Schneier on Security
A blog covering security and security technology.
October 24, 2005
Supermarket Loyalty Program Used to Pinpoint Location
This is an interesting (six-month-old) story about a supermarket loyalty program.
Person 1 loses a valuable watch in a supermarket. Person 2 finds it and, instead of returning it as required by law, keeps it. Two years later, he brings it in for repair. The repairman checks the serial number against a lost/stolen database. Person 2 doesn't admit he found the watch, but instead claims that he bought it in some sort of used watch store. The police check the loyalty-program records from the supermarket and find that Person 2 was in the supermarket within hours of when Person 1 said he lost the watch.
EDITED TO ADD: Earlier confusion about video surveillance fixed, and two comments pointing out the error deleted. Thank you.
Posted on October 24, 2005 at 1:30 PM
"Using records from his supermarket loyalty card, police were able to prove that he had visited the Tesco store in Poole, Dorset, within two hours of the watch’s real owner on January 16, 2002."
I couldn't find anything in the article about surveillance cameras.
Wow, that is my local Tesco!
So what proves that person 2 really was at the supermarket? Someone was shopping there at that time, and upon request gave the cashier a card or a phone number or something, but it's doubtful anyone verified that the card or phone number really belonged to Person 2, who originally registered them. My phone number is in Albertson's loyalty card database, but only because someone who had the phone number before it was assigned to us signed up at Albertson's. And the supermarket will accept that phone number and give me loyalty card discounts. Nothing about "Bob"'s loyalty account being used in a particular place at a particular time can prove "Bob"'s location unless there's some verification that the person using the account really is "Bob".
Eggy: You're right, the card is not a biometric authentication mechanism, but it is nonetheless a piece of evidence used against him.
When you take into account that he's carrying stolen goods, can't provide a record of purchasing it, and tries to make up a fictitious store, then this is really a piece of solid evidence to show where either he, or someone he knows well enough to give his loyalty-program card number to, could have obtained the "stolen" item.
I have to agree with Eggy... All this proves is that someone used the magistrate's loyalty card, not specifically who used it. However, the coincidence of the loyalty card being used on the same day and the magistrate having possession of the watch is pretty damning...
This just goes to show that personally identifiable collected data will eventually be used in unintended and unpredictable ways.
Can anyone say RealID?
A preponderance of evidence (including circumstantial) is sufficient to dispel reasonable doubt (in the US, anyway).
@Joel: sure, it's evidence against him, but it's still not proof of anything. It makes his story unlikely, but it does not make it impossible, so I don't think it could (or at least should) be enough for a conviction.
On a side note, watches have serial numbers? Who would've thought.
It seems as credible as any documented eye-witness account of the two men visiting the store at the same time. Not enough on its own, perhaps, but coupled with the giant holes in the suspect's story, lack of receipt, etc. it pushes things in the direction that investigators were already headed.
The accused doesn't seem to have a compelling story for where he purchased the watch, and it was listed in a registry as stolen/lost. Those two items seem to create a much bigger issue on their own than whether he had a habit of sharing his loyalty number with others (or even regularly used someone else's) both of which would cast a shadow on the credibility of evidence from Tesco.
"Preponderance of the evidence" is the standard for civil, not criminal, cases in the United States. Of course, enough circumstantial evidence can remove "reasonable doubt". This is the point of the "reasonable" bit.
They seem to have an only somewhat reliable system used by many to estimate a production date. You can see it on the side of the watch "case" when you remove the band, and apparently some have it inside the caseback. They also have a special number for replacement casebacks.
Here's more info on the numbers and an interesting side-note:
"Rolex reached the production number of 999,999 in the early 1950's. Rather than going on to a seven digit system, they started over with serial numbers at 100,000. [...] In the late '50's, Rolex again reached the 999,999 production serial. This time, they moved into the seven digit serial number system."
