Woolies was using bargain basement payment security?

The excellent Datonomy blog has pointed out an article in the Daily Mail about the dumping of customer receipts as the stores closed down. But something feels wrong about this data loss story.

The article explains how, during the final throes of Woolworths’ administration, a store in Loughton, Essex, was found to have dumped 58 receipts in a skip; these “clearly state the type of bank card used, its expiry date, and the signature of the account holder”. The article goes on to decry the full horrors of identity theft awaiting the individuals affected by the loss, and to explain how the details on the receipts can be used to create cloned cards. Finally, it closes by saying that the ICO has launched an investigation.

The article does, of course, include the usual omissions and irrelevances, dipped in fear and loathing, that explain why I don’t touch the Daily Mail: ‘It is a growing menace, and everyone in the UK is at risk unless their personal and confidential information is destroyed.’ Oh, the horror.

But hang on a minute – what was the store doing taking signatures instead of PIN numbers? If a retailer takes a signature in place of a PIN, then the entire financial liability for the transaction falls on the retailer instead of the card provider. Let’s assume that in its final throes the retailer didn’t really care about the consequences, so a staff member was happily accepting signatures instead of PINs (because if that was a group-wide policy to accept signatures then it might explain a lot about why Woolies failed). The receipts would have been retained in the event of a dispute, but were dumped because there was nobody left to care, and nothing left to lose.

What could have happened if the dumpster diver was less philanthropic, and sold on the receipts instead of unselfishly handing them to the Mail? Well, there’s no question that the card numbers could have been used for fraudulent card-not-present (CNP) transactions (Daily Mail please take note: this is NOT the same as identity theft). The victims would discover their cards loaded with unauthorised transactions, complain about them, and have their monies refunded. Where necessary, a replacement card with a new number would be issued to prevent further fraud. Inconvenient, yes; menace, no. This is what Chip and PIN was all about: transferring liabilities in a cryptographically provable manner so that individuals, retailers and banks all know where they stand. Credit cards might still be a very old-fashioned payment mechanism, but to their credit the card providers have already dealt with these most obvious problems.

If the idea of receipts being dumped worries you, then all you have to do is keep an eye on your account and challenge any suspicious transactions when they occur. Don’t use a guessable PIN (e.g. one based on a date of birth or a simple sequence). Don’t use a signature when you could use a PIN. And don’t place too much faith in articles in certain UK newspapers that exaggerate and mislead to make you believe that the full horror of identity theft lurks around every turn.

Join the conversation



I worked for Woolies. They would only take signatures if the PINpad failed (rare) or if a non-Chip and PIN card was used, i.e. most store cards. It was impossible to override Chip and PIN as the transaction would simply be declined by the authorising bank. The CVV2 would not have been printed on the receipt and so no CNP fraud could take place.

You're right about Chip & PIN shifting liability - it does shift the liability for fraud "on to the card holder." Guess the first question you're asked if your Card is Nicked and Used with Your PIN before you report the loss? Do you think your card issuers will believe you when you tell them you've been careful with your PIN? This is why readers should be made aware that there is such a beast as a CHIP & SIGNATURE Card. Card issuers are very reluctant to tell Joe Public about them. You may not be aware but apart from cloning devices fitted to ATMs and PINs pinched, a more recent M.O. is for Chip & PIN entry devices in shops to be hacked. This means that cards are cloned, PINs recovered and the cloned cards used in ATMs at home and overseas. Why give crooks the opportunity to commit this type of crime with your Credit Card - No PIN, i.e. continue to sign, means they can't hit ATMs. CHIP & SIGNATURE CREDIT CARDS reduce the risk to cardholders.

That's a good point about CVV2. In the absence of that code there is of course still a risk of the card number being used in poorly-regulated territories, but once again the card holder would have full redress in the event of a dispute. As for the second point, I'm not convinced. Chip and Sign is the same as a Chip and PIN, but the card declares the holder's preference to use a signature. This is aimed at visually impaired cardholders, and I very much doubt that any issuer would approve Chip and Sign for anyone else. I'd much rather have Chip and PIN - I know of a number of places on the web where my signature can be found, but I keep my PIN to myself, and am far happier about that than the poor security of a signature. Incidentally, I've written before about the importance of the Consumer Credit Act, which provides far greater card holder protection for credit cards than is available under debit cards. I use my debit card in ATMs and only in ATMs, and never use it elsewhere - it's no less secure than a credit card, but if something goes wrong then a) you have greater redress with a credit rather than a debit card, and b) it's the credit card company's money that's gone missing, rather than the contents of your bank account.