Does your bank request/require that you change the PIN on your ATM card every few months?
ATM cards are not passwords, they are a coarse form of two-factor authentication - You have the card, you have the PIN.
You have to possess both in order to transact - at least in theory.
Compare that with the secrecy surrounding the CVV - the "last three digits on the number on the back of the card" which you are "not meant to tell anyone" and which _will_ be different if your card is lost/stolen and reissued.
If I'm not supposed to not "tell anyone", why is it even printed where I can read it?
----
[Context is only having so-many brain cycles to memorize passwords.]
It's harder as we get old. Use technology to aid with the heavy lifting. :-)
Right. But the meta problem is figuring out which technology to trust.
Phishing is the tip of the iceberg on social engineering. So far, the bad guys are winning.
-- These are my opinions. I hate spam.
Are the bad guys winning though? Are they really?
On Jun 8, 2012 9:43 PM, "Hal Murray" <hmurray@megapathdsl.net> wrote:
Does your bank request/require that you change the PIN on your ATM card every few months?
ATM cards are not passwords, they are a coarse form of two-factor authentication - You have the card, you have the PIN.
You have to possess both in order to transact - at least in theory.
Compare that with the secrecy surrounding the CVV - the "last three digits on the number on the back of the card" which you are "not meant to tell anyone" and which _will_ be different if your card is lost/stolen and reissued.
If I'm not supposed to not "tell anyone", why is it even printed where I can read it?
----
[Context is only having so-many brain cycles to memorize passwords.]
It's harder as we get old. Use technology to aid with the heavy lifting. :-)
Right. But the meta problem is figuring out which technology to trust.
Phishing is the tip of the iceberg on social engineering. So far, the bad guys are winning.
-- These are my opinions. I hate spam.
A friend would print in block letters in the sig area of his credit cards "ASK FOR PHOTO ID". He said that almost always cashiers et al would give a cursory glance like they were checking his signature and say thank you and hand him back his card. Maybe someone mentioned this but merchant card contracts generally (always?) require that you NOT store CVVs when the transaction is over. It's just some double-check remotely that you physically have the card, or did once in the past, etc. and doesn't imprint. Credit card security is about percentages not absolutes, about the cost-benefit analysis. Many years ago I interviewed at a company which was building a big honking multi-processor. They had $150M in pre-orders from BIG CREDIT CARD COMPANY dependent on the machine being able to run a bunch of anti-fraud algorithms they knew were good (run against historical data) but couldn't run in real-time, no iron was fast enough at the time. BIG CREDIT CARD COMPANY estimated, as I remember, that if they could run those algorithms it would catch about $50,000/hour in fraud, so the $150M was a good investment from their point of view. I didn't take the job and they never finished the system. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
----- Original Message -----
From: "Barry Shein" <bzs@world.std.com>
A friend would print in block letters in the sig area of his credit cards "ASK FOR PHOTO ID". He said that almost always cashiers et al would give a cursory glance like they were checking his signature and say thank you and hand him back his card.
This seems like an altogether excellent time to haul out *this* old chestnut: http://www.zug.com/pranks/credit/ FWIW, My cards have always said SEE ID, and I get about a 40% or so hit rate on that. It's been odd recently, cause I sometimes forget, and the privacy reflex kicks in and makes me want to say "Why??" :-) Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
On 06/09/12 15:43, Jay Ashworth wrote:
----- Original Message -----
From: "Barry Shein"<bzs@world.std.com>
A friend would print in block letters in the sig area of his credit cards "ASK FOR PHOTO ID". He said that almost always cashiers et al would give a cursory glance like they were checking his signature and say thank you and hand him back his card.
This seems like an altogether excellent time to haul out *this* old chestnut:
http://www.zug.com/pranks/credit/
FWIW, My cards have always said SEE ID, and I get about a 40% or so hit rate on that. It's been odd recently, cause I sometimes forget, and the privacy reflex kicks in and makes me want to say "Why??" :-)
Cheers, -- jra
My personal favorite is to ask if I spelled my name correctly?
Lyle Giese LCR Computer Services, Inc.
----- Original Message -----
From: "Barry Shein" <bzs@world.std.com>
A friend would print in block letters in the sig area of his credit cards "ASK FOR PHOTO ID". He said that almost always cashiers et al would give a cursory glance like they were checking his signature and say thank you and hand him back his card.
This seems like an altogether excellent time to haul out *this* old chestnut:
http://www.zug.com/pranks/credit/
FWIW, My cards have always said SEE ID, and I get about a 40% or so hit rate on that. It's been odd recently, cause I sometimes forget, and the privacy reflex kicks in and makes me want to say "Why??" :-)
If your card is not signed, your card is invalid and should not be accepted by any merchant. http://www.mastercard.com/us/merchant/pdf/MerchantAcceptanceGuide_Manual.pdf Page 8-2; "Unsigned Credit Cards". VISA has similar requirements. Writing "SEE ID" in the signature panel primarily makes your card invalid *unless* your signature is also present. One of the design goals of the V/MC system is that a cardholder is not supposed to need anything other than their card and the ability to sign. The comparison of the signature provided to the card signature is supposed to be one of the primary ways to validate a cardholder, but of course these days, most vendors are lazy and don't. In fact, one of my favorite abusive merchant practices, trying to require ID, is expressly prohibited: http://www.mastercard.com/us/merchant/pdf/BM-Entire_Manual_public.pdf Page 5-14, sec. 5.8.4, "Additional Cardholder Identification". They're allowed to ask, you're allowed to refuse, and absent a good reason, they're not allowed to refuse your transaction. Now, if your signature doesn't match or something else is particularly fishy, yes, then they should require it, but they cannot require it by default for all transactions they process. That and a "minimum charge" are among the two most common merchant violations I see. For MasterCard violations, report them! http://www.mastercard.us/support/merchant-violations.html ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On Sun, 10 Jun 2012, Joe Greco wrote:
One of the design goals of the V/MC system is that a cardholder is not supposed to need anything other than their card and the ability to sign.
This seems to be different across the world. Here in Sweden, they don't really look at your signature on the card, they look at the name on the card, name on the ID and the signature of the ID (which is pretty much required if you don't have PIN).
The comparison of the signature provided to the card signature is supposed to be one of the primary ways to validate a cardholder, but of course these days, most vendors are lazy and don't.
I've seen people verify the signature in France and in some Asian countries. I don't travel much these days, so I don't know the situation in other countries.
then they should require it, but they cannot require it by default for all transactions they process.
That and a "minimum charge" are among the two most common merchant violations I see.
For MasterCard violations, report them!
Is that policy worldwide or just for the US? -- Mikael Abrahamsson email: swmike@swm.pp.se
I was under the impression (I should dig out my contract) that merchant contracts also forbid charging more for a charge than for cash or conversely "discount for cash!" but I see so many violations of that particularly at gas stations I wonder if that's negotiable in the contract. I remember my father buying a car and pulling out a credit card asking if they accepted them? The dealer said sure no problem so he said fine then take another 3% (whatever) off I'll pay cash/check. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
A merchant can offer a cash discount. --John On 6/10/2012 11:16 AM, Barry Shein wrote:
I was under the impression (I should dig out my contract) that merchant contracts also forbid charging more for a charge than for cash or conversely "discount for cash!" but I see so many violations of that particularly at gas stations I wonder if that's negotiable in the contract.
I remember my father buying a car and pulling out a credit card asking if they accepted them? The dealer said sure no problem so he said fine then take another 3% (whatever) off I'll pay cash/check.
On 06/10/2012 11:22 AM, John T. Yocum wrote:
A merchant can offer a cash discount.
I believe that the law just recently changed on that account. I believe that what Barry says was the old reality. Mike
--John
On 6/10/2012 11:16 AM, Barry Shein wrote:
I was under the impression (I should dig out my contract) that merchant contracts also forbid charging more for a charge than for cash or conversely "discount for cash!" but I see so many violations of that particularly at gas stations I wonder if that's negotiable in the contract.
I remember my father buying a car and pulling out a credit card asking if they accepted them? The dealer said sure no problem so he said fine then take another 3% (whatever) off I'll pay cash/check.
----- Original Message -----
From: "Michael Thomas" <mike@mtcc.com>
On 06/10/2012 11:22 AM, John T. Yocum wrote:
A merchant can offer a cash discount.
I believe that the law just recently changed on that account. I believe that what Barry says was the old reality.
Perhaps, but Cash/Credit for gas dates back to before I moved to Florida in 1981. Even Further Off-Topic, isn't "debit" supposed to be "cash"? Why do I pay the Credit price for it? Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
On 06/10/2012 11:33 AM, Jay Ashworth wrote:
----- Original Message -----
From: "Michael Thomas"<mike@mtcc.com>
On 06/10/2012 11:22 AM, John T. Yocum wrote:
A merchant can offer a cash discount.
I believe that the law just recently changed on that account. I believe that what Barry says was the old reality.
Perhaps, but Cash/Credit for gas dates back to before I moved to Florida in 1981. Even Further Off-Topic, isn't "debit" supposed to be "cash"? Why do I pay the Credit price for it?
I dunno, maybe they're an exception? Maybe it had something to do with competing with the old oil company credit cards? Mike
On 10-Jun-12 13:33, Jay Ashworth wrote:
From: "Michael Thomas" <mike@mtcc.com>
On 06/10/2012 11:22 AM, John T. Yocum wrote:
A merchant can offer a cash discount.
I believe that the law just recently changed on that account. I believe that what Barry says was the old reality.
Perhaps, but Cash/Credit for gas dates back to before I moved to Florida in 1981.
Merchants have always been allowed to offer a cash discount. The ban is (was?) on surcharges for card purchases. In practical terms, this means that if you post only one price, it must be the card price, not the (possibly lower) cash price.
Even Further Off-Topic, isn't "debit" supposed to be "cash"? Why do I pay the Credit price for it?
The "credit" price is subject to the merchant's discount rate, regardless of the nature of the particular card used. The "cash" price is the part of the "credit" price left after the discount rate is applied. Say gas is $4/gal and the merchant's discount rate is 4%. That means the merchant only gets paid $3.84/gal for card purchases. If the merchant charges cash customers $3.84/gal, which is legal, they get paid the same amount of money. However, it is illegal for the merchant to post /only/ a price of $3.84/gal and then charge card users $4/gal to cover the card discount; that's an illegal surcharge.
S
-- Stephen Sprunk "God does not play dice." --Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking
From nanog-bounces+bonomi=mail.r-bonomi.com@nanog.org Sun Jun 10 13:34:06 2012
Date: Sun, 10 Jun 2012 14:33:03 -0400 (EDT)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
Subject: OT: Credit card policies (was Re: Dear Linkedin,)
----- Original Message -----
From: "Michael Thomas" <mike@mtcc.com>
On 06/10/2012 11:22 AM, John T. Yocum wrote:
A merchant can offer a cash discount.
I believe that the law just recently changed on that account. I believe that what Barry says was the old reality.
Perhaps, but Cash/Credit for gas dates back to before I moved to Florida in 1981. Even Further Off-Topic, isn't "debit" supposed to be "cash"? Why do I pay the Credit price for it?
It is, and *ISN'T*, 'cash'. Unlike cash (and like a credit card), it is simply an instruction to a third party to pay the retailer a specified amount. And as such, is subject to the terms of the contract between -those- parties as to how payment is made and what charges are imposed. Unlike a credit card, the money _is_ immediately deducted from your bank account. Like a credit card, it is the third-party clearinghouse that gets the money from you, and passes it on to the retailer. AFTER extracting their charges for the service they provide. You pay the 'credit' price, because the card issuer, and the clearinghouse operations _charge_ the merchant the same amount for those transactions as for 'credit' ones. Thus the merchant does not receive any of the benefits of a 'cash' transaction, so there is no 'discount' to pass on to the buyer. At one point, VISA, charged -more- for debit transactions than credit ones. Despite the fact that there was -zero- risk to them on the debit transaction. VISA got sued over the matter, since (at that time) it was impossible to tell whether the card number presented was debit or credit. Thus the merchant could not determine, in advance, what their 'cost' for the transaction was. As a result of the lawsuit, the cost differential between credit and debit transactions was eliminated.
On 10-Jun-12 14:01, Robert Bonomi wrote:
From: Jay Ashworth <jra@baylink.com>
Even Further Off-Topic, isn't "debit" supposed to be "cash"? Why do I pay the Credit price for it?
It is, and *ISN'T*, 'cash'.
Unlike cash (and like a credit card), it is simply an instruction to a third party to pay the retailer a specified amount. And as such, is subject to the terms of the contract between -those- parties as to how payment is made and what charges are imposed.
Unlike a credit card, the money _is_ immediately deducted from your bank account.
All of the above is completely irrelevant to the merchant.
Like a credit card, it is the third-party clearinghouse that gets the money from you, and passes it on to the retailer. AFTER extracting their charges for the service they provide.
FWIW, this is known as the "discount" rate.
You pay the 'credit' price, because the card issuer, and the clearinghouse operations _charge_ the merchant the same amount for those transactions as for 'credit' ones. Thus the merchant does not receive any of the benefits of a 'cash' transaction, so there is no 'discount' to pass on to the buyer.
The merchant's discount rate varies between card types. That's why many merchants don't accept AmEx, DC, CB and Nexus: their discount rates are higher than Visa and MC. For a low-margin business, the difference in rates can make the difference between profit and loss on a given sale.
At one point, VISA, charged -more- for debit transactions than credit ones. Despite the fact that there was -zero- risk to them on the debit transaction.
Wrong. Even debit cards present a risk of chargeback due to fraud. However, the fraud rates are lower due to the use of PINs, so the discount rate is also lower.
VISA got sued over the matter, since (at that time) it was impossible to tell whether the card number presented was debit or credit.
It's still impossible to tell, which is why most card terminals ask whether the card is credit or debit. If you press the "credit" button, even if the card is a debit card, it is processed as a credit card--with the credit card discount rate. That's why Visa's advertising and contests promote customers using signature (i.e. "credit") transactions: Visa gets more money that way (at the cost of their merchants).
As a result of the lawsuit, the cost differential between credit and debit transactions was eliminated.
... except it's still there, though perhaps in the other direction. The discount rate for "debit" transactions is lower, but a PIN must be used to get that rate. The exact rates vary between card networks, card processors and even merchants, but a few years ago the numbers I heard were 4% for "credit" (i.e. signature) transactions and 1% for "debit" (i.e. PIN) transactions. That is why those nifty PIN terminals appeared everywhere virtually overnight: saving 3% on every "debit" transaction easily paid for all those new terminals. S -- Stephen Sprunk "God does not play dice." --Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking
On 6/10/12 12:23 , Stephen Sprunk wrote:
On 10-Jun-12 14:01, Robert Bonomi wrote:
From: Jay Ashworth <jra@baylink.com>
All of the above is completely irrelevant to the merchant.
Given that the thread now spans nine conversation threads and at least 122 messages and is buried in the finer details of merchant handling of gas cards I think it can stop now. Thanks from all of us. Joel
Stephen Sprunk <stephen@sprunk.org> opined:
On 10-Jun-12 14:01, Robert Bonomi wrote:
From: Jay Ashworth <jra@baylink.com>
Even Further Off-Topic, isn't "debit" supposed to be "cash"? Why do I pay the Credit price for it?
It is, and *ISN'T*, 'cash'.
Unlike cash (and like a credit card), it is simply an instruction to a third party to pay the retailer a specified amount. And as such, is subject to the terms of the contract between -those- parties as to how payment is made and what charges are imposed.
Unlike a credit card, the money _is_ immediately deducted from your bank account.
All of the above is completely irrelevant to the merchant.
False to fact. The fact that it is an order for (deferred) third-party payment, vs 'cash in hand', is *very* relevant to the merchant. For starters, the purchase amount becomes a 'debt' owed to the merchant by the third party. There are massive legal ramifications to that distinction alone.
Like a credit card, it is the third-party clearinghouse that gets the money from you, and passes it on to the retailer. AFTER extracting their charges for the service they provide.
FWIW, this is known as the "discount" rate.
"Not exactly". There are typically three components to the total charge that the merchant pays on a given transaction. One is a charge based on a percentage of the transaction amount -- that _percentage_ figure is known as the discount rate, distinct from the dollar-amount deducted for that purpose. Over and above the 'percentage' amount, there are 'per transaction' charges - which are essentially independent of the size of the transaction. On 'small' transactions, the 'per transaction' charges tend to swamp the 'percentage' charge.
You pay the 'credit' price, because the card issuer, and the clearinghouse operations _charge_ the merchant the same amount for those transactions as for 'credit' ones. Thus the merchant does not receive any of the benefits of a 'cash' transaction, so there is no 'discount' to pass on to the buyer.
The merchant's discount rate varies between card types. That's why many merchants don't accept AmEx, DC, CB and Nexus: their discount rates are higher than Visa and MC. For a low-margin business, the difference in rates can make the difference between profit and loss on a given sale.
At one point, VISA, charged -more- for debit transactions than credit ones. Despite the fact that there was -zero- risk to them on the debit transaction.
Wrong. Even debit cards present a risk of chargeback due to fraud.
*SNICKER* According to the law, 'debit' cards (processed through the CC network) do -not- have any of the protections with regard to limit-of-liability that credit cards do. The account owner can assert 'fraud', but VISA is _not_ required to refund them any of the monies involved. For the 'debit' type transaction, VISA has the money in hand -before- they pay out to the merchant, the risk of them not getting the money is zero. Legally, the risk of having to return the money after an allegation of fraud is also zero, given that the merchant has followed the letter of the contract in processing the card. And, if the merchant has not done so, then VISA charges back the full amount to the merchant -- with the net risk to VISA being zero. The other kind of 'debit' items -- ATM transactions do not involve VISA at all, only the issuing bank. For these, with the proper PIN presented, 'fraud' charges are (sometimes) eaten by the bank involved as a 'customer relations' measure. Generally, the presentation of the proper PIN is taken as 'proof' that an authorized user did perform the transaction, *until* such time as the bank is notified that the card or PIN has been lost/stolen or otherwise compromised.
However, the fraud rates are lower due to the use of PINs, so the discount rate is also lower.
Sorry, but that is utter fiction. PIN-based payments are processed as ATM (Automatic Teller Machine) network transactions -- they are *NOT* 'debit' transactions via credit-card clearing-house network.
VISA got sued over the matter, since (at that time) it was impossible to tell whether the card number presented was debit or credit.
It's still impossible to tell, which is why most card terminals ask whether the card is credit or debit.
Incorrect. (this is mostly a terminology issue -- what has become 'common usage' is muddy at best and often misunderstood) The terminal has no 'need to know' whether it is a bank-issued credit or bank-issued debit card. It does NOT ask that -- contrary to what the buttons appear to imply. <wry grin>
Terminals ask because many cards today are 'multi-function' -- they can act as a bank-issued credit (or debit, but not both) card _and_ as an ATM card. The _labels_ on the terminals are technically inaccurate, the proper labels should be 'Credit/Debit' and 'ATM'.
There are -four- types of cards in existence in the U.S., today, with =two= unrelated, unconnected, types of processing networks. Many, but _not_ all, cards have 'dual credentials', and are usable on both networks.
The four types of cards:
1) non-bank-issued credit cards. examples: Amex, Diners Club.
2) bank-issued 'association'-branded credit cards. example: Visa/MC.
3) bank-issued 'association'-branded debit cards. example: Visa/MC.
4) bank-issued ATM cards.
The two types of networks:
1) the inter-bank ATM networks e.g. STARZ, CIRRUS,
2) the credit-card clearinghouses. e.g. VISA/MC, AMEX, etc.
A non-bank-issued card cannot be used on the ATM network. A bank-issued card can function as a debit or credit (but not both) card, as an ATM card, or as _both_.
The point-of-sale terminal asks a question to determine 'which network' (ATM or credit/debit-card) to process the transaction over. When a card can be used on both networks, there is no way to determine which network should be used, =other= than to ask.
As the old saw goes "ROM does *NOT* mean <R>ead <O>perator's <M>ind" *grin*
If you press the "credit" button, even if the card is a debit card, it is processed as a credit card--with the credit card discount rate.
TODAY, that is correct. Before the VISA lawsuit mentioned above, that was -not- the case. A VISA 'debit' card, _processed_as_a_credit_card_, was charged at materially higher rates than a VISA 'credit' card. $DAYJOB found that the clearing-house charged the same for processing the transaction, but the passed-through charges originating from VISA were over 40% higher. It was impossible to predict the charges, which meant it was impossible to automatically feed data into the accounting system. I had a major argument/fight with $DAYJOB's clearinghouse and with VISA corporate on this precise matter a few months before the above-mentioned lawsuit was filed. $DAYJOB was a small-fry operation and did not participate in the lawsuit.
That's why Visa's advertising and contests promote customers using signature (i.e. "credit") transactions: Visa gets more money that way (at the cost of their merchants).
Actually, VISA gets _some_ money rather than none. They don't get anything on an ATM network (PIN-based) transaction. It also saves the purchaser from being assessed a charge for a 'foreign' ATM transaction by their bank -- typically at least $1, and possibly as much as $4. For a 'quality' merchant, the typical difference in transaction fees between the two networks (ATM vs VISA/MC) is a fraction of a percentage point. Small enough to be, generally, immaterial to the retailer.
As a result of the lawsuit, the cost differential between credit and debit transactions was eliminated.
... except it's still there, though perhaps in the other direction.
You don't know what you don't know. Starting with the difference between PIN-based ATM network transactions and PIN-less 'debit card' VISA/MC/etc network transactions.
The discount rate for "debit" transactions is lower, but a PIN must be used to get that rate.
Incorrect. That is a bank ATM card transaction -- not a merchant-account card transaction. It is processed by an entirely different network, with an entirely different fee structure. Usually including a fee of $1 or more, charged directly to the cardholder for using an 'off network' ATM machine. The VISA/MC network transaction rates are *identical* for VISA 'debit' and VISA 'credit' cards. Since the above-mentioned lawsuit, that is.
The exact rates vary between card networks, card processors and even merchants, but a few years ago the numbers I heard were 4% for "credit" (i.e. signature) transactions and 1% for "debit" (i.e. PIN) transactions.
I don't know where you heard those numbers but 4% on credit card transactions is typical of what the 'we provide credit card processing for *anybody*' sleazeball operations charge. The ones that fly-by-night internet-only pornography operators use. A sizable, established, brick-and-mortar retailer with an established record of few-to-no chargebacks will typically have rates of around 1.4%. $DAYJOB got a discount rate of 1.9% after putting together only a six-month history with -zero- chargebacks. This was for an established 'MOTO' (mail-order/telephone-order) business, located in a downtown office building, gross revenues in the low 7 figures, but only a few thousand dollars a month in card charges.
That is why those nifty PIN terminals appeared everywhere virtually overnight: saving 3% on every "debit" transaction easily paid for all those new terminals.
The PIN terminals appeared so that people could use bank ATM cards -without- having to have the 'name' credit card. Especially when those 'name' cards started applying significant 'annual fees' for the right to simply -have- the card. VISA/MC/etc 'debit' cards were usable at any location that took 'credit' cards of the same brand, with _no_ additional equipment (not even a PIN pad) long before widespread ATM networks existed. In the early days of ATM transactions, but after 'networks' were in place that allowed one to use an ATM card at any ATM of any 'cooperating' bank, there was -no- charge to either the bank or the ATM owner/operator. The assumption (borne out in practice, _then_) That there were roughly equal numbers of transactions by non-customers at bank-owned ATMs and transactions by bank customers at non-bank ATMs. As ATMs proliferated beyond bank sites, into retail establishments, and eventually integrated with the cash-register CC processing, that balance no longer held. And 'per transaction' charges were assessed. ATM operators charged 'foreign' customers a transaction fee for the privilege of using their machines, AND banks charged their customers a fee for using 'foreign' machines.
On June 10, 2012 at 14:33 jra@baylink.com (Jay Ashworth) wrote:
----- Original Message -----
From: "Michael Thomas" <mike@mtcc.com>
On 06/10/2012 11:22 AM, John T. Yocum wrote:
A merchant can offer a cash discount.
I believe that the law just recently changed on that account. I believe that what Barry says was the old reality.
Perhaps, but Cash/Credit for gas dates back to before I moved to Florida in 1981. Even Further Off-Topic, isn't "debit" supposed to be "cash"? Why do I pay the Credit price for it?
I think part of the problem is there's no uniform answer to these observations. I remember news reports with videos of cash/credit signs at gas stations saying these were illegal (well, violated their contracts) but no one was enforcing it, an urge to get attorneys-general in on the act since non-uniform contract enforcement could be a violation of some sort of commercial laws or grounds for a civil suit if an injured party has standing. Or maybe some gas companies had the leverage to get exceptions written into their contracts, etc. They're just contracts, they can say anything as long as it's legal. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
From nanog-bounces+bonomi=mail.r-bonomi.com@nanog.org Sun Jun 10 13:26:36 2012
Date: Sun, 10 Jun 2012 11:25:35 -0700
From: Michael Thomas <mike@mtcc.com>
To: "John T. Yocum" <john.yocum@fluidhosting.com>
Subject: Re: Dear Linkedin,
Cc: nanog@nanog.org
On 06/10/2012 11:22 AM, John T. Yocum wrote:
A merchant can offer a cash discount.
I believe that the law just recently changed on that account. I believe that what Barry says was the old reality.
You believe incorrectly. :) Merchants have NOT, per Visa/Mastercard/Amex/Discover/Diners Club contracts in the U.S., been prohibited from offering discounts for cash transactions for more than 20 years -- based on my direct knowledge of such contracts as a card-processing merchant. TTBOMK, merchants were -never- so prohibited by such a contract. There are 'restraint of trade' issues involved if a contract attempts to place restrictions on transactions that do not involve all the parties to the contract. Forbidding surcharges on transactions paid for by the issuer's card -is-, on the other hand, fair game for the contract under which the issuer agrees to pay for certain purchases. Recently-enacted (2010) U.S. law *does* explicitly permit -- overriding any contract terms to the contrary -- setting a 'minimum purchase amount' for credit card transactions, as long as that amount does not exceed US$10.
From nanog-bounces+bonomi=mail.r-bonomi.com@nanog.org Sun Jun 10 13:18:06 2012
From: Barry Shein <bzs@world.std.com>
Date: Sun, 10 Jun 2012 14:16:10 -0400
To: Mikael Abrahamsson <swmike@swm.pp.se>
Subject: Re: Dear Linkedin,
Cc: NANOG <nanog@nanog.org>, Joe Greco <jgreco@ns.sol.net>
I was under the impression (I should dig out my contract) that merchant contracts also forbid charging more for a charge than for cash or conversely "discount for cash!" but I see so many violations of that particularly at gas stations I wonder if that's negotiable in the contract.
The 'true explanation' is even simpler -- your impression is incorrect. <grin> In the U.S., Visa/Mastercard/Amex/Discover/Diners Club contracts all expressly forbid charging extra for a card transaction. Using language that applies only to a 'premium' or 'surcharge' applied to card transactions. They do *NOT* forbid giving a discount for cash payment. They do not state it =is= acceptable -- they are simply silent on the subject, which means that it is not proscribed. The logic: The card purchaser must be allowed to buy at the 'advertised' price. Prohibiting discounts gets into a 'restraint of trade' issue. Gas stations that offer a 'discount for cash' do not give that discount even for 'house brand' cards -- which do not have any fees that are payable to the issuer.
----- Original Message -----
From: "Robert Bonomi" <bonomi@mail.r-bonomi.com>
Gas stations that offer a 'discount for cash' do not give that discount even for 'house brand' cards -- which do not have any fees that are payable to the issuer.
In fact, that's not true. Several chains, notably including Shell, have at one time or another advertised that their house card (not a house-branded credit card, but an actual gas charge card) took the cash price. Cheers -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
The agreements often prohibit minimums and cash discounts/card fees. However, the Dodd-Frank act trumps the agreements as law > contract. Owen Sent from my iPad On Jun 10, 2012, at 11:16 AM, Barry Shein <bzs@world.std.com> wrote:
I was under the impression (I should dig out my contract) that merchant contracts also forbid charging more for a charge than for cash or conversely "discount for cash!" but I see so many violations of that particularly at gas stations I wonder if that's negotiable in the contract.
I remember my father buying a car and pulling out a credit card asking if they accepted them? The dealer said sure no problem so he said fine then take another 3% (whatever) off I'll pay cash/check.
-- -Barry Shein
That and a "minimum charge" are among the two most common merchant violations I see.
For MasterCard violations, report them!
Is that policy worldwide or just for the US?
http://www.mastercard.com/us/merchant/pdf/BM-Entire_Manual_public.pdf Despite the "/us/" in the URL, the guide has sections for geographic world regions, so it seems safe to conclude it's worldwide. I have not followed all the geographic subsections to discover what regional variations may exist; I leave that exercise for anyone who finds it of interest. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On 6/10/12, Joe Greco <jgreco@ns.sol.net> wrote: [snip]
That and a "minimum charge" are among the two most common merchant For MasterCard violations, report them!
In the US, Credit card processing networks were forbidden from prohibiting merchants from establishing certain "minimum charges" to use a CC, merchants may also charge an extra fee to use a CC; see, the Dodd-Frank Wall Street Reform and Consumer Protection act Of 2010; S 1075 page 693. " (3) LIMITATION ON RESTRICTIONS ON SETTING TRANSACTION MINIMUMS OR MAXIMUMS. (A) IN GENERAL.—A payment card network shall not, directly or through any agent, processor, or licensed member of the network, by contract, requirement, condition, penalty, or otherwise, inhibit the ability (i) of any person to set a minimum dollar value for the acceptance by that person of credit cards, to the extent that (I) such minimum dollar value does not differentiate between issuers or between payment card networks; and (II) such minimum dollar value does not exceed $10.00 … "
violations I see. For MasterCard violations, report them! http://www.mastercard.us/support/merchant-violations.html ... JG
-- -JH
The credit card companies should pull their heads out of their asses about this. It is much better from an anti-fraud perspective for a stolen card not to contain a specimen signature for the thief to learn to forge. It is far preferable for the merchant to request ID and verify that the signature matches the ID _AND_ the picture in the ID matches the customer. I've never had my card refused because I wrote SEE ID on the signature panel in lieu of my signature. I have been frequently asked for my ID and make a point of thanking the merchant for their diligence in each of those cases. I've only had one merchant get a little persnickety about the lack of a signature technically invalidating the card. I basically explained why I did it that way and informed them that they could cancel the transaction if they didn't like my methods. They chose not to cancel the transaction. (Which was a rather significant sale in a relatively small shop) Owen Sent from my iPad On Jun 10, 2012, at 3:58 AM, Joe Greco <jgreco@ns.sol.net> wrote:
----- Original Message -----
From: "Barry Shein" <bzs@world.std.com>
A friend would print in block letters in the sig area of his credit cards "ASK FOR PHOTO ID". He said that almost always cashiers et al would give a cursory glance like they were checking his signature and say thank you and hand him back his card.
This seems like an altogether excellent time to haul out *this* old chestnut:
http://www.zug.com/pranks/credit/
FWIW, My cards have always said SEE ID, and I get about a 40% or so hit rate on that. It's been odd recently, cause I sometimes forget, and the privacy reflex kicks in and makes me want to say "Why??" :-)
If your card is not signed, your card is invalid and should not be accepted by any merchant.
http://www.mastercard.com/us/merchant/pdf/MerchantAcceptanceGuide_Manual.pdf
Page 8-2; "Unsigned Credit Cards". VISA has similar requirements.
Writing "SEE ID" in the signature panel primarily makes your card invalid *unless* your signature is also present.
One of the design goals of the V/MC system is that a cardholder is not supposed to need anything other than their card and the ability to sign. The comparison of the signature provided to the card signature is supposed to be one of the primary ways to validate a cardholder, but of course these days, most vendors are lazy and don't.
In fact, one of my favorite abusive merchant practices, trying to require ID, is expressly prohibited:
http://www.mastercard.com/us/merchant/pdf/BM-Entire_Manual_public.pdf
Page 5-14, sec. 5.8.4, "Additional Cardholder Identification".
They're allowed to ask, you're allowed to refuse, and absent a good reason, they're not allowed to refuse your transaction. Now, if your signature doesn't match or something else is particularly fishy, yes, then they should require it, but they cannot require it by default for all transactions they process.
That and a "minimum charge" are among the two most common merchant violations I see.
For MasterCard violations, report them!
http://www.mastercard.us/support/merchant-violations.html
... JG
The credit card companies should pull their heads out of their asses about this.
It is much better from an anti-fraud perspective for a stolen card not to contain a specimen signature for the thief to learn to forge.
It is far preferable for the merchant to request ID and verify that the signature matches the ID _AND_ the picture in the ID matches the customer.
So, what ID do you consider to be acceptable? Especially when traveling, you've just opened up a can of worms. As a merchant, do you know what a Canadian driver's license is supposed to look like, for example? The reality is that forging signatures is not particularly easy, and since merchants generally don't check ANYWAYS, the whole issue is kind of nebulous. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On Jun 10, 2012, at 12:25 PM, Joe Greco wrote:
The credit card companies should pull their heads out of their asses about this.
It is much better from an anti-fraud perspective for a stolen card not to contain a specimen signature for the thief to learn to forge.
It is far preferable for the merchant to request ID and verify that the signature matches the ID _AND_ the picture in the ID matches the customer.
So, what ID do you consider to be acceptable? Especially when traveling, you've just opened up a can of worms. As a merchant, do you know what a Canadian driver's license is supposed to look like, for example?
From someone who supplies an out-of-country drivers license, I'd request to see their passport. From someone who supplies an out-of-state drivers license, I'd probably accept it, but the risks there are somewhat reduced at least. Mostly, I'd accept any domestic government issued photo ID and/or any passport. Generally when someone asks for my ID, I use my passport.
The reality is that forging signatures is not particularly easy, and since merchants generally don't check ANYWAYS, the whole issue is kind of nebulous.
Sure. However, if you provide the forger a specimen of your signature on the card, you're just asking for trouble IMHO. If the merchant is going to go to the trouble of checking the signature, the extra step of matching that against ID that matches the cardholder name instead of just matching it to the back of the card is a negligible additional inconvenience while providing an additional layer of protection. Owen
From someone who supplies an out-of-country drivers license, I'd request to see their passport. From someone who supplies an out-of-state drivers license, I'd probably accept it, but the risks there are somewhat reduced at least.
OK, someone shows you a Quebec driver's license. You ask for a passport, she says, I don't have one, and points at the blue word Plus after the words Permis de Conduire at the top of the license. Now what? Although banks have different tradeoffs in risk management than you might like, they're not dumb. I expect they figured that the increased volume from not slowing down transactions and demanding more than makes up for whatever the increased fraud. This theory is reinforced by my observation that at my local supermarket, they don't even ask for the signature that they don't look at for purchases under $50. R's, John
On Jun 11, 2012, at 2:35 PM, John Levine wrote:
OK, someone shows you a Quebec driver's license. You ask for a passport, she says, I don't have one, and points at the blue word Plus after the words Permis de Conduire at the top of the license. Now what?
Banks and most retailers actually have a book with photos and details of various security aspects of the license and ID cards in-use. For fun, I have presented my "Global Entry" ID card at the bank for a transaction to see if they had seen it before. The US Federal Government tried to standardize on HSPD-12, now about 5 years old. Making a secure document, or something that uses PKI such as this is harder than it may initially seem. This is why I'm not the one designing them. - Jared
----- Original Message -----
From: "John Levine" <johnl@iecc.com>
Although banks have different tradeoffs in risk management than you might like, they're not dumb. I expect they figured that the increased volume from not slowing down transactions and demanding more than makes up for whatever the increased fraud. This theory is reinforced by my observation that at my local supermarket, they don't even ask for the signature that they don't look at for purchases under $50.
Another point here is that *just asking for ID, and observing the patron's mien when they give it to you* filters out 2 whole categories of low-hanging fruit attackers. Cheers, -- jr 'each user discovers a new category of bugs' a -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Sent from my iPad On Jun 11, 2012, at 11:35 AM, "John Levine" <johnl@iecc.com> wrote:
From someone who supplies an out-of-country drivers license, I'd request to see their passport. From someone who supplies an out-of-state drivers license, I'd probably accept it, but the risks there are somewhat reduced at least.
OK, someone shows you a Quebec driver's license. You ask for a passport, she says, I don't have one, and points at the blue word Plus after the words Permis de Conduire at the top of the license. Now what?
To the best of my knowledge, ICE stopped accepting DL for admission from Canada several years ago. So, I'd probably pass on the transaction unless she wanted to select another form of payment.
Although banks have different tradeoffs in risk management than you might like, they're not dumb. I expect they figured that the increased volume from not slowing down transactions and demanding more than makes up for whatever the increased fraud. This theory is reinforced by my observation that at my local supermarket, they don't even ask for the signature that they don't look at for purchases under $50.
Indeed, as I have said, for small purchases where the transaction rate can be high, swipe and go makes sense to me. I'm talking about larger purchases that involve a lengthier sales process anyway. Owen
On 2012-06-11 15:05, Owen DeLong wrote:
OK, someone shows you a Quebec driver's license. You ask for a passport, she says, I don't have one, and points at the blue word Plus after the words Permis de Conduire at the top of the license. Now what?
To the best of my knowledge, ICE stopped accepting DL for admission from Canada several years ago.
Your knowledge needs an update! ;) http://www.saaq.gouv.qc.ca/en/driver_licence/licence_plus/licence_plus.php Simon -- DTN made easy, lean, and smart --> http://postellation.viagenie.ca NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca STUN/TURN server --> http://numb.viagenie.ca
On 12-06-11 03:14 PM, Simon Perreault wrote:
On 2012-06-11 15:05, Owen DeLong wrote:
OK, someone shows you a Quebec driver's license. You ask for a passport, she says, I don't have one, and points at the blue word Plus after the words Permis de Conduire at the top of the license. Now what?
To the best of my knowledge, ICE stopped accepting DL for admission from Canada several years ago.
Your knowledge needs an update! ;)
http://www.saaq.gouv.qc.ca/en/driver_licence/licence_plus/licence_plus.php
Simon
Yup, various Canadian provinces now issue "newer, better" driver's licenses that are accepted by ICE for entry to the US by land or sea only (not by air, you still need a passport or NEXUS for that). Here in Ontario, they're called "Enhanced" driver's licenses, and only have minor differences from regular driver's licenses -- they have the word "Enhanced" on them, and they contain an RFID chip which is scanned at the border for ID & verification purposes. Oh, and they cost an extra $40 when you renew them. The enhanced licenses were rolled out at pretty much the same time as the US entry requirements changed, so if you were a keener and got an enhanced card when they were first available, absolutely nothing would have changed for you, except that your wallet is now a bit lighter and you have a shiny new card. It's left as an exercise to the reader as to whether the word "Enhanced" printed on a card and an RFID tag are, in fact, any more secure than what we had before.... - Pete
On Jun 11, 2012, at 3:14 PM, Simon Perreault wrote:
On 2012-06-11 15:05, Owen DeLong wrote:
OK, someone shows you a Quebec driver's license. You ask for a passport, she says, I don't have one, and points at the blue word Plus after the words Permis de Conduire at the top of the license. Now what?
To the best of my knowledge, ICE stopped accepting DL for admission from Canada several years ago.
Your knowledge needs an update! ;)
http://www.saaq.gouv.qc.ca/en/driver_licence/licence_plus/licence_plus.php
How the heck did this conversation go from Linkedin to a Quebec drivers license? I'm not sure how relevant this is to NANOG. Both subject matters that is. -Gabe
On 11-Jun-12 14:05, Owen DeLong wrote:
On Jun 11, 2012, at 11:35 AM, "John Levine" <johnl@iecc.com> wrote:
OK, someone shows you a Quebec driver's license. You ask for a passport, she says, I don't have one, and points at the blue word Plus after the words Permis de Conduire at the top of the license. Now what? To the best of my knowledge, ICE stopped accepting DL for admission from Canada several years ago.
Only non-enhanced ("plus" in Quebec) drivers licenses. See: http://www.dhs.gov/files/crossingborders/travelers.shtm S -- Stephen Sprunk "God does not play dice." --Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking
It is far preferable for the merchant to request ID and verify that the signature matches the ID _AND_ the picture in the ID matches the customer.
In the late 1990s I had a Visa card from (I think) Citibank that had my picture embossed on the front of the card. I'm surprised this didn't catch on with more card issuers. I see that Bank of America offers this free of charge to their Visa clients, as do some US based credit unions. That card was never lost or stolen, so I don't know if the photo verification would fail as spectacularly as signatures do. --lyndon
On Sun, 10 Jun 2012, Lyndon Nerenberg wrote:
In the late 1990s I had a Visa card from (I think) Citibank that had my picture embossed on the front of the card. I'm surprised this didn't catch on with more card issuers. I see that Bank of America offers this free of charge to their Visa clients, as do some US based credit unions.
That card was never lost or stolen, so I don't know if the photo verification would fail as spectacularly as signatures do.
That's obviously only going to be of use in cases where the card is physically stolen and used in-person. I don't have the numbers, but I strongly suspect that sort of credit card fraud is a small minority, with the majority being CNP transactions. I've personally had several instances of one of my card numbers being used fraudulently (for everything from online casino gambling to tractor parts to hotel charges in countries I've never been to), but never via the card having physically been stolen. ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
A few years ago I had a checkbook stolen. The genius bank branch decided it was sufficient to just print new checks starting at a much higher number and "put it in the system" rather than cancel the account number. I protested but hey so long as they were responsible for any fraud*. Then thousands of dollars of cashed checks began appearing. What was amusing was they each had info like my driver's license number and date of birth carefully hand-printed on them. EXCEPT, it wasn't *my* driver's license # or date of birth, it was all just kinda random. Which led us to believe (when talking to bank security) that they just have friends who work as cashiers, these were all at places like Wal-Mart, big retail stores, who just accept the bad checks for a cut. I agree it's all a matter of percentages but it says something about putting photos on credit cards etc. I had something similar happen with business checks (a small vendor was burglarized), similar result and conclusion: The crooks were working with bank tellers or other insiders, they even knew the magic amounts at each branch beyond which more security checks kick in, again, according to the bank security people I was clearing this up with. * I sort of regretted that because they managed to burn up quite a few hours of my time when it all went bad. They've got you at that point, show up here, show up now, fill out all these affidavits, etc or we won't cover the fraud. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
In such a circumstance I use the following: "Close this account. Either send me a check for the remaining balance or deposit into my newly created account at your institution. Whichever you prefer." Owen On Jun 10, 2012, at 2:45 PM, Barry Shein wrote:
A few years ago I had a checkbook stolen. The genius bank branch decided it was sufficient to just print new checks starting at a much higher number and "put it in the system" rather than cancel the account number. I protested but hey so long as they were responsible for any fraud*.
Then thousands of dollars of cashed checks began appearing.
What was amusing was they each had info like my driver's license number and date of birth carefully hand-printed on them.
EXCEPT, it wasn't *my* driver's license # or date of birth, it was all just kinda random.
Which led us to believe (when talking to bank security) that they just have friends who work as cashiers, these were all at places like Wal-Mart, big retail stores, who just accept the bad checks for a cut.
I agree it's all a matter of percentages but it says something about putting photos on credit cards etc.
I had something similar happen with business checks (a small vendor was burglarized), similar result and conclusion: The crooks were working with bank tellers or other insiders, they even knew the magic amounts at each branch beyond which more security checks kick in, again, according to the bank security people I was clearing this up with.
* I sort of regretted that because they managed to burn up quite a few hours of my time when it all went bad. They've got you at that point, show up here, show up now, fill out all these affidavits, etc or we won't cover the fraud.
-- -Barry Shein
On Sun, 10 Jun 2012 12:29:46 -0700, Owen DeLong said:
It is far preferable for the merchant to request ID and verify that the signature matches the ID _AND_ the picture in the ID matches the customer.
Maybe from the anti-fraud standpoint, but not necessarily from the merchant's viewpoint. It's only better if nobody's standing in line. If matching the ID and signature and picture reduces fraud from 4% to 3%, but increases the time to serve the customer by 5%, you're losing money due to fewer sales/hour. And the local supermarket can save a *whole* bunch of money if they can get me to scan my own stuff and pay with a debit card with minimal/no interaction with the staff. Sure, might be a bit higher fraud rate, but being able to run 4 almost-unattended checkout lines more than covers it. Figure a warm body costs $8/hour - as long as the added fraud is under $32/hour, they're coming out ahead.
On Sun, Jun 10, 2012 at 04:34:55PM -0400, valdis.kletnieks@vt.edu wrote:
On Sun, 10 Jun 2012 12:29:46 -0700, Owen DeLong said:
It is far preferable for the merchant to request ID and verify that the signature matches the ID _AND_ the picture in the ID matches the customer.
Maybe from the anti-fraud standpoint, but not necessarily from the merchant's viewpoint.
It's only better if nobody's standing in line. If matching the ID and signature and picture reduces fraud from 4% to 3%, but increases the time to serve the customer by 5%, you're losing money due to fewer sales/hour.
For the most part, fraud in a card present transaction isn't eaten by the merchant. But the same reasoning still applies. The card issuers don't want you to have to show ID, because you might decide it's too much trouble, and just use some other method to pay. Eliminating fraud isn't an objective of card issuers. Making money is. Fraud reduction is only done when the savings from the reduced fraud exceeds both the cost of the fraud preventing measure and any revenue that is lost because of inconveniencing customers. And, sometimes, they'll choose to accept a higher rate of fraud if it will generate enough revenue to offset it ... consider how many places you can now avoid signing for small dollar purchases. The cost of accepting the additional fraud was considered worth it in comparison to the revenue generated from getting people to use their cards for small transactions. -- Brett
On Jun 10, 2012, at 3:06 PM, Brett Frankenberger wrote:
On Sun, Jun 10, 2012 at 04:34:55PM -0400, valdis.kletnieks@vt.edu wrote:
On Sun, 10 Jun 2012 12:29:46 -0700, Owen DeLong said:
It is far preferable for the merchant to request ID and verify that the signature matches the ID _AND_ the picture in the ID matches the customer.
Maybe from the anti-fraud standpoint, but not necessarily from the merchant's viewpoint.
It's only better if nobody's standing in line. If matching the ID and signature and picture reduces fraud from 4% to 3%, but increases the time to serve the customer by 5%, you're losing money due to fewer sales/hour.
For the most part, fraud in a card present transaction isn't eaten by the merchant.
But the same reasoning still applies. The card issuers don't want you to have to show ID, because you might decide it's too much trouble, and just use some other method to pay.
Eliminating fraud isn't an objective of card issuers. Making money is. Fraud reduction is only done when the savings from the reduced fraud exceeds both the cost of the fraud preventing measure and any revenue that is lost because of inconveniencing customers. And, sometimes, they'll choose to accept a higher rate of fraud if it will generate enough revenue to offset it ... consider how many places you can now avoid signing for small dollar purchases. The cost of accepting the additional fraud was considered worth it in comparison to the revenue generated from getting people to use their cards for small transactions.
-- Brett
Right, but eliminating fraud should be an objective of consumers because ultimately, we are the ones paying for it regardless of who "eats it" on the actual transaction. If the merchant eats it, the merchant has to make up for it with increased prices. If the card processing company eats it, they have to use high discount rates or other fees to cover it. If the card issuing company eats it, they have to use fees and/or interest rates to make up for it. If the bank eats it, they have to make up for it in other fees, reduced services, reduced interest on accounts, increased interest rates, etc. Ultimately, no matter who eats it, it gets passed along to the consumer. So, any card company that starts getting their merchants to decline transactions based on my anti-fraud efforts will find that I consider their product too risky and will use an alternate form of payment. Owen
On Sun, Jun 10, 2012 at 03:47:20PM -0700, Owen DeLong wrote:
On Jun 10, 2012, at 3:06 PM, Brett Frankenberger wrote:
Eliminating fraud isn't an objective of card issuers. Making money is. Fraud reduction is only done when the savings from the reduced fraud exceeds both the cost of the fraud preventing measure and any revenue that is lost because of inconveniencing customers. And, sometimes, they'll choose to accept a higher rate of fraud if it will generate enough revenue to offset it ... consider how many places you can now avoid signing for small dollar purchases. The cost of accepting the additional fraud was considered worth it in comparison to the revenue generated from getting people to use their cards for small transactions.
Right, but eliminating fraud should be an objective of consumers because ultimately, we are the ones paying for it regardless of who "eats it" on the actual transaction.
That assumes that minimizing cost is an objective of consumers. In general, it's not. Maximizing utility is. For some, minimizing cost is a major part of that. For me, I routinely trade money for convenience. And I'll gladly pay a percentage point or two more in exchange for all my credit transactions being handled more quickly. I'm far from the only one. Credit card companies keep making it easier to use their card, because they've found it more profitable to do so. There doesn't seem to be a market for a card that is harder to use, but saves consumers a little money through reduced fraud. -- Brett
Eliminating fraud isn't an objective of card issuers. Making money is. Fraud reduction is only done when the savings from the reduced fraud exceeds both the cost of the fraud preventing measure and any revenue that is lost because of inconveniencing customers.
Right, but eliminating fraud should be an objective of consumers because ultimately, we are the ones paying for it regardless of who "eats it" on the actual transaction.
This applies just as well to fraud-prevention measures, a cost is a cost is a cost, your perceived morality of the cost makes no difference, money is fungible! Which means, money doesn't care! You'd have to make up the cost of all that fraud-prevention in the same way. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
----- Original Message -----
From: "Barry Shein" <bzs@world.std.com>
This applies just as well to fraud-prevention measures, a cost is a cost is a cost, your perceived morality of the cost makes no difference, money is fungible! Which means, money doesn't care! You'd have to make up the cost of all that fraud-prevention in the same way.
The money doesn't care... but the customers sure the hell do. Alas, getting the corporation in the middle to eat it out of profit -- I'm not clear why we're at a place where no one even considers that possibility, but we very clearly are; I'm sure the corporations are thrilled -- is next to impossible. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
----- Original Message -----
From: "Brett Frankenberger" <rbf+nanog@panix.com>
But the same reasoning still applies. The card issuers don't want you to have to show ID, because you might decide it's too much trouble, and just use some other method to pay.
Except for Amex, who have always *stringently* required this; I've even seen customer-facing advertising pointing it out. They have to do something to get merchants to take their card with the higher discount rate. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Don't know if someone already posted this but they're forcing people to reset their passwords, but it lets you reset it to the same password as before... How many people are going to use the same pass? I'd say a good portion, LinkedIn needs some new isec employees
On Jun 10, 2012, at 6:11 PM, Jay Ashworth <jra@baylink.com> wrote:
----- Original Message -----
From: "Brett Frankenberger" <rbf+nanog@panix.com>
But the same reasoning still applies. The card issuers don't want you to have to show ID, because you might decide it's too much trouble, and just use some other method to pay.
Except for Amex, who have always *stringently* required this; I've even seen customer-facing advertising pointing it out.
They have to do something to get merchants to take their card with the higher discount rate.
Cheers,
-- jra
--
Jay R. Ashworth | Baylink | jra@baylink.com
Designer | The Things I Think | RFC 2100
Ashworth & Associates | http://baylink.pitas.com | 2000 Land Rover DII
St Petersburg FL USA | http://photo.imageinc.us | +1 727 647 1274
On June 10, 2012 at 19:47 apishdadi@gmail.com (Ameen Pishdadi) wrote:
Don't know if someone already posted this but they're forcing people to reset their passwords, but it lets you reset it to the same password as before... How many people are going to use the same pass? I'd say a good portion, LinkedIn needs some new isec employees
It's only Linkedin not bank accounts -- not that most people's bank accounts are much to worry about either :-)
But what's dumb is that what they're asking for with that policy is a big headache for themselves when accounts get messed up, whatever pranksterism or nefarious deed, I dunno, spamming from someone's cracked acct is a good example, and Linkedin's staff has to deal with each and every one.
Maybe they lack imagination as to what they might be getting themselves into.
--
-Barry Shein
The World | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
The Cambridge University Computer Lab has had a crack at this question in their Technical Report 817 on Web authentication: http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html
Their conclusion is to use the Mozilla password manager (or close analogue, but they like it because it's open source, free, and available). Anyway, it's well worth reading.
A question: password managers are obviously a great idea, and password manager + synchronisation takes care of multiple devices. However, if the passwords themselves are poor, this doesn't help. As well as a browser vault, we need a Passwords API to let a Web site request the creation of a password.
You will need:
- a MakePassword() action that creates a random, cryptographically strong password for the specified domain and specified username, with the specified TTL, and registers it in the vault.
- a same-domain constraint
- an SSL only constraint
- a RequestLogin() action, leading to either automatic login or a user dialog as desired
- a RevokePassword() action, that flushes the existing password and forces the creation of a new one. This can be explicitly invoked, for example after a security incident, or else activated when a TTL runs out.
- a user interface action that permits the user to invoke Revoke on all or a subset of the passwords.
This addresses: making up passwords, not sharing passwords, remembering passwords, revoking compromised passwords.
No, it won't help if the evil maid sprays liquid nitrogen into your laptop in suspend mode to render analysis of RAM easier yadda yadda, but nothing will*, and if you face that kind of threat, you're operating in a different league and passwords are the least of your worries. Because you're not using them...are you?
Also, if the enemy can defeat SSL they can still phish you, but that's going to be a very hard one to eliminate entirely, whatever happens. (and how many security incidents are like that compared to ones involving password compromises?)
Why didn't W3C do this 10 years ago? Kind of amazing, given how common a pattern username/password is, that there is no mention of the word here: http://www.w3.org/TR/
*you can of course encrypt the disk that contains the password vault, but in general, someone with physical access will win.
--
The only thing worse than e-mail disclaimers...is people who send e-mail to lists complaining about them
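A toy in-memory model of the Passwords API proposed in the message above, added here as an example; it is not part of the original thread and not a real browser or W3C API. The class name, the method signatures, the exact-hostname reading of "same-domain" and the 24-character password length are all assumptions.

```javascript
// Toy in-memory model of the proposed vault (added example, not a real browser API).
// Web Crypto is global in browsers and recent Node; older Node needs the fallback.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// 64 symbols, so masking a random byte with 63 picks each one with equal probability.
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

function randomPassword(length = 24) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(length));
  return Array.from(bytes, (b) => ALPHABET[b & 63]).join('');
}

// SSL-only and same-domain constraints. Assumption: "same domain" means the
// calling page's hostname equals the domain the password is registered for.
function assertAllowed(origin, domain) {
  const url = new URL(origin);
  if (url.protocol !== 'https:') throw new Error('SSL only');
  if (url.hostname !== domain) throw new Error('same-domain violation');
}

const keyOf = (domain, username) => JSON.stringify([domain, username]);

class PasswordVault {
  constructor(now = () => Date.now()) { this.entries = new Map(); this.now = now; }

  makePassword(origin, domain, username, ttlMs) {
    assertAllowed(origin, domain);
    const password = randomPassword();
    this.entries.set(keyOf(domain, username), { password, expires: this.now() + ttlMs });
    return password;
  }
  // Returns the stored password, or null when the site must call makePassword again.
  requestLogin(origin, domain, username) {
    assertAllowed(origin, domain);
    const entry = this.entries.get(keyOf(domain, username));
    if (!entry) return null;
    if (this.now() >= entry.expires) { this.entries.delete(keyOf(domain, username)); return null; }
    return entry.password;
  }
  revokePassword(origin, domain, username) {
    assertAllowed(origin, domain);
    return this.entries.delete(keyOf(domain, username));
  }
  // User-interface action: revoke everything, or only the entries the filter selects.
  revokeAll(filter = () => true) {
    let revoked = 0;
    for (const key of [...this.entries.keys()]) {
      if (filter(...JSON.parse(key))) { this.entries.delete(key); revoked++; }
    }
    return revoked;
  }
}
```

The clock is injectable so TTL expiry can be exercised without waiting; a real vault would also persist and encrypt its entries, which this model leaves out.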
On 11/06/12 12:38 AM, Alexander Harrowell wrote:
A question: password managers are obviously a great idea, and password manager + synchronisation takes care of multiple devices.
Go ahead and use one of these password managers and load it with all your passwords. Then load its smartphone app on your smartphone, and report back how well it works to load your secure password into the Facebook App, the Flickr App, the Twitter App, the (fill-in-the-blank) App for the 1001 Apps you have on your phone.
To the best of my knowledge, there is no password manager that *seamlessly* syncs your password with a computer and with smartphone apps. And in case you haven't noticed, more and more computing (and logging in) is done with smartphone apps these days.
This is still very much an un-solved problem. Fixing it so it works on just one computer (using a password manager) is solved. Fixing it so it works on several "regular" computers (synching password managers) is solved - although this also puts your passwords in the possession of another party (to allow the synching to work). Fixing it so you can login seamlessly and easily from all types of computers including computers you don't own (when visiting/traveling) is NOT a solved problem, and if you use a password manager and think it makes your life easy, then you suddenly find you can't login to anything (e.g. you are traveling and lose your phone and need to login to your email account, with a password you don't remember, you only have the secure password for your password manager) you will find out how NOT easy this solution really is.
jc
participants (26)
- Alexander Harrowell
- Ameen Pishdadi
- Barry Shein
- Brett Frankenberger
- Gabriel Blanchard
- Hal Murray
- Jared Mauch
- Jay Ashworth
- JC Dill
- Jimmy Hess
- Joe Greco
- Joel jaeggli
- John Levine
- John T. Yocum
- Jon Lewis
- Lyle Giese
- Lyndon Nerenberg
- Michael Thomas
- Mikael Abrahamsson
- Mike Hale
- Owen DeLong
- Peter Kristolaitis
- Robert Bonomi
- Simon Perreault
- Stephen Sprunk
- valdis.kletnieks@vt.edu