In article <telecom24.53.10@telecom-digest.org>, Robert Bonomi
<bonomi@host122.r-bonomi.com> wrote:
>> In article <telecom24.50.6@telecom-digest.org>:
>>> [TELECOM Digest Editor's Note: I do not understand one thing: If
>>> people have already been verified as to their ability and
>>> willingness to pay for their groceries through their credit card
>>> and their personal identification has been verified in much the same
>>> way by the credit card people, then *why* would people want to go one
>>> step further by enrolling in 'Pay by Touch'? Is this intended as one
>>> way to 'save them time' by not having to sign a credit card slip? In
>>> other words, touch your thumb or finger somewhere rather than taking
>>> a couple seconds to sign a slip of paper? Now, if the grocery people
>>> had set up their own credit system *in place of Visa/MC* by using a
>>> thumb/finger print, I can see where that might be useful, but
>>> otherwise, why bother? PAT]
>> Gee, I dunno.
>> Like maybe you _don't_ have to have your card, *or* card number, with
>> you.
>> Like, no hassles if the mag stripe doesn't read.
>> Like, no opportunity for a dishonest cashier to memorize the number
>> off your card.
>> Like, maybe, *nobody*else* can buy anything with that card number at
>> that store. i.e., if it's a 'pay by touch' card, "no touchee, no
>> tickee", and if the fingerprint _doesn't_ match, "no sale".
>> You're right, I can't see why anybody would *consider* bothering to do
>> something like that.
>> [TELECOM Digest Editor's Note: Well, let's see ... maybe I was caught
>> shoplifting at a grocery store in Iraq or Iran and the Taliban chopped
>> off all my fingers as part of the punishment.
> Strawman -- not a _bad_ strawman despite the stretch, but still a
> strawman.
> Then, obviously, you would not _elect_ to use their *optional* system,
> would you? And then there's no problem for you, is there?
> Or didn't you notice that it is a _voluntary_participation_ system?
>> And one of the terms for accepting MC/Visa cards required by
>> many/most/all of the card issuers is that the store is *not*
>> permitted to demand any other form of identification. The card is to
>> stand on its own regards ID, *if the holder is using it for
>> payment*. So your 'no touch, no sale' idea is not possible in many
>> stores.
> When the store has a prior *signed*, verified, validated, directive
> from the card-holder on file that says "do not allow any charges
> against this card number unless the fingerprint matches the one I have
> provided on file" the store most certainly *can* demand the
> fingerprint.
> Agreed, the store cannot do it on it's _own_ initiative. However, that
> is simply not the situation with regard to a _voluntary_participation_
> program such as the one under discussion.
>> I can see where fingerprints might be
>> used in lieu of an actual plastic but I do not think it can be a
>> requirement *in addition to* plastic.
> Making clear that you did not bother to *read* the original article.
> A) this is not a 'required' system.
> B) the fingerprint _is_ used *INSTEAD* of the plastic.
>> And when a clerk is caught making an unauthorized sale using someone
>> else's card the answer is simple also. Fire and presecute them. PAT]
> "Simple"??? *snicker* No, make that <*GUFFAW*>
> First off, that _assumes_ that the clerk got caught.
> Second, 'unauthorized sales' can make for a _gawdaful_ mess of
> problems for the actual card-holder. Just imagine that you're going
> on vacation. And have made sure that your card has a _zero_ balance
> outstanding. You get to your destination, and offer the card to pay
> for your hotel room, and get told "card not accepted -- over credit
> limit". Where are you, the wife, and kids, going to sleep tonight?
> Getting an 'unauthorized sale' off your account can be *difficult*.
> Consider a telephone order (one where the merchant asked for, and
> _got_ the 'security code'), that was actually _delivered_ to YOUR
> address, and signed for in your name.
> I have relatives who have been the (almost) victim of *precisely*
> that. They got wind of things shortly before the order was to be
> delivered, and law enforcement was waiting when the delivery truck
> came by. A guy _outside_ the house pretended to be the 'addressee',
> and signed for the package. Whereupon the cops pounced.
