Announcement

Collapse
No announcement yet.

a new twist on stores asking for your zip code... credit card automated checkout

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • a new twist on stores asking for your zip code... credit card automated checkout

    heya,

    this might be interesting to folks here. i will assume that most of you are familiar with two trends relating to check out / register sections of stores and supermarkets today...

    1. policy of asking for your zip code - often heard as one of the knocks people would make against Radio Shack in the past, nowadays numerous merchants just have a policy of bothering every customer for their zip code when they are paying. i'd imagine that most of us here refuse to discolse ours on principle (or have fun giving fake ones just to skew the data in marketing databases) at least stores are training their people now to no longer be pushy about this. in the past, i've been told that (a) they can't complete my purchase without it (b) i can't use gift cards or other promotional deals without it (c) i'm at risk of not having my warrany honored if it's not in their records (d) etc etc etc. this no longer happens and, at least around me, i'm pleased that customers refusing to give out personal info is just about as common as people who yak about anything to strangers.

    2. customer-operated credit card / debit card swipe terminals - initially i saw these only at supermarket checkout lanes, but now i'd say the majority of stores where i buy things have swipe terminals and pin pads <rant>is it just me or is the UI code on most of these annoying? most of them assume you're using a debit card and ask you for a PIN... if you are using credit card you must press cancel, then choose "credit"... why isn't that the first choice?!?</rant>

    an interesting thing happened to me today, however. i made a small purchase at a store and used my credit card at the swipe terminal. it asked me to OK the amount. i did. it then asked me for my zip code. i was puzzled. i know that zip code validation is a type of authorization used with CC purchases. i was about to give it my zip, but accidentally hit a wrong button before i started punching it in. i pressed cancel to clear it out... but the authorization simply processed anyway.

    i'm wondering if the device wanted my zip code for merchant bank authorization or for storage in a marketing database. you can bet that from now on i plan to just hit cancel if i continue seeing this new prompt at other stores. if things ever don't go through, i'll just keep cancelling until the checkout staffer asks what's wrong, at which point i'll mention how the device keeps asking for information that it doesn't need. they can process my card manually if they have to, but i'm never buying into this bullshit about establishments' insatiable desire to have more and more of my personal data.*

    * interestingly, i wonder how far off we are from a time when merchant banks enter into partnerships and collaborative contracts with stores which will automatically generate a marketing profile of you for the vendors during your purchases. in other words, i swipe my chase mastercard at the local Stop & Shop, in addtion to stop and shop billing me for $36.12 through, chase automatically generates a profile of me based on the data in their files (name, address, credit limit, etc) and sends it back to the store for instantaneous storage in the marketing database entry associated with my shopper card.** such a proposal would likely first be put forward under the guise of "discouraging fraud" but with banking laws and privacy regs being gutted all the time, the freedom of stores to do whatever they want might not be that far away.

    ** yes, i have a shopper's savings card at my local supermarket. while it can technically track my purchases, it's not tied to my actual name and address. the funny thing is, i'm always amazed at the fact that any bullshit you write on the application form is accepted. i trash my card routinely and get new ones just so i no meaningful marketing profile gets built up... and each time i've chosen personal info that is more and more obviously fake. nowadays i think i'm in the system as thomas jefferson, with an address of 1600 pennsylvania avenue. what's funny is the fact that during checkout, when your receipt is printed, the store uses your name (as it appears on file) in the receipt... a la "thank you, thomas jefferson, for buying at stop and shop. you saved $4.20 with your savings card." more than once i've had register jockeys (attempting to be chummy with the customer) glance at the receipt as it prints and say something like "thanks, tom, have a nice day." one time, a person even said "oh, were you named after the president?" or something. never, however, has anyone commented on the fact that the name doesn't match the one on the credit card i just used.
    "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
    - Trent Reznor

  • #2
    Like the "extra digits" on a credit card to show the owner has physical access to the card, a zip code query adds little security to cases where a wallet is stolen with the card. After all, don't we have Driver's Licenses, and don't these include our address, which also includes our zip code? Physical access is just that. All the zip code does, is make holders of stolen cards use easier targets. (Stores that don't ask for zip.)

    It seems "security" is being used to convince people to part with their privacy, and further aid marketing and research.

    FUD is very effective at convincing people to part with money, privacy, and other things.

    As for filling out incorrect information for application to get shopper/store cards in hopes you will provide them with disinformation, beware. If you use those cards with an ATM or Credit Card purchase, the store may associate and update the customer card name with the name from the credit card or atm. (3 out of 3 customer cards for stores have done this with my customer cards. I've filled out bogus information in the application, but eventually, cash purchases also show my name on the receipt when I use the store card.

