
New Anyone know the logic used by credit card makers?
As I [link|http://z.iwethey.org/forums/render/content/show?contentid=38210|posted] a little while ago, the Post Office won't accept any credit card that isn't signed. If you bring one in that says on the back, "See ID" -- as mine does -- they won't accept it until you sign it in their presence and provide a picture ID.

Now if the card were actually stolen, all I would have to do is sign the card in the parking lot and they wouldn't even ask me for ID. (Which is [supposed to be] why mine says what it does on the back.) Even if there is a note specifically directing them to ask for ID they are under no obligation to do so.

So, in theory,[1] what does the presence of the signature supposedly do to decrease the likelihood of fraud?

[1] I harbor no illusions that it actually makes me any safer. I'm just wondering what "logic" they're using.
===
Microsoft offers them the one thing most business people will pay any price for - the ability to say "we had no choice - everyone's doing it that way." -- [link|http://z.iwethey.org/forums/render/content/show?contentid=38978|Andrew Grygus]
New Mmmm..... __Pretzel__?
OB. Steely Dan ref.
"Patriotism means to stand by the country. It does NOT mean to stand by the President or any other public official save exactly to the degree in which he himself stands by the country. It is patriotic to support him insofar as he efficiently serves the country. It is unpatriotic not to oppose him to the exact extent that by inefficiency or otherwise he fails in his duty to stand by the country."
~ Theodore Roosevelt
New Good ob SD reference...think I'll give it a listen now.
You were born...and so you're free...so Happy Birthday! Laurie Anderson

[link|mailto:bepatient@aol.com|BePatient]
New They think it helps cut down fraud. Better idea:
Write "ASK FOR PHOTO ID" on the back.

[link|http://www.straightdope.com/mailbag/mcredit.html|http://www.straight...mcredit.html]
---------------------------------
Many fears are born of stupidity and ignorance -
Which you should be feeding with rumour and generalisation.
BOfH, 2002 "Episode" 10
New That's what I have
Well, shorter form, I've got "See ID" on the back. But the USPS simply won't accept anything that isn't signed. If it's not signed when you come in, they ask for photo ID and require that you sign it in their presence before they'll accept it. If it's already signed when you come in, even if it says to check an ID, they won't ask for ID. Catch->22
===
Microsoft offers them the one thing most business people will pay any price for - the ability to say "we had no choice - everyone's doing it that way." -- [link|http://z.iwethey.org/forums/render/content/show?contentid=38978|Andrew Grygus]
New Have you talked to the credit card issuer?
If your credit card issuer allows for you to do what you did, then you can report to them that the Post Office won't accept a card issued by them.

Wade.

"All around me are nothing but fakes
Come with me on the biggest fake of all!"

New Checked their website
From [link|http://mastercard.com/education/fraud/fraud.html|here]:
Here are some easy steps you can take to protect yourself from fraud.
  1. Sign new cards as soon as you receive them.
It's the very first thing on their list.
===
Microsoft offers them the one thing most business people will pay any price for - the ability to say "we had no choice - everyone's doing it that way." -- [link|http://z.iwethey.org/forums/render/content/show?contentid=38978|Andrew Grygus]
New Nope. Merchant is the fall guy.
In the US, at any rate, liability for CC fraud falls on the merchant. The cardholder is insulated from all but $50 liability by law (and that waived in many cases). The CC bank denies charges. The merchant holds the bag.

Merchants, being the ultimately responsible party, can choose to accept or deny payment by card on any criteria of their choosing (within fair trade and nondiscriminatory limits).
--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]
What part of "gestalt" don't you understand?

