Date:       Tue, 09 Mar 93 13:50:53 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V2#023

Computer Privacy Digest Tue, 09 Mar 93              Volume 2 : Issue: 023

Today's Topics:				Moderator: Dennis G. Rears

          Re: Digitizing signatures for credit card purchases
          Re: Digitizing signatures for credit card purchases
                       Privacy Journal newsletter
                  Privacy in Communication Technology
                   NEW EDITION OF THE PRIVACY GUIDE?
                         Credit Card Validation
                     Re: Social Security Number FAQ

   The Computer Privacy Digest is a forum for discussion on the
  effect of technology on privacy.  The digest is moderated and
  gatewayed into the USENET newsgroup comp.society.privacy
  (Moderated).  Submissions should be sent to
  comp-privacy@pica.army.mil and administrative requests to
  comp-privacy-request@pica.army.mil.
   Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: Bill Campbell <bill@camco1.celestial.com>
Subject: Re: Digitizing signatures for credit card purchases
Organization: Celestial Software, Mercer Island, WA
Date: Tue, 02 Mar 1993 05:10:05 GMT

In <comp-privacy2.21.1@pica.army.mil> "Glenn S. Tenney" <tenney@netcom.com> writes:

 ....................
:Actually, just like simple contracts, you are given a copy for your
:signature.  The copy you have, is the exact same as the copy they have.  It
:is up to them to have your signature on their copy, just as it would be up
:to you to have THEIR signature on a credit voucher.  You would be amazed at
:how many stores want ME to sign the credit voucher when I return something.
: I have to tell them that THEY have to sign it, since they are giving me
:money -- yes, the store does have to authorize the credit just as you have
:to authorize the charge.

The reason the stores have the customer sign credit vouchers is
to keep the employees from writing up false credits and pocketing
the cash!  Some stores also offer cash rewards to customers who
report cash sales made where no receipt is given or the amount on
the receipt is different than the amount of the sale.

Bill
-- 
INTERNET:  bill@Celestial.COM   Bill Campbell; Celestial Software
UUCP:   ...!thebes!camco!bill   6641 East Mercer Way
             uunet!camco!bill   Mercer Island, WA 98040; (206) 947-5591
SPEED COSTS MONEY -- HOW FAST DO YOU WANT TO GO?


------------------------------

From: Dan Hartung <dhartung@chinet.chi.il.us>
Subject: Re: Digitizing signatures for credit card purchases
Organization: Chinet - Public Access UNIX
Date: Tue, 2 Mar 1993 23:06:40 GMT

wicklund@intellistor.com (Tom Wicklund) writes:
>
>Many stores are going to non-computerized forms of this -- they print
>you a receipt, then print a second receipt which you sign and they
>keep.  You don't have a receipt with your signature.
>
>Since I doubt the store physically sends the signed receipt to the
>bank, your bank also doesn't have a signed receipt unless they get it
>from the store, which will have a hard time finding a particular
>receipt out of the hundreds for a certain day.

Good question.  There may be a difference in the handling of electronically
approved transactions, however, which are becoming more common.

>>*IF* someone took your carbons or forged your signature, then
>>the signature would not be yours.  You could go through all of
>>your receipts and see for yourself.  The merchant could NOT produce
>>a forged receipt with un-forged signature.
>
>However, sometimes the customer receives the original of the signature
>while the store keeps a carbon.  If the store's (valid) carbon
>signature is proof enough of the transaction, it's not hard for an
>unscrupulous store to get your signature on an extra carbon underneath
>the one you sign -- especially with new cash register printed
>carbonless receipts, in which an extra sheet underneath would be easy
>to insert but hard for the customer to notice.

True, but all they really need to do some mischief is your credit card
number, and you give that to them anyway.

