Date: Tue, 09 Mar 93 13:50:53 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V2#023

Computer Privacy Digest Tue, 09 Mar 93              Volume 2 : Issue: 023

Today's Topics:                         Moderator: Dennis G. Rears

        Re: Digitizing signatures for credit card purchases
        Re: Digitizing signatures for credit card purchases
        Privacy Journal newsletter
        Privacy in Communication Technology
        NEW EDITION OF THE PRIVACY GUIDE?
        Credit Card Validation
        Re: Social Security Number FAQ

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy. The digest is moderated and gatewayed into the
USENET newsgroup comp.society.privacy (Moderated). Submissions should be
sent to comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil.
Back issues are available via anonymous ftp on ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------

From: Bill Campbell
Subject: Re: Digitizing signatures for credit card purchases
Organization: Celestial Software, Mercer Island, WA
Date: Tue, 02 Mar 1993 05:10:05 GMT

In "Glenn S. Tenney" writes:
....................
:Actually, just like simple contracts, you are given a copy for your
:signature. The copy you have, is the exact same as the copy they have. It
:is up to them to have your signature on their copy, just as it would be up
:to you to have THEIR signature on a credit voucher. You would be amazed at
:how many stores want ME to sign the credit voucher when I return something.
: I have to tell them that THEY have to sign it, since they are giving me
:money -- yes, the store does have to authorize the credit just as you have
:to authorize the charge.

The reason the stores have the customer sign credit vouchers is to keep
the employees from writing up false credits and pocketing the cash!
Some stores also offer cash rewards to customers who report cash sales
made where no receipt is given or the amount on the receipt is different
than the amount of the sale.

Bill
--
INTERNET: bill@Celestial.COM      Bill Campbell; Celestial Software
UUCP: ...!thebes!camco!bill       6641 East Mercer Way
         uunet!camco!bill         Mercer Island, WA 98040; (206) 947-5591
SPEED COSTS MONEY -- HOW FAST DO YOU WANT TO GO?

------------------------------

From: Dan Hartung
Subject: Re: Digitizing signatures for credit card purchases
Organization: Chinet - Public Access UNIX
Date: Tue, 2 Mar 1993 23:06:40 GMT

wicklund@intellistor.com (Tom Wicklund) writes:
>
>Many stores are going to non-computerized forms of this -- they print
>you a receipt, then print a second receipt which you sign and they
>keep. You don't have a receipt with your signature.
>
>Since I doubt the store physically sends the signed receipt to the
>bank, your bank also doesn't have a signed receipt unless they get it
>from the store, which will have a hard time finding a particular
>receipt out of the hundreds for a certain day.

Good question. There may be a difference in the handling of
electronically approved transactions, however, which are becoming
more common.

>>*IF* someone took your carbons or forged your signature, then
>>the signature would not be yours. You could go through all of
>>your receipts and see for yourself. The merchant could NOT produce
>>a forged receipt with un-forged signature.
>
>However, sometimes the customer receives the original of the signature
>while the store keeps a carbon. If the store's (valid) carbon
>signature is proof enough of the transaction, it's not hard for an
>unscrupulous store to get your signature on an extra carbon underneath
>the one you sign -- especially with new cash register printed
>carbonless receipts, in which an extra sheet underneath would be easy
>to insert but hard for the customer to notice.

True, but all they really need to do some mischief is your credit
card number, and you give that to them anyway.

>>However, if a merchant (or actually someone working there) wanted
>>to defraud someone, they could claim you had made purchases when you
>>had not. When the bank or credit card company asked for a receipt,
>>they could easily produce one with your signature on it -- just like
>>the other ten thousand receipts they "keep on-line". Obviously,
>>you did make the purchase since the signature is yours and is not
>>forged.
>
>True, this will be simpler -- though for systems like the one
>originally described I'm not too worried -- I doubt it has a built in
>ability to patch an arbitrary signature on an arbitrary receipt.
>
>I wonder how important the signature is. Many companies operate mail
>order by taking phone orders. These companies never get a signature
>from the purchaser, yet I haven't heard of either massive abuse of
>credit card numbers (there are some, but it's not industry wide).
>Hotels also routinely take card numbers for guaranteed reservations
>and I assume they sometimes run the charges through.

For one thing the rules are different for mail-order. #1, you have
certain laws governing return/canceling of transactions. #2, most
credit card companies will put up much less stink about cancelling
a mail order purchase than a fraudulent "in-store" purchase. #3, it's
governed by interstate commerce regulations.

>I assume credit card companies would need to handle digitized
>signatures in the same way they handle lack of signature. In both
>cases it's possible to create a fraudulent charge for which the card
>holder has no record.

--
The Presidential Towers complex here   | Dan Hartung                | Ask me
in Chicago is bounded by four streets: | dhartung@chinet.chi.il.us  | about
Jefferson, Adams, Monroe .....         | Birch Grove Software       | Rotaract!
and Clinton!

------------------------------

Date: Wed, 3 Mar 93 04:08 GMT
From: Robert Ellis Smith <0005101719@mcimail.com>
Subject: Privacy Journal newsletter

Computer Privacy Digest Moderator:

Rasch at dockmaster asked Feb. 24 about compendium of state laws on
privacy. Privacy Journal newsletter publishes a 137-page Compilation of
State and Federal Privacy Laws, current as of June 1992. Price is $29,
with a 20 percent discount for Computer Privacy Digest users, from
Privacy Journal, PO Box 28577, Providence RI 02908. Use credit card by
phone at 401/274-7861, or e-mail, rsmith, MCI Mail 510-1719.

