CASTalk.com

David Brown wrote:
Del Cecchi wrote:


And about the wonders of those debit cards....
DECEMBER 14, 2005 (COMPUTERWORLD) - A victim of the recent Sam's Club
security breach suggests that fraudsters may have stolen credit card
information by using illegal "card-skimming" devices attached to the
pumps at the company's gas stations. The fraudulent activity may also
have been going on for a longer period than that suggested by the
wholesale giant, and it may affect thousands of people (see "Update:
Security breach at Sam's Club exposes credit card data").
Sam's Club, a division of Bentonville, Ark.-based Wal-Mart Stores
Inc. , said in a brief Dec. 2 statement that it was investigating a
security breach that had exposed the credit card data of an
unspecified number of customers who bought fuel at its gas stations
between Sept. 21 and Oct. 2. The company said it was alerted to the
problem by credit card issuers whose customers were complaining of
fraudulent charges on their statements.

Apart from saying that "electronic systems and databases used inside
its stores" were not involved, Sam's Club officials have refused to
disclose what happened. They have not returned repeated telephone
calls for comment.

The breach prompted the Alabama Credit Union (ACU) to block and
reissue debit cards to about 500 of its customers after it learned of
the problem last week. The ACU was alerted to the breach by Credit
Union National Association Inc. , according to Kayce Bell, chief
operating officer at the Tuscaloosa, Ala.-based credit union.

more at link
http://www.computerworld.com/securityto ... nid=107067


Looks like thousands and thousands of folks. And their pins too. I
hope that the contract with the issuer was nice and solid.


I don't know anything more about this case than what you've written
here, but this reads very much as "my dog ate my homework". Perhaps
I'm overly sceptical, but this sounds like Sam's Club had poor
security on their financial systems, and kept a list or database of
essential credit card data in one place (many companies do, placing
the convenience far above security or customers' privacy). This list
got stolen (either an inside job or an outside job). This has
happened to companies before - it's a public relations disaster.
Blaming advanced fraudsters with "card-skimming" devices turns it
around - suddenly Sam's Club is the victim, and customers and their
issuing banks are to blame for using cards open to such fraud.

I'm not saying card-skimming doesn't happen, or doing anything more
than speculating in this case. I just don't think it is a clear
example without a great deal more evidence.

I guess it depends if the claimed devices are hypothetical or if Sam's
has evidence they actually existed, eg one of the devices. It seems to
me that they would be foolish to float this story if they had no actual
evicence. People say a lot of things about Walmart Corp, but foolish
doesn't seem to be one of them.

Here in the U.S., merchants who did not accept credit card have gone out of
business.<shrug

Utter rubbish - neither side wants to spend the $$ but if worst comes to
the worst, a doctored/authentic cheque is light stuff. Color lasers?...
every single one has its serial # on every doc produced.

Ah yes - so because it's so easy, Wal-Mart et al. eat their share of the
6 billion USD in retail check fraud annually? And the banks their share of
the 600 million USD left at their door step, even after they have doctored
the rules to their utmost advantage? Pray tell.

Yeah and electonic filing/archiving was supposed to replace paper years
ago...

The reason this has happened has to do with how human perception works -
it's just easier to read a nice large piece of papers than a limited screen.
Money transactions are a different kettle of fish.

Your "plastic" is certainly *not* more secure - that's my experience and
everyone I know has had glitches with a credit card transaction at one
time. With that background, why would I want a risky transaction dipping
directly into my bank account? Sure you can contest it and maybe get
things put right but until you do, you're short by the amount in dispute.
Getting money back is a lot harder to do than contesting the transaction
before you settle.

Not hereabouts. For instance, if I allow one of the companies who get my
money regularly - even once annually - to do a direct debit, within six weeks
of the transaction all I need to do is go to my bank and ask it to cancel the
transaction, and I have my money back. Of course the other party will be
pretty pissed-off with that - such cancelment costs them around 15 Euros,
IIRC - and the business relationship will likely suffer pretty badly - but
hey, that's a measure of last resort that you'd untertake only if the rela-
tionship already is down the tubes.

In more than 25 years I haven't needed to do that once...but it's good to
know one can do that.

With that in mind I have to ask why credit cards never took off in Europe
as well as in the U.S.?

Because the alternatives that were available were considered "better" in some
sense of the world. There was a time when one needed a credit card mainly for
trips outside Europe (in particular, to the US) and as a deposit for car
rental.

I know that some countries had govt. regulations on personal debt at one
time or another but is that not a thing of the past now?

Certainly never a consideration in Germany.

... or was it because merchants did not want to pay the banks their
%age?

That for sure.

