Thoughts about identity theft

On 4/8/05 13:47, "Johann Beda" <st-tidbitsbeda.ca> wrote:

>> Yeah, lot of good that does. Every had your checkbooks stolen? I
>> had a customer who had some checks stolen and even though the
>> signature looked NOTHING like hers, they were cashed anyway. See,
>> real humans never see checks anymore; everything is machine processed.
>
> It is however a lot easier to convince the bank and maybe the
> police that "it ain't me that done dat" if the signatures do not match.

In any event, you're not liable if you didn't write the check.

--
John C. Welch Writer/Analyst
Bynkii.com Mac and other opinions
jwelchbynkii.com

At 11:47 AM -0700 4/8/05, Johann Beda wrote:
>At 6:51 AM -0700 2005/04/08, Google Kreme wrote:
>>Yeah, lot of good that does. Every had your checkbooks stolen? I
>>had a customer who had some checks stolen and even though the
>>signature looked NOTHING like hers, they were cashed anyway. See,
>>real humans never see checks anymore; everything is machine processed.
>
> It is however a lot easier to convince the bank and maybe the
>police that "it ain't me that done dat" if the signatures do not match.

My former mother-in-law worked at one of the larger banks in the Washington DC area before she retired, in the department which handled checks which had bounced. They handled thousands of checks every day; and they were the only ones in the whole check clearing process who ever compared the signature to anything on file.

The only things on a check which are even looked at in normal processing are the amount of the check (in numbers), and if there is a signature, any signature. Not the date, not the payee, not the amount in words.

The only time a human ever looks at a check is when the amount is encoded along the bottom. After that it is all automated. Nothing else is ever looked at, UNLESS there is a problem. It is much less costly for the banks to deal with the problem checks than to prevent the problems in the first place.

So the bank will never discover a problem unless the check bounces. You have to point it out to them, and that's when the signature comes into play.

Dave

On 4/8/2005 14:18, "David W. Vaklyes" <dwvwmc-worldwide.com> wrote:

> The only things on a check which are even looked at in normal processing are
> the amount of the check (in numbers), and if there is a signature, any
> signature. Not the date, not the payee, not the amount in words.

Or in some cases no signature, although there was *something* in that area.

I managed to send in (last minute of course--the form is horrible) a
Michigan Intangibles Tax form and payment forgetting to sign the check. The
state very nicely stamped "Honor Without Signature blah blah Guaranteed blah
blah" in roughly the signature area, and indeed the check was honored and
seemingly not delayed.

I don't know whether Joe's Bar and Grill can do the same.

  --John

On 4/8/2005 14:18, "John C. Welch" <jwelchbynkii.com> wrote:

> On 4/8/05 13:47, "Johann Beda" <st-tidbitsbeda.ca> wrote:
>
>>> Yeah, lot of good that does. Every had your checkbooks stolen? I
>>> had a customer who had some checks stolen and even though the
>>> signature looked NOTHING like hers, they were cashed anyway. See,
>>> real humans never see checks anymore; everything is machine processed.
>>
>> It is however a lot easier to convince the bank and maybe the
>> police that "it ain't me that done dat" if the signatures do not match.
>
> In any event, you're not liable if you didn't write the check.

If you can prove you didn't write the check. Not *quite* the same thing
(although if the bank wants to keep your account: ie, you aren't a high
cost customer) it's close to the same thing.

Unfortunately, statutory and Federal Reserve regulation changes have
invalidated some wonderful old case law, including the case in which the
court held that a check written in proper form on a watermelon was valid.

  --John

On 8 Apr 2005, at 12:47 :48, John C. Welch wrote:
> On 4/8/05 10:43, "Google Kreme" <gkremegmail.com> wrote:
>
>> I've walked away from multi-thousand dollar purchases because some
>> moron decided I had to provide ID. Requiring ID when presenting with
>> a valid credit card is a violation of the merchant trade agreement
>> between the company and Visa/Mastercard. In fact, the Apple Store
>> Cherry Creek has reversed their policy on this, based, in part, on me
>> I believe. I contacted not only the store manager, but Apple
>> Corporate and Mastercard when i was asked to show an ID to purchase
>> some iPod accessories. I've not been asked for an ID since.
>>
>
> You do realize that by doing that, you made the life of credit card
> fraud
> people *easier*, not harder.

