
Are Signature Pads Dangerous to Privacy?

WildHunter asks: "While making a foray into a local retailer today I paid using a credit card and was asked to sign a paper receipt on top of a digital pad. Being cautious I asked what it was for and I was assured that it was 'fully secure and safe to use'. Being a typical paranoid Slashdotter I offered to sign off of the pad but refused to sign on the pad. Was I over reacting or can someone back up my paranoia with some facts?" Think about it, some deceitful vendor has one of these, sells you something, gets your signature, and can then ring up loads of charges on your card using a digital copy of said signature over, and over, and over... you get the idea. Do the current crop of signature pads prevent against this and other similar kind of deceit?

  • And what prevents anyone from taking an ordinary signature, putting it on the pad and tracing over the original signature making a perfect copy?

    With a normal signature experts are able to verify the signature by looking at the pressure used on the pen in different parts of the signature. A feature that is very much lost with this "digital signature"

    • by Anonymous Coward
      Posting as AC for numerous reasons...

      A feature that is very much lost with this "digital signature"

      Good tablets record the pressure. They also record other information (pen orientation) that may be used to verify identity. Once you have the dynamic record of the signature you can do more (think pen velocity along the strokes, quite individual, those little loops you do on the 'e's and 'a's, lots of identifying data there).
      The simple answer is Don't use your real signature on the pads. They could record enough data to reproduce things. Use an 'X' for the couriers.
      • My signature on one of those pads looks *NOTHING* like my real one. You don't get the same kind of feedback as you do with a pen (at least not in my experience) and my sig ends up looking like a 3rd grader trying to learn cursive. . .
    • With a normal signature experts are able to verify the signature by looking at the pressure used on the pen in different parts of the signature. A feature that is very much lost with this "digital signature"

      I have worked in the field of Biometrics, and this statement is just not true. In many implementations of signature pads, the pressure is also measured (and even displays thicker lines because of it). Most signature recognition algorithms also use the varying pressure as a factor in the matching algorithm.

      A traced signature will _not_ match on any matching software I used.

      T

  • by leviramsey ( 248057 ) on Saturday August 03, 2002 @07:31AM (#4004095) Journal

    ...than the physical signatures.

    Think about it. All the retailer gets is a digital copy of your signature. Now, they could conceivably sign your name to contracts with them and such. But in order to actually sign your name, the person with the copy of your signature would have to actually write it out with a pen. Now, even the most braindead clerk would get suspicious if you had to use a stencil to sign the credit card receipt.

    Yes, they could learn your signature from digital printout, and if they're adept enough at forging, could do it that way. But they could do exactly the same thing with old fashioned receipts (making copies of the receipt if necessary).

    In addition the credit card companies do maintain large anti-fraud departments to investigate this sort of thing (as under US law, you'd only be liable for up to $50 of the purchases the retailer would make without your actual signature; if he buys a brand new rig from AlienWare with your signature, several grand will be eaten by AlienWare (which doesn't help their relationship with the CC) or it gets eaten by the CC). Either way, they see a pattern of people who have transactions disallowed, all of whom made purchases at the same store, and the retailer gets in big trouble.

    There are more important risks with CC's.

    • ...as under US law, you'd only be liable for up to $50 of the purchases...

      Many cards now have $0 liability (such as my Citibank card). Anyone with the standard $50 liability may want to consider getting a new credit card.
    • as under US law, you'd only be liable for up to $50 of the purchases the retailer would make without your actual signature

      Bull. I've never agreed to that. To quote the discover card agreement, "You agree to pay us in U.S. Dollars for all purchases, cash advances, and balance transfers including applicable Finance Charges and other charges or fees, incurred by you or anyone you authorize or permit to use your Account or a Card, even if you do not notify us that others are using your Account or a Card."

      If they can't convince a judge that I authorized or permitted the purchase, I'm liable for $0, not $50.