    Comment


    • #3
      Originally posted by Deviant Ollam
      2. customer-operated credit card / debit card swipe terminals - initially i saw these only at supermarket checkout lanes, but now i'd say the majority of stores where i buy things have swipe terminals and pin pads <rant>is it just me or is the UI code on most of these annoying? most of them assume you're using a debit card and ask you for a PIN... if you are using credit card you must press cancel, then choose "credit"... why isn't that the first choice?!?</rant>
      [/I]
      Most of these devices that I use take ONLY atm cards. If you want to do credit, you hand your card to the store clerk. There's only been a couple places I've shopped (one that is semi-regular) where the machine also took credit.

      Something that has always driven me buggy about these machines is how they differ in sensitivity. When I was using my ATM card (now I just use credit), I had one store that had no trouble with my card ever, one store that would never accept my card and another store whose machine would take my card, but only after wrapping a plastic bag tightly around it. This method would work every time, except on the rare occasion that the clerk was not familiar with this idea and did not wrap the card tight enough to eliminate wrinkles. In the stores where the ATM card would not run through, the clerk would automatically take the card and say "shall i run that through as credit?" The clerk gets this total grouper face as I'm rummaging through my wallet for my credit card saying "no, that's not going to run as a credit card, let me get mine for you."

      So many people are completely clueless as to what a debit card is vs what an ATM card is. In fact, I've had customer service folk at my BANK swear up and down that my ATM card will NEVER EVER work in a debit card swipe machine. Funny, I've been doing it for 10 years. The first thing I do when I get a debit card is cut it up and request an ATM card. Sometimes it take a couple go-rounds for them to understand the request, but i've never used one since I got my credit established.

      Comment


      • #4
        What you need to do is something like this guy:

        http://www.cockeyed.com/pranks/safew...e_shopper.html

        where you forge copies of member discount cards and spread them all over, diluting the data to the point of absudity. Perhaps we should have a Defcon set of club cards
        Never drink anything larger than your head!





        Comment


        • #5
          Originally posted by renderman
          What you need to do is something like this guy:

          http://www.cockeyed.com/pranks/safew...e_shopper.html
          Ooh, I like that. Unfortunately, the grocery store where I shop has its card work differently, probably because people were so pissy about the safeway and albertson's cards. It requires that a real address be used if you want the coupons (if you don't, no point in using it).
          http://tinyurl.com/qez7b

          "It does not affect prices in any way. You still get the same low prices whether you use the card or not. No gimmicks, no pricing games, and no fees to join."
          Instead, the Rewards Card will pay Customers a rebate for simply using the card when they shop Fred Meyer. Customers earn one "point" every time they
          spend five dollars at Fred Meyer. [...]
          Rebates will be mailed to Customers at the end of the 13-week period.

          Comment


          • #6
            Originally posted by mfreeck
            another store whose machine would take my card, but only after wrapping a plastic bag tightly around it. This method would work every time, except on the rare occasion that the clerk was not familiar with this idea and did not wrap the card tight enough to eliminate wrinkles.
            hah... i am familiar with this technique (and have experienced the same problems as you... many of the units have reader heads with very poor coercivity specs) and always get a kick out of showing it to new people. can you or someone else here who knows more than i do about mag stripes confirm or deny the hypothesis i've formed as to why this works? i've felt that many read errors are due to dirt or tiny cracks in the mag stripe fouling the reader head, and the placement of the plastic bag sheet (as you noted... one must take care that it's tight and smooth) makes a nice, flush surface. since the data is being read via magnetic fields, direct physical contact isn't necessary.

            Originally posted by mfreeck
            So many people are completely clueless as to what a debit card is vs what an ATM card is.
            while i'm aware that the two terms are similar, i am not 100% certain that i have it all straight. is this how it works...

            credit card - the one with which we're all familiar, where a person is drawing from a line of credit issued by a bank. sig required but no PIN. (although some have PIN numbers to allow for cash advances drawn against the holder's line of creit at ATM machines) authorizations processed through merchant banking network.

            debit card - attached to the funds in a person's checking account. (or possibly savings account?) signature required for usage, but not a PIN number. authorizations processed through merchant banking network.

            ATM card - attached to the funds in a person's savings and/or checking account(s). with use of a PIN number, individual can view, deposit, withdraw, or transfer funds at ATM machines. not useable in, say, a restaraunt's credit card processor (merchant bank system). signature not sufficient for usage, PIN required.

            check card - new term that marketers started using to refer to debit cards since in some snobby circles they gained the stigma of being only for poor people who can't acquire a line of credit with an issuing bank.

            where it gets confusing i think is when banks today start issuing cards that are multi-function. i.e. - a check card that also can be used with a PIN at an ATM.

            am i on the right track with most of that?
            "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
            - Trent Reznor

            Comment


            • #7
              I'd like to bring up what I think is a relevant point-I never use a credit card unless I *absolutely* have to (i.e. internet purchases, emergencies). I've never used my CC at a grocery store or gas station. Honestly, you see so many idiots using them for a $5 grocery bill...