Forging a signature is rather difficult, and even a cursory
examination of the card and the signed slip (or in The Apple's store
case the touchpad signature) will reveal a fraudulent purchase in the
vast majority of cases. The fact that NO ONE checks the signatures
is not my problem. If merchants start caring because they are losing
money to fraudulent sales then they might start enforcing only
accepting signed cards and ensuring the signatures match. But, in
cases where a card is presented at the POS, the instance of fraud is
so infrequent as to be statistically insignificant.

And I don't believe in carrying ID. I don't write checks precisely
because I don't want my address and phone number and driver's license
number in countless merchant's databases. My credit cards are all
billed to a mailbox, and my shipments go to a mailbox. Nearly
nothing is shipped to my home address. i don't use my mother's
maiden name as a security word because anyone who knows me knows my
mother's maiden name; I use a completely unrelated word instead. I
never use my real birthday on any web site that claims to require a
birth date. Instead I use the easy to remember 31-Oct. I use a
different password on just about every web site (certainly everyone
that is involved in purchasing anything).

On Friday, April 8, 2005, at 02:47 PM, Edward Reid wrote:

> At 06:51 AM 04/08/2005 -0700, Joseph H. Dougherty wrote:
>> thieves do not typically order "expensive *monthly* packages of any
>> kind
>> (discovery horizon, anyone?); and fraudulent orders tend towards
>> vendors
>> who deliver a lot faster than does Gateway.
>
> You might not think so, but ...

> In the original case, I'd say that Joseph's lawyer friends are wrong.
> The
> thieves wanted a cell phone to use for a month. Are they going to go
> into a
> cell phone store and say "I want a cheap one-month contract"? Of course
> not. Cell phones are bought with subscription plans, and the thieves
> don't
> want to rock the boat, so they order a subscription plan. They don't
> care
> that it stops working in a month (or less). They just throw away the
> phone.
> And as for expensive, that just makes the store worker more eager to
> complete the sale and less likely to become suspicious.
>

They'll probably throw it away before you'll receive the next bill. A
lot of calls overseas can be run up in the course of a few days, and
even worse, a lot of drug deals and other illegal activities can take
place over the phone, which could be traced back to the name on the
stolen credit card number was issued to.

Criminals do buy "burner" cell phones with cash so their calls cannot
be traced - it was an important plot element of HBO's "The Wire" this
year.

Marilyn

> In the UK, merchants always hold onto the card until the slip has
> been signed, compare the signature, and only then return your card.

In New Zealand, merchants almost never look at the back of the card.
However, they rarely need to, since the number of people that sign for
credit card transactions (rather than using a PIN) gets lower every day (I
would say that most of the people that still sign for transactions would be
at least middle-aged).

I use my credit card for most of the things I buy, and I can't recall the
last time I had to sign for a transaction (other than when overseas). If it
were possible, I would happily exchange my card for one that *only* accepted
PIN transactions (or online ones) and couldn't be used with a signature.

Is using a PIN with a credit card not common in the US?

(In terms of identity theft, ISTM that a PIN is much better for preventing
fraud when the card is physically present, but as useless as a signature for
anything online, over the phone, and so on. I would assume that 'remote'
fraud would be the majority, since you don't run the risk of being caught on
camera).

=Tony.Meyer

John C. Welch wrote:

> You do realize that by doing that, you made the life of credit card fraud
> people *easier*, not harder.
>

Howso? The merchant is supposed to compare the signature on the back of
the card with the signature you put on the receipt; I think forging a
signature is probably more difficult than creating a fake photo-ID.
(Consider that the merchant probably takes any photo ID, not just
in-state driver's licenses)

On 4/11/2005 7:54, "Tony Meyer" <ta-meyerihug.co.nz> wrote:

> Is using a PIN with a credit card not common in the US?

None of my credit cards has any facility for using a PIN. One of them does
bear a photo (Bank of America).

The two ATM/Debit cards do of course use PIN, but when used by a merchant
that does credit cards but doesn't have debit card capabilities then it's
the usual signature business (Cingular's AT&T Wireless store in the handy
"nearby"--35 minutes--mall was the most recent case for me).

By the way: a potential advantage of Debit card over Credit card is the new
USA concept of "Universal Default" wherein one (or for some cards two
consecutive) missed payments trigger punitive rate increases not only on the
card in question but potentially on all others (and perhaps on your
adjustable rate mortgage if written recently). It's hard to pay late on a
debit card.