It doesn't mean a thing. I don't like the idea of being traced just to save money, so I print out a bunch of random bar codes following the numbering format of the real cards, and scan a new one each time I go through the self check-out aisle.
"Surviellance" is properly spelled "surveillance." Just a helpful note...
And this is exactly why I use the local pizza joint's number (which is very easy to remember). The number was suggested to me by a supermarket clerk...
So, if you want to do something bad, don't use your supermarket loyalty card, or credit card. Use cash!
But, if that British Magistrate actually did this -- it is a bit appalling.
Jimbo: You never have to give them any number. When they ask for a number, I always say, "I'd rather not," and that's that. It happens often enough that they don't seem at all surprised.
IMHO, the only reason to use one of those cards is to get the daily/weekly special super deep discounts anyway. So you just use a name like "joey joe joe shabadoo." In my experience, no one at the market asks any questions. (They never check my ID when I use my credit card, even though the signature says "CID", so the likelihood of getting carded because I want to buy grapes for 99 cents a pound seems infinitesimal.)
Shopping at a supermarket in Hawaii once, I got the super discount "club card holder's" price on a half pound of sesame flavored poke even though I was an out of town tourist. The cashier just ran a special card through for me. That's what I call aloha spirit.
Keep your shopping simple: fake the club card data....
What an idiot. You would think a magistrate would know better than to hang on to stolen goods. Giving it to his wife as a present was just
Err, in England, there is nothing illegal about picking a watch off the floor and keeping it. It is a legal requirement to return it to the owner if you see the owner mislay it. But if you just see it on the floor, "finders keepers".
In response to those commenting on using fake barcodes/names/addresses for loyalty cards, almost all loyalty schemes here work on a cashback scheme, meaning that if you don't provide proper details, you don't get any benefit.
A lot of the comments on how people use loyalty cards suggest that they work very differently in the US than in the UK. I've never heard that giving a number is a substitute for carrying the card, even when I say I lost the card.
Here in the UK, you don't get discounts when purchasing -- except at the Co-op http://www.co-op.co.uk/ , but that's a membership card, not a loyalty card.
Here, you get points credited to an account. When you've accumulated enough points, you can trade them for a cash discount or goods.
Wow! That's pretty tough; it is against the law to keep something that you find on the floor. Here in the States you would be SOL.
It is just a matter of degrees. Which of these is reasonable to keep and use if you find it on the floor:
a five dollar bill?
a five dollar bill that someone has just dropped and is about to pick up?
a credit card?
In the UK the presumption is nothing has been abandoned and therefore it is not reasonable to take things.
"I print out a bunch of random bar codes"....wow, that works? I would've thought the number would have to be in the database.
A magistrate who gives his wife a hot watch for her birthday, OMG, how utterly appalling.
I have Charlie Manson's Safeway card and James Dean's Albertson's card.
To add a bit of clarity to the concept of theft by finding:
Case law has stated that a finder ought to make a "reasonable effort" to find the owner. This is usually dependent on the value of the object found. A penny sweet: no one is going to care if the finder makes no attempt whatsoever to find the loser.
A £50 note: the finder would be expected to hand it in at a police station, wait their 28 days, then collect it if the original owner did not.
A £10,000 Rolex: a different matter completely. Any reasonable person is assumed to know that the owner would want it back very badly. So they would be expected to try (again, hand it in at a police station) to return it to the original owner.
I agree that this is nebulous at best, but then show me a law that isn't...
#1 Assuming cash wasn't used, isn't the loyalty card and (check or credit card) two-factor identification?
#2 Is this an example of information warehousing that has a good result?
No, a credit card and a loyalty card are not two-factor authentication. It is two-item authentication, and someone who has found/stolen the wallet would have both.
However, if the credit card needs a PIN, then that would be two-factor. But 2-factor + 1-factor = 2-factor.
Bottom line seems to be that if you 'find' a watch worth keeping, don't bring it in to get fixed!
Moral is - buy a cheap watch so you don't mind if you lose it