Schneier on Security
A blog covering security and security technology.
« Googling for Covert CIA Agents |
| Bypassing the Airport Identity Check »
March 13, 2006
Credit Card Companies and Agenda
This has been making the rounds on the Internet. Basically, a guy tears up a credit card application, tapes it back together, fills it out with someone else's address and a different phone number, and send it in. He still gets a credit card.
Imagine that some fraudster is rummaging through your trash and finds a torn-up credit card application. That's why this is bad.
To understand why it's happening, you need to understand the trade-offs and the agenda. From the point of view of the credit card company, the benefits of giving someone a credit card is that he'll use it and generate revenue. The risk is that it's a fraudster who will cost the company revenue. The credit card industry has dealt with the risk in two ways: they've pushed a lot of the risk onto the merchants, and they've implemented fraud detection systems to limit the damage.
All other costs and problems of identity theft are borne by the consumer; they're an externality to the credit card company. They don't enter into the trade-off decision at all.
We can laugh at this kind of thing all day, but it's actually in the best interests of the credit card industry to mail cards in response to torn-up and taped-together applications without doing much checking of the address or phone number. If we want that to change, we need to fix the externality.
Posted on March 13, 2006 at 2:18 PM
• 43 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Wow. I thought I just might be too paranoid. Thanks for totally justifying that shredder I've been using, Bruce!
That is too funny. I now have a reason to burn all those credit card applications and convenience checks instead of just ripping them up.
I think it's an externality because they tell people it is and the people believe them. If fraudulent accounts were opened in my name, as soon as I informed them of the fraud, I would think that they would be in violation of the Fair Credit Reporting Act for not immediately removing the accounts from my credit report and an active participant in the fraud against me for trying to collect. Is the problem that the majority of victims can't afford lawyers to sue them? It's not like the companies aren't aware that they play an active role in credit card fraud.
Well, the guy got his card because he filled in his SS#, date of birth, and probably mother's maiden name. I don't think that these applications are worth much themselves -- the attacker would need person's SS# to succeed. If victim's identity is stolen, attacker can fill out the same application on the web quite easily.
In Canada at least, the Social Insurance Number (our SSN) is not required to apply for a credit card (but it helps the bank to check your credit record and not someone else's...)
So in Canada, it's even easier...
Max - Are you saying the items required are hard to find? The point is - it was torn up, the address was different and so too was the phone number.
I think Max's point is that a shredder wouldn't help: if you have the information to fill in the form, you have the information to do it online without the form. The form isn't the problem.
(Note I don't know whether this assertion is correct - I don't have first hand experience on what you need to know to obtain a credit card online.)
I'd be curious to know if pre-approved credit card applications go through a secondary check to validate that the information is the SAME as the original application that they sent out. I suppose they're not going to re-run a full credit check, but do they at least validate that the info processed is the same as that which was "pre-approved"?
The way to "fix the extenality" is to hold the credit card companies legally liable for issuing cards to imposters, unless the card companies/banks can show that they took sufficient measures to verify the identity of the person applying for the card. This seems to require at least two things: a change in the law to allow victims to sue the card companies when this happens, and a "sufficient" way to verify the identity of someone unknown to the card company who applies for a new card.
I guess I'm confused about these exertanlities that Bruce mentioned. Can we play out the scenario a bit further?
A fraudster submits a torn-up and taped-up application with an alternate postal address and phone number. The fraudster receives the card in the mail. The fraudster activate the card. Is the fraudster forced to activate the card from the phone number they put on the application (i.e., the credit card company's toll-free activation number uses ANI)? The fraudster uses the card. A billing cycle goes by without any payment. Now what happens?
It seems this would be a case where the credit card company ultimately eats the loss -- the postal address is wrong, the phone number is wrong, the signature is wrong.
So now we come to this paragraph of Bruce's -- "All other costs and problems of identity theft are borne by the consumer; they're an externality to the credit card company. They don't enter into the trade-off decision at all."
