
December 06, 2007



Not too long ago, I got a few calls where my Credit Card company called in to verify "suspicious recent activity" on my card. The thing is, the message left on the machine sounded ... well, fishy. It gave a number to call, and when I called, the first prompt simply said, "Please enter your credit card number now."


I couldn't even find that number on the back of the credit card or on a statement, so how was I to know that was legit?

It turns out, it was indeed a "real" check, and I'm all for that. Heck, question every darn purchase if it protects my identity. I'm thrilled when the cashiers at the store ask to see my license. Please, ANYTHING to help protect me.

But, these efforts need to be tempered with a modicum of intelligence and forethought. You know, this identity stuff is really not that tough and yet many companies just haven't seemed to figure that out yet.

Michael K. Campbell

Yeah, as geeks we have a sort of sixth-sense for things that might be construed as potential phishing or probing attacks. I guess that's both because we have to code defensively in our applications and such (to ensure that our apps stay above reproach), and because (as geeks) we're constantly getting called on by family members, neighbors, and what-not to fix their machines after they've been spoofed, phished, or whatnot.

What's spooky is that a lot of brick-and-mortar organizations just don't seem to even realize that they need to think this way. And spookiest of all is the fact that the entities that seem to have the hardest time with it frequently seem to be the very folks closest to our financial data.

My experience with Dell a while ago FLOORED me. They sent me this cryptic, one-off email that said there was a 'problem with my order - would I please call some 800 number for my protection'? Yeah right. If I was a phisher, I'd figure that you could spam that message out to everyone, and 6% of people getting it would have an order with Dell. So imagine how cynical I was when I called and they wanted my SSN before they would even provide ANY information about what was going on. Needless to say I didn't give them that info. What KILLS me though, is that after making a few calls and getting PISSY with the operators in order to have them put me on with their managers, I was able to find out (eventually) that this was Dell's PREMIUM customer support just watching out for me to make sure that I hadn't been the victim of Identity Theft. It was like something out of a security best-practices HORROR novel.

Ralph Day

Brian wrote:

"I'm thrilled when the cashiers at the store ask to see my license."

The funny thing is VISA and Mastercard discourage this practice. In fact, if you refuse to show your ID the merchant must accept your card anyway. From the Rules for VISA Merchants:

"Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures."

They claim it's because a crook will probably have fake ID in your name with a signature in their handwriting anyway. It gets more amusing when they also say if a merchant is presented a card without a signature they should ask for government issued ID and have the customer sign the card before accepting it. Gee, what happened to that crook with fake ID all of a sudden? I guess he's using it to get on a plane with a bomb while you're signing your card.

As a merchant I get even more pissed off when VISA & Mastercard oppose the National Retail Federation push to have your card number only stored by the banks.


The long and short of it is the credit card industry doesn't really care about identity theft - they care about profits. Requiring ID to use your card means less people using their card and less profits. Centralizing storage of credit card info at the banks means a bunch of money investing in changing systems and moving all the risk to the bank - not a profitable idea. Better to continue to force the risk on the merchant like they always do.
