David Canton is a business lawyer and trade-mark agent with a practice focusing on technology issues and technology companies.



Contact Me

March 10, 2006

New debit card PIN fraud concern

Tags: , , — David Canton @ 8:15 am

Digg points to an MSNBC article that says there has been a rash of debit card fraud in the US. Debit cards have been relatively secure, as they are not useful without the PIN code. Thieves have resorted to things like modifying card readers, and cameras to capture pins.

This report is disturbing as it suggests the fraudsters have obtained pins in bulk, and that the probable source is retailer records. Most assumed that when one inputs their pin it is transmitted to the bank for verification, but is not stored anywhere but the bank.

Turns out some retailer systems do store the pin!! The retailers may not even know that happens.

I don’t know if this happens at Canadian retailers or not.

This is a practice that must be stopped immediately.

In addition to being a security risk, it is probably a violation of the PIPEDA privacy legislation, as sensitive personal information is being stored that is not necessary to have, and without knowledge or consent.

Read the MSNBC article

January 31, 2006

Credit card privacy breach inaction / apathy

Tags: , , — David Canton @ 8:33 am

Techdirt has a story where an individual received 34 credit cards belonging to others with his new card. The individual claims he had a great deal of difficulty getting anyone at Amex to deal with the issue. He was told at one time just to cut them up.

This illustrates 2 issues.

First – as we have seen many times before, a prompt and proper response to any alleged privacy breach is crucial. Every person in every business that has customer contact must be trained to spot privacy issues, and immediately bring them to the attention of the business’s privacy officer.

Second – what should be the proper response when something like credit cards or documents with personal information is sent to the wrong person? Is telling them to cut them up or shred them sufficient? Or should they request they be returned? At least if they are returned, the business will know exactly what was sent.

In either case, how would the business ever know if the material was actually destroyed, or that copies were not made?

Read the Techdirt post

May 24, 2005

Don’t print full card numbers on receipts

Tags: , , , — David Canton @ 7:20 am

DAVID CANTON – For the London Free Press – May 21, 2005

Read this on Canoe

If they fall into the wrong hands, your debit or credit card numbers can be used to run up charges at your expense.

Businesses should not print debit or credit card numbers on receipts or other documents. Printing them increases the chances of misuse of credit and debit card numbers and is a violation of privacy obligations.

Some people go to the trouble of searching through garbage to steal copies of credit card receipts or other documents. If these records fall into the wrong hands, criminals can control accounts and assume your identity.

(more…)

« Newer Posts

Switch to our mobile site