>>However, if a merchant (or actually someone working there) wanted
>>to defraud someone, they could claim you had made purchases when you
>>had not.  When the bank or credit card company asked for a receipt,
>>they could easily produce one with your signature on it -- just like
>>the other ten thousand receipts they "keep on-line".  Obviously,
>>you did make the purchase since the signature is yours and is not
>>forged.
>
>True, this will be simpler -- though for systems like the one
>originally described I'm not too worried -- I doubt it has a built in
>ability to patch an arbitrary signature on an arbitrary receipt.
>
>I wonder how important the signature is.  Many companies operate mail
>order by taking phone orders.  These companies never get a signature
>from the purchaser, yet I haven't heard of either massive abuse of
>credit card numbers (there are some, but it's not industry wide).
>Hotels also routinely take card numbers for guaranteed reservations
>and I assume they sometimes run the charges through.

For one thing the rules are different for mail-order.  #1, you have
certain laws governing return/canceling of transactions.  #2, most
credit card companies will put up much less stink about cancelling
a mail order purchase than a fraudulent "in-store" purchase.  #3,
it's governed by interstate commerce regulations.

>I assume credit card companies would need to handle digitized
>signatures in the same way they handle lack of signature.  In both
>cases it's possible to create a fraudulent charge for which the card
>holder has no record.

-- 
The Presidential Towers complex here   | Dan Hartung               |  Ask me
in Chicago is bounded by four streets: | dhartung@chinet.chi.il.us |  about
Jefferson, Adams, Monroe  .....        | Birch Grove Software      | Rotaract!
        and Clinton!

------------------------------

Date: Wed, 3 Mar 93 04:08 GMT
From: Robert Ellis Smith <0005101719@mcimail.com>
Subject: Privacy Journal newsletter



Computer Privacy Digest Moderator: 

Rasch at dockmaster asked Feb. 24 about a compendium of state laws on
privacy.  Privacy Journal newsletter publishes a 137-page Compilation
of State and Federal Privacy Laws, current as of June 1992.  Price is
$29, with a 20 percent discount for Computer Privacy Digest users,
from Privacy Journal, PO Box 28577, Providence RI 02908.  Use credit
card by phone at 401/274-7861, or e-mail, rsmith, MCI Mail 510-1719.
The Compilation includes laws on criminal records, credit, medical,
students, federal and state government, Caller ID, wiretapping, and
much more. Digest users are welcome to a sample copy of Privacy
Journal.  Reach us at MCI mail, rsmith, 510-1719.



------------------------------

From: Deborah Parker <parker3@uxa.cso.uiuc.edu>
Subject: Privacy in Communication Technology
Date: Thu, 4 Mar 1993 04:06:20 GMT
Organization: University of Illinois

I am looking for information concerning privacy and security in
communication technology, especially regarding Caller ID, Cellular
phones, and E-Mail.  I am researching for a project regarding societal
views and concerns with advancing technology.  I am also interested in
regulation by the FCC and its effect on security.  Thanks in advance!
Deborah Parker (parker3@uxa.cso.uiuc.edu)

------------------------------

From: Mark McFadden <mcfadm@dnrmai.dnr.wisc.gov>
Subject: NEW EDITION OF THE PRIVACY GUIDE?
Date: 4 Mar 1993 09:06:42 -0600
Organization: UTexas Mail-to-News Gateway

In article 1057 of comp.society.privacy Jonathan Thornburg gives a
reference to a book:

	"Your Right to Privacy: A Basic Guide to Legal Rights in an
	 Information Society -- An American Civil Liberties Union
	 Handbook"

	2nd Edition
	Evan Hendricks, Trudy Hayden, Jack D. Novik
	SIU Press, 1980

Whoa!  No edition since 1980!?!  Does anyone know if another is 
planned?
===============================================================================
                                                                  Mark McFadden
                                              EMail: mcfadm@dnrmai.dnr.wisc.gov
                                      Wisconsin Department of Natural Resources
                                                     Madison,  Wisconsin  53707
                                        fax: (608)267-9380 voice: (608)267-9804

------------------------------

Date:     Fri, 5 Mar 93 0:18:29 EST
From:     Brinton Cooper <abc@brl.mil>
Subject:  Credit Card Validation


We've all heard horror stories about how one person fraudulently
accessed another's credit card account (or utility account or phone
account, etc) and, with malice, altered or canceled service or
otherwise, posing as the customer, caused some change in the status of
the account.

