Introduction

First off, this article is going to be a bit long, and I apologize in advance if it wanders a bit. However, this is an issue that there has been a lot of hysterics about, and also a lot of voodoo and fear-mongering in both the media and around water coolers. I’ve tried to write this article not towards the usual kinds of people who read my website (that is, techno-dweebs like myself) but more to a general audience. A lot of the things I discuss do get technical, but hopefully I’m doing an adequate job of explaining things in a clear and concise fashion.

I use a small amount of computer security and geek jargon. Where appropriate, I have added links to those bits to places like the Jargon File and Wikipedia.

Mostly, I appreciate your feedback and comments. If you are a newcomer to my site, you can leave comments after the article by logging in from a variety of services.. or, feel free to create an account here and comment.

Before I begin, I need to point out that nothing in here should be taken as legal advice, and I Am Not A Lawyer. This article is coming strictly from a stance of a layman, who has some knowledge of computer security and related fields, using information culled from the websites of VISA and Mastercard themselves. It is not the end-all of this issue, although I’ve tried to be thorough for people to get a general idea and make their own decision.

I tend to use the terms “credit card” and “debit card” somewhat interchangeably in this document. I understand the difference, but for purposes of this discussion (and largely because I know other geeks love to be pedantic and will give me flak over this) they are used to mean “a plastic card used for financial transactions at point-of-sale typically bearing the VISA and Mastercard logo.” I’m not talking about ATM cards (except “check cards” that are used as VISA and Mastercards), and while most of the high-level technical details also apply to American Express and Discover/NOVUS cards there are significant differences there that I don’t go in to. And don’t get me started on “contactless” cards and department store charge cards.

Oh, and for the record: I don’t print *SEE ID* on my debit or credit cards. In fact, one of my debit cards has been unsigned for two years and nobody has noticed.

So, let’s dive right in to this divisive issue that is driving our nation apart, shall we?

The Weak Point of Credit Cards: It Isn’t At Point-of-Sale.

Let’s have a frank discussion about your typical credit/debit card from a logistics and security standpoint. So, you have this piece of plastic you carry, which has a 16-digit number (plus some other information) on it that represents an account you hold with a bank (whether that account is a credit line, a checking account, or a debit account is irrelevant, really, to this discussion). Just looking at it from a simple personal security stance, it is pretty scary that the only thing keeping somebody from raping your life savings dry is those 16 little digits, plus an expiration date.

What’s even more amazing is that those 16 digits aren’t even completely random. First off, the first digit is always a “4” if it is a VISA and always a “5” if it is a MasterCard. Okay, so there’s only 15 random digits. Nope, actually, the next five digits of your VISA or MasterCard actually represent the issuing bank: as an example, all VISA Debit cards issued by a “major local Credit Union” here in Oregon begin with the numbers 4306-28. Okay, so the remaining ten numbers are random right? Nope, guess again. Actually, only the next 8 numbers are random: the remaining two digits are a checksum that is derived from the entire card number.

In reality it is only eight digits between a random crook who knows you have a debit account with a Credit Union in Oregon, and you having an empty checking account. Oh, and remember how the last two is a checksum? That means those eight digits have to fit a mathematical formula, which means it is easy to do some simple spreadsheet logic to get all potentially valid credit card numbers issued by this nameless Credit Union.

Guess what? You have actually just seen the process by which a significant percentage of the organized credit card fraud actually happened about ten years ago. Not by skimming legitimate card numbers off of transactions (although that happened as well, and is the process by which most fraud happens today) but by simply playing a mathematical lottery. Organized crime figured that out early on, and when the Internet was new and online merchants sprung up, they pretty much started brute-forcing small dollar amount transactions against poorly secured merchants, and when the $1 transaction was approved, they knew they had a valid card with at least some sort of credit balance available. The only thing that really thwarted this was the fairly recent development of online merchants requiring ZIP Codes to complete transactions: this provided an additional factor, and has reduced the success of this attack vector considerably.