      • If the unauthorized charges are due to my own negligence (I lose the card, or the card is stolen and I do not report it in a timely manner), then maybe I'm liable for $50. But as long as I make a reasonable effort to maintain the security of my card and account information, I'm liable for $0.
    • In addition the credit card companies do maintain large anti-fraud departments to investigate this sort of thing

      actually, i've found they don't care if they catch anyone or not. a friend of mine had his credit card number stolen. a bunch of home office equipment was charged to it. when he got his bill in the mail he found the company that sold the equipment, and called them. they gave him the address where the equipment had been delivered. he checked it out (it was a house), and was able to easily see some of the larger items from the yard in front of the house. he called the credit card company and they didn't care. they just reversed the charges. they weren't even interested in the address of the person who had defrauded them. they just apparently wrote off the expense.
      • Why didn't he report it to the local police? I'm sure this counts as receipt of stolen goods, not to mention qualifying as stealing the goods in the first place. If somebody stole my credit card info I'd have no problem whatever seeing them checked into the crossbar hotel.
        • because they didn't really steal from him. they stole from the credit card company. the credit card company didn't want to press charges. they specifically told him it was cheaper for them to write off the expense than it was to investigate, no matter what information he would be able to give them.
      • That's odd. I've had my card/number stolen multiple times. Every time, it has been the credit card company that has noticed first and they either call me or cancel the card right away. One time they called me while a spending spree was in progress and they gave me the distinct impression that they were trying to trap the perp. (i.e. they authorized the charge when it was a 25 cent phone call in the hopes that he would try to make another department store purchase)

        -a
  • Never used one in a shop but a couple of mail companies have started to have PDA things to use for stuff you have to sign for. However, they're so unwieldy to use, there's no danger of my "signature" being of use to anyone!!
    • Yep, where I used to work, the delivery guy would turn up with sometimes hundreds of pounds' worth of IT kit, and expect us to sign something saying it had been received in good condition/working order/etc. without even opening the (frequently badly dented) cardboard packaging. And of course, the signature was digital, so how that's supposed to be bound to any meaningful statement about what condition things were in is beyond me.

      Standard unofficial office policy involved signing yourself Mickey Mouse, or X|ZYY or some such. No-one ever noticed or complained.

  • Spoof 'em. (Score:5, Interesting)

    by inkfox ( 580440 ) on Saturday August 03, 2002 @08:30AM (#4004164) Homepage
    Those units are just like the old Koala Pads. It's a grid array of wires, which make contact when they touch. This means they can only accurately detect one position at once.

    I don't trust them because I don't know if they're recording a bitmap or vector/spline data. The former is okay, but the latter, if intercepted, can be used to make an infinite number of unique-looking but valid signatures. So, I usually make swirls with a fingernail while I sign, making a valid paper signature and a cloud of noise on the screen, since the pad can't tell which of four moving coordinates is the real active one when two different points are pressed at once.

    I've only ever had one merchant actually look at the screen and ask me to sign again. (He thought it was the unit's fault.) The rest seem to believe that the pad is checking my signature, not just recording it.

    • On a similar note.. I sign the paper.. not changing the X position of my pen, but moving the paper right to left. They usually have loose area in those things...

      They usually get something looking like a bunch of up and down scribbles. The paper is signed.
  • We have a number of those at the store I work for (Zehrs, if you live in Ontario or Quebec), but only for the self-scan lanes. I don't think, as someone else said, they're any more of a risk than a paper copy, but your particular retailer's behaviour is a little odd. If he's getting the paper copy, there's no need, in MasterCard/Visa/AMEX's opinion, to have the digital version as well. I say call the guy on it; the worst it'll do is make him think about it, right?
    • I buy gas with my credit card all the time. Never have to sign anything. Never have to enter a pin either.

      And these guys are paranoid about signing digitally?

    • The digital pad is so that paper receipts do not have to be delivered to process the transaction. When they run your card through it just authorizes the transaction, it later has to be reconciled for payment. That's why the credit card company must be able to present a copy of the receipt (though they frequently cannot) -- they are at least responsible to have the store retain the copy in case there is a question. This way it is handled entirely electronically, with obvious savings for time and document retention problems.

      I have had stores err in reconciling charges and the charge never shows up. Lose the signatures and you have nothing (the bank may or may not help you process the charges anyway in the hopes 95% won't know you screwed up and will pay anyway).
  • Usual paranoia (Score:5, Insightful)

    by blankmange ( 571591 ) on Saturday August 03, 2002 @10:20AM (#4004371)
    Yeah - I don't like giving out my credit card info to questionable people behind the register either, but what are you going to do? Start using cash in all of your transactions?

    Digital signatures can be used by less-than-ethical sods just like your credit card number by the same people. Make sure your credit card company has fraud protection and be done with it....