> [TELECOM Digest Editor's Note: Oh, I dunno about this last part, where
> one supposedly has a hard time catching the clerk 'in the
> act'. Walmart does okay on it. The stores here in southeast Kansas
> employ 'shoppers' for just that purpose,
<snicker> *GUFFAW* [[ sigh. I'm repeating myself. ]]
The ones who get 'caught in the act' are the bozos, incompetents, and
amateurs.
Consider, for example:
Scenario:
A card fails the mag-stripe 'read' -- i.e. it doesn't "swipe".
The cashier gets the card, to manually key in the number.
(the cashier also *memorizes* the 16 digits of the card, and the 3 digit
'security' code. This does _not_ take much time -- how fast can you
commit 2 phone numbers to memory? )
The cashier returns the card to the customer.
The *completely*correct* transaction is completed.
Just _what_ is the 'shopper' going to report to management? Besides the
fact that the cashier did their job "right"? Even a security camera
recording the cashier's every move isn't going to show anything wrong.
Got any idea how many times a day that *that* scenario actually occurs
for any given cashier? Sould you believe 'several times per *hour*'?
"Capturing" _one_ card a day is a relatively trivial memorization
task. Two or three would _not_ be a problem for most people. That's
enough to make for a nice 'supplemental' income.
Scenario, part II:
After the cashier gets off-shift, and has _left_the_premises_, s/he
writes down the previously memorized numbers. Then, that week-end, say,
s/he meets up with "A. Mafiosi", who pays say, $20 for each card number
with security code; $50 if the "name" that goes with the card is also
available, and $150 if the _address_ is also provided. (Maybe it's a
regular customer that often pays by check, but used a card _this_ time.)
Scenario, part III:
Our friend, "A. Mafiosi", sits on the purchased info for a couple of
weeks -- hell, maybe a couple of -months-. Then he turns a crew loose
to make a bunch of fraudulent purchases, using card numbers that came
from several _different_ places, at *different* times.
*HOW* IN THE H*LL does the victim (or _anybody_ else, for that matter)
associate _those_ "unauthorized charges" with the specific transaction
where the card number was 'memorized'?
The *store* with the 'crooked' cashier has no inkling that anything is
wrong. Not even any reason to so much as -suspect- that there's a
problem.
The credit-card company has no idea *where* or *when* the compromise
occurred. Given _enough_ separate card numbers 'stolen', and *enough*
computer processing power/time (it takes a *LOT* of "cpu cycles" to do
this kind of 'pattern recognition' -- the specialty is called "cluster
analysis" ), they _will_ find all sorts of 'patterns' in the valid
charges. The odds of identifying the _actual_ pattern of transactions
where the compromise occurred is *NOT* good. (It'd be one thing if
this was the _only_ set of fraudulent transactions, but where they're
mixed in with fraudulent transactions from "forty 'leven" *other*
sources, the correlation problem becomes nearly impossible.)
Admittedly, the more data you have to look at, the better the chances
of finding 'correlations'. Unfortunately, the computing requirements
for the required kind of analysis grow _faster_ than the data. It's
somewhere between a 'square' and 'cube' relationship.
[TELECOM Digest Editor's Note: The 'ones who get caught are bozos and
amateurs' ... okay, so all the 19-20 year old cashiers at Walmart are
Harvard graduates with great memories who can glance ONCE at a sixteen
digit number and recall it exactly a few hours later when they meet
with Mr. Mafiosi. They won't be able to use a pen and paper to write
it down, the 'shopper' will see them do that. The 'shopper' can tell
management "the cashier claimed the card *you gave me as a control
to be used* would not swipe, and she had to do it manually, and she
wrote the number/name down on a scrap of paper in the process." Or,
did this brilliant young cashier actually -- in her three second
glance at the card as she punched the numbers in -- memorize the
number for delivery a few hours later, especially when there is no
context to -- or repetitive sequence in the number. I mean, the shopper
did not give her card number 5555-1212-1212-1212 or an 'easy to glance
at and memorize' number. And whether the shopper-spy is the customer
standing in front of the cashier right now, or the next one in line
dumping her crap all over the conveyor belt, trying to push and shove
her way to the head of the line is anyone's guess. Most store cashiers
in places like Walmart are in fact the bozos and amateurs you mention.
And since they are the front line, handling the cash, the registers,
etc, 'shoppers' blending in with the crowd of customers pushing and
shoving up to the register manage to do quite well at catching them.
PAT]