation of a specification and would take some time to fix. Would you keep the flaw secret and hope that the criminals didn’t find it, would you tell the banks, or would you tell the banks about the flaw and tell them that it will be made public in six months? I’m genuinely curious: what would you do? I’m sure that the first option is the most wrong: not exploring how to break a payment scheme means that the criminals will break it and you won’t know what to do. Consider the recent example of SIM card cloning in India, which the police apparently had difficulty responding to:
The experts said no one has actually done any research on SIM card cloning because the activity is illegal in the country.
If the good guys can’t even participate, the bad guys will always win.
[From Schneier on Security: The Ill Effects of Banning Security Research]
Bruce is, as is generally the case, right. Banning research means that only the bad guys will do the research. Hoping that the bad guys won’t find the flaw is a ridiculous strategy: it’s much better to come clean, bite the bullet and then fix it. What does “fix” mean though?