    This is similar to the people who will willingly give their credit card to a person behind the counter but refuse to shop online because 'it isn't secure enough'..... Get over the paranoia and get on with your life... it is too damn short to take up your time with menial crap like this....
    • No kidding! Besides, the cashier could always copy down your cc# from the receipt you signed & look at the expiration date when you hand the card to them. No signature required.
    • but what are you going to do

      Demand a paper receipt to sign. If the sales clerk can't provide one then demand to see their supervisor. If their supervisor can't figure it out then exercise one of the benefits of living in a capitalist economy and take your money someplace else.

      I left a couple hundred dollars worth of clothes sitting on a counter once because the sales clerk couldn't figure out how to complete the transaction without that silly little machine. This rarely happens anymore. Most businesses that use those things seem to have caught on that some people just don't like them and have trained their employees to know how to make a paper receipt in those cases.

    • Or better yet, just use cash for all your transactions. There is nothing as satisfying as thunking down 20s to pay a $1000 bill.
  • There is nothing wrong about being paranoid about such things - but they are SO easy to fool! When I encounter one of these things I merely alter my signature! Not just a little bit - a lot!

    So - they may have a copy of my signature, but not one that would stand up under examination, which begs the question of what good is the signature system if the vendor doesn't LOOK at the signature on the card in the first place!!!

    • Comment removed based on user account deletion
      • My card is not even signed!

        Not that it really matters (nobody ever looks), but it's generally a bad idea not to sign your card. Someone could steal it, sign it, and then be able to fool anyone who didn't check their ID. You can write 'See ID' on the back of the card, then you'll know how many people even bother to look.

        On a side note. I usually mangle my signature (not on purpose, just sloppy) and I have only been asked for my ID once.
        • Yea, on my card it says to check id, but out of every 10 or so purchases I make, maybe 3 will actually check id.
          • Yea, on my card it says to check id, but out of every 10 or so purchases I make, maybe 3 will actually check id.

            You are doing better than I. Only 1 out of 10 (at the most) ask to see mine, even though the signature line says "DEMAND PHOTO ID".

            But, it's not a big deal. I put it on there mainly to discourage someone from trying to use it if my wallet is stolen.

          • "See ID" isn't valid (Score:2, Interesting)

            by xenoc_1 ( 140817 )
            You know, Mastercard, Amex, Visa, and Discover all tell you to sign your card as soon as you receive it. As an example, here's Mastercard's Fraud Info [mastercard.com] page.

            I'm not going to do your research for you but I've seen statement mailers, various web pages, and other consumer info from each of them over the years that all said "See ID" or similar is not valid to put on the card. More importantly, unless that card is signed with your signature rather than some bogus phrase, you technically haven't followed your terms of the contract. Arguably they could claim that because you didn't sign the card, they aren't liable, because you didn't take the reasonable (and required under the contract) action of signing the card.

            "See ID" is a nice idea, but it's kind of like that wacky MS EULA-bypass stuff we always see here. People get some idea that by finding a way not to take a specific physical action like clicking a button or signing a card, they've changed the contract. I doubt that would hold up. There may even be unintended consequences like claiming the cardholder didn't take the necessary and reasonable steps to protect the card.

            (And in the case of the EULA-bypasser, MS might claim use of a "circumvention device" under the DMCA.)
    • If you wrote it, it's still a legal signature, regardless of whether it's your "real" signature or not.
    • A little trick I use: the name printed on my credit card is NOT the name I sign receipts with.

      So if my card is ever lost or stolen, and someone signs receipts using the name printed on the card -- those will be obvious frauds, easy to spot.

      Most credit card companies now recommend that you do NOT sign the back of the card (after all, if it's signed and the card is stolen, the miscreant has a valid signature all too handy to copy!!)

  • Way paranoid (Score:4, Interesting)

    by CMiYC ( 6473 ) on Saturday August 03, 2002 @11:02AM (#4004460) Homepage
    I'm really not sure where your concern is... If you are a credit card fraud victim, it doesn't matter if it's a perfect digital signature or if it's a handwritten one. You report both instances to your credit card company. I'm pretty sure they would clue-in if they noticed that all of a sudden you went on a $10,000 shopping spree and digitally signed your receipts exactly the same way every single time. (Again this is if you report it.) BFD, with these devices you can get a perfect digital signature. Well last time I checked, we are not digital machines. We are incapable of doing anything perfectly the same twice--including signing our name.