    --John

On 4/11/05 08:02, "Anthony DeRobertis" <anthonyderobert.net> wrote:

>> You do realize that by doing that, you made the life of credit card fraud
>> people *easier*, not harder.
>>
>
> Howso? The merchant is supposed to compare the signature on the back of
> the card with the signature you put on the receipt; I think forging a
> signature is probably more difficult than creating a fake photo-ID.
> (Consider that the merchant probably takes any photo ID, not just
> in-state driver's licenses)

That just establishes that you faked a sig twice. The purpose of the ID, is
to verify the name and the sig. Forging a sig is actually pretty simple,
there's a number of techniques. But the simple way is to find a signature
that is a squiggly line or a merchant who doesn't check id. Then, it doesn't
matter whose card you have. They don't check ID, all you have to do is get
the sig right. Adding ID makes three things that have to match. It's another
barrier, and that's what this is about. Adding barriers. Oh, and most
merchants that check want government issued photo ids.

--
John C. Welch Writer/Analyst
Bynkii.com Mac and other opinions
jwelchbynkii.com

At 7:54 on 11-4-05, Tony Meyer wrote:
> Is using a PIN with a credit card not common in the US?

When I was in the US at the end of last year, signature was used for
all credit cards and for most debit card transactions. However, debit
card transactions at the supermarket and pharmacy required a PIN.
Seemed a bit arbitrary! More disturbing, though, was that the PIN-pad
in the supermarket had no cover over the keyboard to hide my PIN
entry and it was positioned in such a way as to be optimal for
someone trying to watch me type my PIN. I had to practically hug the
thing to attempt some form of privacy.

> In terms of identity theft, ISTM that a PIN is much better for
> preventing fraud when the card is physically present

This is definitely the case (possibly with the exception of the
PIN-pad described above which broadcasts one's PIN to everyone
else!). I used to work for a company that makes credit card machines
and PIN-pads, and it has been shown that in countries (such as France
ten years ago) where they went from signature to mandatory use of
PIN, 'cardholder present' fraud dropped dramatically. The UK is
currently going through a mandated switch to PIN instead of signature
on all cards for just this reason. (As a side note, in the UK it is
still possible to use a signature by saying that you've forgotten
your PIN. The drop in fraud is not expected to happen until the PIN
bypass is switched off in a few years.)

> but as useless as a signature for anything online, over the phone, and so on.

Yes. So the question is whether 'cardholder not present' fraud
increases once PIN is required in person (and if so, by how much).
When France switched to PIN ten years ago, there was much less
'remote' shopping. I'm not convinced that in today's internet-rich
world the reduction in total fraud will be significant.

The final identity-related issue with PIN versus signature is that it
is more difficult to prove a transaction is fraudulent. If a
signature doesn't match, the bank has to accept that you didn't
actually make the purchase. But if someone steals your PIN, how do
you prove it wasn't you who entered the PIN?

_________________
=> Jolin Warren, Edinburgh, Scotland

At 08:07 AM 04/11/2005 -0700, Anthony DeRobertis wrote:
>I think forging a signature is probably more difficult than creating a
>fake photo-ID.


I can say with considerable certainty that no merchant attempts to make
sure the signature on the card matches what you sign with. My signature
varies so much that such an attempt would be worthless. Also, consider the
number of places now where you simply sign an electronic pad.

They check whether you have signed the card and whether you sign the slip
or pad. They may check the name on the card against an ID. If the name
doesn't seem to match your face for any reason, they may ask for an ID and
refuse the card, as many who tried to use a spouse's card have discovered.

Edward
Art Works by Melynda Reid: http://paleo.org

On Apr 11, 2005, at 5:36 PM, John C. Welch wrote:

> But the simple way is to find a signature
> that is a squiggly line or a merchant who doesn't check id. Then, it
> doesn't
> matter whose card you have. They don't check ID, all you have to do is
> get
> the sig right. Adding ID makes three things that have to match. It's
> another
> barrier, and that's what this is about. Adding barriers. Oh, and most
> merchants that check want government issued photo ids.

Except that merchants are not allowed to check ID, by the terms of
their contracts with the credit card conglomerates. This is a selling
point that has been used for the Visa check card in commercials: no
further ID is required when you use it. To repeat: A merchant that
asks for ID, except in the case where the card was not signed when it
was handed to the clerk, is in violation of his or her contract with
Mastercard or Visa.

Beyond that, even easier is to use the card number online. Or on the
phone -- often times the clerk on the other end has enough power to
override any conditions (such as requiring that the billing address and
the shipping address be the same) that the web store places on credit
card orders.

