Security Ignorance and Fraud

2006-08-23

Richard has been talking about security scams over at Gendal World. There certainly seems to be a lot of empirical evidence that security principles aren’t well understood by the general public.

For example: My credit card expired recently. On receiving the new one, I forgot to sign it, and put it in my wallet with the back blank (yeah, I know). I’ve since been able to use it twice unsigned:

At a pub, I paid for ~£10 worth of drinks. They didn’t use chip-and-pin, so I was asked to sign. When the barman noticed I was missing a signature, he pointed out that I really should sign it, but ’this time’ he’d take other ID. I showed him my photo driving licence (with a signature), and there were no further questions. I was sufficently fazed that I forgot to sign it again, and:
At a shop in Southampton airport, I went to pay for a magazine. Again, no chip-and-pin. When noticing the card was unsigned, I was again encouraged to sign it, but this time no other ID was required - even though I offered my driving licence. ‘I’ll trust you’, I was told.

Of course, it is dumb for me to walk around with an unsigned card in my wallet. However, it’s also dumb for these retailers to accept it. You could argue that it’s a low risk for them - I look respectable, I have other ID with my photo and signature, and these are low amounts involved. Whether they are breaking their contract with the bank by accepting it, though, I don’t know - I suspect it would frowned upon, at least - and they are probably liable for any fraud.

I was tempted to leave the card unsigned and see how much longer I could get away with it. If I wasn’t putting myself at risk, I’d do it, but I’m paranoid about losing things, so I haven’t. But it’s curious to see just how easy it is to get away with some things.

Comments

Bruce Schneier has also been discussing user education on security recently: http://www.schneier.com/blog/archives/2006/08/educating_users.html

— andrewferrier 2006-08-23 22:09

Well, I think that trumps my story. Accepting it unsigned is one thing, but accepting that two signatures match when they've just been written in plain view is clearly pure stupidity. Where was this? Are you willing to dob in the guilty party? :)

— andrewferrier 2006-08-23 21:43

I had my card unsigned for ages. I have been asked to sign the card in front of a cashier, and then they checked that my signatures matched (both done in front of her!) Really, the whole signature thing is useless for security. Your card should really have a photo of you on the back like they do in Europe, and only chip and pin should be accepted (well, it is the shop's risk i suppose, so they can accept a signature if they want)

— Anton Piatek 2006-08-23 10:15