    I would be more concerned with the fact that these stores store our credit card NUMBERS, or when you order something over the phone (who knows if they aren't writing it down while typing it in?), or the clueless SSL "secure" websites that email you a confirmation with your CC number. Oops. I probably just gave you some more reasons to add a 3rd lock to your windowless house.
    • I can't speak for the poster but I won't sign those machines because an electronic copy of my signature is one more piece of information they don't need. I also don't give out my zip code or phone number and, if I feel they really do need it, I'll make them jump through flaming hoops before I give them my SSN.

      To me this is just another example of a technological gadget that contributes nothing to the transaction but allows the company to store yet another piece of personal information that they don't really need.

  • Being cautious I asked what it was for and I was assured that it was 'fully secure and safe to use'.

    You asked the person working at the cash register and got that answer?? At least the answer sounds good, but how true is it?? I can see an employee meeting and this is brought up... The manager responds, "In case anyone asks, tell them 'It's fully secure and safe to use.'"

  • by vsync64 ( 155958 ) <vsync@quadium.net> on Saturday August 03, 2002 @11:25AM (#4004511) Homepage
    Until recently, I used to work at Office Depot. During this time, the store switched over to electronic signature pads. To their credit, they did tell us how to bypass this procedure and allow the occasional paranoid customer (with suitable rolling of eyes) to sign on paper. Unlike Best Buy, from what I've heard.

    I was one of those paranoid customers whenever I bought something from the store, and I disliked having to allow customers to use the pads, for several reasons:

    You can guess a lot by how someone signs their card, and having the card in hand allows you to verify the pattern of hand movements for the signature, as well as check expiration date, holograms, etc. With the self-swiper, the customer retains the card at all times. Sure, you can watch the hand movements and compare to the signature if you get a glance at it, but regardless, most people put their card away quickly and furtively, triggering mental red flags, and then get pissy if you ask "Sir, may I see the card and a photo ID please?". So you lose either way.

    Secondly, the company would have a perfect digital record of the signature. Note that I said "company", not "store". While it's true that signatures could easily be forged from paper receipts, having a single giant database of signatures presents a much more tempting target, and a much greater reward should it be compromised. Keep in mind that Office Depot is the same company that has all their "locked-down" in-store kiosks brag about the need to enable unsigned ActiveX controls, so I'm not the most confident in their data security.

    This annoys me as a customer of other stores, too. "See ID" means nothing if the retailer never gets a chance to see it written on my card.

    The world of credit cards is rife with fraud and incompetence anyway. Gas stations and convenience stores are the worst. (I was recently in a gas station where the clerk told me, "Well, your signature matches, so I won't ask for your ID." Gee, thanks, lady.) And they're as obsolete as cheques -- we won't be remotely secure until we have smart chips in every card and deprecate all legacy swipers -- but I'm not sure if being secure in my identity can make me feel more secure overall. There are good reasons to keep the anonymity of cash around.

    Note that I wanted to use em dashes (&mdash; HTML character entity) in my penultimate sentence, but I guess Taco has decided to disallow the ampersand escape and further muddy the waters of HTML. Way to go, guy. Is it too complicated to equate &nbsp; with the space character in your joke of a "lameness filter", instead of restricting those of us with US keyboards to ASCII-7? I notice you've already made an exception for &amp;.

    • Actually you can get a paper receipt to sign on at Best Buy. If the cashier doesn't know how, just tell them to hit "cancel" when you are supposed to sign on the pad. The register will spit out your receipt and then another receipt for you to sign on (which they keep).
    • most people put their card away quickly and furtively, triggering mental red flags, and then get pissy if you ask "Sir, may I see the card and a photo ID please?". So you lose either way.

      You can't turn down a credit card purchase just because they won't show you ID. I guarantee after a few people fill out this form [mastercard.com] you will change your tune.

      Also, I find it funny that "no ID required" is one of the big selling points banks are using to try and get people to switch to debit cards. There is no ID required for a credit card purchase either!

      • The reasons they advertise "No ID required" for Debit/Check cards is that most places want to see an id when you write a dead-tree check.
        • The reasons they advertise "No ID required" for Debit/Check cards is that most places want to see an id when you write a dead-tree check.

