Date: Mon, 22 Feb 93 16:20:58 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V2#019

Computer Privacy Digest Mon, 22 Feb 93              Volume 2 : Issue: 019

Today's Topics:                         Moderator: Dennis G. Rears

    Re: Digitizing signatures for credit card purchases
    Re: Digitizing signatures for credit card purchases
    Re: Digitizing signatures for credit card purchases
    Re: Digitizing signatures for credit card purchases
    privacy of salary history
    Re: Radar Detectors vs. Poor Driving Habits

The Computer Privacy Digest is a forum for discussion on the
effect of technology on privacy. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy
(Moderated). Submissions should be sent to
comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil.
Back issues are available via anonymous ftp on ftp.pica.army.mil
[129.139.160.133].

----------------------------------------------------------------------

From: William Curtiss
Subject: Re: Digitizing signatures for credit card purchases
Date: 19 Feb 1993 09:16:00 -0500
Organization: Harris CSD, Ft. Lauderdale, FL

"Glenn S. Tenney" writes:
>
>My wife just told me that The Gap (a large clothing store chain) store near
>to us has a new computerized system. When making a credit card purchase
>with a Visa card, she had to "sign" on a digitizing tablet. Then, they
>printed out her receipt just like a cash register receipt with our credit
>card number on it, but no signature.
>

I have thought about the problems involved with this ever since I read an
article in our paper's business section about the company manufacturing
these systems. (I will try to dig up the reference, if anyone is interested.)

First, the reason for the system, is that a large merchant may have several
hundred charge transactions on any given day. When a transaction is disputed,
they must search through all the paper receipts to find the correct one.
Avoiding the manual search is the benefit to the merchant of the system.

Anyway, one possible means of protecting yourself would be to have a
different signature for each transaction you make. If these different
signatures follow a pattern such that you can prove what a given signature
should look like given past history, you may be able to make a case. For
instance, you could append every signature with the month, day and
transaction number for that day in hex. Then the merchant would have to
figure out your code (how many merchants understand hex?), and forge it
appropriately. The catch is that you have to do this for every transaction
you make, including the paper ones, to establish precedence.

This may, or may not work, when it comes to a dispute with the credit card
company. However, I'm not particularly fond of it, since it puts too much
of a burden of proof on me, rather than the merchant.

So, does anyone have any other ideas for working within the system (i.e.
other than refusing to do business with that particular merchant, or using
cash, both of which are good choices)?

--
DISCLAIMER: The opinions expressed here are my own;  |
they in no way reflect the opinion or policies       | wcurtiss@csd.harris.com
of Harris Corporation nor John Hartley.              |

------------------------------

Date: Fri, 19 Feb 93 03:55 PST
From: John Higdon
Reply-To: John Higdon
Organization: Green Hills and Cows
Subject: Re: Digitizing signatures for credit card purchases

"Glenn S. Tenney" writes:

> However, if a merchant (or actually someone working there) wanted
> to defraud someone, they could claim you had made purchases when you
> had not. When the bank or credit card company asked for a receipt,
> they could easily produce one with your signature on it -- just like
> the other ten thousand receipts they "keep on-line". Obviously,
> you did make the purchase since the signature is yours and is not
> forged.

What am I missing here? If they produced all of the receipts for your
purchases, TWO of them would have identical signatures. Given that a
person never signs his name exactly the same way twice, it would be
compelling evidence that ONE of them was a forgery, electronic or
otherwise. You do sign your name on the pad for EACH purchase do you
not? (Else, what would be the point of signing anything at all?)

Forgery is forgery, regardless if it is electronic or graphic. One of
the things that gives value at all to a signature is the fact that it
is identifiable, and only you can produce it. The fact that each one is
SLIGHTLY different is what prevents others from affixing YOUR signature
to new documents with a stamp of some sort. A digitized version of your
signature would not seem very valuable in that context.

BTW, write me a letter, sign it, and I will send you a disk with your
digitized signature on it.

> Does that clarify why this is a problem? If not, I can get even more
> verbose :-)

Obviously not, since I still cannot see the problem.

