Woolies was using bargain basement payment security?

The excellent Datonomy blog has pointed out an article in the Daily Mail about the dumping of customer receipts as the stores closed down. But something feels wrong about this data loss story.

The article explains how during the final throes of Woolworths’ administration, a store in Loughton, Essex, was found to have dumped 58 receipts in a skip, where these “clearly state the type of bank card used, its expiry date, and the signature of the account holder”. The article goes on to decry the full horrors of identity theft awaiting the individuals affected by the loss, and to explain how the details on the receipts can be used to create cloned cards. Finally, it closes by saying that the ICO has launched an investigation.

The article does, of course, include the usual omissions and irrelevances, dipped in fear and loathing, that explain why I don’t touch the Daily Mail: ‘It is a growing menace, and everyone in the UK is at risk unless their personal and confidential information is destroyed.’ Oh, the horror.

But hang on a minute – what was the store doing taking signatures instead of PIN numbers? If a retailer takes a signature in place of a PIN, then the entire financial liability for the transaction falls on the retailer instead of the card provider. Let’s assume that in its final throes the retailer didn’t really care about the consequences, so a staff member was happily accepting signatures instead of PINs (because if that was a group-wide policy to accept signatures then it might explain a lot about why Woolies failed). The receipts would have been retained in the event of a dispute, but were dumped because there was nobody left to care, and nothing left to lose.

What could have happened if the dumpster diver was less philanthropic, and sold on the receipts instead of unselfishly handing them to the Mail? Well, there’s no question that the card numbers could have been used for fraudulent CNP transactions (Daily Mail please take note: this is NOT the same as identity theft). The victims would discover their cards loaded with unauthorised transactions, complain about them, and have their money refunded. Where necessary, a replacement card with a new number would be issued to prevent further fraud. Inconvenient, yes; menace, no. This is what Chip and PIN was all about: transferring liabilities in a cryptographically provable manner so that individuals, retailers and banks all know where they stand. Credit cards might still be a very old-fashioned payment mechanism, but to their credit the card providers have already dealt with these most obvious problems.

If the idea of receipts being dumped worries you, then all you have to do is keep an eye on your account and challenge any suspicious transactions when they occur. Don’t use a guessable PIN (eg one based on a date of birth or a simple sequence). Don’t use a signature when you could use a PIN. And don’t place too much faith in articles in certain UK newspapers that exaggerate and mislead to make you believe that the full horror of identity theft lurks around every turn.