              The moral of this story is *use cash*.

              Oh yes, I use the "loyalty cards" with false info. Saw an idea about just pasting and labeling 5 barcodes on a single card to save space in your wallet and pointing out which one for the cashier to use.

              Al K. Lloyd
              "Are my pants...threatening you?"

              Comment


              • #8
                Deviant: actually, at least in town here, ATM cards are generally accepted through many point of sale systems, including Walgreens, Fred Meyer, etc. They require user swipe AND PIN, no ifs or buts. Debit on the other hand, can be mishandled by any $7/hr clerk.. whether ignoring sig/picture/<other> verification methods, or by someone using the card over the Internet like a credit card.

                Biggest difference imo is in disputes. Whether mischarged by a legit business, or completely frauduently used:

                Debit cards: Your money is gone.. out of your account faster than writing a check. You can dispute the charge(s), but money is gone in its entirety until the point that you have disputed and received chargeback from the bank.. in cases of complete fraud, possibly never.

                Credit cards: Someone could steal my card and buy a McDonalds chain with it, I have personally lost nothing but face if I completely ignore it. Okay.. so I have half a brain and I'll dispute it, having the negative charge removed from what the creditor thinks I owe them, but absolutely nothing changing between me and the actual amount of money I have.


                Alklloyd: I am one of those dorks that uses my credit card for everything and a stick of bubble gum.. I absolutely abhor places that only accept cash/check. So the government and businesses track my purchase activity.. *shrug* They track the rest of my life.. that's called being a US Citizen. Obviously there are times and places for using cash.. but I have found this to be quite limited until such a point that I need to no longer be me.. considering I don't break the law and the Bills haven't won the Super Bowl, such a catalystic event will probably take a while.

                Cash on hand requires management both physically and logically. Credit plays directly into my existing financial monitoring and accounting schemes. Cash on hand promotes haphazard spending. I have to plan for payment/spending of credit, cash just disappears.

                Cash requires additional steps to obtain .. I place the money in the bank, I take the money from the bank (all monitored and logged anyways). I need money, get it from the bank.. took too much.. spend it or return it to the bank. Credit transactions are made abstractly, from the point my direct deposit leaves the company to the point my creditor receives payment and discovers that they can't charge me interest for another consecutive month.
                if it gets me nowhere, I'll go there proud; and I'm gonna go there free.

                Comment


                • #9
                  One of my biggest issues is not only the zipcode thing but the places like Best Buy who make you sign their electronic pad when you use your credit card. Sears and Home Depot do it as well. So, now your signature is in a nice digital format *somewhere* in their network. Cant wait to see the first case of identity theft where not only does a customers personal information get stolen, but their signature as well.

                  Mr. Joe Sixpack, if you didnt apply for this home loan, then how come we have your signature all over it?

                  You think with all the PII disclosure cases getting press lately (Progressive Insurance being the latest to the list) these companies would want as little of their customers information as possible to limit their liability. At this stage of the game I would want enough information from a customer to validate they arent making a fraudulent purchase and thats about it. I dont want a database of customer information hanging over my head like a rain cloud, waiting for the day Estonian hackers steal it.

                  I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me

                  Comment


                  • #10
                    Hmm, I just turned 16 and am probably going to be getting a checking account soon and with that an ATM card most likely. I know that (correct me if I'm wrong) credit cards are a lot more insecure than both ATM and debit cards, but I wont be getting one of those until I'm 18 (and have absolutely no desire for one as it just makes it easier for me to lose track of how much I'm spending, although it would be nice for online purchases). As far as ATM and debit cards go, which do you all think is more secure? Or are they pretty much equal (which they seem to be to me at this point)?

                    Comment


                    • #11
                      Okay.. I want clarification on this because I keep hearing it and not understanding it.

                      How are credit cards LESS secure than ATM or Debit? Are you talking exclusively on a 'the 4 digit pin sword is mightier than the zipcode'?... because on a conceptual level of accountability, I see it entirely opposite. Personally I care far more about the latter than whether which mechanism is weaker than the other.. they're all weak.
                      if it gets me nowhere, I'll go there proud; and I'm gonna go there free.

                      Comment


                      • #12
                        My ATM card is from wells fargo, It works like a check card when there's no debit/PIN pad, and works like a debit card if I choose, and a PIN pad is avaliable.

