Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

America, wake up: stop being "security sheep"


OK, I need to complain a bit here.

Yesterday I went to Best Buy to get a new digital camera. I already knew which one I wanted, so I found a sales guy, pointed to the display unit, and said, "I'd like one of these."

"Sure," he replied. He found the keys, unlocked the cabinet, pulled out a box, and said, "I'll meet you at register four."

"Eh?" I asked. "Can't I just carry it?"

"No, the policy is that I have to carry it."

"What a stupid policy," I grumbled, "treating all of your customers as if they're thieves."

Then when making the purchase with a credit card, the cashier demanded to see my ID. "Why?" I asked.

"To verify your identity."

I walked out of the store, with my camera, but not in a good mood at all. I spend a lot of money at Best Buy and I don't appreciate the assumption that I'm there to steal something. Furthermore, asking for ID during a credit card purchase is just dumb. Credit card companies really don't care who you are. Once the authorization is received, the transaction has already been processed, which includes a serious amount of "transaction authentication" to detect and reduce fraud. This is far more reliable than some clerk comparing names or -- worse -- signatures. And how come it never seems to dawn on the policy-making folk at these stores that online purchases don't require ID?

How did we get into this mess of distrust by default? My thinking followed this process:

  1. First I blamed the September 11th terrorists. You bastards, if you hadn't done what you did, then Americans wouldn't be so afraid of strangers and so quick to assume that anyone who doesn't "look right" is a rapacious murderer.
  2. No, it isn't the terrorists. It's the media. Owned by money-grubbing conglomerates with their lips pressed firmly against the wrinkled white flesh of the other Washington's (that's D.C.) buttocks, the media assists the politicians in their drive to keep America terrified. For when the people are terrified, they can be controlled, and even have their civil liberties illegally stripped away without nary a peep.
  3. Finally, I realized: it's our own fault. We as free citizens have the solemn responsibility not to allow ourselves to be manipulated by those who would benefit from our sheepishness. While we citizens have no control over the media (this is a good thing) and little control over our current government (this is a bad thing), we have complete control over how we react to the tactics of both -- as well as the tactics of those who would do us physical harm.

America is paralyzed by fear, and this fear has caused us to regard with great suspicion those whom we necessarily interact with every day. The only way to move beyond this is to refuse to allow yourself to be manipulated. While you can't just refuse to show your ID if you want to buy something with a credit card or get on an airplane tomorrow, you can begin having conversations with your friends and neighbors -- help people understand that only when we all rise against the backlash will there be change. And chat up a stranger, too. In my travels around the world I've met hundreds of folks; I'm convinced that the overwhelming majority of people are kind and decent and simply looking for someone to listen to their stories. Be a listener -- it's amazing what you can learn. And little by little, we can undo the paralysis that defines life in the 21st century.

 

Comments
  • I don't know, Steve - it's a store policy, not a national policy, and it probably exists because they looked at the costs and benefits, and determined that they end up losing money when they allow customers to pick up small, high-value products themselves and carry them around the store.  All it takes is one thief to walk out with one product (or more likely three or more) to wipe out the day's profit on the similar items they sold to all the honest customers.

    And credit card "verification" has been around since there were credit cards - and before that there was a similar demand for verification when writing a check.  In my part of the country (Washington DC metro area) they DO NOT EVEN LOOK at the signature anymore.  I routinely sign with a primitive "X", or an elaborate picture of some kind (stick figure house with chimney and a car out front, or a smiley face blowing a raspberry, or a star with pinwheel motion lines), and I *never* get challenged on it by the store or by my credit card company.  One time in a hundred, the clerk will actually see the "signature" and just laugh.  (And no, it doesn't match the sig on the back of my credit card, because I never signed the back of my credit card.)

  • Did you also have to show your receipt upon exiting the ‘controlled area’ between cashier and exit? Here is some more Best Buy fun:

    http://www.die.net/musings/bestbuy/

    http://www.consumerist.com/consumer/best-buy/best-buy-calls-911-on-customer-asking-for-refund-225169.php

  • I agree with Aaron with regards to "store policy" regarding small high-value products. That's probably also why they have that type of product locked in a cabinet. If you don't like the "store policy", you do have the freedom to buy at another store, or from a web shop.

    Here in The Netherlands there is even a reverse distrust-issue when shopping, because as customers we cannot always trust that we are buying a new product! By law stores are allowed to sell a returned or refurbished product as new without mentioning this. However, Dutch web shops do have to mention this (since you cannot inspect the product prior to buying it), so as a customer you have actually more rights and are safer buying online here..

