Sambal

Peter Boothe asks twitter—

Why do we hold Internet security systems to a high standard that no offline system has ever met?

But it’s not so much that the standard is higher as that it’s different.  Counterfeiting and theft are risks for physical currency that don’t even make sense for some forms of electronic payments.  To counterfeit a credit card, you’d have to suborn a payment-processing system.  A physical credit card can be stolen but the underlying account is what’s actually of value; the account holder generally indemnified against fraud.

Contrariwise nobody has to defend against distributed physical attack – 100,000 home invasions aimed at stealing credit card information – because it’s only practical to mount such an attack  electronically.

The real problem, I’d say, is that our cultural and social systems adapt more slowly than technology changes.  For a simple example, consider that while personal accounts are insured against unauthorized debits, business accounts are not.  Since individual small businesses are on the hook for losses due to stolen credentials, enforcement efforts are weaker — effectively, banks and their insurers have chased the crooks out of consumer accounts and into business accounts.

Furthermore the cost of running electronic attacks is often very low, so the threat model for online security has to take account of even very low-payoff attacks.  This includes the classic salami attack and statistical attacks on credit card numbers.

 One reason Starbucks doesn’t use two-phase commit is that the cost of screwing up a coffee order is on the order of pennies.  A Starbuck’s that’s open for 14 hours making two drinks a minute only makes 1680 drinks.  Even with a 100% loss rate, at 10c a drink that’s only $168.  If the cost of screwing up a financial transaction is $0.0001, but the transaction can be attempted hundreds of thousands of times per minute, that’s already unacceptable.