When designing security systems, the folks who do this always search for the “weak spot” in whatever system they are designing and harden that spot. In a building, doors and windows are your “weak spots”, so if physical security is a concern you harden outside doors and windows. You install solidly built physical locks on solid metal doors. You add additional components to the door to ensure that the lock cannot be compromised. You install cameras to watch the door. You may even post a security guard at the door to personally verify the identity of everybody entering and leaving.

Once in the building, however, is your security job done? Heck, no. You wouldn’t want “just anybody” from gaining access to building systems like fire alarm control panels and the machinery rooms. So there are additional locks and security: however, in most buildings, these security systems are not as hardened as the front door… or are they? In a building with “poor security at the front door”, say a building that is designed for public access like a shopping mall, you might have intentionally poor security at the main entrance, but you certainly wouldn’t leave the electrical room unlocked so some toddler can wander in and feel the power of a 440-volt Primary feed. However, in a telephone company switching center, where the only people with access to the building are telephone engineers and technicians, the only reason why there’s a door on the electrical closet is fire codes.

The point is, the weak spot of your card isn’t at the retailer, it is the magic 16 digits on the front of the card itself.

How It Works: Consumer Banking 101

So, as we’ve seen, the weak point (traditionally) of credit cards is the fact that the actual card number is not very well hardened. The card issuers have figured out a “workaround” for the weaknesses in the numbering scheme, but we’ll get to that in a minute. For now, let’s turn our attention to the way a credit card transaction works.

When you present your credit card for payment, what transaction exactly is taking place? Essentially, you are giving a retail clerk (typically paid minimum wage) an account number in which to bill for the goods or services you are about to receive. The clerk then hands you back a slip with that number on it for you to sign, and by your signature you are agreeing to pay the credit card company according to your user agreement with them for the transaction.

Okay, now, let’s evaluate this transaction for what it isn’t, now that we’ve described what it is. First off, the form you are signing is not an agreement between you and the merchant, it is an agreement between you and the credit card issuer. As far as the merchant is legally concerned, the transaction was over the minute they accepted your credit card account number as payment: the agreement in front of you on the credit card slip is solely between you and VISA, Mastercard, or whoever the issuer is. The merchant at that point becomes an agent of the credit card processor and steps out of their role as the direct party to the sale.

This is an important difference between writing a check and using a credit card. When you write a check, you are directly engaging in a contract. You are directing your bank to “Pay [on|to] the order of” the merchant a dollar amount, pretty please with sugar and frosting on top, signed,me. As this is a contract, it is legal and proper for a merchant to request proof that you have the right to engage in such a contract, and under that “legal fiction” has the right to ask for identification to verify that you are entitled to sign a contract. Because of the long-standing status of a bank draft contract in English Common Law, there is a clearly defined legal contract being established between you and the merchant: your legal obligations to “make good” on that instrument only end when the bank the check is drawn on actually pays the check.

That’s not how a credit card works. Legally, you have no obligation to the merchant at all once the card is accepted as tender. The merchant and the credit card company have a relationship, and you and the credit card company have a relationship, and both of you are bound to the credit card company by the terms of your respective agreements with the credit card company. An interesting point to note is that the merchant is specifically prohibited from requiring anything more than the card bearing the VISA/Mastercard logo as a condition of acceptance in their Merchant Agreement. But, I’ll get to that point in a minute, back to “who’s responsible to whom.”

I’ll explain how this works in detail. Now, this situation is a bit more complicated than I’m making it out to be (because of things like FDIC insurance, “clearinghouses,” and the realities of the way “money” moves through the banking system), but fundamentally this is how it works in practice. Say you write a check for $100 to a local merchant, and the next day your bank becomes insolvent and closes its doors. That check will be returned to the merchant dishonored. At this point, the merchant has an automatic recourse against you, and simply needs to demand payment from you and follow the normal small-claims process with you as the defendant to collect.

Say, however, in that same circumstance you used a credit card issued by the same bank. While it may appear to you that the minute you swipe your credit card the transaction hits your account, the reality of the situation is it doesn’t work that way: that’s an illusion, and it is very possible for credit card transactions to take three or four days to actually be processed (those of you who regularly use “Check Cards” can see this phenomenon in action when you buy gas or go to a restaurant). The way it works is the merchant “captures” your card number, is given an authorization from his merchant bank, and does not receive the money for the transaction until the merchant “settles” his account with his merchant bank (which is normally at the end of the business day, but for many merchants can be on the next business day, or even at the end of the week). From the merchant’s perspective, the “Authorization number” he receives from the merchant bank is simply a promise to pay: not from you, but from his merchant bank.