And this is where I'm missing something. Are you saying that the credit card is used to establish a false identity in another context?
Looking at the "My Torn Up Credit Card Application" Web site, the experimenter did not even use a shredder. He just hand-tore the application into what appear to be 16 pieces.
An interesting test would have been to use a strip cutting shredder and taped the application together. Cross cutting shredders would be much more difficult.
But not impossible. There is a great snippet from a New York Times Technology story on document reconstruction:
After the takeover of the United States Embassy in Tehran in 1979, Iranian captors laid pieces of documents on the floor, numbered each one and enlisted local carpet weavers to reconstruct them by hand, said Malcolm Byrne of the National Security Archive at George Washington University. ''For a culture that's been tying 400 knots per inch for centuries, it wasn't that much of a challenge,'' he said. The reassembled documents were sold on the streets of Tehran for years.
Then again, the crooks' determination can vary and, for most people's credit application documents, it is likely that fine cross cut shreds will be relative safe. Added precautions can include adding non-sensitive documents to the shred jobs, mix, separate into different day's disposal, add in yucky additives (spoiled food leftovers or used kitty litter work nicely), use an old blender to pulp the paper, etc. Only the intensely paranoid need to eat the shreds or pulp of most documents.
I deal with credit card apps by shredding them, stuffing everything back into the return envelope and send it back to the credit card company.
Also, you can sign *anything* on a credit card receipt, and unless you are buying thousands of dollars worth of stuff, no one checks.
I recall reading somewhere that at least one of the 'three letter agencies' shreds the documents, then bleaches the cross-cut shreds while stirring them together, then actually turns it all back into paper.
Now -that's- secure. :)
on the other hand...I was recently turned down for an ordinary credit card. my credit score is somewhere around 850, same job for 7 years, very well paid, famous company, very low debt, lots of cash, no banking problems of any kind, fabulous credit history (no bounces, misses, etc), and I only have two existing cards, both of which I've had for more than 10 years with no issues whatsoever. so why was I denied? as near as I can figure it is because I don't have a physical, land-line telephone, just a cell phone. they rejected me because they couldn't verify my identity, they said, although the current utility bill and current paystub both had the same address and of course so did the bank accounts etc etc etc.
maybe I should have torn it up first.
Last time I got an answer like that ("we can't verify your identity"), it turned out that someone else's information got comingled with my credit report, so my report showed "aliases" and "alternate SSNs" that weren't really mine. After getting the credit reporting agencies to fix it (thankfully very simple), I had no trouble. It's probably worth pulling a copy of your credit reports if you haven't already.
"Pre-approved" means absolutely nothing. My coworkers with horrible credit get pre-approved offers all of the time. If they attempt to follow up on one of those offers, they get told they don't match the selection criteria.
Frank J. Abagnale goes into this subject to some extent in 'The Art of the Steal', as well as some of the rather surprising consequences: such as that getting a credit card may make it easier to obtain other services that come with greater damage bills.
This does make a lot of sense. Guess how the information on your credit report gets updated? You certainly don't do it. I don't know the mechanics of it, but the various checks also cause updates. For example if you had a blank credit history and then applied for a card, the credit agency would then update the record associated with your ssn with your name, an address, whatever mother's maiden name you supplied etc.
Interesting but I wonder if he had:
1) Used a phone number not associated with himself.
2) Not used an address associated with himself. A prior address or even one that might still be on record?
I just wonder how much weight the data matching had. No excuse for the torn up application.
But then, when you are dealing with people via mail, how do you ever know who is on the other end for sure?
i don't understand why a crook would tape together a credit card application and use his own, or a fake name, when he can go into any bank branch and they'll give him an application that hasn't been pre-shredded. as long as it isn't my name being used, i don't give a damn.
Exactly, the "pre-approved" is just marketing. They aren't handled any differently than random application forms. Now this shows that CC companies will send credit cards to folks without a second thought, but Bruce already said that.
