I spend a good deal of time following the developments in the security world. There are many good bloggers and websites that provide valuable ideas and insights into what needs to be done in order to make our world more secure. Security is an encompassing term that includes personal privacy and safety; this is ultimately what we want to achieve. While I think of the security ramifications of almost everything I do, most people don’t. The majority of the population haven’t got a notion of what actions (theirs or others’) jeopardize their overall security.
Change will undoubtedly come through regulation; it has to. I can only hope it will be done in the smart way, rather than the fast one (see UnRealID.) However, the greatest challenge will be changing people’s mentality towards security. People will need to be trained to apply these rules; otherwise they will not work in practice. This will be an onerous task.
Here’s a recent example. My father was visiting and we went to a large sporting goods store, and he ended up with a $200 purchase. He has a store “credit card” that was not on him. But he had the card’s number stored in his cell phone do-it-all gizmo. He read the number to the teller, signed the piece of paper and we left. No-one even asked for his ID!
This short story has many layers of security breaches and vulnerabilities. The teller should always ask to see the card and ID. While it is true that one does not need these when purchasing on-line, no one ever does it with a store “credit card.” The reason is that these cards are not backed by a major credit card and do not provide the same protection as VISA or MC. This means that you might not get your money back if there is a fraudulent transaction.* Even worse, your credit score would plummet. These cards are a disaster waiting to happen. Don’t ever sign up for them; the potential damages far outweigh the 10% discount on your first purchase. My recommendation to my father was to pay the balance and cancel this card immediately. I also told him to delete the CC numbers (and other sensitive information) from his cell phone, unless he is going to password-protect entry.
* sentence revised 05/18/05.
You should never just be able to rattle off a card number without showing some form of ID. At least on websites, they ask you for that special 3 digit number on the back of the card, and the expiration date, increasing the likelihood that the card is actually in your possession.
The 3 digits and date of expiration add to the appearance of security while contributing nearly none. It’s just slapping some more numbers onto your transaction for no good reason; if someone intercepts your CC#, they will get these too. I don’t think it increases the likelihood at all; it just seems that way.
The same goes for asking for mother’s maiden name or last 4 digits of your SSN. If you think about it, it really does nothing in the way of proving that you are who you say you are over the phone. Maybe it had some value 25 years ago, but not today.
What about the “holy grail” of security – your personal signature?
That is such a laugh; you don’t even have to have skill to do a more-or-less look-alike of any card holder’s signature that will pass. Not to mention the perceptive abilities of the ladies at the cash registers; surely they didn’t go to the secret CIA-learn-to-spot-a-fake-signature course.
There is an old story of a guy going to one of the big retailers. After buying his goods he paid with a credit card of some sort. The card was brand new and he hadn’t signed its back. After he signed the bill, the lady tried to “compare” his signature to the one on the back of the card. To her amazement, she saw nothing. She told the guy she couldn’t accept the payment because there was no signature on the card (so far ok…).
The guy took back his card, signed on its back, and handed it to the lady. The lady mumbled “ah ok…” and accepted the payment.
Now, this can be an urban legend, but it demonstrates fairly well the “mmm” and “ah ok” attitude they have in big stores towards credit cards.
Why not use biometric data? It is readily available at low cost. If you ask me, it is more because of the “personal” aspect a signature has. Somehow it is something you DO; it is not a property you have or a number.
Nir,
Sure, signatures do not mean much either.
You should look at:
http://www.zug.com/pranks/credit/
Not an urban legend (make sure you see all the pages.)
There are two types of stores / credit cards that make me crazy:
1. Some stores print the full credit card number + exp date on their receipts. I always think that the garbage can outside those stores is a heavenly gift for ID thieves. Saar might know one such store very well (I would not tell their name on the web!). I have confronted the store owners many times to change their receipt printing policy, but they seem not to care for the safety of their customers.
2. The new American Exp cards’ security code is printed on the front of the card. So someone may take a picture of your credit card while you shop with his/her cell phone and bang, he/she has all the info that he/she needs to buy flowers for his/her grandmother in west Ontario. At least the Visa security code is printed on the back side.
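A defender-side illustration of the receipt problem in point 1, added here and not part of the original thread: a small Python check that finds Luhn-valid card numbers in receipt text and masks all but the last four digits before printing. The masking convention (last four kept) and the sample receipt lines are assumptions constructed for the example; the card number shown is a well-known test number, not a real account.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes,
# bounded by non-digits so an order id is matched whole or not at all.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep: int = 4) -> str:
    """Replace all but the last `keep` digits with '*', preserving separators."""
    digits_seen = sum(c.isdigit() for c in pan)
    out, idx = [], 0
    for c in pan:
        if c.isdigit():
            idx += 1
            out.append(c if idx > digits_seen - keep else "*")
        else:
            out.append(c)
    return "".join(out)


def mask_receipt(text: str) -> tuple[str, int]:
    """Mask every Luhn-valid card number in receipt text; return (masked_text, count)."""
    count = 0

    def repl(m):
        nonlocal count
        raw = m.group(0)
        if luhn_ok(re.sub(r"\D", "", raw)):
            count += 1
            return mask_pan(raw)
        return raw              # digit run that is not a card number (e.g. an order id)

    return _PAN_RE.sub(repl, text), count


# Constructed sample receipt; 4111 1111 1111 1111 is a standard test PAN, not a real card.
SAMPLE_RECEIPT = "\n".join([
    "ACME SPORTING GOODS   05/18/05",
    "CARD: 4111 1111 1111 1111  EXP 08/07",
    "ORDER: 1234567890123",
    "TOTAL: $200.00",
])

if __name__ == "__main__":
    masked, n = mask_receipt(SAMPLE_RECEIPT)
    print(f"{n} card number(s) masked\n{masked}")
```

The 13-digit order id fails the Luhn check and is left untouched, so the filter does not blindly blank every long number on the receipt.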
I have worked in a variety of places that accepted credit cards, as well as having owned small businesses that were responsible for handling credit cards. (Mostly in California)
In the case of unsigned cards – they are simply not valid until signed. We often asked people to sign them before we would accept them. We then were required to check their signature against a drivers license. We never really cared whether the signature matched very closely – we were simply more concerned about how people were behaving – fraud was easily spotted by how people were behaving – nervousness is very easy to spot. If you suspect that someone is ‘pulling a fast one’ you dig a little deeper (calling for card verification, more ID etc) and that would often scare them away.
As a business owner – we always bore the cost for not following card procedures – so if we wanted to accept a credit card number verbally – that was fine – if the owner disputed the charge then we were stuck with the charge. I don’t recall ever losing any money this way – but we certainly earned a lot of trust and repeat business from customers. (We did suffer regular check fraud though.)
I am also curious about how accurate your statements about store cards are – it seems that if I dispute a charge with my ‘store card’ the credit agency must prove that I made the charge, something no retailer would risk doing to a regular customer – unless I had a history of defrauding the store. (Target recently decided to ‘fire’ customers who returned too many items after realizing there are regular scams to return merchandise then seek a discount on opened items.)
“I am also curious about how accurate your statements about store cards are”
I’ll dig deeper into this, because it is possible I do not have all the information correctly.
The relevant rule is probably the Federal Reserve Regulation E (Reg E). It’s what usually limits your liability to $50 (less is the issuer attempting to differentiate themselves.). I can’t remember how broad it is, but I think it applies to all credit cards.
Schneier said last week at ISD05 that he could toss his credit cards out into the audience and not be liable for any fraudulent charges. I think that is stretching the reality a bit – I believe for that liability cap to be effective you must notify the bank as soon as you know your cards are lost or stolen – giving your cards away and not reporting them probably shifts the liability to the holder.