The Compilation includes laws on criminal records, credit, medical,
students, federal and state government, Caller ID, wiretapping, and much
more.

Digest users are welcome to a sample copy of Privacy Journal. Reach us
at MCI mail, rsmith, 510-1719.

------------------------------

From: Deborah Parker
Subject: Privacy in Communication Technology
Date: Thu, 4 Mar 1993 04:06:20 GMT
Organization: University of Illinois

I am looking for information concerning privacy and security in
communication technology, especially regarding Caller ID, Cellular
phones, and E-Mail. I am researching for a project regarding societal
views and concerns with advancing technology. I am also interested in
regulation by the FCC and its effect on security.

Thanks in advance!

Deborah Parker (parker3@uxa.cso.uiuc.edu)

------------------------------

From: Mark McFadden
Subject: NEW EDITION OF THE PRIVACY GUIDE?
Date: 4 Mar 1993 09:06:42 -0600
Organization: UTexas Mail-to-News Gateway

In article 1057 of comp.society.privacy Jonathan Thornburg gives a
reference to a book:

    "Your Right to Privacy: A Basic Guide to Legal Rights in
    an Information Society -- An American Civil Liberties Union Handbook"
    2nd Edition
    Evan Hendricks, Trudy Hayden, Jack D. Novik
    SIU Press, 1980

Whoa! No edition since 1980!?! Does anyone know if another is planned?

===============================================================================
Mark McFadden                      EMail: mcfadm@dnrmai.dnr.wisc.gov
Wisconsin Department of Natural Resources
Madison, Wisconsin 53707
fax: (608)267-9380                 voice: (608)267-9804

------------------------------

Date: Fri, 5 Mar 93 0:18:29 EST
From: Brinton Cooper
Subject: Credit Card Validation

We've all heard horror stories about how one person fraudulently
accessed another's credit card account (or utility account or phone
account, etc) and, with malice, altered or canceled service or
otherwise, posing as the customer, caused some change in the status of
the account.

Now, Citibank is asking (US Government employee) users of its Diner's
club cards to supply them with validation info. When activating a new
(e.g., personal) account, changing address, or otherwise enquiring about
one's file, the caller may be asked to supply such information in order
to assure the credit company of the caller's legitimate identity.
Information requested is:

        Name
        Account #
        Address
        Date of Birth
        Social Security Number (you were surprised, maybe?)
        Mother's Maiden Name (My hospital asks for this one, too.)
        Business and home phones
        Other Diner's accounts to which this info applies.

Finally, you are asked if you would like "...to designate another person
to manage your account..."

On the one hand, this has the potential to expose what little privacy we
have left. On the other hand, one can argue that it protects us from
malicious persons.

I don't yet know whether I shall comply.

_Brint

[Moderator's Note: I don't use the Diner Card Club. It's one less card
I have to carry around. On the other hand I have passworded all my
accounts (credit card, utilities, insurance, etc) that can be accessed by
phone. I started this after my phone and electric service was cut off by
someone claiming to be me. The "Mother's maiden name" is no security.
._dennis ]

------------------------------

Date: Fri, 5 Mar 93 14:30:46 EST
From: ran@cblpo.att.com
Subject: Re: Social Security Number FAQ

In article , hibbert@xanadu.com (Chris Hibbert) writes:
> The Privacy Act of 1974 (5 USC 552a) requires that any federal, state, or
                                                                  ^^^^^^^^^
> local government agency that requests your Social Security Number has to
  ^^^^^
> tell you four things:
> 1: Whether disclosure of your Social Security Number is required or
>    optional,
> 2: What law authorizes them to ask for your Social Security Number,
> 3: How your Social Security Number will be used if you give it to them,
>    and
> 4: The consequences of failure to provide an SSN.
> In addition, the Act says that only Federal law can make use of the Social
> Security Number mandatory. So anytime you're dealing with a government
> institution and you're asked for your Social Security Number, just look for
> the Privacy Act Statement. If there isn't one, complain and don't give your
> number. If the statement is present, read it. If it says giving your
> Social Security Number is voluntary, you'll have to decide for yourself
> whether to fill in the number.

Can somebody document this claim that state and local governments also
have to follow the Privacy Act? I have a copy of the House Report 100-199,
"A Citizen's Guide on Using the Freedom of Information Act and the Privacy
Act of 1974 to Request Government Records" (1987), and it says the following:

(In an informational part, p. 18)

    The Privacy Act does not generally apply to records maintained
    by state and local governments or private companies or organizations.

The actual act itself, in the section of interest, says:

    552a(e) Agency requirements
    Each agency that maintains a system of records shall--
    . . .
    (3) inform each individual whom it asks to supply information, on
    the form which it uses to collect the information or on a separate
    form that can be retained by the individual--
        (A) the authority (whether granted by statute, or by executive
        order of the President) which authorizes the solicitation of the
        information and whether disclosure of such information is
        mandatory or voluntary;
        (B) the principal purpose or purposes for which the information
        is intended to be used;
        (C) the routine uses which may be made of the information, as
        published pursuant to paragraph (4)(D) of this subsection; and
        (D) the effects on him, if any, of not providing all or any part
        of the requested information;
    . . .

> In addition, the Act says that only Federal law can make use of the Social
> Security Number mandatory.

Also, I can find nothing in the Act that says this; in fact the Act never
even mentions the Social Security Number by name at all.

So, does anybody know??

Bob
--
". . . and shun the frumious Bandersnatch."
Nipetlahuini.
Robert Neinast (ran@cblpo.att.com)
AT&T-Bell Labs

------------------------------

End of Computer Privacy Digest V2 #023
******************************