Security Ignorance and Fraud

Richard has been talking about security scams over at Gendal World. There certainly seems to be a lot of empirical evidence that security principles aren’t well understood by the general public.

For example: My credit card expired recently. On receiving the new one, I forgot to sign it, and put it in my wallet with the back blank (yeah, I know). I’ve since been able to use it twice unsigned:

Of course, it is dumb for me to walk around with an unsigned card in my wallet. However, it’s also dumb for these retailers to accept it. You could argue that it’s a low risk for them - I look respectable, I have other ID with my photo and signature, and these are low amounts involved. Whether they are breaking their contract with the bank by accepting it, though, I don’t know - I suspect it would be frowned upon, at least - and they are probably liable for any fraud.

I was tempted to leave the card unsigned and see how much longer I could get away with it. If I wasn’t putting myself at risk, I’d do it, but I’m paranoid about losing things, so I haven’t. But it’s curious to see just how easy it is to get away with some things.


Bruce Schneier has also been discussing user education on security recently:

Well, I think that trumps my story. Accepting it unsigned is one thing, but accepting that two signatures match when they've just been written in plain view is clearly pure stupidity. Where was this? Are you willing to dob in the guilty party? :)

I had my card unsigned for ages. I have been asked to sign the card in front of a cashier, and then they checked that my signatures matched (both done in front of her!) Really, the whole signature thing is useless for security. Your card should really have a photo of you on the back like they do in Europe, and only chip and pin should be accepted (well, it is the shop's risk I suppose, so they can accept a signature if they want).