   Keep software free.     Oppose the CBDTPA.     Kill S.2048 dead.
[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/...a_alert.html]
New Is that any kind of excuse ...
... for implementing such a brain-dead policy? In fact since the merchant is on the hook for it, and since the standard advice from the card issuer is what the merchant's brain-dead policy is based on, doesn't it seem like merchants have a good case that the card issuers are basically encouraging fraud?
===
Microsoft offers them the one thing most business people will pay any price for - the ability to say "we had no choice - everyone's doing it that way." -- [link|http://z.iwethey.org/forums/render/content/show?contentid=38978|Andrew Grygus]
New You've missed the point...
...recourse isn't with the CC company, it's with the merchant.

If you don't like a merchant's CC policies, don't patronize them, or refuse compliance. Preferably with a large sale on the register.

I've done this repeatedly at locations which expect me to sign on the line...electronically (Macy's, Best Buy, Home Depot). My biomarkers are valuable, and I don't sell them cheap (prints went for a four-month Schwab contract). A dinky $200 credit card purchase certainly ain't worth it. The first time I did this, it took about 15 minutes for the clerk and her manager to figure out what to do. Since then, I've always simply been offered a paper form to sign.

As for signing a card -- there may be a weak authentication here. If the store's policy is to check signature against card, you're going to tend to restrict use of the card to those capable of duplicating your signature. If that's not you, it's at least a smaller set of others. Again, if "check ID" is your signature, you may choose to explain this (again, a significant purchase, and a long line, are your friends) to the clerk and/or management escalation. My guess is that the USPS is going to be largely unsympathetic.

In practice, CC companies tend to be pretty good at detecting unusual card activity, and will freeze or block a card. Once the cardholder him/her self has cancelled a card, you're fully off the hook. This helps considerably.

Still, the CC infrastructure, designed for a triplicate paper world, doesn't match the needs of electronic commerce particularly well. We're eventually going to pay for this in a big way (and are currently paying for it in a small, but significant way, with a 1-2% online fraud rate, about 10 times the traditional rate). Last time I ran the numbers, fraud costs were on the order of $100 per cardholder per year (my own CC expenses aren't that high, I can only assume there's some big-ticket fraud out there).
--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]
What part of "gestalt" don't you understand?

   Keep software free.     Oppose the CBDTPA.     Kill S.2048 dead.
[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/...a_alert.html]
New I got it, but it doesn't make sense
Since the merchant is the one on the hook for fraud, you would think they would be interested in instituting real security policies that have some chance of working.

Until about two years ago clerks rarely checked the back of the card. It's becoming more common that they do. But in ~15 years of using credit cards, I have never had anyone check the signature against one on another ID or on file. Checking that it is signed, without then verifying that signature against anything, is completely worthless.

And you're right that the USPS would be unsympathetic. They kept a copy of the policy right there next to the register. From the fact that they did, and from the badly dog-eared condition of it, they seem to pull it out to show people fairly regularly. Shouldn't this eventually indicate to someone that there's a problem?
===
Microsoft offers them the one thing most business people will pay any price for - the ability to say "we had no choice - everyone's doing it that way." -- [link|http://z.iwethey.org/forums/render/content/show?contentid=38978|Andrew Grygus]
New It makes perfect sense to me
Here is my theory.

It, despite being apparently nonsensical, arises from a rather sensible dynamic. Very similar to one we bitch about in software.

Well-run companies attempt to reduce costs and maximize revenues. That means that any area of the business that is a cost center gets shortchanged, and companies try to avoid paying them, and shove as much liability for it as they can off on others. And if those others see that business as the price of doing business, they will swallow the pill.

Software companies do that with security (which is one reason their software sucks) and shove things off with their warranty disclaimers. Credit card issuers do the same thing, and shove liability (eg fraud cost) to merchants.

As for the merchants, if they don't accept credit cards, they lose a lot of business. The credit cards aren't giving them a choice, they either accept the deal as is or lose customers. If someone came out with a better designed credit card, what would happen? It would cost more to implement, no customers would use it, and so no merchant would accept it. With no merchants accepting it, no customer would want to use it and...shit.

