Date:       Mon, 22 Feb 93 16:20:58 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V2#019

Computer Privacy Digest Mon, 22 Feb 93              Volume 2 : Issue: 019

Today's Topics:				Moderator: Dennis G. Rears

          Re: Digitizing signatures for credit card purchases
          Re: Digitizing signatures for credit card purchases
          Re: Digitizing signatures for credit card purchases
          Re: Digitizing signatures for credit card purchases
                       privacy of salary history
              Re: Radar Detectors vs. Poor Driving Habits

   The Computer Privacy Digest is a forum for discussion on the
  effect of technology on privacy.  The digest is moderated and
  gatewayed into the USENET newsgroup comp.society.privacy
  (Moderated).  Submissions should be sent to
  comp-privacy@pica.army.mil and administrative requests to
  comp-privacy-request@pica.army.mil.
   Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: William Curtiss <wcurtiss@travis.csd.harris.com>
Subject: Re: Digitizing signatures for credit card purchases
Date: 19 Feb 1993 09:16:00 -0500
Organization: Harris CSD, Ft. Lauderdale, FL

"Glenn S. Tenney" <tenney@netcom.com> writes:
>
>My wife just told me that The Gap (a large clothing store chain) store near
>to us has a new computerized system.  When making a credit card purchase
>with a Visa card, she had to "sign" on a digitizing tablet.  Then, they
>printed out her receipt just like a cash register receipt with our credit
>card number on it, but no signature.
>
I have thought about the problems involved with this ever since I read an
article in our paper's business section about the company manufacturing
these systems.  (I will try to dig up the reference, if anyone is
interested.)  First, the reason for the system is that a large merchant
may have several hundred charge transactions on any given day.  When a
transaction is disputed, they must search through all the paper receipts
to find the correct one.  Avoiding the manual search is the benefit to the
merchant of the system.

Anyway, one possible means of protecting yourself would be to have a
different signature for each transaction you make.  If these different
signatures follow a pattern such that you can prove what a given 
signature should look like given past history, you may be able to make a
case.  For instance, you could append every signature with the month,
day and transaction number for that day in hex.  Then the merchant would
have to figure out your code (how many merchants understand hex?), and
forge it appropriately.  The catch is that you have to do this for every
transaction you make, including the paper ones, to establish precedent.

This may, or may not work, when it comes to a dispute with the credit
card company.  However, I'm not particularly fond of it, since it puts
too much of a burden of proof on me, rather than the merchant.

So, does anyone have any other ideas for working within the system (i.e.
other than refusing to do business with that particular merchant, or using
cash, both of which are good choices)?

-- 
DISCLAIMER: The opinions expressed here are my own; | 
     they in no way reflect the opinion or policies | wcurtiss@csd.harris.com
     of Harris Corporation nor John Hartley.        |

------------------------------

Date: Fri, 19 Feb 93 03:55 PST
From: John Higdon <john@zygot.ati.com>
Reply-To: John Higdon <john@zygot.ati.com>
Organization: Green Hills and Cows
Subject: Re: Digitizing signatures for credit card purchases

"Glenn S. Tenney" <tenney@netcom.com> writes:

> However, if a merchant (or actually someone working there) wanted
> to defraud someone, they could claim you had made purchases when you
> had not.  When the bank or credit card company asked for a receipt,
> they could easily produce one with your signature on it -- just like
> the other ten thousand receipts they "keep on-line".  Obviously,
> you did make the purchase since the signature is yours and is not
> forged.

What am I missing here? If they produced all of the receipts for your
purchases, TWO of them would have identical signatures. Given that a
person never signs his name exactly the same way twice, it would be
compelling evidence that ONE of them was a forgery, electronic or
otherwise. You do sign your name on the pad for EACH purchase do you
not? (Else, what would be the point of signing anything at all?)

Forgery is forgery, regardless if it is electronic or graphic. One of
the things that gives value at all to a signature is the fact that it
is identifiable, and only you can produce it. The fact that each one is
SLIGHTLY different is what prevents others from affixing YOUR signature
to new documents with a stamp of some sort. A digitized version of your
signature would not seem very valuable in that context. BTW, write me a
letter, sign it, and I will send you a disk with your digitized
signature on it.

> Does that clarify why this is a problem?  If not, I can get even more
> verbose   :-)

Obviously not, since I still cannot see the problem.

