Friday, May 9, 2008

On the security of credit card signature verification

I just rediscovered this very entertaining post about a man's quest to have his signature verified when making a purchase.

So when does anybody look at the signature on the back of your card?
The short answer: almost never.

Automated systems don't read it.
Humans never look at the paper receipt.
Most waiters only pick up the signed statement after you have left the building.

And don't get me started on these "electronic signature" pads at grocery stores:
At first, I (quite naively) expected them to do a fancy AI signature comparison on the fly. That would be logical, since most of the time, the cashier does not even see what you wrote on her own screen.

After a lot of experimentation, I have reverse engineered the complex algorithms in these machines that decide on whether a signature is accepted or not.

It goes something like this:

10 DRAW(Blank_Rectangle, Buttons)
20 WAITFOR(Ok_Button_Pressed)
30 IF (NumPixelOnScreen < 20) THEN
       BEEP
       GOTO 10
40 ELSE
50     ACCEPT SIGNATURE
60     PROCESS(Transaction)

That's it. So a blank screen or a single dot won't be accepted. A straight line, or any other drawing you can come up with, will.

Again, that's regardless of what is on the back of your card. Even if it says "SEE ID".
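The acceptance logic described above, as an added toy model (not code from the post or from any real pad vendor): the pad is a set of inked pixel coordinates, the threshold of 20 pixels is taken from the post's pseudocode, and the pad geometry, drawing helpers and sample scribbles are constructed for illustration.

```python
# Added example: a toy model of the signature-pad acceptance logic the post
# describes (count the inked pixels, accept if there are at least 20).
# The pad geometry, the drawing helpers and the sample scribbles are constructed.

PIXEL_THRESHOLD = 20   # from the post's pseudocode: NumPixelOnScreen < 20 -> reject


def blank_pad():
    """A freshly cleared pad: the set of (x, y) pixels that have been inked."""
    return set()


def dot(pad, x, y):
    """Tap the stylus once: a single inked pixel."""
    pad.add((x, y))
    return pad


def line(pad, x0, y0, x1, y1):
    """Draw one straight stroke using Bresenham's line algorithm."""
    dx, dy = abs(x1 - x0), -abs(y1 - y0)
    sx = 1 if x0 < x1 else -1
    sy = 1 if y0 < y1 else -1
    err = dx + dy
    while True:
        pad.add((x0, y0))
        if x0 == x1 and y0 == y1:
            break
        e2 = 2 * err
        if e2 >= dy:
            err += dy
            x0 += sx
        if e2 <= dx:
            err += dx
            y0 += sy
    return pad


def pad_accepts(pad):
    """The post's 'complex algorithm': enough ink on screen and the scribble passes.
    Note that nothing here is compared against a reference signature."""
    return len(pad) >= PIXEL_THRESHOLD


def scenario_results():
    """Run the three cases the post mentions: blank screen, single dot, straight line."""
    return {
        "blank": pad_accepts(blank_pad()),
        "single_dot": pad_accepts(dot(blank_pad(), 160, 60)),
        "straight_line": pad_accepts(line(blank_pad(), 40, 60, 280, 60)),
    }


if __name__ == "__main__":
    for name, ok in scenario_results().items():
        print(f"{name:14s} -> {'ACCEPTED' if ok else 'rejected (beep)'}")
```

The only input to `pad_accepts` is the pixel count, so a 241-pixel horizontal stroke and a genuine signature are indistinguishable to it; that is the whole weakness the post is pointing at.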

Side note: The whole idea behind "SEE ID" is that it would somehow be harder to fake a driver's license than a signature. If that is true, how come all those teenagers are using fake licenses to get alcohol?


So should you or should you not sign your real signature?


Let's run the scenarios:

When you sign your real signature:
- The shop has proof you made the purchase and can hold you liable.


When you don't sign your real signature:
- You gain time, since a quick swipe of the pen to draw a line goes a lot faster.
- The shop can never prove you made the purchase. If the purchase ever gets contested, their "image proof" will be laughed out of court.

I'll let you decide on this one...

1 comment:

Marcus said...

Frickin' hilarious. From now on it's similar signatures for me till someone indicates it's not valid.

-Marcus