So credit card companies have little liability or motivation to pursue real solutions. Merchants have no leverage. So merchants accept credit cards and swallow fraud as a cost of doing business.

What do you think?

Cheers,
Ben
"... I couldn't see how anyone could be educated by this self-propagating system in which people pass exams, teach others to pass exams, but nobody knows anything."
--Richard Feynman
New You've made me realize my mission
So credit card companies have little liability or motivation to pursue real solutions.

My mission, then, is to increase the rate of fraud to the point that it's economically viable to implement a better solution.

Mwah

Mwuaha





MmmmmmmmWAAAAAAAAAhahahahahahahhaa
===
Microsoft offers them the one thing most business people will pay any price for - the ability to say "we had no choice - everyone's doing it that way." -- [link|http://z.iwethey.org/forums/render/content/show?contentid=38978|Andrew Grygus]
New A profitable mission...
Until someone realizes that it is cheaper to track you down and put you in jail than to change their business model.

:-P

Cheers,
Ben
"... I couldn't see how anyone could be educated by this self-propagating system in which people pass exams, teach others to pass exams, but nobody knows anything."
--Richard Feynman
New Two problems.
The fact that there is a dog-eared copy of the policy sitting right next to the register won't get very high. The employees who know usually aren't able to get the attention of whoever should care about this. Put another way, there are too many layers of management between those who know and those who should know. If the USPS is still wholly owned by your Federal government, you could go bug your local Federal Congressman about it, I guess.

The other problem is unsigned cards - how do you control that? If the USPS was serious about controlling fraud via unsigned cards, they would have their own database of unsigned cards and refuse to honour them even after they're signed unless they check a signature another way. This, of course, is a considerable undertaking! Another way to battle that is for card issuers to require a visit in-person to pick up a card at which point you must sign it or they won't enable it. Unfortunately, this would put the onus on the card-issuers for fraud and theft, which, as everyone knows, they are most unwilling to take on.

Out of curiosity, I've been watching for when clerks doing an Amex transaction compare my signature with that on my card. AFAICS, most of them don't. I think it might be time to move away from hand-written-signature verification technology, but the prospective replacements do not seem to be inspiring confidence in their privacy and security qualities.

Wade.

"All around me are nothing but fakes
Come with me on the biggest fake of all!"

New I'm not sure I understand the problem(s).
Hi,

I'm entering this thread a bit late, I know...

Many CCs have an additional 3 or 4 digit number on the back that the clerks have to enter when they process your purchase. It's on the same strip that holds your signature, or note, so they have the opportunity/need/etc. to see your signature at the same time. I think it's there so that phone/web purchases can't be made with CC numbers stolen from a receipt (as the 3 or 4 digit number won't be there).

I agree with Karsten's post that said CC companies are pretty good at detecting unusual activity. A few months ago I discovered that a Visa Checkcard is not "just like a check". I needed to buy gas and stock up on groceries one evening. It turned out that the groceries came to about $305. I tried my Visa Checkcard (ATM card) that I always use, twice, and each time it was denied. I knew it wasn't a balance problem, so I just wrote it off as a glitch and used a credit card. The next morning I got a call from Discover asking me if I bought gas and groceries the previous night. (My ATM purchase was denied because my bank has a $300/day ATM limit and it apparently applies to the Checkcard even though I wasn't getting cash. Seems like a stupid policy to me.)

As I understand it, the purpose of having a person sign their credit card immediately is primarily so that you'll indicate you accept the terms of the contract. It's the vendor's responsibility to make sure that you're the person who signed the card (as with a paper check). Drew, if you're wanting to have the merchants check your card against a photo ID, wouldn't it be simpler to get a CC with a photo already on it? I know it's available with many of the big national cards.

I've recently had a clerk at PetSmart check my CC against my drivers license - I agree that it's very rare. But checking out of most stores I frequent is slow enough as it is - I'm sure that stores would lose business if they required more checking of IDs for purchases (unless, of course, it was uniform). I don't know how much stores lose from CC fraud compared to "shrinkage" (theft), returns, etc. Perhaps it's not something that most stores regard as a huge problem compared to other losses.