Identity theft is bad, but fraudulent use of credit cards that you know
you have and that fall into someone else's hands is not a difficult
problem -- it's simple enough to check your statement on a
month-to-month basis, or log in online, and to cancel credit cards when
you lose them. The credit card companies bear all the risk; in theory
you're liable for the first $50, but in practice you're not liable for
anything. The real danger is letting your social security number (at
least in the US), date of birth, and mother's maiden name escape into
the wild; with that information, someone can get a *new* credit card in
your name that you don't even know about. In those cases, at least in
theory, the credit card company still bears all the risk, but it's a
major hassle to prove that and get all the damage to your credit
history undone.

Charlton




--
Charlton Wilbur
cwilburchromatico.net
cwilburgmail.com
cwilburmac.com

John C. Welch wrote:
> On 4/11/05 08:02, "Anthony DeRobertis" <anthonyderobert.net> wrote:
>
> That just establishes that you faked a sig twice.

If you've gotten a new card issued in someone else's name, yes. For a
stolen card, the back should already be signed --- so you have to forge
that sig.

> The purpose of the ID, is to verify the name and the sig. Forging a
> sig is actually pretty simple, there's a number of techniques.

A number of techniques that work on an arbitrary signature, in a limited
amount of time, while still looking natural? Those would be the
constraints, I think, to reasonably use a stolen card, at least if
merchants checked the signature properly.

> Oh, and most
> merchants that check want government issued photo ids.

Do you know what a driver's licenses and DMV-issued ID cards from all 50
states and the District of Columbia look like, and what
anti-counterfitting measures are on them? What about passports from 170+
countries? And any other forms of government-issued ID you're willing to
take, like public school ID cards.

On 4/12/05 07:22, "Anthony DeRobertis" <anthonyderobert.net> wrote:

>> The purpose of the ID, is to verify the name and the sig. Forging a
>> sig is actually pretty simple, there's a number of techniques.
>
> A number of techniques that work on an arbitrary signature, in a limited
> amount of time, while still looking natural? Those would be the
> constraints, I think, to reasonably use a stolen card, at least if
> merchants checked the signature properly.

Due to my dad's job as a news reporter in Miami, I was able to have
conversations with cops that some folks don't. I asked about forging a
signature, because it looked really hard. The cop said that if all you want
is something that will pass a quick visual, if you have experience, you can
look natural doing it in about 2-3 hours. I watched someone do a fake sig
well within 5 minutes of seeing it. It depends on the complexity of the
signature and the training of the person looking at it. In most retail, you
can be quite different, and no one says anything.

>
>> Oh, and most
>> merchants that check want government issued photo ids.
>
> Do you know what a driver's licenses and DMV-issued ID cards from all 50
> states and the District of Columbia look like, and what
> anti-counterfitting measures are on them? What about passports from 170+
> countries? And any other forms of government-issued ID you're willing to
> take, like public school ID cards.

Actually, you'd be surprised at the availability of such information to
interested merchants. They even have posters with the major features showing
on all. But, unless you're in a place near a state border, an airport,
interstate, etc., you don't get that many out of state IDs. The ones you do
get are predictable. For example, in Kansas City MO, we get a lot of Kansas
IDs, some military, some Iowa, and the occasional Oklahoma. When I lived in
FL, we got a LOT of Canadian IDs, passports, and the like. Lots of military
ID too. We had handy charts showing us what they should look like. Every bar
or bar - type establishment I've worked at had regular classes on ID
validation. It all depends on how serious the merchant takes things.

john

--
John C. Welch Writer/Analyst
Bynkii.com Mac and other opinions
jwelchbynkii.com

On 4/12/05 12:36, "Charlton Wilbur" <cwilburchromatico.net> wrote:

>> But the simple way is to find a signature
>> that is a squiggly line or a merchant who doesn't check id. Then, it
>> doesn't
>> matter whose card you have. They don't check ID, all you have to do is
>> get
>> the sig right. Adding ID makes three things that have to match. It's
>> another
>> barrier, and that's what this is about. Adding barriers. Oh, and most
>> merchants that check want government issued photo ids.
>
> Except that merchants are not allowed to check ID, by the terms of
> their contracts with the credit card conglomerates. This is a selling
> point that has been used for the Visa check card in commercials: no
> further ID is required when you use it. To repeat: A merchant that
> asks for ID, except in the case where the card was not signed when it
> was handed to the clerk, is in violation of his or her contract with
> Mastercard or Visa.