          Well. Cheques and card-swipes are practically identical any more. Merchant cheque verification ensures that funds are in the account, and until CVV2 and smart-cards become more prevalent, the credit card interface provides no more proof of identity, and is more convenient to use for fraud.

          I can't blame someone for wanting to see ID on a self-certifying document. If it's a card-present transaction, I guess it's the bank's loss, but I would expect them to request the most stringent checking possible.

          As far as legality goes, I'm now puzzled about the legality of requiring IDs for cheques. Considering that just scribbling down your name, bank, and account number is more than required for a legal document, where do they get off? Is it just contractual obligations with the credit card issuers?

          I never had anyone protest about me requiring ID, either. Guess we've all been brainwashed...

      • You can't turn down a credit card purchase just because they won't show you ID. I guarantee after a few people fill out this form you will change your tune.

        Interesting. I did not know this, but it does appear that if MasterCard is calling it a "violation" that you are at least partly correct. Sigh. All I know is that I was ordered to require ID on any purchase over $100. Everything else was at my discretion.

        Aren't you allowed to require ID if the signature doesn't match, though? (And yes, I know that the signature is authorization, not identification. I seem to be the only one who does.)

      • "no ID required" is one of the big selling points banks are using to try and get people to switch to debit cards

        And yet another reason I won't get a debit card. Banks love them because the money instantly disappears from your account. Tough luck if it wasn't you using it. But I'd rather take advantage of the float on checks or credit cards myself, thanks.
      • Thanks for the link. Makes me want to head out to my local Best "we aren't subject to our merchant agreements because we're so big" Buy with my MasterCard right now.
    • "See ID" is not a replacement for a signature. Hence the notation "Authorized Signature, not valid unless signed" which appears on all credit cards.

      Not signing your credit card indicates that you have not agreed to adhere to the credit agreement with the issuer. A merchant is in violation of the merchant agreement for accepting such a card as payment.

      Matching signatures between receipt and card is also not crucial -- you are simply re-affirming your agreement to adhere to the terms & conditions of the credit agreement. Other than being a (poor) indicator of whether a card is legitimate or not, checking the signature is a useless exercise.
  • More and more recently, I've been presented with these pads. I've gotten more brazen and now whenever I get one of those pads... I simply sign it with a horizontal line. Couriers and cashiers never seem to care or check.
  • paranoia (Score:4, Interesting)

    by anthony_dipierro ( 543308 ) on Saturday August 03, 2002 @12:37PM (#4004720) Journal

    Being a typical paranoid Slashdotter I offered to sign off of the pad but refused to sign on the pad.

    What's the point? Now all they need is a half-decent scanner and they get the same result - a digital copy of your signature.

    Was I over reacting or can someone back up my paranoia with some facts?"

    You were overreacting.

    Think about it, some deceitful vendor has one of these, sells you something, gets your signature, and can then ring up loads of charges on your card using a digital copy of said signature over, and over, and over...

    How is this something which can't be done with a photocopying machine and some scissors? And why would the person "ringing up loads of charges" care if the signature matches or not? It's not like vendors have a central database of signatures that they check against. At best they check against the signature on the back of your card, which they can only do if you're in person, in which case you can't use a digital signature anyway.

    Do the current crop of signature pads prevent against this and other similar kind of deceit?

    Maybe your misconception is what the signature pad does? Signature pads merely record your signature. They don't check it against a central database or anything. Even if they did, this wouldn't be subject to defeat as long as you witnessed the person making the signature.

    Or maybe your misconception is over who is responsible for fraudulent charges? A credit card purchase is simply a contractual agreement to pay. If the purchase is fraudulent, the merchant loses. Not the credit card company, and not the owner of the credit card (except for up to about $50 in some cases where the credit card was stolen). If your credit card wasn't stolen and the charge wasn't made with your permission, you're not responsible for the charges. Period.

    So what does a signature do to protect the merchant? It does two things. One, it allows the merchant to check the signature against the back of the card. Two, it gives the merchant a record of the contractual agreement.