I don't quite understand Karsten's objection to signing with a light pen, loss of control of biomarkers, etc. His photo has been all over the web for years. :-) Written signatures can be scanned. Telephone and web purchases can be made without signatures, etc. And I don't know about him, but my light pen signature hardly looks like my "real" signature (which also varies at times) so if it were misused it would be fairly easy to argue that it was invalid. I feel (a little) better about using a light pen than signing a slip.

My $0.02.

Cheers,
Scott.
New There's something I hadn't thought of
As I understand it, the purpose of having a person sign their credit card immediately is primarily so that you'll indicate you accept the terms of the contract.

Now this actually makes sense. Although it doesn't explain why it's listed on their own site as a security measure.
===
Microsoft offers them the one thing most business people will pay any price for - the ability to say "we had no choice - everyone's doing it that way." -- [link|http://z.iwethey.org/forums/render/content/show?contentid=38978|Andrew Grygus]
New Speaking of biometrics. c't comparison article.
[link|http://www.heise.de/ct/english/02/11/114/|Here]. C't is a computer magazine in Germany.

As might be expected, the consumer-level biometric systems aren't tamper-proof.

[Face recognition]: FaceVACS-Logon can be outfoxed with a short video clip of a registered person.

[...]

[Capacitive fingertip print comparisons]: Although this according to the manufacturer's statements should have been impossible we were able several times to reactivate by simply breathing upon them traces of fat left by fingerprints upon the sensor's surface, thereby overcoming the biometric protection of the system. We cupped our hands above the scanner and within the shell thus formed breathed gently upon the sensor's surface. Meanwhile on the screen of the biometrically-protected computer we were able to see the contours of an old fingerprint slowly reemerge.

[...]

[Iris recognition comparisons]: What was interesting though was that all iris images taken by the system showed a bright spot in the middle of the pupil. This fact gave us the idea that - besides fulfilling the requirement of acquiring a green light by the system - we might in our next attempt at outwitting it show the system's camera human digital iris images printed on paper that had a small hole cut into the middle and behind which were placed the hidden pupils of actual human beings.

[...] etc.


They also discuss getting in by tapping into USB lines and using a bit of Perl code.

It's a good read, though the English translation is a bit rough in places.

Cheers,
Scott.
New Good read
I didn't see that in Bruce Schneier's last Cryptogram (I might have missed it though). If not, then someone should send it to him.

Cheers,
Ben
"... I couldn't see how anyone could be educated by this self-propagating system in which people pass exams, teach others to pass exams, but nobody knows anything."
--Richard Feynman
     Anyone know the logic used by credit card makers? - (drewk) - (18)
         Mmmm..... __Pretzel__? - (Silverlock) - (1)
             Good ob SD reference...think I'll give it a listen now. -NT - (bepatient)
         They think it helps cut down fraud. Better idea: - (tseliot) - (1)
             That's what I have - (drewk)
         Have you talked to the credit card issuer? - (static) - (13)
             Checked their website - (drewk)
             Nope. Merchant is the fall guy. - (kmself) - (11)
                 Is that any kind of excuse ... - (drewk) - (10)
                     You've missed the point... - (kmself) - (9)
                         I got it, but it doesn't make sense - (drewk) - (6)
                             It makes perfect sense to me - (ben_tilly) - (2)
                                 You've made me realize my mission - (drewk) - (1)
                                     A profitable mission... - (ben_tilly)
                             Two problems. - (static)
                             I'm not sure I understand the problem(s). - (Another Scott) - (1)
                                 There's something I hadn't thought of - (drewk)
                         Speaking of biometrics. c't comparison article. - (Another Scott) - (1)
                             Good read - (ben_tilly)
