Departmental events calendar

Aad van Moorsel, Newcastle University

Title: Some Recent Attacks against Online Payment, or The Perils of Risk-Based Security Management

Many industries, including the payment industry, take a risk-assessment-based approach to cyber security. That is, security is considered a trade-off decision between aspects such as safety, usability, and costs, which is translated into a single-objective utility or financial decision. I will discuss some of the implications of a risk-assessment-based approach to cyber security decision making. I will do this mostly through examples in credit-card payment, but the principles extend to other fields and applications. In the process, I will discuss a number of practical attacks against credit-card-based payment that our research identified in recent years. These are attacks against both contactless and online use of cards. I will explain how the latest incarnation of payment systems integrates risk-based decisions into payment technologies, thus purposely designing systems that may not be secure. We will discuss this approach, and extend the discussion to the security and safety of systems other than payment.