    Will a judge render a judgement for the merchant in the case of the merchant forging a signature? It's possible, but there are a number of things against it. One major reason is that when a merchant gets too many chargebacks, they are generally dropped by the merchant bank. So the amount of money you can steal before you get caught is relatively low. Then, on top of that, a judge would generally take a digitally scanned signature as lesser weight than a regular one. Finally, if you can subpoena the original signature from which the copy is made and show that they are identical, then you have a slam dunk case, and the merchant will probably wind up in jail. Besides, a signature can be forged just as easily with a handy dandy photocopying machine.

    So, if anyone loses from digital signature pads, it's the merchant.

    • Being a typical paranoid Slashdotter
      sheesh... you make it sound like slashdot readers are as bad as the elderly who sit reading weekly world news and national enquirer and believing all of it...
  • lost/stolen cards are usually reported by the owner as soon as it is noticed. even so, the credit card companies will remove bogus charges, usually in one phone call. i should know, i worked in a retail furniture store for nearly 4 years. customers, who were legit, but had a case of "buyer's remorse" could call their cc company and get the charges canceled, even though we had 2 sig's; one for the furniture (with a can't cancel clause after 3 days - CT law) and the other on the cc receipt. it doesn't matter, the cc companies all take the old view of AMEX, screw the business, we want to keep our customer.
  • ... to give my signature digitally. Whenever I go to a store that I know uses one of them, I inform the cashier that I don't give my signature digitally, and tell them I require a "regular" receipt.

    There's no law on the books that says one has to give a signature that allows for digital capture.

    I have yet to run into a situation where I'm informed that they don't offer it. Besides, by that point they've already billed my credit card. If they can't put the money back without a (digital) signature, they're going to have to give me cash, or I'm leaving without signing.

    What annoys me is why the fsck Fry's insists on photocopying your driver's license whenever you attempt to write a check. Isn't that illegal?
    • I have yet to run into a situation where I'm informed that they don't offer it.

      Try picking up a "signature required" package or registered mail at a Canada Post Office.

      photocopying your driver's license whenever you attempt to write a check. Isn't that illegal?

      I don't know about photocopying, but I've always seen clerks writing your drivers license NUMBER down on the back of cheques.
      • In many states, Virginia included, it is illegal to photocopy a driver's license. We also have an opt-out policy for SSNs on our licenses. You can get what's called a 'T' number instead that has no relationship to your SSN other than in DMV's database.

    • Definitely not illegal here, it is actually encouraged to prevent fraud.

      A photocopied license cannot be used for identification purposes, so they can't use it to apply for any services, etc.
    • Fry's operates in several states (at least three), however as their largest presence is in California, I'll assume you're there.

      I know California has a _lot_ of privacy laws, and their laws are online. I seem to recall hearing about one that prevents merchants from writing your license number on checks you write to them, if you request they do not, or something.
  • All it takes is a merchant account, your name, number, and expiration date to make charges to your card. (Some cards get you slightly better rates if you provide an actual address and zip code.) The signature doesn't do anything except give them some leverage in case you reject the charges; a dozen transactions with the same signature "proof" is not going to be any leverage worth speaking of!
  • Actually, they record your signature for their protection, and put it in a database that records what you bought when you used your credit card. They do this because if you dispute the charges, the Credit Card company always falls on the side of their customer, unless they have a great reason why they should not believe them. So the first thing the credit card company is going to ask for is proof that the customer made the purchase they claim they did not make. If the merchant can provide the signature, credit card number, and an invoice of what they bought, they are half way towards winning their side of the dispute.

    All that the signature pad does is give them a digital carbon copy that they can more easily manage. No more paper receipts, and it is easier to keep them all in one centralized repository that they can access if a dispute arises.

    However, this does not mean that you or the merchant can be lax in their duties. You must still watch out for the fraudulent merchant who may charge you for more than the purchase is worth. The waiter who will slip extra items on your bill. We may not have to worry if merchants shred their carbons anymore, but worry about how those who have access to the new storage medium use that access. Always review your credit card statement, and compare it with receipts you saved from your purchases. Double check everyone's work, because it is your money they are playing around with.

  • At first I thought you were just paranoid. As a credit card user you are protected against fraud in many ways. Plus the card company pays a lot of money for systems that statistically search for fraud. I know because a friend works for the company that provides the software most of the banks that issue cards use. Plus, after all it's not any harder to steal your signature the old fashioned way - with a scanner.

