Carte Blanche: A Social Experiment

A few months ago, I purchased a fun toy: an MSR606 Magstripe writer. As 'tech' goes, it doesn't rank very high: it simply reads and writes magnetic cards of the sort that the typical US credit card/debit card/hotel room key uses. I purchased it to explore a potential vulnerability in a sales kiosk that, fortunately, proved to be unexploitable.

The amusement has come from using my own duplicated credit and debit cards.  My wallet currently has a few of these blank, white cards that contain the data from my own credit cards.  I have been using them constantly over the last two months.

The depressing part of this is that I've gotten quite good at using them.  I make it a point to use one in every transaction that requires handing the card over to a human being.  I sometimes get quizzical looks: "What is this?" "A credit card." "Uh..." "It's a Mastercard, the Carte Blanche," I reply, "Just swipe it and it will work."

Some of the stores that I've used the card in include Best Buy, Barnes and Noble, Denny's, the Hilton chain of hotels, Enterprise car rentals, and a few dozen restaurants local to the Indianapolis area.  It's rather surprising that no one questions me.  At least not very deeply.  Nobody has asked for my ID, for example (well, the hotels and car rental agencies have asked for ID, though not surrounding the use of the card), or for any other proof that either the card is legitimate or that I am authorized to use it.  I just hand them the card. Occasionally I offer some explanation that it's a 'high security credit card' (high security because nobody can take a picture of the front and get my credit card number, an excuse that I made up on-the-fly recently while at a restaurant).

(Image: my "Mastercard Carte Blanche")

I'd like to think that Mastercard, VISA, and the other credit card providers tell their clients not to accept cards that lack basic security features such as the hologram, CVV code, and signature, but people are so surprised at the all-white card that perhaps they forget.

The purpose of this disclosure is to remind companies to pay a little attention.  Credit cards are ridiculously insecure devices.  My own primary credit card is stolen roughly once per year.  It pains me that we are stuck using magnetic stripes here in the US, but let's make the most of what we're given: let's check the card's basic security features while we're processing transactions, and let's err on the side of disbelief when taking credit cards from strangers.

The problem is really one of incentive: clerks are typically paid a flat hourly wage.  It doesn't matter to the clerk if there are credit card chargebacks (the only way to ding a company for accepting stolen cards).  They get paid either way, so why make a fuss?  A fuss might lead to an unhappy customer, and unhappy customers can lead to an unfortunate end for a clerk's job.

Because the normal security economics break down in this case, and because (pardon the paraphrase) we must be the change that we expect to see in the security world, I have decided to hand out cash awards to any clerk that refuses to accept my white cards.  I figure this both ups the ante for me as a social engineer, and hopefully spreads a little awareness about a very old, and very easily solved problem.

About this Entry

This page contains a single entry by giminy published on October 6, 2013 11:23 PM.