--
John Higdon  | P. O. Box 7648     | +1 408 264 4115       | FAX:
john@ati.com | San Jose, CA 95150 | 10288 0 700 FOR-A-MOO | +1 408 264 4407

------------------------------

Subject: Re: Digitizing signatures for credit card purchases
From: jkuta@misvms.bpa.arizona.edu (Jeffrey Kuta)
Date: 20 Feb 1993 06:12 MST
Organization: University of Arizona MIS Department

In article , jgd@dixie.com (John De Armond) writes...
>"Glenn S. Tenney" writes:
>
>>If you thought that signing for a package onto a notebook computer was bad,
>>you ain't seen nothing yet...
>
>>My wife just told me that The Gap (a large clothing store chain) store near
>>to us has a new computerized system. When making a credit card purchase
>>with a Visa card, she had to "sign" on a digitizing tablet. Then, they
>>printed out her receipt just like a cash register receipt with our credit
>>card number on it, but no signature.
>
>>When I sign for packages, I just print my name. For this, I might do the
>>same if push came to shove, but I do *NOT* like the idea of some store
>>having my signature actually "on-file" digitally!
>
>This is a bug in the system. There is a workaround :-) What I do is
>two-fold. One, I have a markedly different signature that I use for
>non-negotiable things such as shipment receipts as opposed to the one I
>use for negotiable instruments. The second tact is to simply mark an
>"X" on electronic signature devices.
>
>This isn't as satisfying as organizing a boycott or a protest but it does
>work and it let you have one less thing to worry about.

I kinda like that 'X' tactic. But I'd appreciate it if you could give a
little better description of "negotiable" vs. "non-negotiable" for those
of us who are ignorant of those terms. :) Thanks.

>
>John
>--
>John De Armond, WD4OQC               |Interested in high performance mobility?
>Performance Engineering Magazine(TM) | Interested in high tech and computers?
>Marietta, Ga                         | Send ur snail-mail address to
>jgd@dixie.com                        | perform@dixie.com for a free sample mag
>Need Usenet public Access in Atlanta? Write Me for info on Dixie.com.

Jeffrey Kuta

------------------------------

From: Dean Collins
Subject: Re: Digitizing signatures for credit card purchases
Date: 21 Feb 1993 08:08:08 GMT
Organization: University of Idaho, Moscow, Idaho

Scott Coleman (tmkk@uiuc.edu) wrote:
> In article "Glenn S. Tenney" writes:
> In short, boycotting merchants who use such systems won't prevent the
> collection of digitized signatures. If a merchant wants to badly enough,
> he can do it already.

I agree. It's things like this that give me chills down the spine.
Neither a computerized signature nor a paper signature is safe since
both are easily reproduced. For this reason a signature will no longer
be accepted as a valid authentication method in a few short years. We
will undoubtably move to more secure procedures, such as retinal scans
or DNA fingerprints.

During this interim period when signatures are still used for
authentication we must be aware of the potential risks involved. We
should also do our best to make the general public aware of the
situation. Society is always playing catch-up with technology.

--
Dean Collins (dean@uidaho.edu, dean@cs.uidaho.edu)

------------------------------

Date: Sun, 21 Feb 93 01:16:23 PST
Subject: privacy of salary history
Organization: UCLA Protein Structure Group
From: "E. Coli"

I am considering accepting a job offer from a company which just happens
to have one of the major Credit reporting agencies as one of its
divisions. They want to know my current salary and SSN on the
application. Now, I consider myself to be very underpaid and don't want
them basing my new salary on the pittance I am now earning. With my SSN
can they find out?

To further complicate things, I will at some time in the future, if I
work for this company, be required to get a Security Clearance. Do I
have a hope in hell of concealing my salary? I will not be working for
the Credit division, but still, even without my SSN I wouldn't be
surprised if they could get my credit report with a single phone call.
(This is a private company)

------------------------------

From: Flint Pellett
Subject: Re: Radar Detectors vs. Poor Driving Habits
Date: 22 Feb 93 17:41:44 GMT
Organization: Global Information Systems Technology Inc., Savoy, IL

olson@dstl86.gsfc.nasa.gov (Paul Olson) writes:

>5) If the government really wanted to eliminate radar detectors and
>control speed instead of using speeding tickets as a revenue source,
>they'd do a couple of things: a) use non-standard cars for unmarked
>units. Here in MD, the state buys in large orders, so most of the
>state patrol cars are Chevy Caprice's, even the unmarked units,
>although a few Ford Taurus' are showing up. The best unmarked unit
>I've ever seen was a 1975 rusty Ford LTD

I don't know about you, but if a rusty '75 Ford was trying to pull me
over, I wouldn't pull over, whether they had an official looking
light/siren or not. I'd have to see more evidence that this wasn't some
scheme someone was using to rob me.

--
Flint Pellett, Global Information Systems Technology, Inc.
100 Trade Centre Drive, Suite 301, Champaign, IL 61820 (217) 352-1165
uunet!gistdev!flint or flint@gistdev.gist.com

------------------------------

End of Computer Privacy Digest V2 #019
******************************