    With regards to your credit card point, although I do agree that the ID check is not very useful, I think part of the "distrust" problem here is specific to the banking system in America, where credit cards (relatively sensitive to fraud) and checks (which must be cleared and can bounce, which can even lead to criminal charges) are used a lot.

    By contrast, in many European Union countries debit cards are used to make payments, and these cards have PINs, and no manual signature or ID checking is involved. Other payments (such as bills or even online shopping) are done using "giro" (direct deposit), which more and more happens online using "Internet banking", where transactions are authenticated using TANs (which some banks can send to your mobile phone by SMS) or two-factor authentication (often using the chip on your debit card to calculate a response to a challenge). Even though there is some fraud here as well (like cloning debit cards that still use magnetic strips, or obtaining logon credentials for Internet banking using phishing), distrust with payments is not a big issue here in daily life.

    You write "America is paralyzed by fear", that is somewhat the case here as well, especially following a terrorist attack or threat thereof, such as the recently prevented attacks in London, after which liquids and electronic devices were banned from on-board luggage. Many of the security measures that followed since 9/11 are totally ridiculous and do nothing more than give a false sense of security, and many people are buying and accepting it. Most of these measures would not have prevented 9/11. Random secret checks by both authorities and journalists have revealed that there are still many security holes in many airports. People working in the airline industry have less to fear from the general public than we have to fear from them! Many people involved in terrorist plots were working at airports!

    The goals of terrorists not only include killing innocent people, but also instilling fear and disrupting our way of life.

    The response to terrorism (or threats) by the authorities (introducing ridiculous and annoying measures that restrict our freedom and make our lives less pleasant, and using fear to justify this) and media (endless blown-out-of-proportion coverage of any incident that will just needlessly add to the fear) is despicable, and is only making the terrorists more successful at obtaining their goals.

    For example, since two years we have compulsory ID here in The Netherlands for anyone over the age of 14, a pretty controversial measure that is probably very convenient for the police when dealing with offenders, but it is never going to prevent a single terrorist attack.

    Like with your credit card example, where fraud is best detected through "transaction authentication", terrorist threats are also best detected through good intelligence, and not by harassing innocent people and restricting their freedom. Even analyzing the purchases of airline tickets could already reveal a lot of suspicious patterns.

    However, as you mentioned, the citizens are also to blame themselves for putting up with this and letting the authorities and media scare us. If you think about it rationally, what is the chance of any individual to become victim of terrorism? Still pretty slim!

    Just because some terrorists were extremely lucky to slip through the hands of US intelligence and managed to hijack a couple of planes and fly them in to two landmark buildings, doesn't mean that most US citizens really had a real reason to fear for their own lives as well, but still many people were afraid, and the authorities and media certainly played a big part in that too.

    However, we do have control over the media! A quote from Time: "Time's Person of the Year: You! Yes, you. You control the Information Age. Welcome to your world." and "In 2006, the World Wide Web became a tool for bringing together the small contributions of millions of people and making them matter".

    I mean, you're expressing your opinion on this blog, calling on people to stop being security sheep, and many people will read it, and some will even respond to it.. ;-)

    Even the old traditional media (TV, papers) nowadays listen much more to their audience, getting feedback through their websites, e-mail, blogs, etc. Citizens also control new media like Wikipedia, websites, blogs, YouTube, etc. Something like the 9/11 conspiracy theories, crazy as they are, is something that spread like wildfire through the internet. However, this also showed that many people are easily deceived and are not able to judge what information they can trust (which is also why something like phishing works).

    The bottom line is:

    - a very small minority, from shoplifters to terrorists, is spoiling things for the rest of us.

    - many people *are* sleepy sheep.

    :-(

  • Aaron,

    Be careful. By not signing your card, you may be violating your cardholder agreement. If this is the case and your card is stolen, you may find yourself on the hook for someone else's shopping spree at Best Buy.

  • There is the argument that if you treat people as thieves, they'll act that way.

    Just look at how most hotels require a credit card imprint when you check in.

    Which then leads people to acquire anything in their hotel room which isn't nailed down.

    Soap, coffee sachets, towels etc. :-)

    And anything that can be pried up is not nailed down!

  • I agree on your point of carrying the camera, which although may be protecting the store and hence us from higher prices, it is simply degrading, and is akin to being escorted from the premises. It's not conducive to a happy customer experience and hence could/will hit the store's bottom line (maybe even more than theft of the odd item).

