[TriLUG] OT: lack of security at BofA
Joseph Mack NA3T
jmack at austintek.com
Sun Dec 21 22:53:49 EST 2014
On Sun, 21 Dec 2014, Aaron Joyner wrote:
> Don't forget that a solid portion of the fraud costs get pushed onto the
> merchant, rather than the bank. If you wish to learn more, read about
> "chargebacks". One view is that it's reasonable if you consider that the
> merchant has the best chance of evaluating the person in the store for
> fraud,
well ...
there's no training of PoS people to check for fraud. They just learn to operate
the PoS system and that's it. When I started using credit cards, I was surprised
to find that none of the PoS people were trained in handwriting recognition. Not
even the bank tellers are trained in it (or weren't back then). How would they
know if the signature was forged? They don't and no-one pretends they do. It's
theatre.
It's quite difficult to tell if people are lying, particularly the people who've
made a lifestyle out of it. It takes months to train people to detect lying with
any confidence (e.g. police, interrogators). There are courses on detecting lying.
They take weeks, then you have to practice.
I had to check photo IDs and signatures for about 200 people in less than 30mins
once for accreditation for an event. I have no idea if any interlopers got in.
No-one gave me any training. I would hate to do that for 8hrs every day. After a
year I don't expect I'd care a lot, at the pay of a checkout person. The vendor
people are supposed to know what a hologram card looks like when most cards
aren't holograms. How many people are nervous because they're committing fraud,
and how many are just that way anyhow, or are late for an appointment, or are
having a bad day?
I don't know what the fraud rate is (% of transactions) but from the numbers I
got today ($100/person and I do $10k/yr) it's 1%. So the checkout person has to
look out for a low signal, when the cost of a false +ve (calling fraud when the
PoS machine says OK) is enormous. You have to call the manager, stop the line at
the grocery store...
Forget it. If the PoS accepts it, then it's not my problem.
The credit card company is in the best position to stop fraud. Beyond making
sure the required info is there, the vendor can't do anything. If they have a
cloned card, there's nothing they can do.
> and putting a large portion of the liability at their feet encourages them to
> be vigilant, such as requiring the card to be present, asking for ID,
> comparing signatures,
The signatures are always perfect. I get my card through the mail and it's
blank. I can put any signature on it I want. You should have to sign it at the
bank and compare it to the signature on file. I can erase it any time I like and
put on a new one. The signature should not be erasable. Even if it's not
erasable, anyone can forge a signature, anyone's signature, if you have the
original in front of you to practice from. Similarly the person who clones the
cards can put on any signature they want.
I found a card with signature on the ground once. I called the bank at the
number on the back. They didn't want to talk to me about it and hung up. I cut
it up and put it in the garbage.
> considering if you appear nervous or shady.. all the things you'd expect if
> they were taking a paper IOU.
As an untrained person I wouldn't expect anything. I just want to keep the line
moving and not have to call the manager.
> For those of us who frequently use plastic for purchases (likely everyone who
> will ever read this), most merchants are not particularly vigilant, because
> they do not encounter enough fraud to warrant it.
Yes. And it doesn't come out of the PoS person's pocket.
However after today, I'll be more sympathetic to all the IDs the PoS person asks
for. I've always thought that if the card swipes that should be it and that they
were just trying to make my life difficult. I didn't realise that the system
doesn't work and needs a whole lot of other band-aid layers to back it up
(driver's license, photo ID...).
> In the big picture, the payments market has essentially solved this problem
> by using "big data" analysis techniques to keep those trying to game the
> system from being successful repetitively,
Making five $200 purchases in an hour in two towns yesterday (Creedmoor, Oxford)
in two Food Lions and Walgreens, before the system shut them out, is not an
example of a problem solved. These people must have been running from store to
store and shovelling stuff into the shopping carts as fast as they could. The
limitation was the mechanics of getting the stuff out of the stores, not the
bank's AI software locking them out.
> or with a high rate, and writing off the minor amount of fraud that slips
> through that system, in the name of making the economic wheels roll as
> smoothly as possible for every legitimate transaction.
2% of transactions being fraudulent is a minor amount? $18G a year is minor?
Minor maybe for a bank that knows it can be covered with bailouts and doesn't
know that they should authenticate when they call a customer.
For some perspective, 18G is the budget of NASA. NASA operates on the amount of
money that is written off as fraud in banks.
http://en.wikipedia.org/wiki/Budget_of_NASA
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) austintek (dot) com - azimuthal equidistant
map generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
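Editor's added example (not part of Joe's post or the TriLUG archive): the pattern
he describes above, several large purchases on one card within an hour across two
towns, is exactly what a simple velocity / geo-dispersion rule catches. The code
below is a minimal, self-contained version of such a rule; the thresholds, the
card identifiers and the transaction records are constructed assumptions for
illustration, not any issuer's real policy or data. It reports the first
transaction at which the rule would have declined the card, and how much money
was approved before that point.

```python
"""Velocity / geo-dispersion check over card transactions.

Added illustration, not code from the original mailing-list post. Thresholds
and sample records are constructed assumptions, not a real bank's rules.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    card: str          # constructed card identifier, not a real PAN
    when: datetime
    amount: float
    town: str
    merchant: str


# Illustrative thresholds (assumptions for the example).
WINDOW = timedelta(hours=1)   # look-back window
MAX_TXNS = 3                  # more than this many large purchases in WINDOW trips the rule
MIN_AMOUNT = 150.0            # only purchases at or above this count as "large"
MAX_TOWNS = 1                 # more than this many distinct towns in WINDOW trips the rule


def velocity_alerts(txns):
    """Return {card: index} where index is the position (in time order, per
    card) of the first transaction the rule would decline, or None if the
    card never trips it.

    For each large purchase we look back over WINDOW (including the current
    transaction), count large purchases and distinct towns, and fire as soon
    as either count exceeds its threshold."""
    by_card = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.when):
        by_card[t.card].append(t)

    result = {}
    for card, seq in by_card.items():
        result[card] = None
        for i, t in enumerate(seq):
            if t.amount < MIN_AMOUNT:
                continue
            recent = [u for u in seq[: i + 1]
                      if u.amount >= MIN_AMOUNT and t.when - u.when <= WINDOW]
            towns = {u.town for u in recent}
            if len(recent) > MAX_TXNS or len(towns) > MAX_TOWNS:
                result[card] = i
                break
    return result


def approved_before_alert(txns):
    """Return {card: dollars approved before the rule fired}; if the rule
    never fires for a card, that is the card's whole total."""
    by_card = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.when):
        by_card[t.card].append(t)
    alerts = velocity_alerts(txns)
    totals = {}
    for card, seq in by_card.items():
        cut = alerts[card]
        approved = seq if cut is None else seq[:cut]
        totals[card] = sum(u.amount for u in approved)
    return totals


# Constructed sample: card-A mimics the spree described in the post (five
# $200 purchases in an hour across two towns); card-B is an ordinary shopper.
T0 = datetime(2014, 12, 20, 10, 0)
SAMPLE_TXNS = [
    Txn("card-A", T0,                         200.0, "Creedmoor", "Food Lion"),
    Txn("card-A", T0 + timedelta(minutes=12), 200.0, "Creedmoor", "Walgreens"),
    Txn("card-A", T0 + timedelta(minutes=25), 200.0, "Oxford",    "Food Lion"),
    Txn("card-A", T0 + timedelta(minutes=40), 200.0, "Oxford",    "Walgreens"),
    Txn("card-A", T0 + timedelta(minutes=55), 200.0, "Oxford",    "Food Lion"),
    Txn("card-B", T0,                          60.0, "Creedmoor", "Food Lion"),
    Txn("card-B", T0 + timedelta(minutes=30), 220.0, "Creedmoor", "Walgreens"),
]

if __name__ == "__main__":
    for card, idx in velocity_alerts(SAMPLE_TXNS).items():
        print(card, "declined at transaction", idx,
              "after approving $%.2f" % approved_before_alert(SAMPLE_TXNS)[card])
```

With these thresholds card-A is declined at its third purchase (the first one in
a second town), after $400 has gone through; card-B never trips the rule. Real
issuers layer many such signals with learned models rather than fixed cut-offs,
and tune them against the false-positive cost Joe describes, so treat the
thresholds here as a teaching device, not a recommendation.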