    I actually ran into this issue at work once. My boss wanted his signature scanned so that he could have it on his letterhead and never have to pull out his pen again. That is until I asked him how secure he thought his computer was. Yes, security was my responsibility but they didn't give me much time to spend on it and virtually no budget. Plus I think his password was "porsche" and he wasn't about to change it.

    Anyway that was 10 years ago. It does bring up the reason to be paranoid, however. A database of signatures is a worthy target for any cracker and it's likely worth something to the holding company. So what do they do with it anyway? I can't imagine that the benefits of being able to produce the signature from anywhere are all that great. Plus you can't prove that the signature didn't come from a different purchase or a different database anyway. So why go through all this trouble? I would be interested to hear the stats on the fraud that this kind of system prevents. I'm guessing it's minimal. So what is the worst case here? Likely nothing but then again a cracker could use the data for purchases or identity theft and a malicious company could use the database for something like spam only much worse. "He said we could handle his long distance. See, we even have his signature"

    BTW, I like the earlier post about dragging your fingernail across the paper. Yea, some systems might require extra passes of the pen but it's simple and effective.

  • It's unfortunate that companies are deciding they need us to prove ourselves to them, but they don't take basic security into account for us. More and more people who have no right to are demanding my social security number, signature electronically or thumbprint. And I refuse.

    First off it's illegal to demand a SSN unless they are your employer, bank, stock broker or the army and you're enlisted. Every credit card that demands it is breaking the law.

    The solution to that is to give them a bogus one-- unless you're applying for credit. Then if you give them a bogus one it's fraud, even though it's illegal for them to ask in the first place-- unless you give them a patently bogus one.

    Anyway, I have learned that the idiots that work for these companies don't understand security and think you're being stubborn for protecting your rights, so I stopped arguing with them-- I just blow them off. The UPS guy asks me to sign for packages and I do-- but the signature bears no relation to my name.

    Same thing when asked to electronically sign for a credit card- I give them a bunch of squiggles... so far nobody's actually compared.

    Thumbprints are the worst-- bank tellers are the most obnoxious about saying it's for my protection-- which is the most blatant lie I've ever heard. They don't take too well to being asked "Exactly how does this protect me?" Usually I refuse. So far they haven't escalated the issue-- I think they sense the eagerness with which I approach the opportunity to dress down a bank manager on how lax their security is, and how ironic it is that a BANK has such bad security, in front of all their customers. The thing is - these people KNOW that they are not providing adequate security, but they don't have the power to change it either.

    It is your duty, whenever someone demands of you something that is not their right to demand, to give them a bogus biometric. It's the only way to protest and it's the only way to protect yourself.

    So far, writing to companies and pointing out that using SSN as a "password" is stupid (every bank I know of does this) has gotten nowhere. But Office Depot, UPS, et al, have a lot of useless signatures on file.

    • Banks are required to collect SSNs for interest-bearing accounts, because interest is taxable (and thus reportable) income.

      I suspect that they're also required to collect SSNs for regular checking accounts. It helps the Fed catch those nasty money-laundering drug-dealing kid-porno-peddling terrorists. :-)


      • Of course. Which actually is really just yet another reason the IRS is a bad idea. That they use it for passwords however is unacceptable.

        This is yet another reason we should get rid of the current system and implement a Fair Tax: www.fairtax.org

      • but nowhere does it require your social security number to be used as a password.
  • The privacy issues either way are about the same. The real issue is how easy would it be for an employee to steal your signature?

    With a paper receipt, any pimple-faced cashier can palm your carbons and have your signature. With a digital signature, it would take a few geeks in collusion to get access to the files and a suitable output device. Making a "loopback device" that would allow them to charge things using that signature directly would be even harder, unless the system was written by M$FT. Granted they could steal as many as they wanted, but it would be all so much harder and obvious than pocketing carbon copies of paper signatures.

    But as others had said, hardly anyone verifies signatures anymore. Most of the time I have my credit card back before I even get the paper to sign.

  • This is more of a debate of advancing technology versus privacy and security lost. The easier daily routines become due to better and cheaper technology, no one can doubt that privacy and security are taken for granted.

    So I pose to the /. community...

    Option #1: Do we embrace technology for the sake of speeding along advancement, thereby being retro-active when security flaws or privacy issues come to bear?

    Option #2: Or do we be pro-active and address all concerns prior to public consumption, thereby possibly slowing down technological advancement considerably?

    Hmmmmm......