Is it possibly more difficult to get a credit card in Europe?

Probably easier, I'd say.

I'm sorry but you seem not to understand the nature of fraudulent
transactions - recipients tend not to hang around long enough for a return
of funds. I'm sorry but I find your bank's "policy" here beyond
credibility. How *do* they stop fraudulent transaction cancellations?:-)

Nice that you have that option but it is not universal and not even common
in other countries.

That's rubbish. I have lived in Europe and the lack/difficulty of credit
cards was a PITA and no the alternatives have not been around for that
long... and I still don't like the security... your claims notwithstanding.

As for "better" that can only be, IME, from the perspective of the banks.

If think if you look back far enough........

Where is it easier and easier than where? I know it's *not* easier than
the U.S. in France and the U.K. I have recent examples as proof.

So now you want to shift the focus of this sub-thread on large sum
transactions to retail fraud... nice try.

That's "looking" and yes it is easier to page through a multi-page doc in
your hand for certain things. I said filing & archiving.

As for money transactions, I can only figure you work for a bank - no way
am I going to submit to the insecurity of direct debit in its current
form.:-(

Fer chrissakes learn how to post to Usenet.

George Macdonald <fammacd=!SPAM^nothanks@tellurian.com> writes:
Here in the U.S., merchants who did not accept credit card have gone out of
business.<shrug

There's still several stores in Berkeley(*) that don't accept them... And one
that only recently started accepting them (with a cookbook as deciding
factor, strangely enough)

--
David Gay
dgay@acm.org
*: Somebody's now going to claim that Berkeley isn't really the US ;-)

So now you want to shift the focus of this sub-thread on large sum
transactions to retail fraud... nice try.

Sheesh. Try something other than rethorics, man.

That's "looking" and yes it is easier to page through a multi-page doc in
your hand for certain things. I said filing & archiving.

From 1 January next, there is a legal requirement that all documents related
to social security - health, old age and unemployment insurance - be archived
digitally. My health insurance has been electronically archiving all documents
I send them for years and then destroys the paper. I'm not sure whether my
bank still produces microfilm of those (relatively few) EFT transactions
submitted on the paper form, but quite likely they don't but do it electroni-
cally.

As for money transactions, I can only figure you work for a bank - no way
am I going to submit to the insecurity of direct debit in its current
form.:-(

I definitely don't work for a bank, as you could easily have convinced your-
self. As for the purported insecurity, you have just declared about 90% of
all non-cash money transactions in Germany, and probably all of Europe, as
insecure. Yeah, that's really convincing.

Fer chrissakes learn how to post to Usenet.

In what form do I not know how?

I'm sorry but you seem not to understand the nature of fraudulent
transactions - recipients tend not to hang around long enough for a return
of funds. I'm sorry but I find your bank's "policy" here beyond
credibility. How *do* they stop fraudulent transaction cancellations?:-)

They don't. As I said, it's the bank that gets defrauded, which of course
passes the losses back to its customers in some form - consider it a variant
of insurance. Be aware that at least in Germany, it's significantly more
difficult to just "disappear" into nowhere than in the US, so there is a
higher chance of getting at least something back from the defrauder.

As to credibility - the bank doesn't have a choice, it's a legal requirement,
full stop.

Nice that you have that option but it is not universal and not even common
in other countries.

You say that after people from at least three other European countries have
stated likewise, and one of them said that there's a good chance this going
to be an EU regulation?

That's rubbish. I have lived in Europe and the lack/difficulty of credit
cards was a PITA and no the alternatives have not been around for that
long... and I still don't like the security... your claims notwithstanding.

Difficulty of paying with credit cards, or difficulty of getting one? And
the alternatives have been around for at least thirty years.

As for "better" that can only be, IME, from the perspective of the banks.

No, it's better from the perspective of the customers, because they have
voted with their feet....ah, signatures for those alternatives.

If think if you look back far enough........

Long enough means before WW II!?

Where is it easier and easier than where? I know it's *not* easier than
the U.S. in France and the U.K. I have recent examples as proof.

Here - in Germany - all you need is regular income, the size of which will
determine your credit limit.

Direct debit is something that only a business can do, but it can be one
man businesses, and no substantial deposit needs to be made.

How can it work? It works. For some reason.

Everything is using either ATM cards/cash (shops) or electronic
funds transfers. There's also a form of "authorization to directly
debit" which allows you to get funds directly.

And at least in the Netherlands that's arranged a bit funny - you
authorize the person who debits, not the bank. Only when a dispute
arises, the debitor (?) has to show the signature.

Direct debit is something that only a business can do, but it can be one
man businesses, and no substantial deposit needs to be made.