    But on the credit card side, although the argument may be valid, hasn't ID validation been inherent ever since credit cards started carrying a copy of the individual's signature? Whether the store check that signature or not it is simply there to validate that the signer is the card owner - and yes this is an unreliable method and why most of Europe use chip & pin for credit card transactions (also not 100% secure but what is?) - after all, as per Tech Ed - we all just need 'enough' security not total.

  • More to the point, this might not be completely about security, and more about money.

    Often, salespeople at large retailers get "spiffs" (http://en.wikipedia.org/wiki/Spiff) for selling certain items, sometimes from the store, and sometimes from the manufacturer.  He may have been going to get a copy of the receipt to claim his spiff.

    Also, I believe credit card processors discount merchants' per-transaction charge the more verification they do during the sale. The ID requirement may be so they pay less on each charge.

  • What I hate even more is when a store, like Target, that has a device that allows me to swipe my own credit card, then asks for it and my ID while I am putting the credit card back in my wallet. Is that "anti-convenience"? If you are going to ask for my credit card anyway, swipe it your own damn self! :)

  • From "Rules for Visa Merchants" guide (http://usa.visa.com/download/business/accepting_visa/ops_risk_management/rules_for_visa_merchants.pdf)

    Page 29

    "Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures"

    By the way minimum charge amounts and transaction fees are not allowed either. (Page 10)

  • I can't speak about the store employee-carry policy (however, I would assume it's related to loss prevention measures) I can comment on the credit card measure.

    I do Payment Card Industry (PCI) audits.  Banks have started an incentive plan for merchants to require secondary authentication (photo, PIN, fingerprint, zip code) so Visa/Mastercard/etc lowers the banks' per-charge rate for transactions.  This is why you have started to see the gas pumps asking for your zip code at the pump.  It is a way for banks to show that they are making efforts to lower fraudulent charges, thus easing the financial burden on the credit cards, who is generally responsible for covering the costs.

    It's just a cost savings effort by the bank that Best Buy uses, which is passing down the incentive to Best Buy somehow, generally in the per-transaction fees to Best Buy.

    Moral is, prove who you are, and you get stuff cheaper - just like at the grocery.

  • Visa and Mastercard both prohibit merchants from requiring identification as a condition of sale. Mastercard even has a complaint form on their web site for customers to report such merchants. Don't know that they actually follow up though.

  • I am almost never asked for ID when shopping, though one incident is worth noting. A few months back I was at CompUSA and made a $35 purchase. The cashier asked for ID, and I refused. She was a bit flabbergasted but she processed the transaction anyway.

    Best Buy has never asked me for ID, not even last week when I spent over $1,000 at once and signed my name on their terribly scratched pad.

  • From a security standpoint, I would LIKE to be asked for ID when using my credit card in stores, at least for large purchases.  Kind of a primitive type of two factor authentication (something you have + something else you have that has a picture on it).  The downside of this is that it forces purchasers to carry specific types of ID that are acceptable to the evaluator (cashier) -- what if you don't have a driver's license, passport, whatever.

    Alternately, a PIN protected chip in the card itself (something you have + something you know) or a photo on the card (something you have with some evidence that it belongs to you) would serve the same purpose, perhaps better.

    For a couple of years, I carried a credit card on which the signature strip said, in my handwriting, "Please request picture ID".  Not once was I asked for ID when using that card in stores, restaurants, hotels, etc.  When I got a replacement card, I just signed the damned thing and left it at that.

  • I noticed this behaviour here in Germany about three years ago. Some big stores required the ID _before_ they put the card into the reader.

    IMHO this is a respectable process and should be considered as another step in customer protection.

    I tell this because I've seen sellers that don't bother about a valid ID and don't bother about signatures on the bill. So requesting an ID before the credit card process happens is a good thing.

    In the case my credit card gets stolen (hopefully this will never happen *knock on wood*) I can only hope that there is a salesman that requires the ID of the thief _before_ he puts the card into the reader.

    About the salesman that carries your digital camera... see it the other way round: At the process of choosing the article, you haven't paid them a cent by now. So it is in the interest of the store to protect their value until they sell it to you by paying with your credit card. It's not a nice thing but it is understandable. If you blame this salesman, you could blame the other security things like cameras observing the customers or like the alarm installations that protect the other cameras or cellphones, e.g. This can also be seen as a global distrust.

    About distrust by default I have a 4th thing to add: money spoils the character.

    Regards,

    cwoller

  • The "Credit card companies really don't care who you are" bit isn't entirely true. Credit card systems sometimes send an "ask for Id" message to the merchant terminal.