While this does push the limits of likelihood, let’s say that the merchant is a small one, who settles his batches based on “business days”, and your bank closes its doors unannounced to you at the close of business Friday. You have no way of knowing your bank is planning on going out of business, so at 4:58pm you pay $100 for your new toy, the merchant swipes your credit card, and you go home. On Monday morning, when the merchant settles his batch, they refuse to pay the merchant for your $100 transaction because the bank is now closed. Legally, what is your obligation to the merchant?

Zero. Provided you handed the merchant your card in “good faith” (which you did: you have no idea your bank was planning to close at end of business), you are not encumbered to make that merchant “whole” again. You aren’t, legally, the one that swindled the merchant: the bank was.

Now, what’s important here is that This Never Happens(tm). Banks generally don’t go out of business, and even if they did the chances of the credit card companies not paying the merchant is small. That’s why the system works as smoothly as it does for the consumer. Provided everybody comes to the table in good faith, and nobody’s pulling a “fast one”, the losses that result from this sort of fluke circumstance is just considered a cost of doing business by the credit card companies. Rarely are merchants ever left on the hook for this.. if they were, you can bet they’d start not taking credit cards in a hurry. Strange stuff happens all the time in the world of consumer finance. Typically, it almost always settles out in the end.

The point is, the merchant has no formal obligation to ensure that you are legally entitled to sign a contract. He’s not a party to the contract you are signing (the credit card slip in front of you), he is an agent of a party and as such must take directions from the person he is acting as an agent for. He has fulfilled his obligations to the merchant bank (processed your card through the POS terminal, called “capturing” the card), the last obligation being to simply obtain your signature. Even if that signature is fake, provided he can say with honesty that he verified the signature on the back of the card with the signature on his transaction slip, he will be paid.

The (Very) Fine Print

Here’s something those of you who write “SEE ID” on your credit card may not know. You, technically, broke your agreement with VISA and Mastercard when you did not sign your legal signature on the back of the card. It says right on the card: “NOT VALID UNLESS [sometimes UNTIL] SIGNED”. It doesn’t say “here’s a field for you to write whatever the hell you want”, it says in clear language that your obligation under the contract is to sign the card.

If, after reading the above paragraph, you did not immediately whip out all your cards and verify that you have actually signed them, you are not only in violation of your agreement with the credit card companies, from now on whenever you hand your card over you are operating “in bad faith”: you’ve not only read the contract, you’ve been specifically alerted to a condition you are violating, and you haven’t cured the violation.

Okay, so I’m just a schmuck with a website. Big deal, it’s not like what I say carries any weight. But, I strongly urge you to look not only at your card (where you will see the language), but read your actual agreement (you know, that thing they sent you printed on thin paper with a 4-point font you can barely read?). You may not only find everything I said two paragraphs up there is true, but after looking at one of my agreements it specifically had language stating.. wait, let me grab it..

“If the signature on the ‘AUTHORIZED SIGNATURE’ strip does not reasonably match the signature provided to the Bank on the master VISA/Mastercard Application Form, the Credit Card is not considered to be valid. This includes instructions to accepting merchants to verify identification (with words like “CHECK ID” or “SEE ID”) or other such non-signatures. Signatures are to be made using plain ink in contrasting colors to the background that should last the anticipated lifetime on the card and not “rub off” with normal wear. […] The only item the Customer is allowed to affix, inscribe, attach, write, or otherwise modify on the card is the ‘AUTHORIZED SIGNATURE’ strip on the back of the card with their full legal signature matching the name on the front of the card. Any other alterations to the card renders the card invalid and subject to confiscation by the Bank.”

That sounds pretty clear and unambiguous there. In fact, I’ll give them extra credit on this one: while most of the Cardholder Agreement I have is full of pretty complex legal mumbo-jumbo, these two sentences are clear and concise, and give a precise statement of what you’re supposed to do with that goofy white strip on the back. They even specifically instruct you to not write “SEE ID” on the card.