When I was 8 years old, my Dad worked at the Pentagon. When I visited his office , the parts I liked best were the guys on big tricycles with a safe on the back and a pistol on their belt delivering secrets. That and looking through the glass window at the big machine that washed the secrets off before the paper was pulped and turned back into paper again. In my memory there was a big tank where they saved the ink for recycling, too.
>The risk is that it's a fraudster who will cost the company revenue.
Actually the CC company _makes_ money on fraudulent cards because they have a chargeback fee that the merchant has to pay (along with the merchant taking the loss) when the merchant honors a fraudulent card.
The ultimate looser is the consumer.
> they have a chargeback fee that the merchant has to pay when the merchant
> honors a fraudulent card.
Doesn't this apply only to fradulent use of a normal card (ie, someone uses my card without my authorization, as opposed to someone getting a new account in my name and uses the card)? If the CC company issues a card to an unauthorized user and that card is misused, I would think that they have to eat the loss (assuming I can prove that it wasn't me that opened the account).
I recently sent in one of those cards for my own use and they called me 2 or 3 times trying to extract more personal information than originally asked for on the card from me and now you tell me that everybody else can just send it in without them checking. Did I miss the memo on how to get a credit card without a friggin' hassle? They want my SSN for pity's sake!
This isn't a very good test case because the person used an address (his parents') that may be identified with him on his credit report (all known past addresses show up) as well as a phone number that is, in some way, tied to him. Also, it's unclear whether he used his real SSN and employer name (he *might* really work for "Blue Moon Printing".)
A better test would be to use a friend's address and phone, plus a fake employer and SSN - because that's what a typical dumpster diver will have. If the CC company still opens the account, there's no need to worry. There's almost no chance any delinquencies would show up on your credit report, and if they did it would be simple to contest.
If they have both your trash and your SSN, you probably are dealing with someone more sophisticated than a casual dumpster diver, and a shredder is unlikely to stop them.
I'm also unsure about the hypothesis that credit card companies are intentionally opening accounts in response to obviously fraudulent applications in order to bost their revenue. If they'e going to do that, why not just start sending 'fraudulent' cards to random address, hope people will use them, and then slap the delinquency on some random shmuck's credit report?
Finally, IANAL, but I believe in cases of fraud, the financial cost (assuming the perpetrator isn't caught or can't pay) is borne by the entity in the best position to have prevented it - which would clearly be the CC company, not the consumer or merchant.
Quote - The way to "fix the externality" is to hold the credit card companies legally liable for issuing cards to imposters. - end quote. Never happen. The banks (big, big businesses) will never acquiesce to this. They are here for only one purpose - to make lots of profits. If they have to remove a member of Congress or the Senate to get one that will do as they wish, this they will do. Quote - Cross cutting shredders would be much more difficult. - end quote. Never feed the paper straight in, it's easy to read the individual small strips, try it. Before you place the paper in, rip it in half, now place the paper in at a 45 degree angle. If each piece went in at an angle and you didn't place each one in with the print facing the same direction, I doubt if ANYONE can recover the info, try it. Of course the US Gummit has the time and our money to recover anything (big grin). Quote - The ultimate loser is the consumer. - end quote. Amen. It's all about profits, nothing else, we're just pawns in the game.
@ Consumer be Damned
> The banks will never acquiesce to this... [they'll] remove a member of
> Congress or the Senate ...
If this were true, then the Fair Billing Act would never have been passed. True, lobbying by business concerns has a high impact on legislation, but it *is* possible to get meaningful legislation passed.
Quote - If this were true, then the Fair Billing Act would never have been passed. - end quote.
Throw them a bone now and then. That was then, going forward things will only get worse and worse. The good old days are gone, big money only wants a "company store" atmosphere and they are getting it little by little. We've lost much ground these last 5+ years but gained more billionaires. The rich will not allow us too many privileges, the choker chain gets tighter everyday. I see plenty of good things out there but I also see many of out rights being trashed.