Now, Citibank is asking (US Government employee) users of its Diner's
club cards to supply them with validation info.  When activating a new
(e.g., personal) account, changing address, or otherwise enquiring about
one's file, the caller may be asked to supply such information in order
to assure the credit company of the caller's legitimate identity.
Information requested is:

	Name
	Account #
	Address
	Date of Birth
	Social Security Number (you were surprised, maybe?)
	Mother's Maiden Name (My hospital asks for this one, too.)
	Business and home phones
	Other Diner's accounts to which this info applies.

Finally, you are asked  if you would like "...to designate another
person to manage your account..."

On the one hand, this has the potential to expose what little privacy we
have left.  On the other hand, one can argue that it protects us
from malicious persons.  I don't yet know whether I shall comply.

_Brint

[Moderator's Note:  I don't use the Diner Card Club.  It's one less card
I have to carry around.  On the other hand I have passworded all my
accounts (credit card, utilities, insurance, etc) that can be accessed
by phone.  I started this after my phone and electric service was cut off
by someone claiming to be me.  The "Mother's maiden name" is no security.
 ._dennis ]

------------------------------

Date: Fri,  5 Mar 93 14:30:46 EST
From: ran@cblpo.att.com
Subject: Re: Social Security Number FAQ

In article <ssn-privacy_731078125@Aktis.COM>, hibbert@xanadu.com (Chris Hibbert) writes:
> The Privacy Act of 1974 (5 USC 552a) requires that any federal, state, or
                                                                  ^^^^^^^^^
> local government agency that requests your Social Security Number has to
  ^^^^^
> tell you four things:

> 1:  Whether disclosure of your Social Security Number is required or
>     optional,

> 2:  What law authorizes them to ask for your Social Security Number,

> 3:  How your Social Security Number will be used if you give it to them,
>     and

> 4:  The consequences of failure to provide an SSN.

> In addition, the Act says that only Federal law can make use of the Social
> Security Number mandatory.  So anytime you're dealing with a government
> institution and you're asked for your Social Security Number, just look for
> the Privacy Act Statement.  If there isn't one, complain and don't give your
> number.  If the statement is present, read it.  If it says giving your
> Social Security Number is voluntary, you'll have to decide for yourself
> whether to fill in the number.

Can somebody document this claim that state and local governments also
have to follow the Privacy Act?  I have a copy of the House Report 100-199,
"A Citizen's Guide on Using the Freedom of Information Act and the Privacy
Act of 1974 to Request Government Records" (1987), and it says the following:

(In an informational part, p. 18)
The Privacy Act does not generally apply to records maintained by state
and local governments or private companies or organizations.


The actual act itself, in the section of interest, says:

552a(e) Agency requirements

Each agency that maintains a system of records shall--

	.
	.
	.
	(3) inform each individual whom it asks to supply information,
	on the form which it uses to collect the information or on a
	separate form that can be retained by the individual--
		(A) the authority (whether granted by statute, or by executive
		order of the President) which authorizes the solicitation of
		the information and whether disclosure of such information
		is mandatory or voluntary;
		(B) the principal purpose or purposes for which the information
		is intended to be used;
		(C) the routine uses which may be made of the information, as
		published pursuant to paragraph (4)(D) of this subsection; and
		(D) the effects on him, if any, of not providing all or any part
		of the requested information;
	.
	.
	.


> In addition, the Act says that only Federal law can make use of the Social
> Security Number mandatory.

Also, I can find nothing in the Act that says this; in fact the Act never
even mentions the Social Security Number by name at all.


So, does anybody know??
Bob
-- 
                                                                  _
". . . and shun the frumious Bandersnatch."                 Nipetlahuini.
Robert Neinast (ran@cblpo.att.com)
AT&T-Bell Labs

------------------------------


End of Computer Privacy Digest V2 #023
******************************