-- 
 John Higdon  |   P. O. Box 7648   |   +1 408 264 4115     |       FAX:
 john@ati.com | San Jose, CA 95150 | 10288 0 700 FOR-A-MOO | +1 408 264 4407

------------------------------

Subject: Re: Digitizing signatures for credit card purchases
From: jkuta@misvms.bpa.arizona.edu (Jeffrey Kuta)
Date: 20 Feb 1993 06:12 MST  
Organization: University of Arizona MIS Department

In article <comp-privacy2.18.5@pica.army.mil>, jgd@dixie.com (John De Armond) writes...
>"Glenn S. Tenney" <tenney@netcom.com> writes:
> 
>>If you thought that signing for a package onto a notebook computer was bad,
>>you ain't seen nothing yet...
> 
>>My wife just told me that The Gap (a large clothing store chain) store near
>>to us has a new computerized system.  When making a credit card purchase
>>with a Visa card, she had to "sign" on a digitizing tablet.  Then, they
>>printed out her receipt just like a cash register receipt with our credit
>>card number on it, but no signature.
> 
>>When I sign for packages, I just print my name.  For this, I might do the
>>same if push came to shove, but I do *NOT* like the idea of some store
>>having my signature actually "on-file" digitally!
> 
>This is a bug in the system.  There is a workaround :-) What I do is
>two-fold.  One, I have a markedly different signature that I use for
>non-negotiable things such as shipment receipts as opposed to the one I
>use for negotiable instruments.  The second tack is to simply mark an
>"X" on electronic signature devices.
> 
>This isn't as satisfying as organizing a boycott or a protest but it does
>work and it lets you have one less thing to worry about.

I kinda like that 'X' tactic.  But I'd appreciate it if you could give a
little better description of "negotiable" vs. "non-negotiable" for those
of us who are ignorant of those terms.  :)

Thanks.
> 
>John
>-- 
>John De Armond, WD4OQC               |Interested in high performance mobility?  
>Performance Engineering Magazine(TM) | Interested in high tech and computers? 
>Marietta, Ga                         | Send ur snail-mail address to 
>jgd@dixie.com                        | perform@dixie.com for a free sample mag
>Need Usenet public Access in Atlanta?  Write Me for info on Dixie.com.

Jeffrey Kuta



------------------------------

From: Dean Collins <dean@crow.csrv.uidaho.edu>
Subject: Re: Digitizing signatures for credit card purchases
Date: 21 Feb 1993 08:08:08 GMT
Organization: University of Idaho, Moscow, Idaho

Scott Coleman (tmkk@uiuc.edu) wrote:
> In article <comp-privacy2.17.1@pica.army.mil> "Glenn S. Tenney" <tenney@netcom.com> writes:
> In short, boycotting merchants who use such systems won't prevent the
> collection of digitized signatures. If a merchant wants to badly enough,
> he can do it already.

I agree.  It's things like this that give me chills down the spine.
Neither a computerized signature nor a paper signature is safe
since both are easily reproduced.  For this reason a signature
will no longer be accepted as a valid authentication method
in a few short years.  We will undoubtedly move to more secure
procedures, such as retinal scans or DNA fingerprints.
During this interim period when signatures are still used for
authentication we must be aware of the potential
risks involved.  We should also do our best to make the general
public aware of the situation.

Society is always playing catch-up with technology. 

--
Dean Collins (dean@uidaho.edu, dean@cs.uidaho.edu)

------------------------------

Date: Sun, 21 Feb 93 01:16:23 PST
Subject: privacy of salary history
Organization: UCLA Protein Structure Group
From: "E. Coli" <butwho@bravais.mbi.ucla.edu>

I am considering accepting a job offer from a company which
just happens to have one of the major Credit reporting agencies
as one of its divisions.

They want to know my current salary and SSN on the application.
Now, I consider myself to be very underpaid and don't want them
basing my new salary on the pittance I am now earning. With my
SSN can they find out? To further complicate things, I will at
some time in the future, if I work for this company, be required
to get a Security Clearance. Do I have a hope in hell of concealing
my salary?

I will not be working for the Credit division, but still, even without
my SSN I wouldn't be surprised if they could get my credit report with
a single phone call. (This is a private company)


------------------------------

From: Flint Pellett <flint@gistdev.gist.com>
Subject: Re: Radar Detectors vs. Poor Driving Habits
Date: 22 Feb 93 17:41:44 GMT
Organization: Global Information Systems Technology Inc., Savoy, IL


olson@dstl86.gsfc.nasa.gov (Paul Olson) writes:

>5) If the government really wanted to eliminate radar detectors and
>control speed instead of using speeding tickets as a revenue source,
>they'd do a couple of things: a) use non-standard cars for unmarked
>units.  Here in MD, the state buys in large orders, so most of the
>state patrol cars are Chevy Caprice's, even the unmarked units,
>although a few Ford Taurus' are showing up.  The best unmarked unit
>I've ever seen was a 1975 rusty Ford LTD

I don't know about you, but if a rusty '75 Ford was trying to pull
me over, I wouldn't pull over, whether they had an official looking
light/siren or not.  I'd have to see more evidence that this wasn't
some scheme someone was using to rob me.
-- 
Flint Pellett, Global Information Systems Technology, Inc.
100 Trade Centre Drive, Suite 301, Champaign, IL  61820     (217) 352-1165
uunet!gistdev!flint or flint@gistdev.gist.com

------------------------------


End of Computer Privacy Digest V2 #019
******************************