So, there you have the first point. Your bank likely has specifically instructed you not to do this.

Oh, and before I continue, both VISA and Mastercard BOTH tell you to not do this on their websites and other collateral.

How It Works part II: Merchant Economics 101

A couple of sections up, I stated that the agreement between the merchant and the credit card processor or merchant bank clearly states that provided they follow the rules laid out in the contract, they will be paid regardless of whether the transaction later turns out to be fraudulent or not. That’s very important. In fact, it is that very “hold harmless” clause that allows the whole thing to work so smoothly. For the vast majority of merchants, if they simply get a signature, look at the back of the card, verify the signatures match, and send the customer merrily on their way they will be paid, even if the “customer” later turns out to be wanted in five states for credit card fraud.

Credit card companies can do this because the credit card business is extremely profitable. The reason you pay an average of 15% interest on a consumer credit card is precisely because this “guaranteed acceptance” clause is part of the mechanism.

So, why does the merchant care if the transaction is valid? Well, aside from the desires of fighting crime and being decent citizens, merchants also pay credit card companies for the privilege of accepting branded cards. This is typically assessed as a percentage of the dollar transaction amount.

But, it’s not fixed. One merchant might be paying as little as 0.8% per transaction, another might be paying 3%, or maybe even as high as 5%. Why?

One of the things the merchant banks do when they sign up a new business to accept credit cards is do some basic risk assessment. They look at the type of business and the size, the location (a business in a small town with little financial crime will pay less than one in an urban center), and the general financial health of the business (and, if a sole proprietorship the owner’s personal credit). But they also factor in a few sliding scales as well to adjust for changes in the risk.

As an example, say your coffeehouse in North Portland has a sudden upsurge in business. It may actually hurt your settlement fees with your credit card processor, because it has changed your perceived risk. It may also trigger a visit from the account manager. If, say, the reason is a light rail line just opened up between your neighborhood and a high-crime area, it may be you now pay that slightly higher settlement fee, because your risk profile has changed. Or, if the reason why is that you’ve got some amazing new way of making coffee that has customers lining up down the street, you might get a lower percentage.

Playing the numbers like this is exactly where credit card companies make most of their actual revenue. You may think the 22.5% penalty fee you’re paying for missing a payment is the cash cow, but trust me on this one. They’d rather be charging the merchant a couple of tenths of a percent more per transaction. Lending you money costs them money: they have to buy the money from somebody. Taking it from the merchant as a processing fee doesn’t cost them anything.

One of the ways to get your settlement fees bumped into a higher bracket is if your business has a high instance of fraud, even if the fraud isn’t your fault. It may be your convenience store is two blocks away from a local crackhouse where the local gang is running a sophisticated credit card fraud scam, or it just may be the fact that you’re a convenience store in a bad neighborhood. Nope, don’t matter: you’ve had five bad charges in six months, your rate just went up to 2.5%.

This is where I get to pick on Wal-Mart for a minute, as they are the biggest violator of the “no ID required” rule on the planet. Do you think for a minute that the reason Wal-Mart is violating their merchant agreement and asking for your ID on every credit card transaction is for your safety? Come on. They don’t even screen the stuff they buy from China for lead.. you think they’re gonna verify your ID for YOUR safety? No, the reason they check ID is solely to keep their credit card settlement rates low. They don’t care about YOU getting defrauded, they only care about keeping their credit card settlement rates as low as they can. And, here’s another little clue for you. You think verifying ID actually reduces credit card fraud as a whole? It might, maybe. But that’s only if the credit card processors mandated it, which they aren’t, and they likely won’t.

Wal-Mart is just applying some basic economic physics. They don’t give a rat’s ass if Joe Criminal passes his stolen credit card to buy a TV, they just don’t want it passed at Wal-Mart so they don’t have to pay a higher settlement rate. 0.1% on the millions of credit card transactions Wal-Mart processes in aggregate in a single day is a huge amount of money.

Wal-Mart gets away with violating their merchant agreement because.. well, are you going to argue with Wal-Mart?

