[TriLUG] OT: lack of security at BofA

Joseph Mack NA3T jmack at austintek.com
Sun Dec 21 22:53:49 EST 2014


On Sun, 21 Dec 2014, Aaron Joyner wrote:

> Don't forget that a solid portion of the fraud costs get pushed onto the
> merchant, rather than the bank.  If you wish to learn more, read about
> "chargebacks".  One view is that it's reasonable if you consider that the
> merchant has the best chance of evaluating the person in the store for
> fraud,

well ...

there's no training of PoS people to check for fraud. They just learn to operate 
the PoS system and that's it. When I started using credit cards, I was surprised 
to find that none of the PoS people were trained in handwriting recognition. Not 
even the bank tellers are trained in it (or weren't back then). How would they 
know if the signature was forged? They don't and no-one pretends they do. It's 
theatre.

It's quite difficult to tell if people are lying, particularly the people who've 
made a lifestyle out of it. It takes months to train people to detect lying with 
any confidence (eg police, interrogators). There are courses on detecting lying. 
They take weeks, then you have to practice.

I had to check photo IDs and signatures for about 200 people in less than 30mins 
once for accreditation for an event. I have no idea if any interlopers got in. 
No-one gave me any training. I would hate to do that for 8hrs every day. After a 
year I don't expect I'd care a lot, at the pay of a checkout person. The vendor 
people are supposed to know what a hologram card looks like when most cards 
aren't holograms. How many people are nervous because they're committing fraud, 
and how many are just that way anyhow, or are late for an appointment, or are 
having a bad day?

I don't know what the fraud rate is (% of transactions) but from the numbers I 
got today ($100/person and I do $10k/yr) it's 1%. So the checkout person has to 
look out for a low signal, when the cost of a false +ve (calling fraud when the 
PoS machine says OK) is enormous. You have to call the manager, stop the line at 
the grocery store...

Forget it. If the PoS accepts it, then it's not my problem.

The credit card company is in the best position to stop fraud. Beyond making 
sure the required info is there, the vendor can't do anything. If they have a 
cloned card, there's nothing they can do.

> and putting a large portion of the liability at their feet encourages them to 
> be vigilant, such as requiring the card to be present, asking for ID, 
> comparing signatures,

The signatures are always perfect. I get my card through the mail and it's 
blank. I can put any signature on it I want. You should have to sign it at the 
bank and compare it to the signature on file. I can erase it any time I like and 
put on a new one. The signature should not be erasable. Even if it's not 
erasable, anyone can forge a signature, anyone's signature, if you have the 
original in front of you to practice from. Similarly the person who clones the 
cards can put on any signature they want.

I found a card with signature on the ground once. I called the bank at the 
number on the back. They didn't want to talk to me about it and hung up. I cut 
it up and put it in the garbage.

> considering if you appear nervous or shady.. all the things you'd expect if 
> they were taking a paper IOU.

As an untrained person I wouldn't expect anything. I just want to keep the line 
moving and not have to call the manager.

> For those of us who frequently use plastic for purchases (likely everyone who 
> will ever read this), most merchants are not particularly vigilant, because 
> they do not encounter enough fraud to warrant it.

yes. And it doesn't come out of the PoS person's pocket.

However after today, I'll be more sympathetic to all the IDs the PoS person asks 
for. I've always thought that if the card swipes that should be it and that they 
were just trying to make my life difficult. I didn't realise that the system 
doesn't work and needs a whole lot of other band-aid layers to back it up 
(driver's license, photo ID...).

> In the big picture, the payments market has essentially solved this problem
> by using "big data" analysis techniques to keep those trying to game the
> system from being successful repetitively,

Making five $200 purchases in an hour in two towns yesterday (Creedmoor, Oxford) 
in two Food Lions and Walgreens, before the system shut them out, is not an 
example of a problem solved. These people must have been running from store to 
store and shovelling stuff into the shopping carts as fast as they could. The 
limitation was the mechanics of getting the stuff out of the stores, not the 
bank's AI software locking them out.

> or with a high rate, and writing off the minor amount of fraud that slips 
> through that system, in the name of making the economic wheels roll as 
> smoothly as possible for every legitimate transaction.

2% of transactions being fraudulent is a minor amount? $18G a year is minor? 
Minor maybe for a bank that knows it can be covered with bailouts and doesn't 
know that they should authenticate when they call a customer.

For some perspective, 18G is the budget of NASA. NASA operates on the amount of 
money that is written off as fraud in banks.

http://en.wikipedia.org/wiki/Budget_of_NASA

Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) austintek (dot) com - azimuthal equidistant
map generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
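The spree Joe describes above (five $200 purchases in about an hour, split across two towns) is the kind of pattern a per-card velocity rule on the issuer side is meant to catch. The following is an added example, not code from the post or from any bank's system: a small sliding-window monitor that declines an authorization when a card exceeds a count, a dollar total, or a number of distinct cities within a window. The thresholds (3 authorizations, $500, 1 city per hour), the card identifiers, and the transaction list modelled on the post's description are all constructed for illustration; real issuer rules are tuned on far more features than this.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    ts: datetime
    card: str       # card token; a real system never keys on the raw PAN
    amount: float
    merchant: str
    city: str


@dataclass
class VelocityRule:
    window: timedelta = timedelta(hours=1)
    max_count: int = 3        # approved authorizations allowed per card per window
    max_total: float = 500.0  # dollars allowed per card per window
    max_cities: int = 1       # distinct cities allowed per card per window


class VelocityMonitor:
    """Per-card sliding window of *approved* transactions (declines are not
    counted, so a declined card does not accumulate further history)."""

    def __init__(self, rule=None):
        self.rule = rule or VelocityRule()
        self._history = defaultdict(deque)  # card -> deque[Txn], oldest first

    def _trim(self, card, now):
        hist = self._history[card]
        while hist and now - hist[0].ts > self.rule.window:
            hist.popleft()

    def check(self, txn):
        """Return None to approve, or a reason string to decline."""
        self._trim(txn.card, txn.ts)
        hist = self._history[txn.card]
        count = len(hist) + 1
        total = sum(t.amount for t in hist) + txn.amount
        cities = {t.city for t in hist} | {txn.city}
        r = self.rule
        if count > r.max_count:
            return f"count {count} > {r.max_count} in {r.window}"
        if total > r.max_total:
            return f"total ${total:.0f} > ${r.max_total:.0f} in {r.window}"
        if len(cities) > r.max_cities:
            return f"{len(cities)} cities ({', '.join(sorted(cities))}) in {r.window}"
        hist.append(txn)
        return None


def run(txns, rule=None):
    """Feed transactions in time order; return [(index, reason)] for declines."""
    mon = VelocityMonitor(rule)
    declines = []
    for i, t in enumerate(sorted(txns, key=lambda t: t.ts)):
        reason = mon.check(t)
        if reason is not None:
            declines.append((i, reason))
    return declines


# Constructed sample data (assumed, modelled on the post; not real transactions).
T0 = datetime(2014, 12, 20, 14, 0)
SPREE = [
    Txn(T0,                          "card-A", 200.0, "Food Lion", "Creedmoor"),
    Txn(T0 + timedelta(minutes=12),  "card-A", 200.0, "Walgreens", "Creedmoor"),
    Txn(T0 + timedelta(minutes=31),  "card-A", 200.0, "Food Lion", "Oxford"),
    Txn(T0 + timedelta(minutes=40),  "card-A", 200.0, "Walgreens", "Oxford"),
    Txn(T0 + timedelta(minutes=55),  "card-A", 200.0, "Food Lion", "Oxford"),
]
NORMAL = [  # an ordinary cardholder: two modest purchases, hours apart
    Txn(T0,                       "card-B", 64.10, "Food Lion", "Durham"),
    Txn(T0 + timedelta(hours=3),  "card-B", 38.00, "Walgreens", "Durham"),
]

if __name__ == "__main__":
    for i, why in run(SPREE):
        print(f"SPREE txn {i} declined: {why}")
    print("NORMAL declines:", run(NORMAL))
```

With the default rule the third $200 purchase is declined on the dollar total, and everything after it stays declined because the two approved purchases remain in the one-hour window; the ordinary cardholder is never touched. Relaxing the count and total but keeping the one-city limit still trips on the first Oxford purchase, which is the cheapest signal in this data. The trade-off Joe raises is visible in the thresholds: every limit tight enough to stop the spree early is also a limit a legitimate customer can hit on a busy shopping day.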
