Car Forum / Driving, Maintenance, Tuning / Driving / November 2007
Google at the Pump?!
gpsman - 07 Nov 2007 23:16 GMT
For your consideration, the most stupid idea of 2007:
By Walaika Haskins TechNewsWorld 11/07/07 2:02 PM PT
Motorists who stop at certain gas stations to fill the tank may soon also be able to get directions via Google Maps. Gilbarco Veeder-Root, a maker of commercial gas pumps, has begun installing Internet-connected touch screens running the map program on some of its pumps. Users can find out how to get where they're going and even get a written copy of directions using the pump's receipt printer.
Instead of asking a stranger for directions, lost drivers may soon be able to turn to Google Maps for help as they fill up their gas tanks. Google has teamed with Gilbarco Veeder-Root, a commercial fueling supplier, to put Google Maps at the gas pump.
"Getting directions at the pump is safer than using Internet-enabled devices from the driver's seat and far more reliable than just asking a stranger," said Kirsten Paust, vice president of global retail systems at Gilbarco Veeder-Root.
"We believe consumers will prefer convenience stores that deliver useful information and ultimate convenience. Retailers who use these tools will make themselves more valuable to consumers and gain the competitive edge," she added.
No PC, Mac or Smartphone Necessary
The pumps, set to roll out to gas stations across the United States next month, include a live Internet connection that delivers information in real time. A small, color, touchscreen display allows lost users to view maps or search local listings by category (such as restaurant, hospital, gift shop, etc.) to locate the most convenient location.
Once they have an idea where they are headed, drivers can leave with directions in hand by printing them out using the pump's built-in receipt printer.
Despite its position as the leader in online ads, Google reportedly will receive no ad-related income from the service as it will not include any ads, though the company did not return calls seeking confirmation. Gas station owners, however, will be able to increase their take by offering merchants the opportunity to issue coupons.
"It's a brilliant idea," said David Chamberlain, an In-Stat analyst. "I mean, think about it: The gas station is the one place you always stop for maps and directions. And men are notorious for not wanting to ask for directions but they sure as heck will play with any computer device."
Light Bulb Moment
For Google, the deal brings additional publicity, said Karsten Weide, an IDC analyst.
"It puts their brand out there and shows they are cutting edge," he told TechNewsWorld.
Gas station proprietors will likely benefit from additional gas sales.
"It might promote a gas sale. Even if you don't need gas, you might buy a few dollars worth to get the map," Chamberlain told TechNewsWorld.
http://www.technewsworld.com/story/Google-at-the-Pump-Maybe-Now-Men-Will-Stop-for-Directions-60206.html
-----
- gpsman
Murderous Speeding Drunken Distracted Driver (Hector Goldstein) - 08 Nov 2007 02:29 GMT
>For your consideration, the most stupid idea of 2007: <snip>
It's only stupid, in your eyes, because you are too ineffectual to be able to use Google Maps. LMAO.
Lame troll, by the way.
Signature "Speeders And Drunk Drivers Are MURDERERS" brags of its homosexuality: the guys at the bath-house stopped laughing at my 3 inch weenie.
: http://groups-beta.google.com/group/rec.autos.driving/msg/168e8e621dd649fb?hl=en
"Speeders And Drunk Drivers Are MURDERERS" brags of its ability to operate a vehicle: I must be doing something right to go 3 1/2 years without a fatal crash.
: http://groups.google.com/group/misc.transport.road/msg/a376114ee8a61824?hl=en
Nate Nagel - 08 Nov 2007 02:43 GMT
>>For your consideration, the most stupid idea of 2007:
> [quoted text clipped - 4 lines]
>
> Lame troll, by the way.
Yeah, it seemed like a pretty clever idea to me. Not everyone has a laptop and/or GPS that they carry with them, and some people are not so good with maps. I guess I just didn't want to be the first to pile on gpsman, not sure why... maybe I'm getting soft in my old age.
nate
 Signature replace "roosters" with "cox" to reply. http://members.cox.net/njnagel
Murderous Speeding Drunken Distracted Driver (Hector Goldstein) - 08 Nov 2007 02:54 GMT
>>>For your consideration, the most stupid idea of 2007:
>> [quoted text clipped - 8 lines]
>laptop and/or GPS that they carry with them, and some people are not so
>good with maps. I guess I just didn't want to be the first to pile on
My mom would benefit from it greatly on her infrequent travels. She doesn't own a GPS (and wouldn't want one). She would use Google Maps on her laptop at home to plan her route, and take a hard copy with her, but she (fortunately) is not the type who would try to use a laptop while navigating a vehicle. This type of solution would be ideal for her, as she wouldn't have to write down any spoken directions she might receive from a clerk, and it allows for "in route rerouting".
All in all, though, while I have no use for the technology, I think it's a good thing. Indeed, I appreciate the fact that more stations are moving to the "pay at the pump" method to reduce losses from drive-offs. This affords me much greater efficiency in the commutes that involve refueling, as I don't have to deal with the dullards in the queue or behind the counter.
>gpsman, not sure why... maybe I'm getting soft in my old age.
I held off for a while myself, but since no one else bit, I thought I'd give it a try. :-)
Nate Nagel - 08 Nov 2007 03:11 GMT
> I held off for a while myself, but since no one else bit, I thought
> I'd give it a try. :-)
Well, to his credit, he did post something that I was completely unaware of and that I found interesting. It's just his opinion that was completely wrong...
nate
Murderous Speeding Drunken Distracted Driver (Hector Goldstein) - 09 Nov 2007 02:48 GMT
>> I held off for a while myself, but since no one else bit, I thought
>> I'd give it a try. :-)
>
>Well, to his credit, he did post something that I was completely unaware
>of and that I found interesting. It's just his opinion that was
>completely wrong...
I have yet to see a post of his where his opinion wasn't completely wrong. :-)
Daniel W. Rouse Jr. - 08 Nov 2007 10:56 GMT
> For your consideration, the most stupid idea of 2007:
> [quoted text clipped - 8 lines]
> find out how to get where they're going and even get a written copy of
> directions using the pump's receipt printer.
[snip...]
But no mention whatsoever as to whether or not Google will be getting anyone's personal information as the result of using a credit or debit card at one of those pumps, whether or not they actually use the maps service?
Also, what about the potential of any entity having a coupon agreement also getting anyone's personal information as the result of using a credit or debit card at one of those pumps, whether or not they actually request a coupon or offer? What is their privacy policy, if they have one?
At the minimum, will the maker of these pumps get the customer information in order to track usage? And what is their privacy policy, if they have one?
Until more information is available regarding data collection and information exchange, one should plan on only purchasing gas using cash at any gas station equipped with these pumps.
Scott in SoCal - 08 Nov 2007 13:51 GMT
>But no mention whatsoever as to whether or not Google will be getting
>anyone's personal information as the result of using a credit or debit card
>at one of those pumps, whether or not they actually use the maps service?
That is a non-issue. Google can buy the names and addresses of people who pay by credit card at gas pumps TODAY if they want.
Advertising is the engine that drives Google's profits. You can rest assured that the driving force behind these pretty LCD screens is going to be advertising. You KNOW those maps are going to have ad banners all over them. You KNOW those ads are going to be targeted based on the identity of the credit cardholder (or, rather, the history of purchases that have been made on that credit card). If you punch in a request for the nearest restaurant, the list that it displays for you is going to be prioritized based on which restaurants paid extra to be listed there.
>At the minimum, will the maker of these pumps get the customer information
>in order to track usage?
Dude, where have you been? Credit card companies ALREADY track every purchase you make, and sell that information to the highest bidder. Ever go to the grocery store and have their coupon machine spit out a coupon for a product very similar to something you just bought? For example, you buy a 2-liter bottle of Pepsi, and the printer spits out a coupon for Coke (or, more likely, the house-brand equivalent)? Google is simply proposing to extend this technology to gas pumps, using the maps as a "hook" to get you to pay attention to the screen.
>And what is their privacy policy, if they have one?
>Until more information is available regarding data collection and
>information exchange, one should plan on only purchasing gas using cash at
>any gas station equipped with these pumps.
That's true at ANY pump, even if it doesn't have a Google Maps screen. One should also plan on only purchasing groceries with cash, and NEVER use one of those "loyalty" cards.
 Signature "I no longer find MTR and RAD a useful medium" Carl Rogers, 9 September 2007 Message-ID: <t01Fi.49620$Um6.14486@newssvr12.news.prodigy.net>
Brent P - 08 Nov 2007 15:53 GMT
> Ever go to the grocery store and have their coupon machine spit out a
> coupon for a product very similar to something you just bought? For
> example, you buy a 2-liter bottle of Pepsi, and the printer spits out
> a coupon for Coke (or, more likely, the house-brand equivalent)?
That link doesn't go beyond the cash register. The same thing happens when paying cash without a savers card.
Scott in SoCal - 09 Nov 2007 05:23 GMT
>> Ever go to the grocery store and have their coupon machine spit out a
>> coupon for a product very similar to something you just bought? For
>> example, you buy a 2-liter bottle of Pepsi, and the printer spits out
>> a coupon for Coke (or, more likely, the house-brand equivalent)?
>
>That link doesn't go beyond the cash register.
It does if you pay with a credit card or use the store's loyalty/discount card. In those cases, every purchase you make is tracked, even if you don't get a coupon, and the coupons you DO get may be based on your entire purchase history, not just the items you are buying today.
Brent P - 09 Nov 2007 05:38 GMT
>>> Ever go to the grocery store and have their coupon machine spit out a
>>> coupon for a product very similar to something you just bought? For
[quoted text clipped - 8 lines]
> may be based on your entire purchase history, not just the items you
> are buying today.
It's been many many years since I shopped for more than a couple items at big chain grocery store. I would just get my couple items and pay cash. Never had a savers card. Well just give me more reason to keep shopping at the independent grocers... though I usually pay cash there too.
Scott in SoCal - 09 Nov 2007 14:27 GMT
>It's been many many years since I shopped for more than a couple items at
>big chain grocery store. I would just get my couple items and pay cash.
>Never had a savers card. Well just give me more reason to keep shopping
>at the independent grocers.
They still have those in Chicago?
Brent P - 09 Nov 2007 16:17 GMT
>>It's been many many years since I shopped for more than a couple items at
>>big chain grocery store. I would just get my couple items and pay cash.
>>Never had a savers card. Well just give me more reason to keep shopping
>>at the independent grocers.
>
> They still have those in Chicago?
I dunno about Chicago proper but there are two different ones I split my business between. I know of 4 more on top of that.
gpsman - 09 Nov 2007 05:52 GMT
> On Thu, 08 Nov 2007 09:53:08 -0600, tetraethylleadREMOVET...@yahoo.com
> [quoted text clipped - 9 lines]
> It does if you pay with a credit card or use the store's
> loyalty/discount card.
All transactions are sent to, and tracked by, the store's inventory software.
> In those cases, every purchase you make is
> tracked, even if you don't get a coupon, and the coupons you DO get
> may be based on your entire purchase history, not just the items you
> are buying today.
Oh f.ck! You mean Kroger might issue me a coupon?! HolyJesusHolyJesus... what to do, what to do... Better make a rush for the bunker and chinstrap my tinfoil hat on real tight, before the neighbors bust in and lock me out.
Yeah, Dog forbid Kroger knows I bought those 1.5lbs. of apples, or VISA knows I bought those 18g of fuel. Just think of the implications! The next time I pull up to a pump Shell may suspect, no KNOW... I'm planning to buy some gas! -----
- gpsman
Murderous Speeding Drunken Distracted Driver (Hector Goldstein) - 10 Nov 2007 02:04 GMT
>> It does if you pay with a credit card or use the store's
>> loyalty/discount card.
>
>All transactions are sent to, and tracked by, the store's inventory
>software.
No way! You mean to tell me you're a retail POS system expert, as well as a driving expert? Tell me, how does an inventory system tracking customer purchases not violate PCI standards, o' master of nothing??
Scott in SoCal - 10 Nov 2007 02:29 GMT
On Fri, 09 Nov 2007 21:04:29 -0500, "Murderous Speeding Drunken Distracted Driver (Hector Goldstein)" <drunk_and_distracted@the_wheel.com> wrote:
>>> It does if you pay with a credit card or use the store's
>>> loyalty/discount card.
[quoted text clipped - 4 lines]
>No way! You mean to tell me you're a retail POS system expert, as well
>as a driving expert?
Look, this stuff is common knowledge. Even an imbecile knows that grocery stores have been mining data ever since the first laser scanner cash registers were installed in the 1980s.
Murderous Speeding Drunken Distracted Driver (Hector Goldstein) - 10 Nov 2007 03:57 GMT
>On Fri, 09 Nov 2007 21:04:29 -0500, "Murderous Speeding Drunken
>Distracted Driver (Hector Goldstein)"
[quoted text clipped - 12 lines]
>grocery stores have been mining data ever since the first laser
>scanner cash registers were installed in the 1980s.
Yup, and that's going to have to change if they want to continue to be able to utilize credit/debit cards as payment methods. :-)
gpsman - 10 Nov 2007 04:12 GMT
On Nov 9, 9:04 pm, "Murderous Speeding Drunken Distracted Driver (Hector Goldstein)" <drunk_and_distracted@the_wheel.com> wrote:
> >> It does if you pay with a credit card or use the store's
> >> loyalty/discount card.
[quoted text clipped - 5 lines]
> as a driving expert? Tell me, how does an inventory system tracking
> customer purchases not violate PCI standards, o' master of nothing??
<spit take> Way!
You tell me which PCI standard prohibits a store from tracking their sales and inventory, then I'll tell you about "accountants"... (sound- it-out)...<chortle> -----
- gpsman
Murderous Speeding Drunken Distracted Driver (Hector Goldstein) - 10 Nov 2007 05:19 GMT
>On Nov 9, 9:04 pm, "Murderous Speeding Drunken Distracted Driver
>(Hector Goldstein)" <drunk_and_distracted@the_wheel.com> wrote:
[quoted text clipped - 13 lines]
>sales and inventory, then I'll tell you about "accountants"... (sound-
>it-out)...<chortle>
Oops. Your implication was that they could track that based on credit card numbers. My apologies for not reiterating that in my statement.
Murderous Speeding Drunken Distracted Driver (Hector Goldstein) - 10 Nov 2007 02:14 GMT
>>That link doesn't go beyond the cash register.
>
[quoted text clipped - 3 lines]
>may be based on your entire purchase history, not just the items you
>are buying today.
PCI compliance would preclude tracking by credit card; only the loyalty card or some other "opt-in" mechanism could be used for purchase tracking.
Scott in SoCal - 10 Nov 2007 02:33 GMT
On Fri, 09 Nov 2007 21:14:43 -0500, "Murderous Speeding Drunken Distracted Driver (Hector Goldstein)" <drunk_and_distracted@the_wheel.com> wrote:
>>>That link doesn't go beyond the cash register.
>>
[quoted text clipped - 5 lines]
>
>PCI compliance would preclude tracking by credit card
What is "PCI," and how would it prevent the grocery stores from doing what credit card companies already do, i.e. sell your purchase history to the highest bidder?
>only the
>loyalty card or some other "opt-in" mechanism could be used for
>purchase tracking.
You'll forgive me for being skeptical, but unless there is some sort of strong privacy law (like HIPAA for medical information) then there's no way in hell any company that's capable of gathering such data is not going to mine the hell out of it, aggregate it, and sell it to anyone willing to pay.
Murderous Speeding Drunken Distracted Driver (Hector Goldstein) - 10 Nov 2007 03:48 GMT
>On Fri, 09 Nov 2007 21:14:43 -0500, "Murderous Speeding Drunken
>Distracted Driver (Hector Goldstein)"
[quoted text clipped - 13 lines]
>what credit card companies already do, i.e. sell your purchase history
>to the highest bidder?
PCI stands for Payment Card Industry, and is used to refer to a specification dictating how data on the 2nd track of a customer's credit card (CC number, name, address, et al) can be captured, stored, and utilized from the Point Of Sale to the enterprise.
While initially there weren't very strong standards regarding utilization and storage of said information, this has become increasingly more strict. Indeed, I feel certain that one of the motivating factors behind the sudden growth in customer loyalty cards and gift cards is because PCI prevents the utilization of said data from credit cards, so these "opt in" mechanisms allow retailers to still, at least partially, track purchases.
I would assume that the reason the credit card companies can resell or otherwise utilize the track 2 data is because it was their information to begin with.
>>only the
>>loyalty card or some other "opt-in" mechanism could be used for
[quoted text clipped - 5 lines]
>data is not going to mine the hell out of it, aggregate it, and sell
>it to anyone willing to pay.
The credit card companies want the systems that interact with theirs to be PCI compliant, as it does define security much the way HIPAA does for medical information. While I don't think it's mandatory YET, it probably won't be long. The credit card companies seem to be wanting to distance themselves from the stench that arises when some half-a.s development team doesn't properly secure their systems.
Scott in SoCal - 10 Nov 2007 04:09 GMT
On Fri, 09 Nov 2007 22:48:21 -0500, "Murderous Speeding Drunken Distracted Driver (Hector Goldstein)" <drunk_and_distracted@the_wheel.com> wrote:
>>What is "PCI," and how would it prevent the grocery stores from doing
>>what credit card companies already do, i.e. sell your purchase history
[quoted text clipped - 4 lines]
>credit card (CC number, name, address, et al) can be captured, stored,
>and utilized from the Point Of Sale to the enterprise.
Thanks for the explanation.
Sounds encouraging, but then again Visa and MasterCard also have merchant agreements that are violated all the time, and Visa/MC don't seem to enforce their own rules very vigorously. In fact, it was just such a violation that allowed hackers to steal all those credit card numbers and other customer data from TJ Maxx:
http://www.msnbc.msn.com/id/8294175/
Credit card companies "just sort of wait for them to have a breach," she said. "There's just a lot of vagaries in how it's enforced." In fact, she said, several similar breaches have happened before and the public wasn't told.
The breach occurred after CardSystems inappropriately held onto card data for "research purposes" rather than deleting it. Forty million accounts were exposed, and records pertaining to at least 200,000 are known to have been stolen, primarily MasterCard and Visa cards.
Murderous Speeding Drunken Distracted Driver (Hector Goldstein) - 10 Nov 2007 05:16 GMT
>On Fri, 09 Nov 2007 22:48:21 -0500, "Murderous Speeding Drunken
>Distracted Driver (Hector Goldstein)"
[quoted text clipped - 10 lines]
>
>Thanks for the explanation.
No problem. I learned about it 9 months ago when I helped to bring about 600 sites to PCI compliance. It was very interesting to observe the architectural changes around the entire system (which had data capturing/mining as one of its design goals) in order to obtain that compliance. Interestingly enough, before the upgrade, I had indirect access to thousands, if not hundreds of thousands, of credit card transaction details. Now I can't touch them. That is the only data acquired from the field that I can't get to.
Though anecdotal and totally unrelated, I performed a minor upgrade to the credit card processing systems at about 450 sites yesterday. :-)
>Sounds encouraging, but then again Visa and MasterCard also have
>merchant agreements that are violated all the time, and Visa/MC don't
[quoted text clipped - 3 lines]
>
>http://www.msnbc.msn.com/id/8294175/
But the data wasn't stolen from TJ Maxx; it was stolen from CardSystems. The only part the retailer had in this was their selection of clearing houses.
>Credit card companies "just sort of wait for them to have a breach,"
>she said. "There's just a lot of vagaries in how it's enforced." In
[quoted text clipped - 5 lines]
>accounts were exposed, and records pertaining to at least 200,000 are
>known to have been stolen, primarily MasterCard and Visa cards.
For this, CardSystems should be sued into oblivion. For the life of me, I can see no reason a clearing house would retain information of this nature for "research purposes," as clearing houses really should be nothing more than aggregation/forwarding services for their clients. As far as I'm aware, the clearing house used by my employer has not had any publicized security breaches. Given the way my employer operates, I'm certain that if there were any known security breaches with our clearing house, we would have found another one. :-)
As luck would have it, today I overheard our network admin discussing his need to reboot one of our routers, which was problematic as it is the one our credit card transaction data is routed through. He told me that he monitored it for 30 minutes before it *finally* dropped down to below 20 active transactions, at which time he bounced it. The most active transactions he witnessed at any given time was 70. FWIW, unless there is a problem on the network, our average processing time for a credit card is about 5 seconds.
I don't know about TJ Maxx's scale, but I do know that it would be impractical for my employer to track items sold to individual customers. We have *way* too many customers and transactions to make it a realistic endeavor; instead our data mining is restricted to temporal and geographical distribution of products sold, and all we care about is how many customers, not who they were. I realize that not all businesses operate in this manner, but I thought it might be helpful to shed some light from an "insider" that there is at least one company that doesn't retain credit card data, much less utilize it in any manner that might be found offensive to some. Indeed, with my employer, the only difference paying with a credit card versus paying with cash makes is the cash accountability for the cashier, how the income is collected, and where the numbers go on the "payment type" report. :-)
Scott in SoCal - 10 Nov 2007 15:37 GMT
On Sat, 10 Nov 2007 00:16:59 -0500, "Murderous Speeding Drunken Distracted Driver (Hector Goldstein)" <drunk_and_distracted@the_wheel.com> wrote:
>>Thanks for the explanation.
>
[quoted text clipped - 6 lines]
>transaction details. Now I can't touch them. That is the only data
>acquired from the field that I can't get to.
So without violating any NDAs, what data CAN you access? And how do you (or the PCI) verify compliance? Specifically, how do you ensure that some sneaky programmer for some grocery store chain doesn't slip in a back door to siphon off that oh-so-valuable track 2 data and stash it someplace that you don't know about?
>Though anecdotal and totally unrelated, I performed a minor upgrade to
>the credit card processing systems at about 450 sites yesterday. :-)
And it went off without a hitch? AT&T should hire you to upgrade the software in their phone switches. :)
>>Sounds encouraging, but then again Visa and MasterCard also have
>>merchant agreements that are violated all the time, and Visa/MC don't
[quoted text clipped - 7 lines]
>CardSystems. The only part the retailer had in this was their
>selection of clearing houses.
OK, but the fact remains that SOMEONE wasn't following the rules and was keeping data around longer than they were supposed to, exposing that data to risk.
>>The breach occurred after CardSystems inappropriately held onto card
>>data for "research purposes" rather than deleting it. Forty million
[quoted text clipped - 9 lines]
>employer operates, I'm certain that if there were any known security
>breaches with our clearing house, we would have found another one. :-)
That's all well and good, but it's still very reactionary: let's wait until they have a breach, and then we'll dump them and find another clearing house. Are there any steps being taken to PREVENT such incidents from occurring in the first place?
>I don't know about TJ Maxx's scale, but I do know that it would be
>impractical for my employer to track items sold to individual
>customers. We have *way* too many customers and transactions to make
>it a realistic endeavor
It's a daunting task, but disk space is getting cheaper every day, as is computing power in general.
One local grocery store chain uses a "club" card and tracks how much we spend on wine and pet supplies. The idea is when we spend a certain amount in that category we get a coupon for a discount towards our next purchase in that category. No doubt they simply keep a running total of the amount spent in each category as opposed to tracking each and every purchase; similar data reduction techniques are undoubtedly employed on every purchase we make, and that information is used to target us with other marketing.
For example, they might have a "baby" category. Every time you buy diapers, baby wipes, and other baby paraphernalia, they might maintain a count of the number of items purchased and the total dollar amount spent. From that, they might estimate how many children you have and their ages (as a totally contrived example, if you were buying diapers in 1990, they might be sending you ads for college loans now because they know you have a kid who is about to graduate from high school).
OBTW, how do pay-at-the-pump credit card terminals get access to your ZIP code? Here in SoCal, when you want to pay for gasoline at the pump using a credit card, they ask you to punch in the billing ZIP code for your credit card. Presumably if you punch in the wrong ZIP code your purchase will be denied. Isn't that a violation of the PCI rules?
I know this is way off-topic, but it's also fascinating to me. :)
Murderous Speeding Drunken Distracted Driver (Hector Goldstein) - 10 Nov 2007 21:37 GMT
>On Sat, 10 Nov 2007 00:16:59 -0500, "Murderous Speeding Drunken
>Distracted Driver (Hector Goldstein)"
[quoted text clipped - 16 lines]
>in a back door to siphon off that oh-so-valuable track 2 data and
>stash it someplace that you don't know about?
Basically you can't access any data on the card. Part of compliance is that the data be encrypted as it's scanned, and that it remain encrypted until it reaches the clearing house. Pretty much we get a transaction ID and a pass/fail code from the clearing house as a result of our submission, which is what we're allowed to store. :-)
Remaining compliant involves regular audits.
Prevention of sneaky security breaches by programmers, however, is a different issue from what can be done by retailers with track 2 data. In that regard, it would depend on how good a job the POS vendor has done securing the flow of information from the point of scan to the point it's submitted to the clearing house, as well as how secure the underlying transport mechanisms are. Other concerns are SOX, so there's more of an incentive to do business with publicly traded companies. Even if I wanted to find a point to attempt to access the data, I'd be raising some flags with the security group. :-)
>>Though anecdotal and totally unrelated, I performed a minor upgrade to >>the credit card processing systems at about 450 sites yesterday. :-) > >And it went off without a hitch? AT&T should hire you to upgrade the >software in their phone switches. :) Worst failure rate to date is about 30 out of 520 upgrades, and it was for a dicey project I really didn't feel like I was ready for, due to its complexity and the high risk involved. Fortunately none of those fails took the respective sites down (and we're comfortable leaving those 30 failed until I can get time to go back and fix 'em, as I've got too much other work to do.) Other than that, I hit 100% on my installs/upgrades.
The failure rate of the installed/upgraded components is a different issue altogether, although mostly successful there as well. I have had one 100% failure in that arena. :-/
>>>Sounds encouraging, but then again Visa and MasterCard also have >>>merchant agreements that are violated all the time, and Visa/MC don't [quoted text clipped - 11 lines] >was keeping data around longer than they were supposed to, exposing >that data to risk. Agreed. But this discussion, I thought, was centered around what retailers can track with credit card data. The only information regarding a purchase that is submitted to a clearing house is the purchase amount, not the items and types purchased. While there was a loss of personal information, no purchasing information was associated with that, other than merchant IDs and transactional reference numbers/amounts.
>>>The breach occurred after CardSystems inappropriately held onto card >>>data for "research purposes" rather than deleting it. Forty million [quoted text clipped - 14 lines] >clearing house. Are there any steps being taken to PREVENT such >incidents from occurring in the first place? I got the impression from the article that the clearing houses are still the weakest points in the chain, and I agree with you about the reactionary stance. Given that, all we can do is to select a partner with a good track record, and do our best to make sure our side is buttoned up tight.
>>I don't know about TJ Maxx's scale, but I do know that it would be >>impractical for my employer to track items sold to individual [quoted text clipped - 3 lines] >It's a daunting task, but disk space is getting cheaper every day, as >is computing power in general. True, and from the point of sale to the data mart, we're beefing up our infrastructure and bringing our systems into much tighter integration with each other. I get dragged across an interesting and diverse array of projects, as I usually get assigned the stuff no one knows how to do. :-/
>One local grocery store chain uses a "club" card and tracks how much >we spend on wine and pet supplies. The idea is when we spend a certain [quoted text clipped - 4 lines] >employed on every purchase we make, and that information is used to >target us with other marketing. But a club card is not a payment card, or if it is, it's one that you've opted in for, like a gift card. At the point of purchase or application for such a card, you're giving the retailer permission to use this information for tracking purposes. The consumer is not giving permission to track purchases based on credit card numbers, which is why PCI compliance is an issue. As PCI came up, the retailers and whatnot started implementing gift/club cards to be able to remain compliant, as well as to continue their data mining operations.
>For example, they might have a "baby" category. Every time you buy >diapers, baby wipes, and other baby paraphernalia, they might maintain [quoted text clipped - 3 lines] >in 1990, they might be sending you ads for college loans now because >they know you have a kid who is about to graduate from high school). We track our sales in a similar manner, although again, we don't care about who, only how many, customers purchased a certain item or from a certain group. The piece we have in place actually allows those "monitoring" the data to make some definitions which are automagically pushed to the sites (and this is controllable based on region or site if necessary), at which time it drives a data mining process at the site level for preparation of the information to be sent back for the data mart back at home.
Other more complicated information tracking requests will involve a member of my team. My first two "evaluatory" projects were in this line, and when I successfully completed them, I was offered a position. After being handed my offer, I thought to myself: "They want to pay me this much to do THIS? Sign me up!" as it was relatively easy work. Unfortunately I haven't had any such simple projects as information extraction since I accepted. :-)
>OBTW, how do pay-at-the-pump credit card terminals get access to your >ZIP code? Here in SoCal, when you want to pay for gasoline at the pump >using a credit card, they ask you to punch in the billing ZIP code for >your credit card. Presumably if you punch in the wrong ZIP code your >purchase will be denied. Isn't that a violation of the PCI rules? I believe you have that in the Bay area, as well as some stores in Florida.
Using the zip code from the track 2 data for verification isn't a violation if the information is not stored after the transaction is complete. Using the zip code is a decent idea (IMO), as it's a step in the authorization process that can be initiated without opening a connection to the clearing house.
>I know this is way off-topic, but it's also fascinating to me. :) I've found it to be an interesting, and sometimes frustrating, learning experience. :-)
 Signature "Speeders And Drunk Drivers Are MURDERERS" brags of its homosexuality: the guys at the bath-house stopped laughing at my 3 inch weenie.
: http://groups-beta.google.com/group/rec.autos.driving/msg/168e8e621dd649fb?hl=en "Speeders And Drunk Drivers Are MURDERERS" brags of its ability to operate a vehicle: I must be doing something right to go 3 1/2 years without a fatal crash.
: http://groups.google.com/group/misc.transport.road/msg/a376114ee8a61824?hl=en
Scott in SoCal - 11 Nov 2007 17:20 GMT On Sat, 10 Nov 2007 16:37:11 -0500, "Murderous Speeding Drunken Distracted Driver (Hector Goldstein)" <drunk_and_distracted@the_wheel.com> wrote:
>>So without violating any NDAs, what data CAN you access? And how do >>you (or the PCI) verify compliance? Specifically, how do you insure [quoted text clipped - 5 lines] >that the data be encrypted as it's scanned, and that it remain >encrypted until it reaches the clearing house. "Um, look, fellas, we don't trust you to keep your hands off this data, so we want you to *encrypt* it before you send it to us. Oh, and even though you're doing the encryption and you have the encryption keys, please don't ever decrypt that data and do anything naughty with it, OK? And whatever you do, DO NOT let any hackers gain access to those encryption keys like they did at TJ Maxx! That would be very VERY bad!!"
ROFLMAO!!!!!
Look, I'm no security expert, but doesn't it make more sense to encrypt the data on the mag stripe itself, i.e. instead of storing the track 2 data in cleartext and counting on the POS terminal to encrypt it, just store the ALREADY ENCRYPTED data onto the mag stripe in the first place before sending the card out to the consumer? In a POS situation, the card reader reads a bunch of already-encrypted bytes off the mag stripe, transmits them to the clearing house, and gets a yea/nay, just like before, but there is no opportunity at any point in the chain (prior to the clearing house) for anyone to snag a cleartext copy of the data.
Then again, what do I know? :)
>Remaining compliant involves regular audits. Would such an audit detect the fact that I re-flashed the credit card reader with hacked firmware so that it stashes the unencrypted track 2 data away somewhere before encrypting it and sending it off to the clearing house? :)
>Prevention of sneaky security breaches by programmers, however, is a >different issue than what can be done by retailers with track 2 data. >In that regard, it would depend on how well the POS vendor had done to >secure the flow of information from the point of scan to the point >it's submitted to the clearing house, as well as how secure the >underlying transport mechanisms are. It may also depend on how much $$$ the retailer pays the vendor to install certain "back doors." Call me cynical, but I can easily see companies like Wal*Mart or Best Buy doing something like that. With so much money to be made from the mining and sale of personal information, there's too big an incentive to believe that nobody is at least trying to do this kind of stuff.
>>OK, but the fact remains that SOMEONE wasn't following the rules and >>was keeping data around longer than they were supposed to, exposing >>that data to risk. > >Agreed. But this discussion, I thought, was centered around what >retailers can track with credit card data. Nothing wrong with a little topic drift here and there. :)
>I get dragged across an interesting and >diverse array of projects, as I usually get assigned the stuff no one >knows how to do. :-/ That's why you get the big bucks. :)
>>One local grocery store chain uses a "club" card and tracks how much >>we spend on wine and pet supplies. The idea is when we spend a certain [quoted text clipped - 7 lines] >But a club card is not a payment card, or if it is, it's one that >you've opted in for, like a gift card. Yes, I am aware of that. And all the cards I have came with forms that were never filled out - back in the store's data center, there should be a purchase history associated with the card, but no personally identifiable information.
OTOH, if they somehow manage to associate the ID number on my club card with my real name and address, then they have increased the value of that data immensely. Now they can sell it to direct marketers, insurance companies, prospective employers, whoever. I'm encouraged to hear that it's no longer quite so easy for them to do so. :)
>Other more complicated information tracking requests will involve a >member of my team. My first two "evaluatory" projects were in this [quoted text clipped - 3 lines] >work. Unfortunately I haven't had any such simple projects as >information extraction since I accepted. :-) LOL!! See how tricky they are? :)
>>OBTW, how do pay-at-the-pump credit card terminals get access to your >>ZIP code? Here in SoCal, when you want to pay for gasoline at the pump [quoted text clipped - 10 lines] >the authorization process that can be initiated without opening a >connection to the clearing house. UGH. If the ZIP code is stored on the card itself in cleartext, then any thief with a card reader from eBay can easily determine what the ZIP code is on any stolen credit card.
Who comes up with these cockamamie schemes? :)
 Signature "I no longer find MTR and RAD a useful medium" Carl Rogers, 9 September 2007 Message-ID: <t01Fi.49620$Um6.14486@newssvr12.news.prodigy.net>
Murderous Speeding Drunken Distracted Driver (Hector Goldstein) - 11 Nov 2007 18:42 GMT >On Sat, 10 Nov 2007 16:37:11 -0500, "Murderous Speeding Drunken >Distracted Driver (Hector Goldstein)" [quoted text clipped - 19 lines] > >ROFLMAO!!!!! With the system(s) we have in place, we have an encryption key, but do not have a decryption key. In the extremely rare cases where we need to access the data to validate a transaction, we have to go to the POS vendor to get the data decrypted. We did not have to go through such procedures prior to reaching compliance with PCI.
>Look, I'm no security expert, but doesn't it make more sense to >encrypt the data on the mag stripe itself, i.e. instead of storing the [quoted text clipped - 8 lines] > >Then again, what do I know? :) That is an interesting proposal, although it would require a pretty significant change to implement.
And I'm not uncertain that the information on track #2 isn't already encrypted, just with a well known decryption key. Credit cards unfortunately are not smart cards that can be field updated such as the decoder cards for the satellite TV systems. Although with credit cards having to be reissued on a regular basis due to expiration dates, such a change could be scheduled in.
>>Remaining compliant involves regular audits. > >Would such an audit detect the fact that I re-flashed the credit card >reader with hacked firmware so that it stashes the unencrypted track >2 data away somewhere before encrypting it and sending it off to the >clearing house? :) Depends on how well the audit was conducted, and how well of a job is done by the "rogue" programmer. :-)
>>Prevention of sneaky security breaches by programmers, however, is a >>different issue than what can be done by retailers with track 2 data. [quoted text clipped - 9 lines] >information, there's too big an incentive to believe that nobody is at >least trying to do this kind of stuff. Store-branded credit cards *probably* include some provision for allowing the retailer to track purchases within their corporation.
Furthermore, I do not believe there is anything to prevent a retailer from hashing the track 2 data, and tracking purchases in that manner, but that's tracking based off of purchases tendered with a card, not purchases made by an individual customer.
>>>OK, but the fact remains that SOMEONE wasn't following the rules and >>>was keeping data around longer than they were supposed to, exposing [quoted text clipped - 4 lines] > >Nothing wrong with a little topic drift here and there. :) LMAO. Welcome to Usenet. :-)
>>I get dragged across an interesting and >>diverse array of projects, as I usually get assigned the stuff no one >>knows how to do. :-/ > >That's why you get the big bucks. :) That's a bit of an overstatement, although I am not displeased with my pay rate or rate of pay rate increases. :-)
But my reason for being there is I believe these people need help, and I believe I can provide it for them. I could probably bump my pay by a reasonable margin by going to work for the Innotech a couple of blocks down the street, but I've FINALLY gotten this group of coworkers acclimated to my quirkiness. :-)
>>But a club card is not a payment card, or if it is, it's one that >>you've opted in for, like a gift card. [quoted text clipped - 3 lines] >be a purchase history associated with the card, but no personally >identifiable information. I did not realize they would issue a customer loyalty card with a blank form submitted. Next time I fill one of those out I'll have to omit some details. :-)
>OTOH, if they somehow manage to associate the ID number on my club >card with my real name and address, then they have increased the value >of that data immensely. Now they can sell it to direct marketers, >insurance companies, prospective employers, whoever. I'm encouraged to >hear that it's no longer quite so easy for them to do so. :) Agreed; from what I can tell the entire act is to make things better for the consumer, as well as to minimize exposure for the retailers. As a consumer myself, I have some concerns regarding purchase tracking and other issues related to credit card information, and I am pleased to see the steps the industry seems to be taking to address these concerns.
>>Other more complicated information tracking requests will involve a >>member of my team. My first two "evaluatory" projects were in this [quoted text clipped - 5 lines] > >LOL!! See how tricky they are? :) "Thanks for calling Innotech; can I help you?"
That reminds me; I need to get my Red Swingline from ThinkGeek.com.
>>Using the zip code from the track 2 data for verification isn't a >>violation if the information is not stored after the transaction is [quoted text clipped - 5 lines] >any thief with a card reader from eBay can easily determine what the >ZIP code is on any stolen credit card. Yup.
But you have to remember people driving these processes aren't so forward thinking. For example, Sony was involved with Philips in the design and specification of the Audio CD format. At the time, it wasn't a practical consideration for your average Joe Blow to possess a piece of equipment that could "create" an audio disc. Now that the technology exists, Sony is spending all kinds of $$$ to try to protect their IP in the digital audio arena. As technologically driven as Sony is, they should have realized in the day that consumer driven electronics purchases would drive the price of disc burners to the point that they are almost given away like Halloween candy. They waste tons of $$$ to come up with schemes that will prevent audio disc duplication, while at the same time trying to maintain backward compatibility with existing hardware.
Same with credit cards; when that magnetic strip was designed, I don't think the industry put a whole lot of thought into technological advancement. Someone may have evaluated the risk at the time, and thought that "rogue card readers" were too far out to be an issue when they designed the scheme.
>Who comes up with these cockamamie schemes? :) Short sighted engineers? :-)
--
Great minds discuss ideas, average minds discuss events, small minds discuss people. - Admiral Hyman Rickover, U.S. Navy
Scott in SoCal - 11 Nov 2007 20:01 GMT On Sun, 11 Nov 2007 13:42:10 -0500, "Murderous Speeding Drunken Distracted Driver (Hector Goldstein)" <drunk_and_distracted@the_wheel.com> wrote:
>>On Sat, 10 Nov 2007 16:37:11 -0500, "Murderous Speeding Drunken >>Distracted Driver (Hector Goldstein)" [quoted text clipped - 22 lines] >With the system(s) we have in place, we have an encryption key, but do >not have a decryption key. I should certainly hope so. :)
>>Look, I'm no security expert, but doesn't it make more sense to >>encrypt the data on the mag stripe itself, i.e. instead of storing the [quoted text clipped - 4 lines] >That is an interesting proposal, although it would require a pretty >significant change to implement. I don't care! I want my personal information SECURED, dammit!! :)
>And I'm not uncertain that the information on track #2 isn't already >encrypted, just with a well known decryption key. Credit cards >unfortunately are not smart cards that can be field updated such as >the decoder cards for the satellite tv systems. Although with credit >cards having to be reissued on a regular basis due to expiration >dates, such a change could be scheduled in. Exactly. Every credit card gets physically replaced every couple of years anyway; just implement the new security on every new card that gets issued from this day on, and within a couple of years it will be ubiquitous.
>>>Remaining compliant involves regular audits. >> [quoted text clipped - 5 lines] >Depends on how well the audit was conducted, and how well of a job is >done by the "rogue" programmer. :-) I'll take that as a "no." :)
>Furthermore, I do not believe there is anything to prevent a retailer >from hashing the track 2 data, and tracking purchases in that manner, >but that's tracking based off of purchases tendered with a card, not >purchases made by an individual customer. Right. They could just as easily track based on a hash of the CC number. Nothing personally identifiable in that.
>I could probably bump my pay by a >reasonable margin by going to work for the Innotech a couple of blocks >down the street, but I've FINALLY gotten this group of coworkers >acclimated to my quirkiness. :-) You're a straight shooter with "Upper Management" written all over you. :)
>>>But a club card is not a payment card, or if it is, it's one that >>>you've opted in for, like a gift card. [quoted text clipped - 7 lines] >blank form submitted. Next time I fill one of those out I'll have to >omit some details. :-) Time was they used to hand you the card and the form and say "oh, just fill that out at home and bring it back with you next time." I guess they didn't want to piss off all their other customers by making people stand there blocking the checkout lane while they filled out the forms. They might not do that anymore, however; I think they wised up a few years ago, and now demand that you fill out the form before they will give you the card. Of course, once in a while you'll get an understanding cashier who hates the way they abuse customers' privacy and will let you slide on the form.
>>>Other more complicated information tracking requests will involve a >>>member of my team. My first two "evaluatory" projects were in this [quoted text clipped - 7 lines] > >"Thanks for calling Innotech; can I help you?" "Corporate Accounts Payable Nina speaking... Just a moment..."
>>UGH. If the ZIP code is stored on the card itself in cleartext, then >>any thief with a card reader from eBay can easily determine what the [quoted text clipped - 4 lines] >But you have to remember people driving these processes aren't so >forward thinking. How could I forget?
>For example, Sony was involved with Philips in the >design and specification of the Audio CD format. At the time, it [quoted text clipped - 8 lines] >at the same time trying to maintain backward compatibility with >existing hardware. And the rootkits they come up with just end up alienating customers and making them MORE likely to steal music. Brilliant.
 Signature "Carl sleeps in his own bed [with] his yappy stupid a.s dog I want to punt out the balcony and into the dumpster." - Erika Lozaga Message-ID: <1194318485.287974.126750@q3g2000prf.googlegroups.com>
"I respect [Erika's] opinion though--not yours!" - Carl Rogers Message-ID: <1194332588.257951.197540@e34g2000pro.googlegroups.com>
Murderous Speeding Drunken Distracted Driver (Hector Goldstein) - 11 Nov 2007 23:58 GMT >On Sun, 11 Nov 2007 13:42:10 -0500, "Murderous Speeding Drunken >Distracted Driver (Hector Goldstein)" [quoted text clipped - 3 lines] >>>Distracted Driver (Hector Goldstein)" >>><drunk_and_distracted@the_wheel.com> wrote: <snip>
>>>ROFLMAO!!!!! >> >>With the system(s) we have in place, we have an encryption key, but do >>not have a decryption key. > >I should certainly hope so. :) Would be counterproductive otherwise, eh?
>>>Look, I'm no security expert, but doesn't it make more sense to >>>encrypt the data on the mag stripe itself, i.e. instead of storing the [quoted text clipped - 6 lines] > >I don't care! I want my personal information SECURED, dammit!! :) As do I. :-)
>>And I'm not uncertain that the information on track #2 isn't already >>encrypted, just with a well known decryption key. Credit cards [quoted text clipped - 7 lines] >gets issued from this day on, and within a couple of years it will be >ubiquitous. Except that not all card reading devices in existence are so easily upgraded. Indeed, in our recent push for PCI compliance, not all sites were able to make the transition as not all use the same POS system. Some were looking at a major $$$ outlay, sometimes having to replace their entire POS, to achieve that compliance. Some opted for non-compliance, which I believe means they have to pay higher prices for their processing fees. I know there's an extremely strong incentive to get to PCI compliance, but I'm not aware of what the punitive measures are for those who fail to obtain the goal.
>>>>Remaining compliant involves regular audits. >>> [quoted text clipped - 7 lines] > >I'll take that as a "no." :) "No" is an acceptable answer, as is "yes;" it depends on the circumstances. I would say that doing business with a small mom-and-pop shop or chain would put you at higher risk due to the probability that there will be fewer monitoring systems involved, and that in such cases if there is monitoring going on, it's probably being done by the same people supporting the POS systems. Larger entities such as the one I'm employed by, if they are publicly traded, will have a large number of monitoring mechanisms in place.
So while, in my case, I know exactly where I would put in "capturing software", and have the technical ability to deploy it without going through the normal distribution channels, I wouldn't do so because I would still be creating audit trails in other departments. By the same token, I couldn't "hand" deploy such software due to other monitoring systems in play. Smaller organizations where the IT staff is compressed into a small number of people probably won't have such oversight monitoring procedures in place.
>>Furthermore, I do not believe there is anything to prevent a retailer >>from hashing the track 2 data, and tracking purchases in that manner, [quoted text clipped - 3 lines] >Right. They could just as easily track based on a hash of the CC >number. Nothing personally identifiable in that. Which is, IMO, what should have been done all along.
>>I could probably bump my pay by a >>reasonable margin by going to work for the Innotech a couple of blocks [quoted text clipped - 3 lines] >You're a straight shooter with "Upper Management" written all over >you. :) And here I thought my position was due to laziness and apathy. :-) Pretty much got my promotion into this position about two weeks after I developed the Office Space lead character's philosophy of "not missing work." :-)
>>I did not realize they would issue a customer loyalty card with a >>blank form submitted. Next time I fill one of those out I'll have to [quoted text clipped - 9 lines] >understanding cashier who hates the way they abuse customers' privacy >and will let you slide on the form. Interesting; I haven't signed up for that many cards, as I hate filling out that information. Would prefer a check box on the form that allows them to capture my mailing information off the debit card as it's swiped, if I were interested in rewards points. :-)
>>>UGH. If the ZIP code is stored on the card itself in cleartext, then >>>any thief with a card reader from eBay can easily determine what the [quoted text clipped - 6 lines] > >How could I forget? That kind of thing frustrates me to no end. One of the most gifted developers I ever worked with had one particular area where his lack of forward thinking always tripped him up, and caused him more work to "upgrade" to handle the failure. While having to handle the "upgrade", at least one job in production was halted until the upgrade was complete. A little more effort on his part would have solved that short sightedness. Although ironically, that short sightedness is common, as it's the same type of implementation of logic behind a great number of the security flaws in the Microsoft product lines. Shame on developers for relying on static allocations. :-)
>>For example, Sony was involved with Philips in the >>design and specification of the Audio CD format. At the time, it [quoted text clipped - 11 lines] >And the rootkits they come up with just end up alienating customers >and making them MORE likely to steal music. Brilliant. IAWTP (Point)
Let's sue our customers. That's sure to make them want to buy more music!
--
Great minds discuss ideas, average minds discuss events, small minds discuss people. - Admiral Hyman Rickover, U.S. Navy
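Several posts above discuss a retailer tracking purchases by hashing the track 2 data, and the reply that a hash of the card number is "nothing personally identifiable." As an added example (written for this page, not code from any poster or from any POS vendor) the block below parses constructed ISO 7813 track 2 strings, derives a keyed token (HMAC-SHA256) from the PAN, keeps only the token and a first-6/last-4 masked form, and aggregates spend per token. The key, the sample swipes and the function names are all assumptions made for the example; the card numbers are the well-known Visa and Mastercard test numbers, not real accounts.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo key; in a real deployment the key lives in an HSM or key
# vault and is never present on the POS terminal that handles cleartext track 2.
SAMPLE_KEY = b"demo-key-replace-with-hsm-managed-secret"

# Constructed track 2 swipes (";PAN=YYMMsss<discretionary>?") with amounts in cents.
# The last one has a corrupted check digit, as a misread swipe would.
SAMPLE_SWIPES = [
    (";4111111111111111=25121011234567890?", 4250),
    (";5555555555554444=26061010000000000?", 1299),
    (";4111111111111111=25121011234567890?", 3100),
    (";4111111111111112=25121011234567890?", 999),
]


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test: a cheap sanity check on digits read from the stripe."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track2: str) -> dict:
    """Split an ISO 7813 track 2 string into PAN, expiry (YYMM), service code
    and discretionary data. Raises ValueError on anything malformed."""
    body = track2.strip()
    if not (body.startswith(";") and body.endswith("?")):
        raise ValueError("missing track 2 start/end sentinel")
    body = body[1:-1]
    pan, sep, rest = body.partition("=")
    if not sep or not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("malformed PAN field")
    return {
        "pan": pan,
        "expiry": rest[:4],
        "service_code": rest[4:7],
        "discretionary": rest[7:],
    }


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed one-way token for a PAN. The same card always yields the same
    token under the same key, so purchases can be correlated, but without the
    key the token cannot be reversed by enumerating the card-number space
    (which an unkeyed SHA-256 of a 16-digit PAN would permit, since the first
    six digits identify the issuer and the rest is a small, Luhn-constrained space)."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def mask_pan(pan: str) -> str:
    """First six / last four rendering, the form PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def record_purchases(swipes, key: bytes) -> dict:
    """Aggregate count and spend per card token. Cleartext PANs exist only in
    local variables here; the returned structure holds tokens and masked PANs."""
    totals = defaultdict(lambda: {"count": 0, "amount_cents": 0, "masked": ""})
    for track2, amount_cents in swipes:
        fields = parse_track2(track2)
        pan = fields["pan"]
        if not luhn_ok(pan):
            continue                      # misread swipe: do not attribute it to anyone
        tok = tokenize_pan(pan, key)
        totals[tok]["count"] += 1
        totals[tok]["amount_cents"] += amount_cents
        totals[tok]["masked"] = mask_pan(pan)
    return dict(totals)


if __name__ == "__main__":
    for tok, row in record_purchases(SAMPLE_SWIPES, SAMPLE_KEY).items():
        print(tok[:16], row)
```

The design point is the key: a bare hash of the card number gives the correlation the posters describe but is not a privacy guarantee, whereas an HMAC under a key the retailer's analysts do not hold gives the same per-card aggregation with nothing on the data-mart side that can be turned back into a PAN. The masked form is kept only so an analyst can recognise a card a customer is asking about.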
Scott in SoCal - 12 Nov 2007 15:54 GMT On Sun, 11 Nov 2007 18:58:44 -0500, "Murderous Speeding Drunken Distracted Driver (Hector Goldstein)" <drunk_and_distracted@the_wheel.com> wrote:
>>On Sun, 11 Nov 2007 13:42:10 -0500, "Murderous Speeding Drunken >>Distracted Driver (Hector Goldstein)" [quoted text clipped - 13 lines] > >Would be counter productive otherwise, eh? Well, it wouldn't surprise me. The banking industry in general has come up with some pretty insecure designs. Like this business about converting paper checks into EFT debits. There are no safeguards against a cashier keying in the wrong amount, or some sort of glitch causing the EFT debit to be issued against your account twice. Everything is completely biased in favor of the merchant - anything the merchant submits is assumed to be correct until the consumer proves otherwise. Sure, you can eventually straighten everything out, but that could take weeks; in the meantime, your other checks are bouncing because of the original mistake, causing a snowball effect of NSF fees and bounced checks.
And all because the banking industry wanted to make things easier for itself.
>>Exactly. Every credit card gets physically replaced every couple of >>years anyway; just implement the new security on every new card that [quoted text clipped - 3 lines] >Except that not all card reading devices in existence are so easily >upgraded. OK, so replace them. Just pass the costs along to the customers. :)
>So while, in my case, I know exactly where I would put in "capturing >software", and have the technical ability to deploy it without going >through the normal distribution channels, I wouldn't do so because I >would still be creating audit trails in other departments. By the same >token, I couldn't "hand" deploy such software due to other monitoring >systems in play. So you're saying there is a monitoring system in place that would detect a rogue employee flashing a POS mag stripe reader with "special" firmware? How does that work?
>>>Furthermore, I do not believe there is anything to prevent a retailer >>>from hashing the track 2 data, and tracking purchases in that manner, [quoted text clipped - 5 lines] > >Which is, IMO, what should have been done all along. Less profitable that way. Can't sell the data to third parties without some means of tying it to a real name and address/phone number.
>>You're a straight shooter with "Upper Management" written all over >>you. :) [quoted text clipped - 3 lines] >I developed the Office Space lead character's philosophy of "not >missing work." :-) Wow, you mean that strategy works IRL, and not just in the movies?
I'm gonna have to give that a try... :)
>Shame on developers for relying on static allocations. :-) Sometimes you have to. Using dynamic allocation in an embedded system, for example, is a BIG no-no. :)
 Signature "Carl sleeps in his own bed [with] his yappy stupid a.s dog I want to punt out the balcony and into the dumpster." - Erika Lozaga Message-ID: <1194318485.287974.126750@q3g2000prf.googlegroups.com>
"I respect [Erika's] opinion though--not yours!" - Carl Rogers Message-ID: <1194332588.257951.197540@e34g2000pro.googlegroups.com>
Murderous Speeding Drunken Distracted Driver (Hector Goldstein) - 13 Nov 2007 02:39 GMT >On Sun, 11 Nov 2007 18:58:44 -0500, "Murderous Speeding Drunken >Distracted Driver (Hector Goldstein)" [quoted text clipped - 29 lines] >bouncing because of the original mistake, causing a snowball effect of >NSF fees and bounced checks. Trust me, as someone who works with POS systems that tender based on credit cards, I've seen some fairly interesting, eh, situations arise. As a result, I make all of my purchases, except for gas because of the "pay at the pump" convenience, in cash. I certainly don't feel like signing into my bank's web site to check my transactions every day, which is about the only way you can catch and prevent overcharges due to insufficient funds from an errantly charged card.
Also, make *darned* sure you've got everything ready to go at tender time, and pay attention to how the cashier handles your card. If you see 'em swipe it twice, or if you conclude the tendering, then initiate another transaction with the same card from the same institution, you might want to check your transaction history at some point in the future. Timing, handshaking with the clearing house, and incompetent/impatient cashiers can result in some very interesting unwanted transactions.
>And all because the banking industry wanted to make things easier for
>itself.

As opposed to automatically generating refunds any time a customer calls up and claims there's an error on their balance? That might lead to a bank quickly becoming bankrupt. :-)

>>>Exactly. Every credit card gets physically replaced every couple of
>>>years anyway; just implement the new security on every new card that
[quoted text clipped - 5 lines]
>
>OK, so replace them. Just pass the costs along to the customers. :)

There are circumstances where that might not be a viable option. :-)

>>So while, in my case, I know exactly where I would put in "capturing
>>software", and have the technical ability to deploy it without going
[quoted text clipped - 6 lines]
>detect a rogue employee flashing a POS mag stripe reader with
>"special" firmware? How does that work?

Our POS systems are integrated with our digital video recording system. To gain access to the cashier's station where you would be able to apply the software, you need to enter the admin credentials (known only to a very small number of people in the company, and ironically enough, selected and implemented by me). Certain types of activity on the terminal cause an index mark to be placed into the video stream so that the restaurant's management, or our corporate security group, can review the video(s) at their convenience, looking for suspicious activity. Activities considered "risky" or "privileged" that occur on a given terminal also filter back to corporate security, so screwing with a terminal without cause isn't prudent. I'm sure security is tired of looking at my ugly mug when I go to the field, as I bounce from terminal to terminal, as well as the main server, always entering the equipment in "God" mode. :-)

Also, I'm not certain that our MSRs or our bar code scanners are flashable, although the scanners are definitely reconfigurable. Ironically enough, both the MSR and the BCS devices hand their data off to the terminal as unencrypted key sequences as if entered from a keyboard. All keyboard input is accepted from the BCS until the cashier selects the payment method, at which time input switches to the MSR and its associated daemon, which handles the encryption. Due to the way we manage our systems (i.e., as a direct result of my 450 unit upgrade), any changes to the file containing the daemon will be obliterated and the original file replaced within very short order. Ironically enough, that 450 unit upgrade I did last week will have to be done again, as the vendor identified a problem in the piece that sends the encrypted data to the clearing house that processes our gift cards. The problem isn't anything related to security; moreover, they have a problem in that when their log file gets so large, the app tanks and has to be restarted. This vendor seems to have similar problems with logs on other parts of the system, so methinks they need to reconsider their logging object design.

>>>Right. They could just as easily track based on a hash of the CC
>>>number. Nothing personally identifiable in that.
[quoted text clipped - 3 lines]
>Less profitable that way. Can't sell the data to third parties without
>some means of tying it to a real name and address/phone number.

Agreed, but I'm not a proponent of one company selling personal information to another company. I am, however, a proponent of one company tracking their customer's purchases, if the customer opts in for that. I think this information is valuable to both the customer and the company.

>>>You're a straight shooter with "Upper Management" written all over
>>>you. :)
[quoted text clipped - 5 lines]
>
>Wow, you mean that strategy works IRL, and not just in the movies?

Oh man, I thought I was living the movie....
I busted my hump for my current employer for about a year and a half before I came to the conclusion it wasn't prudent for me to care more about the company than the higher ups did, so I basically switched from "maximum performance" to "minimum performance." Two weeks after this, I was given an evaluation position, which grew into an offer I accepted with an 80% pay boost. Ironically enough, because I carried so much weight, work wise, in my prior position, when I decided to do the absolute minimum, my department's performance stats took a major hit. The mid level manager of the department was fired, and the high level management for the department was "encouraged to leave."
>I'm gonna have to give that a try... :)

It's the first and only time I've tried it, and I must say I'm pleased, as well as extremely surprised, with the results.

>>Shame on developers for relying on static allocations. :-)
>
>Sometimes you have to. Using dynamic allocation in an embedded system,
>for example, is a BIG no-no. :)

I understand that there are circumstances that require such, but I'm thinking socket level code on a Doze box ain't one of those times. :-)
--
Great minds discuss ideas, average minds discuss events, small minds discuss people. - Admiral Hyman Rickover, U.S. Navy
Scott in SoCal - 13 Nov 2007 04:44 GMT

On Mon, 12 Nov 2007 21:39:18 -0500, "Murderous Speeding Drunken Distracted Driver (Hector Goldstein)" <drunk_and_distracted@the_wheel.com> wrote:

>Also, make *darned* sure you've got everything ready to go at tender
>time, and pay attention to how the cashier handles your card. If you
>see 'em swipe it twice, or if you conclude the tendering, then
>initiate another transaction with the same card from the same
>institution, you might want to check your transaction history at some
>point in the future.

Oh, man, I HATE that sh.t.
Cashier: Sorry, sir, your card didn't take; I need to swipe it again.
Me: It's not going to charge me twice, is it?
Cashier: Oh, no, sir! The first one didn't go through.
Me: Can you provide me with a receipt showing that the first transaction was cancelled?
Cashier: I'm sorry, sir - I don't know of any way to do that.
Me: UGH...
>Timing, handshaking with the clearing house, and
>incompetent/impatient cashiers can result in some very interesting
>unwanted transactions.

Yeah, that's what I'm afraid of. Thanks for confirming that I'm not just being paranoid(!!!)

>>And all because the banking industry wanted to make things easier for
>>itself.
>
>As opposed to automatically generating refunds any time a customer
>calls up and claims there's an error on their balance?

Well, if they can automatically assume that anything a merchant says is correct, then they can automatically assume that whatever I say is correct, as well. :)

>That might lead to a bank quickly becoming bankrupt. :-)

I would never lie or make a mistake! Or, if I do, then the merchant can just call and complain. <snicker>

>Our POS systems are integrated with our digital video recording
>system. To gain access to the cashier's station where you would be
[quoted text clipped - 5 lines]
>security group, can review the video(s) at their convenience, looking
>for suspicious activity.

So what if I remove power to the entire system (including the video system), open the card reader, and flash it using a JTAG? :)

>Also, I'm not certain that our MSRs or our bar code scanners are
>flashable, although the scanners are definitely reconfigurable.

They have to be flashable. Otherwise, how could the factory program them initially?

>Ironically enough, both the MSR and the BCS devices hand their data
>off to the terminal as unencrypted key sequences as if entered from a
>keyboard.

Yep, I have one of those keyboards myself. When you swipe a CC through it, it spits out a bunch of characters exactly as if you had typed them on the keyboard.

>I busted my hump for my current employer for about a year and a half
>before I came to the conclusion it wasn't prudent for me to care more
[quoted text clipped - 6 lines]
>hit. The mid level manager of the department was fired, and the high
>level management for the department was "encouraged to leave."

LOL!! Lumberg obviously didn't know how to manage you. :)
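Two technical points in the exchange above are worth seeing in code: a keyboard-wedge MSR "types" raw track data into whatever field has focus, so that data can land in logs and debug traces, and the earlier suggestion of tracking purchases by a hash of the card number. The following is an added example, not code from this thread or from any poster's employer's system. It assumes the ISO 7813 track 2 layout (start sentinel `;`, PAN, `=`, YYMM expiry, service code, discretionary data, `?`), uses the well-known 4111... test number as a constructed sample, and names `find_track2`, `redact_stream` and `tokenize_pan` are its own. The tokenization step uses a keyed HMAC rather than the bare hash the thread mentions: once a card's six-digit BIN is known, the remaining PAN space is small enough that unkeyed hashes can be tabulated, so "nothing personally identifiable" only holds when the key stays secret.

```python
import hashlib
import hmac
import re

# Constructed keystroke stream from a keyboard-wedge MSR: the cashier typed
# an item code, then a swipe "typed" a raw ISO 7813 track 2 record. The PAN
# is the standard 4111... test number (Luhn-valid), not a real card.
WEDGE_STREAM = "ITEM00042\n;4111111111111111=0912101123456789?\nTOTAL\n"

# Track 2 layout: ';' start sentinel, PAN (12-19 digits), '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check digit, used to reject strings that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_track2(stream: str) -> list:
    """Locate every Luhn-valid track 2 record in a keystroke or log stream."""
    return [
        {"pan": m.group("pan"), "exp": m.group("exp"), "svc": m.group("svc")}
        for m in TRACK2_RE.finditer(stream)
        if luhn_ok(m.group("pan"))
    ]


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4, the usual receipt-safe form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_stream(stream: str) -> str:
    """Rewrite track data before it reaches a log file or debug trace."""
    return TRACK2_RE.sub(
        lambda m: ";" + mask_pan(m.group("pan")) + "=****" + m.group("svc") + "?",
        stream,
    )


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed token for opt-in purchase tracking. HMAC-SHA256 rather than a
    bare hash: with the BIN known, an unkeyed SHA-256 table over the
    remaining digits could map tokens back to card numbers."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Hypothetical tracking key; in a real deployment it lives in an HSM or
    # key vault, never beside the transaction database.
    key = b"example-tracking-key-rotate-me"
    for rec in find_track2(WEDGE_STREAM):
        print("swipe seen:", mask_pan(rec["pan"]),
              "token:", tokenize_pan(rec["pan"], key)[:16])
    print(redact_stream(WEDGE_STREAM))
```

`find_track2` is the detection side (run it over keystroke buffers, crash dumps or log files to find out where swipes are leaking), `redact_stream` is the mitigation for logging, and `tokenize_pan` is the opt-in tracking identifier; the key, not the hash function, is what keeps the token from being reversed.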
Murderous Speeding Drunken Distracted Driver (Hector Goldstein) - 13 Nov 2007 23:05 GMT

>On Mon, 12 Nov 2007 21:39:18 -0500, "Murderous Speeding Drunken
>Distracted Driver (Hector Goldstein)"
[quoted text clipped - 14 lines]
>
>Cashier: Oh, no, sir! The first one didn't go through.

In my experience, *USUALLY* either the POS or the clearing house will prevent a double charge of the same amount to the same card; there are usually filters on both sides of the connection to prevent this from occurring. On extremely rare occasions, though, and it's a combination of network latency combined with errant operation by the cashier, a double charge will sneak through. The cashier's impatience will be a driving factor, though.

>Me: Can you provide me with a receipt showing that the first
>transaction was cancelled?
>
>Cashier: I'm sorry, sir - I don't know of any way to do that.

The systems I've worked with typically don't have any way of doing this, as the system considers the transaction aborted, and doesn't log it as part of the database. Although the aborted attempt would be logged, we don't integrate our logs with our transaction database.

>Me: UGH...
>
[quoted text clipped - 4 lines]
>Yeah, that's what I'm afraid of. Thanks for confirming that I'm not
>just being paranoid(!!!)

Again, it's an extremely small percentage of time that the conditions will be just right for this to happen, but it does happen. It is enough, however, to motivate me to make as many purchases as I can with cash.

>>>And all because the banking industry wanted to make things easier for
>>>itself.
[quoted text clipped - 5 lines]
>is correct, then they can automatically assume that whatever I say is
>correct, as well. :)

Yeah, but the merchant represents income. You represent, at least in this case, an expense. :-)

>>That might lead to a bank quickly becoming bankrupt. :-)
>
>I would never lie or make a mistake! Or, if I do, then the merchant
>can just call and complain. <snicker>

LMAO.

>>Our POS systems are integrated with our digital video recording
>>system. To gain access to the cashier's station where you would be
[quoted text clipped - 8 lines]
>So what if I remove power to the entire system (including the video
>system), open the card reader, and flash it using a JTAG? :)

You might have something there. Give it a shot, and let me know how it works out. :-)

>>Also, I'm not certain that our MSRs or our bar code scanners are
>>flashable, although the scanners are definitely reconfigurable.
>
>They have to be flashable. Otherwise, how could the factory program
>them initially?

Read only vs. Write once/many technology?

>>Ironically enough, both the MSR and the BCS devices hand their data
>>off to the terminal as unencrypted key sequences as if entered from a
[quoted text clipped - 3 lines]
>it, it spits out a bunch of characters exactly as if you had typed
>them on the keyboard.

I might need to get one of those; I'm tired of cutting and pasting my CC info from a text document. :-)
<snip>
>LOL!! Lumberg obviously didn't know how to manage you. :)

IMO, he didn't know how to manage anything. :-)
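The post above describes the filters a POS or clearing house runs to stop the "cashier swiped it twice" double charge, and the gap that lets one through when a timeout and an impatient re-swipe coincide. The following is an added example of how such a filter is commonly structured; it is not the poster's system or any vendor's code, and the two-minute window, the `client_ref` field and the `tok_...` card token are assumptions for illustration. The swipe sequence in `run_sample` is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthRequest:
    """One authorization attempt as a terminal would send it. The card is
    identified by a token, never by the PAN itself."""
    terminal: str
    card_token: str
    amount_cents: int
    sent_at: datetime
    client_ref: str  # terminal-side reference, unique per tender attempt


class DuplicateFilter:
    """Two layers, as a POS or clearing house might run them:
    1. A repeated client_ref is the terminal retrying after a timeout; the
       stored answer is returned and no second authorization happens.
    2. A new client_ref with the same card, terminal and amount inside the
       window is the 'cashier swiped again' case; it is held as a suspect
       duplicate instead of being approved silently.
    Layer 1 only works if the terminal reuses the reference on retry; a
    terminal that mints a fresh reference per swipe falls through to
    layer 2, which is the gap the post describes."""

    def __init__(self, window: timedelta = timedelta(minutes=2)):
        self.window = window
        self.answers = {}   # client_ref -> decision, for idempotent retries
        self.recent = {}    # (terminal, card_token, amount) -> last approval time

    def check(self, req: AuthRequest) -> str:
        if req.client_ref in self.answers:
            return "retry:" + self.answers[req.client_ref]
        key = (req.terminal, req.card_token, req.amount_cents)
        last = self.recent.get(key)
        if last is not None and req.sent_at - last <= self.window:
            decision = "suspect_duplicate"
        else:
            decision = "approve"
            self.recent[key] = req.sent_at
        self.answers[req.client_ref] = decision
        return decision


def run_sample() -> list:
    """Constructed sequence of swipes from one terminal for one card."""
    t0 = datetime(2007, 11, 13, 12, 0, 0)
    tok = "tok_4111"  # constructed card token
    swipes = [
        AuthRequest("T1", tok, 4237, t0, "A"),                          # first swipe
        AuthRequest("T1", tok, 4237, t0 + timedelta(seconds=8), "A"),   # timeout retry, same ref
        AuthRequest("T1", tok, 4237, t0 + timedelta(seconds=30), "B"),  # cashier swiped again
        AuthRequest("T1", tok, 1299, t0 + timedelta(seconds=40), "C"),  # different amount
        AuthRequest("T1", tok, 4237, t0 + timedelta(minutes=3), "D"),   # later, outside window
    ]
    f = DuplicateFilter()
    return [f.check(s) for s in swipes]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The "suspect_duplicate" outcome is the useful one for the cashier's "it didn't go through" claim: the terminal can show the original approval instead of re-authorizing, which is also the receipt the customer in the exchange above was asking for. Note what the filter cannot do: a second swipe for a different amount, or one arriving after the window, is indistinguishable from a legitimate second purchase and is approved.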
Scott in SoCal - 14 Nov 2007 04:19 GMT

On Tue, 13 Nov 2007 18:05:33 -0500, "Murderous Speeding Drunken Distracted Driver (Hector Goldstein)" <drunk_and_distracted@the_wheel.com> wrote:

>>So what if I remove power to the entire system (including the video
>>system), open the card reader, and flash it using a JTAG? :)
>
>You might have something there. Give it a shot, and let me know how it
>works out. :-)

No way - I'm strictly a white-hat hacker. Unless you want to hire me as a consultant to try and break your security, I won't be trying anything like that anytime soon.

>>>Also, I'm not certain that our MSRs or our bar code scanners are
>>>flashable, although the scanners are definitely reconfigurable.
[quoted text clipped - 3 lines]
>
>Read only vs. Write once/many technology?

I've never heard of a flash memory chip that was "write once." Must be REALLY tough to develop software when every time you want to make a code change you have to throw out the hardware and program a fresh device. :)
Murderous Speeding Drunken Distracted Driver (Hector Goldstein) - 14 Nov 2007 23:52 GMT

>On Tue, 13 Nov 2007 18:05:33 -0500, "Murderous Speeding Drunken
>Distracted Driver (Hector Goldstein)"
[quoted text clipped - 9 lines]
>as a consultant to try and break your security, I won't be trying
>anything like that anytime soon.

I understand well.

>>>>Also, I'm not certain that our MSRs or our bar code scanners are
>>>>flashable, although the scanners are definitely reconfigurable.
[quoted text clipped - 8 lines]
>code change you have to throw out the hardware and program a fresh
>device. :)

Who says the devices must contain flash memory?
Besides, you should know that development and production systems are different. I'm reasonably sure those XBox/PlayStation developers aren't burning new ROMs for every iteration of the development cycle.
:-)
Scott in SoCal - 15 Nov 2007 04:24 GMT

On Wed, 14 Nov 2007 18:52:21 -0500, "Murderous Speeding Drunken Distracted Driver (Hector Goldstein)" <drunk_and_distracted@the_wheel.com> wrote:

>>>>They have to be flashable. Otherwise, how could the factory program
>>>>them initially?
[quoted text clipped - 7 lines]
>
>Who says the devices must contain flash memory?

Are you saying they don't?

If I can get the cover off, I can also replace the EPROM chip. :)

>Besides, you should know that development and production systems are
>different. I'm reasonably sure those XBox/PlayStation developers
>aren't burning new ROMs for every iteration of the development cycle.
>:-)

True enough, but there must be SOME provision for folks such as yourself to perform upgrades. :)
Murderous Speeding Drunken Distracted Driver (Hector Goldstein) - 15 Nov 2007 04:41 GMT

>On Wed, 14 Nov 2007 18:52:21 -0500, "Murderous Speeding Drunken
>Distracted Driver (Hector Goldstein)"
[quoted text clipped - 13 lines]
>
>Are you saying they don't?

Honestly, I don't know. The hardware was spec'd before I got there, and nothing I've done has had me need to work with the MSRs. The only thing I am aware of with regard to our card readers is that there is a physical switch that must be in a given position prior to the physical installation.

However, I can assume. :-)

An MSR's functionality is rather limited, in much the same way a keyboard is. I don't see much of a reason to make a device flashable, particularly when the vendor will pass the $$$ on to the customer. When you purchase in the volume we do, those $$$ add up.

>If I can get the cover off, I can also replace the EPROM chip. :)

Agreed, although it can become more difficult if the chips are encased in epoxy like they used to do with the old Video Cipher ][ units. :-/

>>Besides, you should know that development and production systems are
>>different. I'm reasonably sure those XBox/PlayStation developers
[quoted text clipped - 3 lines]
>True enough, but there must be SOME provision for folks such as
>yourself to perform upgrades. :)

Good point, and as of recently I've considered the possibility of picking up a card reader for personal purposes. Just not sure what good reprogramming it would do, although I'm considering flashing a handheld radio I've got to broadcast on the cellular bands. Some idiot in the vehicle chatting on the phone? Hit the scan button, and when you hear the noise, hold the transmit key down. :-)
Scott in SoCal - 15 Nov 2007 05:03 GMT

On Wed, 14 Nov 2007 23:41:44 -0500, "Murderous Speeding Drunken Distracted Driver (Hector Goldstein)" <drunk_and_distracted@the_wheel.com> wrote:

>Good point, and as of recently I've considered the possibility of
>picking up a card reader for personal purposes. Just not sure what
>good reprogramming it would do, although I'm considering flashing a
>handheld radio I've got to broadcast on the cellular bands. Some idiot
>in the vehicle chatting on the phone? Hit the scan button, and when
>you hear the noise, hold the transmit key down. :-)

Um, that's illegal - even if you have a ham ticket.