Now that we’ve broken down the way it works, let’s talk about identity verification at point-of-sale with credit and debit cards bearing the VISA or Mastercard logo. Wow, that’s a long way of letting you know “here’s where I get to the fecking point.”

The Whole Point Of Signing Your Credit Card

Here’s the meat of the issue. You sign your credit card for two reasons: it certifies acceptance of the agreement between your issuing bank and yourself, and it provides an identity verification mechanism for the merchant.

Those of us who were born before Reaganomics remember traveling with our parents and them using something called a “traveler’s check”. This was a document, not unlike a regular ordinary check, that you could buy at your bank that was designed specifically for people who were on the road. It has largely been replaced by specialty credit card products on the high end (American Express, who not ironically was a big issuer of traveler’s checks too) and debit cards on the low end (including prepaid debit cards purchased in moderate dollar amounts).

A traveler’s check had the same “universal acceptance” principle of a modern credit card. It bore a place for two signatures. The first signature you signed before you left the bank in the presence of the teller (although this wasn’t always as strictly enforced as it was supposed to be). The second signature you signed a point-of-sale. The idea here being that if the signatures don’t match, it’s probably a fraud.

What slowly killed traveler’s checks wasn’t the wide availability of debit cards. My parents’ generation would still be using traveler’s checks for their travel if it had the wide acceptance they once had. What killed traveler’s checks was the advent of high-quality laser printing.

It used to be that the only way a traveler’s check issuer would not pay a check is if it was counterfeit. They’d pay if it was reported stolen, provided the signatures matched. They were also issued by major banking corporations, so they’d never be declined for insufficient funds. The average merchant could depend on being paid, even if the “customer” later turned out to be passing stolen checks.

High-quality laser printers changed that. While traveler’s checks often contained a lot of features to make direct counterfeiting impossible, there was nothing stopping somebody from making up a counterfeit document posing as a traveler’s check from another institution and passing it. Here’s how that scam worked.

The criminal has written down the numbers off the bottom of some American Express traveler’s checks. Now, every merchant knows what an “American Express” traveler’s check looks like. But, what if I create a “Bank of America” traveler’s check? I bet you wouldn’t know what one looked like. I can put American Express’ routing numbers on the counterfeit check, and pass it anywhere traveler’s checks are accepted, and there’s a pretty good chance I’ll get away with it too.

Guess what else high quality laser printing allows a crafty criminal to do?

What Every Illegal Immigrant Knows About Identity Fraud

Let me ask you an honest question. Say you are like me, and you live in Oregon. You may have lived in other states, say (again) like me places like California and Arizona. You may have had driver licenses in those states. You may be familiar with a few other driver licenses from a couple of other nearby states. In my case, I could probably describe a license from Washington, Montana, and maybe British Columbia. That’s.. six states who’s licenses I could identify and say “yep, that’s what a Washington license looks like” with some certainty.

Would I know what a driver license from Iowa looks like? Hell no.

Think fast. I just walked in to your store, and I’m about to make a $50 purchase with my credit card at a small electronics store. You ask for my ID, and I present you this:

Is this a real ID? How do you know? What tells you it is a real ID?

It isn’t. However, it’s pretty damn close to a REAL Iowa driver’s license. What is even scarier is the fact I whipped this out in about a half-hour using Photoshop and a legitimate Oregon license. I bet I would fool even a real cop if this was printed on plastic stock.. up until the point he ran IA DL # 41414 in the system and got no hits. In the ten seconds you, as a minimum wage employee (who has a long line of customers waiting to make purchases), have to decide if this is a legitimate ID you are likely going to decide it is. You have an automatic confirmation bias. I’m a fairly normal-looking “white” male, and while my driver’s license photo shows long hair and a sarcastic expression, I don’t look that out of the ordinary. I’m exactly who you expect to come in to your RadioShack on a lazy Saturday.

However, now that a few minutes has gone by, you can probably think of a few things immediately wrong with this ID, enough to make you suspicious. Why the “low” license number? A hazardous materials endorsement? Somebody in their late-30’s that’s only been licensed for a few years? Given five minutes, you’d probably also notice that the text on the right hand side (even in this intentionally crappy JPEG version) seems crisper, and a slightly different font, than the text on the left.