According to contacts at Citibank, that's completely inaccurate, at lest
with them. Merchants are not only allowed to check, but highly encouraged TO
check, as it is a solid, proven way to reduce fraud. They are encouraged to
check for every transaction.

john

--
John C. Welch Writer/Analyst
Bynkii.com Mac and other opinions
jwelchbynkii.com

On 4/12/2005 10:36, "John C. Welch" <jwelchbynkii.com> wrote:

> It depends on the complexity of the
> signature and the training of the person looking at it. In most retail, you
> can be quite different, and no one says anything.

And of course, on the screen and stylus systems, the forger has a better
chance of making a signature look like yours than you do. Partly, I think,
a disadvantage of my single-stroke (John W. Baxter) signature.

  --John

>I watched someone do a fake sig
>well within 5 minutes of seeing it... In most retail, you
>can be quite different, and no one says anything.

That's an understatement! Check out this experiment with absurd obviously non-matching signatures:

http://www.zug.com/pranks/credit/

The narrative was so funny that I wondered if it was for real, and so did the people on the show "The Screen Savers" (now "Attack of the Show" on G4TV).

They asked their viewers to see if they could duplicate the "signature prank" and the answer was overwhelmingly 'yes'.

--Mariah Carey

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Apr 14, 2005, at 11:48 AM, John C. Welch wrote:

I wrote:

>> Except that merchants are not allowed to check ID, by the terms of
>> their contracts with the credit card conglomerates. This is a selling
>> point that has been used for the Visa check card in commercials: no
>> further ID is required when you use it. To repeat: A merchant that
>> asks for ID, except in the case where the card was not signed when it
>> was handed to the clerk, is in violation of his or her contract with
>> Mastercard or Visa.
>
> According to contacts at Citibank, that's completely inaccurate, at
> lest
> with them. Merchants are not only allowed to check, but highly
> encouraged TO
> check, as it is a solid, proven way to reduce fraud. They are
> encouraged to
> check for every transaction.

A summary of the issues (alas, with no cite more solid than "the fraud
departments at Visa, Mastercard, and American Express"):
        http://www.scambusters.org/Scambusters80.html

Clear statements about the invalidity of unsigned cards, from credit
unions:
        http://www.roscu.org/sign_your_cards.htm
        http://www.unitedhealthcu.org/articles/unsigned.html\

Clearer statements about the invalidity of unsigned cards, from payment
processing sites:
        http://www.paypros.com/merchantSupport.asp (A signature panel with
“Check ID’ or “See ID� is considered unsigned and must be signed before
completing the transaction.)
        http://www.infinitydatacorp.com/security/card-present.html (If the
cardholder refuses to sign the card, do not accept the card.)
        https://www.merchantapply.com/Iagree.aspx (see 7. a. vi., a signature
panel bearing the words "See I.D."... shall be deemed to be blank)
        http://www.busams.com/guide/procedures.htm (The words “See I.D.â€? in
the signature panel is not considered a valid signature.)

A Slashdot story on the subject:
        http://slashdot.org/article.pl?sid=05/03/21/1333258&tid=133&tid=1

According to the published policies of Visa ("Dealing with unsigned
cards"):
        http://usa.visa.com/business/accepting_visa/ops_risk_management/
card_present.html#anchor_5

I can't find a clear statement directly from Mastercard or American
Express about unsigned cards.

Charlton


- --
Charlton Wilbur
cwilburchromatico.net
cwilburgmail.com
cwilburmac.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCXpopgjfs1Vb65uQRAgbyAJ9RB8Zxu28X4mjomoZ06naTYmtJogCfe27u
cyviGUrX5NzCTQezG9QutLA=
=mS/m
-----END PGP SIGNATURE-----

>On 4/8/2005 14:18, "David W. Vaklyes" <dwvwmc-worldwide.com> wrote:
>I managed to send in (last minute of course--the form is horrible) a
>Michigan Intangibles Tax form and payment forgetting to sign the check. The
>state very nicely stamped "Honor Without Signature blah blah Guaranteed blah
>blah" in roughly the signature area, and indeed the check was honored and
>seemingly not delayed.
>
>I don't know whether Joe's Bar and Grill can do the same.

I believe this phrase essentially instructs the bank "go through and
cash it, if it gets disputed send it back to us without question,
we'll pay for it." I've seen this phrase with drafts that are
created to satisfy the $30 service fee for checks that bounce back to
merchants.

In the first case Michigan just reverses the payment to your taxes
and goes after you. In the second case I believe they're just trying
to get what they can get.

Nick