Don't overestimate the little power the consumer has, as soon as some business with big bucks complains, new laws can be passed to circumvent old rights.
to J.D. Abolins:
I actually used to not just shred sensitive documents. We had a pet hamster who liked to chew on paper products. I gave him the sensitive papers, he cehwed them up, partially digested them, peed on them, and then I threw it into the compost heap. Biology helps security!
in response to Kurt:
I have written "Ask for photo ID" on the signature stripe of my credit card, and I think that only once has someone asked to see photo ID.
On the other hand, I have seen that with some new credit cards (specifically one here in Germany), you can get your photo printed on the card for an extra fee of only about $4.
Of course, none of this helps when making purchases online.
Another facet of credit card security is the signature on the back -- it's to protect the merchant.
While working at a store I encountered a number of customers who hadn't signed their credit card. Most of these would refuse to sign it if I asked them to since "a thief could then steal my signature". This seemed silly to me until I got involved in a case where the customer disputed the charges. It was a customer I served, so I knew that I'd checked that the signatures matched, but the signature didn't match the one the credit card company had on file, so they decided that we were at fault and refused to pay us.
Here in Australia, if you are living in a rented property, chances are you will be constantly spammed with credit card applications in someone else's name. You can easilly open the envelopes and inspect the undamaged contents...
What in the world do you mean by "fix the externality"? Which externality and how would you fix it?
There is NO excuse for accepting a torn up application period! This is internal to the credit company that accepted it and needs to be fixed internally.
>I have written "Ask for photo ID" on the signature stripe of my credit card, and I think that only once has someone asked to see photo ID.
The signature line on the back of the card signifies only that you agree to the terms of the financial lending institution. Visa's rules state that such a car MUST be signed in the presence of the cashier, and if you won't/don't, then they can either decline the sale or confiscate the card. The signature line on the card is not an identity check, it is a legality check that you're going to pay your bill
Here's a good way to alter the business model: take away some of the financial incentive for direct mail/junk mail. Mail back an empty "business reply envelope". That way, credit card companies at least pay more postage. If enough people did it, the cost/benefit analysis might just shift enough...
More info here:
I have received several credit card applications with my address on them and someone elses name. He finally got one of the companys to send him a card. It doesn't have my name on it, but someone is definitely using my address to try and establish an id of some kind........is this something to worry about if my name isn't on it??
i want to check the name and adress of a credit card sent to me
My Cousin works as a salesman for a Pennsylvania Vacation Time Share Company. The Company requires their consumers sign a form, giving the Company the right to check their credit report. Most who buy won't sign the form and don't want their credit checked. But the boss check the credit anyway. Is this legal? My Cousin is worried sick that he will get in trouble. But, if reported -- won't the boss be held responsible rather than the sales men and woman?
I had a friend who stayed at a hotel and paid with her credit card, turns out a month or so later, she received her statement and there it was "charges to her card" that she didn't make. Someone from the hotel helped themselves. You can only try and trust your employees. As for the paper applications, yes, shred them, or burn them in a barrel if your town, city allows. As for the computer applications, doesn't it seem logical that the computer IT address can be tracked to find the owner of the computer who made the initial application? So wouldn't the thief eventually be caught?
I APPLIED FOR A CREDIT CARD AND THE COMPANY SENT ME THE CARD WITH THE WRONG NAME ON IT. I KNOW HOW SHE MISUNDERSTOOD FOR SHE DID NOT SPEAK ENGLISH VERY WELL.
HOW DO I FIX THIS, I TRIED CALLING THEM BACK TO FIX BUT THEY KEEP GIVING ME ANOTHER NUMBER TO CALL.
WHAT DO I DO TO FIX THIS.
As "strike back" stated, if every mail-receiving citizen of the United States returned, empty, every pre-paid envelope from every unsolicited credit offer they receive, the fiscal incentive for these companies to participate in direct mail marketing would be kaput. I can't imagine there is anyone out there who ENJOYS receiving unsolicited offers of credit in the mail.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.