But, let’s face it. A retail clerk isn’t going to spot these things. Even convenience store clerks who receive training on spotting fake ID for tobacco and liquor sales are so bad at it that many chains are requiring they scan the ID using a machine, which at least checks the birthdate information on the magstripe (a fake ID may have a black strip on the back, but the likelihood it actually contains any information is slim).

So, if a bored geek with 30 minutes and The Gimp can fashion a license that would pass the 15-second inspection, how hard do you think it would be for a professional criminal to get a “good enough” license?

Right now, somewhere in a bad neighborhood in Portland, an illegal immigrant is buying a counterfeit out-of-state driver’s license for $250. He’ll have a photo taken with a digital camera, printed out on a inexpensive color laser printer, and laminated onto identity card stock available at most office supply houses. The person selling it to him? Likely an identity theft forger, who probably has a great little side business pickpocketing credit cards.

Think it can’t happen?

It does. When I worked for RadioShack, I personally busted somebody who was trying to pass a stolen credit card using counterfeit identity documents. The lesson here isn’t that the person got caught because of the fake ID. The reality of the situation is the fake ID was noticed because the transaction smelled “funny.”

It Doesn’t Even Do What Retailers Think It Does

Let’s go back to the “reasons” we’re verifying ID, so I can make a point. Remember what I told you earlier about whether or not the merchant would be paid in a fraudulent transaction? The merchant will be paid if they can honestly say to the credit card processor “yes, we verified the signature on the back of the card with the signature on the sales draft.”

So, I have an Oregon driver’s license. Funny thing about Oregon licenses. Here’s what a real Oregon driver’s license looks like:

Notice something missing?

The signature. Oregon does not put the signature on the front of the license: it is on the back.

In all the years I’ve lived in Oregon, not once has any merchant who is (against his merchant agreement’s rules) verifying my state-issued ID actually looked at the back of the card. For that matter, they never even ask me to remove it from the clear plastic section of my wallet. They look at the photograph, look at the name, look at me, and hand me back my credit card and the receipt.

And, the even funnier thing about that? In my experience, the retailers who check ID never look at the back of the credit card either.

Do this as an experiment. I did, and the results were hysterical. Get a prepaid debit card, like from Green Dot Online. When you get the card, sign it “Daffy Duck”, “Wilt Chamberlain”, or whatever.. or, even better yet, sign it with your name, but in a completely different style from how you normally sign your name. Go make a $100 purchase at one of the stores that verifies ID. When it comes time to pay for the transaction, hand them your driver’s license and your credit card at the same time. There’s a good chance (in my experiment, it was around 70% successful) they’ll never look at the credit card strip, and just verify that the photo on the license matches the name, and the name matches the card.

At no point are the majority of merchants verifying the signatures to see if they match.

The whole point of the signature is that forging somebody’s signature requires patience and practice. As anybody who has studied handwriting analysis will tell you, the way we move our hands to make marks on paper is as much a function of who we are as it is what we’ve learned. Even a master forger never gets the signatures exactly right.. remember all those bunco squad episodes of Dragnet? It was always the signature that was the weak point.

The credit card companies know this. In fact, that’s exactly why they don’t care about verifying ID. They know that 90% of the time, the differences in the signature between the back of the card and the sales draft is a much better indication of fraud than verifying the picture on some piece of plastic matches the person in front of you.

Especially when the piece of plastic takes 30 minutes and tools purchased from any office supply store to forge.

How (Most) Fraud Is Actually Spotted

Earlier, I alluded to an incident that happened when I was an employee of the RadioShack Corporation. One sunny summer afternoon, I got a phone call from another store describing two African-American women who had just tried to pull something funny at another store involving a credit card. As I’m discussing this incident with my fellow employee at that other store, I ask for a description. The answer I get back is something along the lines of “trust me, you’ll know them if they walk into your store.”

Not more than 30 seconds later, two African-American women wearing the most outlandish clothes you could imagine started walking up to the store from the parking lot. I quietly and discreetly informed the other salesman to call the police.