                        On the issue of checking for zip/id/picture.... It seems that the majority of places are very lax on their doing of this, sometimes I'll pay with my friends card who came in the store with me.. (I had a guy even look at a different ID once, and just continue with the transaction!).
                        At best buy/home depot for those signature things, I started making little pictures and simily faces.
                        I've also been asked for a phone number which.. I thought was stupid, but it happened a few times... I just pick a different number each time.
                        Its fun to test the limits of crappy auth... (and don't even get me started on those self checkout machines)
                        I heard a while back (i think even at defcon heh) that you could get a credit card, with a different name by telling the CC company it was for 'online purchases' and you wanted to use a different name for security reasons, or something like that.
                        Does anyone know if this is/was the case?
                        The only constant in the universe is change itself

                        Comment


                        • #13
                          Originally posted by converge
                          Okay.. I want clarification on this because I keep hearing it and not understanding it.

                          How are credit cards LESS secure than ATM or Debit? Are you talking exclusively on a 'the 4 digit pin sword is mightier than the zipcode'?... because on a conceptual level of accountability, I see it entirely opposite. Personally I care far more about the latter than whether which mechanism is weaker than the other.. they're all weak.
                          Hey converge,

                          It seems to me... a credit card is LESS secure than an ATM/Debit card because lets say we have bob making a purchase, and alice selling a... <whatever>.

                          Credit Card:
                          If alice doesn't check bobs drivers licence, or compare signatures (which is lowsey) or some other form of authentication... then all you need is the card.
                          If bob is buying gas with a stolen CC (or getting cash back) and the machine doesn't ask for a zip, and the person doesn't ask for more ID... then all you need is the card.

                          ATM/Debit card:
                          Alice must ask bob for his PIN to purchase something/obtain cash back/etc...
                          This is an example of something you have <the card> and something you know <your PIN>.

                          This seems like (weak) two factor authentication. Where as the CC is only (sometimes!) single. In the case of a stolen wallet, the casheir alice hopefully asks for ID and you didn't steal your twin brothers wallet. Also, its hard to think a zipcode is more secure than 4-digit PIN because.. if you think about odds, most people buying goods are going to live in the same location or zip of the store.. maybe nearby area... so you have a pretty good chance of determining the zip. (small keyspace :-P) Plus, theres a lot of other ways to determine the zip of a card holder.

                          So, I think they are less secure in some situations. Without strong abilty to verify authentication, its useless. (example: who in california knows what a North Dakodian licence looks like?? (why lots of places only take in-state IDs)).

                          Just for general information because we're here to learn: To my understanding, the PIN you choose really isn't the 'real' PIN... the ATM machine/bank via POTS does some kinda simple encryption/shift/xor with your PIN and account number to obtain the 'real' PIN number... I think they talk about it in here: http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
                          The only constant in the universe is change itself

                          Comment


                          • #14
                            Originally posted by dYn4mic
                            My ATM card is from wells fargo, It works like a check card when there's no debit/PIN pad, and works like a debit card if I choose, and a PIN pad is avaliable.
                            That's not an ATM card, that's a debit card. ATM cards have no ability to be used like a credit card. "debit" = debiting directly from your checking acct, do not pass PIN code, do not collect $200.

                            And if someone takes all the money out of your checking account on a Friday, when the rent is due and you have no groceries, you'll be waiting til at least Monday (you DO have the time during working hours to spend time on hold to explain the problem to at least two people, right?) for the bank to put the money back while they "investigate" and hopefully find in your favour.

                            Oh, another fun fact about debit cards. More places like gas stations are now putting a "hold" on cards. So you go buy $25 of gas, but they put a $50 hold on your "card," aka your checking account. I forget how long it lasts, but I think it *can* be up to a week or two. Hopefully you weren't actually counting on *using* that money in the meantime, say to pay your bills, eat, etc within the next week.

                            I did have my CC number stolen once (it was the card I used exclusively for in-person sellers). I didn't pay that portion of the bill and it was fairly obvious that i wasn't buying bus passes and groceries at a roach-ridden store in NYC and I was absolved of the charges no problem. I never had the stress of my finances being put in jepordy even for a day.

                            Comment


                            • #15
                              right.. so we're comparing mechanisms, weak vs. weaker and who will win at probability.

                              I take the approach of neither being very secure and both methods are likely to end up with charges/purchases I didn't intend on. If you walk around with three different purchase implements, one in each pocket, and one of your pockets is going to get picked, but you don't know which one. Which method do you consider ACTUALLY secures your assets more.

                              'Cause in the event, I doubt I'd just be kicking back and saying.. "Well damn, they got me.. at least I tried by using a four digit pin!"
                              if it gets me nowhere, I'll go there proud; and I'm gonna go there free.

                              Comment

                              Working...
                              X