Why Blockbuster looks at your ID.

Anne & Lynn Wheeler lynn at garlic.com
Sun Jul 10 12:22:27 EDT 2005 

Perry E. Metzger wrote:
> Why does the clerk at Blockbuster want to see your driver's license?
> Because his management has been told, by their bank, that if they do
> not attempt to verify the identity of credit card users they will risk
> their business relationship with the bank. Credit card fraud is far
> too prevalent, DVDs are easily resold, and the bank wants to make sure
> that they won't get defrauded. Blockbuster also wants to minimize
> fraudulent use of credit cards (which they end up eating in some
> instances) and the loss of their property (which will never be
> returned by someone renting a video with a stolen credit card).

the issue is lost/stolen credit cards ... your name is embossed on the
plastic and recorded on the mastripe. this provides for the
point-of-sale to check for lost/stolen card by attempting the
identification process of matching the name on the card with the name on
something else.

this moves the card out of the relm of authentication into the relm of
identification. there was a number of threads (mostly prior to 9/11)
about EU privacy directives for making retail electronic transactions as
anonymous as cash. basically this involved removing your name from the
plastic embossing and magstripe ... so that the card was purely an
authentication "something you have" .... and didn't wander across the
line into identification. lost/stolen card risks then could be contained
by deactivating accounts when the owner reported the card lost/stolen

part of the issue has been the appearance of skimming/harvesting compromises
http://www.garlic.com/~lynn/subpubkey.html#harvest

where the crooks didn't actually have to physically steal the card, they
could electronically record the necessary information (w/o the owner's
knowledge) and then perform fraudulent transactions. The
skimming/harvesting compromises can involve tens of thousands of cards
... not just a single card at a time. Also, the fraud period instead of
being limited to possibly a few hrs (when the owner reports the missing
card), now could extend to a few weeks (since the owner doesn't notice
unitl they get around to examining the next statement). The
skimming/harvesting threat and vulnerability can magnify the fraud risk
by several orders of magnitude (compared to simple lost/stolen).

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list