From that moment, I knew that something funny was going on. Heck, even if I hadn’t gotten the phone call, I would have been suspicious of them anyway: my store was in a predominately working-class Hispanic neighborhood (North-Central Santa Ana, California). Our primary sales were calculators to kids attending the neighboring high school and community college, and the occasional homeowner hooking up a TV or some such. The whole time I was there I don’t think I sold one high-ticket item.

So, in walk these two African-American women, who immediately start oooh-ing and aaah-ing all the nice expensive stuff. They buy a pocket LCD TV, a high-end cordless phone with answering machine, This RadioShack store was lucky if it did $1,500 in one day, and here these women were about to rack up $1,500 in one ticket.

When it came time to settle the bill, I took the credit card and before even asking for ID marched right over to the phone and called in a “Code 10” authorization, which means to the credit card company “hey, I think this is a fraudulent transaction.” At that time, I was asked to obtain ID, and at that moment one of Santa Ana’s friendly neighborhood beat cops came strolling in.

At that moment, I looked at the ID and realized what a fake it was. But, I knew it was going to be fake before I even picked up the phone. I knew something funny was going on the minute they walked in the store.

Call it “racial profiling” or whatever, but the sheer fact that here are two African-American women wearing outlandish clothes in a overwhelmingly Hispanic neighborhood was enough of a trigger, combined with the extremely high value of the goods being purchased. 96% of my store’s customers spoke Spanish as their primary language, and probably made $1,500 a month, and suddenly here’s two people who obviously aren’t “from around here” racking up quite a tab.

This is exactly how credit card companies spot fraud. Unusual deviations in a customer’s typical spending habits and unusual deviations in a store’s normal traffic combine to give credit card processors a pretty clear picture of what is abnormal. It gets this specific: recently, my credit card company called me after three high-dollar purchases were made. The very discussion with the person on the phone indicated they suspected a $45 charge from an Internet merchant, not the two $150 transactions I had just done at a ham radio store. That distinction is important. I shop at the ham radio store irregularly, but when I do it’s a typically large dollar amount. A sub-$50 charge from an Internet merchant was aberrant, specifically because I don’t often use this particular card for Internet purchases.

All the identification in the world didn’t stop me from knowing the transaction was bogus. In reality, if the women had been Hispanic, and I hadn’t gotten the call, and they only purchased one moderate-value item (say, just the portable TV), it would have totally flown under my radar. And, even if I asked for ID, I would have been presented with a “good enough” ID, and probably not even really spotted it was fake.

Why Do You Even Care?

The last point I want to bring up is.. why do you even care? You are aware that you aren’t liable for anything more than $50 in fraudulent transactions.. and increasingly, credit card processors are even waiving that. The reality is that credit card companies work for you, and generally view you as the “customer” for purposes of the “customer is always right.” There are always exceptions, but customer retention is a major goal of credit card processors, and ultimately they really do want you to be happy. That’s why many higher-end cards offer things like automatic warranty coverage, loss and damage insurance, etc. on purchases made with their cards.

At the end of the day, it all comes down to the fact that credit card companies know where the limitations of the technology is. They know more than you do, they know more than most retailers do. They know that ultimately the best protection against casual fraud is a proper signature on the back of the card, compared to a signature signed in front of a clerk and compared. “SEE ID” thwarts that security… it is much easier to create a fake ID with any random signature than to learn to forge somebody elses.

Then, there’s the issue of identity theft to consider. You’ve just handed a valid credit card to a person you don’t know, and likely wouldn’t remember their face if you had to pick them out of a police lineup. Now, you’ve just handed them another identity document: your driver’s license, which contains your address and your DL number.

Think about that for a minute.

You have just given somebody everything they would need to open a bank account in your name. The only limitation is the limits of their memory: they’d have to remember a 16-digit card number, a four digit expiration, and an 8-10 digit driver’s license number. They could take those numbers, create a counterfeit credit card and driver’s license bearing your name (they could likely get your address from public records with that information), put their picture and their signature on it, and ..

Ballgame over.

Hey, somebody really crafty wouldn’t even need to remember the information. A small hidden camera could be capturing that information, and you wouldn’t know.

It’s even already happened. It hasn’t made big press, but it has happened.