TELECOM Digest OnLine - Sorted: Re: Supermarket: Let Your Fingers do the Paying

Re: Supermarket: Let Your Fingers do the Paying

Robert Bonomi
Sun, 06 Feb 2005 17:23:19 -0000

In article <>,
Robert Bonomi <> wrote:

> In article <>, Robert Bonomi
> <> wrote:

>>> In article <>:

>>>> [TELECOM Digest Editor's Note: I do not understand one thing: If
>>>> people have already been verified as to their ability and
>>>> willingness to pay for their groceries through their credit card
>>>> and their personal identification has been verified in much the same
>>>> way by the credit card people, then *why* would people want to go one
>>>> step further by enrolling in 'Pay by Touch'? Is this intended as one
>>>> way to 'save them time' by not having to sign a credit card slip? In
>>>> other words, touch your thumb or finger somewhere rather than taking
>>>> a couple seconds to sign a slip of paper? Now, if the grocery people
>>>> had set up their own credit system *in place of Visa/MC* by using a
>>>> thumb/finger print, I can see where that might be useful, but
>>>> otherwise, why bother? PAT]

>>> Gee, I dunno.

>>> Like maybe you _don't_ have to have your card, *or* card number, with
>>> you.

>>> Like, no hassles if the mag stripe doesn't read.

>>> Like, no opportunity for a dishonest cashier to memorize the number
>>> off your card.

>>> Like, maybe, *nobody*else* can buy anything with that card number at
>>> that store. i.e., if it's a 'pay by touch' card, "no touchee, no
>>> tickee", and if the fingerprint _doesn't_ match, "no sale".

>>> You're right, I can't see why anybody would *consider* bothering to do
>>> something like that.

>>> [TELECOM Digest Editor's Note: Well, let's see ... maybe I was caught
>>> shoplifting at a grocery store in Iraq or Iran and the Taliban chopped
>>> off all my fingers as part of the punishment.

>> Strawman -- not a _bad_ strawman despite the stretch, but still a
>> strawman.

>> Then, obviously, you would not _elect_ to use their *optional* system,
>> would you? And then there's no problem for you, is there?

>> Or didn't you notice that it is a _voluntary_participation_ system?

>>> And one of the terms for accepting MC/Visa cards required by
>>> many/most/all of the card issuers is that the store is *not*
>>> permitted to demand any other form of identification. The card is to
>>> stand on its own regards ID, *if the holder is using it for
>>> payment*. So your 'no touch, no sale' idea is not possible in many
>>> stores.

>> When the store has a prior *signed*, verified, validated, directive
>> from the card-holder on file that says "do not allow any charges
>> against this card number unless the fingerprint matches the one I have
>> provided on file" the store most certainly *can* demand the
>> fingerprint.

>> Agreed, the store cannot do it on its _own_ initiative. However, that
>> is simply not the situation with regard to a _voluntary_participation_
>> program such as the one under discussion.

>>> I can see where fingerprints might be
>>> used in lieu of an actual plastic but I do not think it can be a
>>> requirement *in addition to* plastic.

>> Making clear that you did not bother to *read* the original article.

>> A) this is not a 'required' system.

>> B) the fingerprint _is_ used *INSTEAD* of the plastic.

>>> And when a clerk is caught making an unauthorized sale using someone
>>> else's card the answer is simple also. Fire and prosecute them. PAT]

>> "Simple"??? *snicker* No, make that <*GUFFAW*>

>> First off, that _assumes_ that the clerk got caught.

>> Second, 'unauthorized sales' can make for a _gawdaful_ mess of
>> problems for the actual card-holder. Just imagine that you're going
>> on vacation. And have made sure that your card has a _zero_ balance
>> outstanding. You get to your destination, and offer the card to pay
>> for your hotel room, and get told "card not accepted -- over credit
>> limit". Where are you, the wife, and kids, going to sleep tonight?

>> Getting an 'unauthorized sale' off your account can be *difficult*.
>> Consider a telephone order (one where the merchant asked for, and
>> _got_ the 'security code'), that was actually _delivered_ to YOUR
>> address, and signed for in your name.

>> I have relatives who have been the (almost) victim of *precisely*
>> that. They got wind of things shortly before the order was to be
>> delivered, and law enforcement was waiting when the delivery truck
>> came by. A guy _outside_ the house pretended to be the 'addressee',
>> and signed for the package. Whereupon the cops pounced.

>> [TELECOM Digest Editor's Note: Oh, I dunno about this last part, where
>> one supposedly has a hard time catching the clerk 'in the
>> act'. Walmart does okay on it. The stores here in southeast Kansas
>> employ 'shoppers' for just that purpose,

> <snicker> *GUFFAW* [[ sigh. I'm repeating myself. ]]

> The ones who get 'caught in the act' are the bozos, incompetents, and
> amateurs.

> Consider, for example:

> Scenario:

> A card fails the mag-stripe 'read' -- i.e. it doesn't "swipe".
> The cashier gets the card, to manually key in the number.
> (the cashier also *memorizes* the 16 digits of the card, and the 3 digit
> 'security' code. This does _not_ take much time -- how fast can you
> commit 2 phone numbers to memory?)
> The cashier returns the card to the customer.
> The *completely*correct* transaction is completed.

> Just _what_ is the 'shopper' going to report to management? Besides the
> fact that the cashier did their job "right"? Even a security camera
> recording the cashier's every move isn't going to show anything wrong.

> Got any idea how many times a day that *that* scenario actually occurs
> for any given cashier? Would you believe 'several times per *hour*'?
> "Capturing" _one_ card a day is a relatively trivial memorization
> task. Two or three would _not_ be a problem for most people. That's
> enough to make for a nice 'supplemental' income.

> Scenario, part II:

> After the cashier gets off-shift, and has _left_the_premises_, s/he
> writes down the previously memorized numbers. Then, that week-end, say,
> s/he meets up with "A. Mafiosi", who pays say, $20 for each card number
> with security code; $50 if the "name" that goes with the card is also
> available, and $150 if the _address_ is also provided. (Maybe it's a
> regular customer that often pays by check, but used a card _this_ time.)

> Scenario, part III:

> Our friend, "A. Mafiosi", sits on the purchased info for a couple of
> weeks -- hell, maybe a couple of -months-. Then he turns a crew loose
> to make a bunch of fraudulent purchases, using card numbers that came
> from several _different_ places, at *different* times.

> *HOW* IN THE H*LL does the victim (or _anybody_ else, for that matter)
> associate _those_ "unauthorized charges" with the specific transaction
> where the card number was 'memorized'?

> The *store* with the 'crooked' cashier has no inkling that anything is
> wrong. Not even any reason to so much as -suspect- that there's a
> problem.

> The credit-card company has no idea *where* or *when* the compromise
> occurred. Given _enough_ separate card numbers 'stolen', and *enough*
> computer processing power/time (it takes a *LOT* of "cpu cycles" to do
> this kind of 'pattern recognition' -- the specialty is called "cluster
> analysis"), they _will_ find all sorts of 'patterns' in the valid
> charges. The odds of identifying the _actual_ pattern of transactions
> where the compromise occurred are *NOT* good. (It'd be one thing if
> this was the _only_ set of fraudulent transactions, but where they're
> mixed in with fraudulent transactions from "forty 'leven" *other*
> sources, the correlation problem becomes nearly impossible.)

> Admittedly, the more data you have to look at, the better the chances
> of finding 'correlations'. Unfortunately, the computing requirements
> for the required kind of analysis grow _faster_ than the data. It's
> somewhere between a 'square' and 'cube' relationship.

> [TELECOM Digest Editor's Note: The 'ones who get caught are bozos and
> amateurs' ... okay, so all the 19-20 year old cashiers at Walmart are
> Harvard graduates with great memories who can glance ONCE at a sixteen
> digit number and recall it exactly a few hours later when they meet
> with Mr. Mafiosi.

"Harvard graduate" has *NOTHING* to do with the ability to memorize
and recall two telephone numbers.

The quality of your strawmen is slipping.

In point of *proven* fact -- as in many, *many* college/university
psych department studies -- most people *can* do such
memorizations with only a relatively SMALL amount of training; as in,
only a few *hours*.

*Literally* the only thing it takes is some practice. Working with _numbers_.

> They won't be able to use a pen and paper to write
> it down, the 'shopper' will see them do that. The 'shopper' can tell
> management "the cashier claimed the card *you gave me as a control
> to be used* would not swipe, and she had to do it manually, and she

You chose Walmart as the example. You obviously *don't* know how
things work there. The *customer* swipes the card. The *customer*
(as well as the cashier) gets a visible indicator _if_ the swipe
succeeds/fails. If the swipe did not fail, the customer gets prompted
if they want any cash back, or to approve the charge amount as shown.

There's *NOT* a d*mn thing the cashier can do to affect _that_ part of
the process.

> wrote the number/name down on a scrap of paper in the process."

Note well that I specified that the cashier did _memorize_ the number.
There's *NO* 'wrote it down on a scrap of paper' to report.

There's also *NO* reason for the cashier to attempt to 'fake' a
"didn't swipe" for a card that does swipe. He/she just waits for one
to come along that legitimately _fails_ the swipe. There are *so* many
valid 'targets of opportunity' every day -- far more than they are
likely to be able to retain memorization of -- that there is nothing
to be gained by 'fabricating' opportunities.

> did this brilliant young cashier actually -- in her three second
> glance at the card as she punched the numbers in -- memorize the
> number for delivery a few hours later,

Despite the sarcastic tone, you've got it *exactly* right -- It
doesn't take 'brilliance' -- virtually anybody who could work
successfully (postulating they were given the normal training for the
position) as, for example, an 'accounting clerk', a 'bank teller', or
a 'motel night manager', is "smart enough", *AND* has the
memorization capacity, to do this.

It is *NOT* all that difficult. Again, *all* it takes is some
time/effort/practice to develop that particular skill.

> especially when there is no
> context to -- or repetitive sequence in the number. I mean, the shopper
> did not give her card number 5555-1212-1212-1212 or an 'easy to glance
> at and memorize' number.

> And whether the shopper-spy is the customer
> standing in front of the cashier right now, or the next one in line
> dumping her crap all over the conveyor belt, trying to push and shove
> her way to the head of the line is anyone's guess.

Which makes exactly _what_ difference, anyway? After all, there is
*nothing* "out of the ordinary" to see/report. They had the customer
try to swipe the card several times. Then they took the card, held it
up beside their screen, while they looked at the number, keyed it in,
and double-checked what was on their display against what was on the
card. Everything is _exactly_ as a 'good' cashier would do it. This
one is just "thinking" a bit more than the average cashier.

> Most store cashiers
> in places like Walmart are in fact the bozos and amateurs you mention.

Yup. "Most" *is* the operative word. One 'smart' crooked one,
however, can easily do more damage than a -thousand- of the 'dumb'
ones. And the odds of catching that 'smart' one are at least a
thousand times worse than catching the dumb one.

> And since they are the front line, handling the cash, the registers,
> etc, 'shoppers' blending in with the crowd of customers pushing and
> shoving up to the register manage to do quite well at catching them.

Oh, yeah, the *stupid* ones get caught. I won't dispute *that*.
The 'smart' ones, nobody even so much as suspects they're there.

A few years ago, there was a ring that got caught (from the *other*
end -- fencing the goods purchased with the stolen card numbers) that
had used a scheme very similar to what I laid out. *ONE* of the
cashiers involved had made, as I recall, $160,000+ from the
card-numbers that she had carried out of the store 'in her head' --
she'd been doing it for more than FIVE YEARS, without being suspected
of anything. The store involved was "shocked"; management was quoted
as saying "She was one of our _best_ cashiers."

It _can_ happen. It *does* happen. The voluntary-participation "Pay
by Touch" system deprives the 'smart' crooked cashier -- as well as
the 'dumb' one -- of the opportunity to 'steal' a card number.

But, you're right, I can't imagine why anyone would *consider*
participating in that program.
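
One simple form of the correlation discussed in the quoted text above is a common-point-of-purchase ranking: for each merchant, compare the share of its cards later reported for fraud against the share across all cards. This is an added example, not part of the original post; the merchants, card IDs and the lift score are constructed assumptions. It shows the true source ranking first when it is the only source of fraud, and slipping once fraud from unrelated sources is mixed in.

```python
from collections import defaultdict

# Constructed sample data: (card, merchant) pairs from legitimate purchase history.
HISTORY = (
    [(c, "grocer_A") for c in ("c01", "c02", "c03", "c04")]
    + [(c, "fuel_B") for c in ("c01", "c05", "c06", "c07", "c08", "c10")]
    + [(c, "pharmacy_C") for c in ("c02", "c03", "c09", "c10", "c11", "c12")]
)
# Cards whose numbers leaked at grocer_A (the point we hope to recover).
LEAKED_AT_GROCER = {"c01", "c02", "c03"}
# Cards reported for fraud that originated elsewhere (unrelated sources).
OTHER_SOURCE_FRAUD = {"c09", "c10", "c11"}


def rank_merchants(history, fraud_cards):
    """Rank merchants by lift: the share of a merchant's cards later reported
    for fraud, divided by the share across all cards seen."""
    cards_at = defaultdict(set)
    for card, merchant in history:
        cards_at[merchant].add(card)
    all_cards = set().union(*cards_at.values())
    base_rate = len(all_cards & fraud_cards) / len(all_cards)
    rows = []
    for merchant, cards in cards_at.items():
        hits = len(cards & fraud_cards)
        lift = (hits / len(cards)) / base_rate if base_rate else 0.0
        rows.append((merchant, hits, len(cards), round(lift, 2)))
    # Highest lift first; ties broken by hit count, then name.
    return sorted(rows, key=lambda r: (-r[3], -r[1], r[0]))


def clean_case():
    return rank_merchants(HISTORY, LEAKED_AT_GROCER)


def mixed_case():
    return rank_merchants(HISTORY, LEAKED_AT_GROCER | OTHER_SOURCE_FRAUD)


if __name__ == "__main__":
    for label, rows in (("single source", clean_case()), ("mixed sources", mixed_case())):
        print(label)
        for merchant, hits, total, lift in rows:
            print(f"  {merchant:<11} {hits}/{total} fraud cards, lift {lift}")
```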
