Credit Card Takeaway

Called into my local Chinese takeaway tonight in person rather than phoning. The nice lady patiently waited while I chose three items, then informed me that my £12.80 sale was short of the £15 minimum for debit card transactions. I appealed this extremely politely, referencing the fact that Which? has recently conducted an investigation which revealed that the true cost of DD transactions was around 20p. She said OK and called her boss – offsite – for authorisation. A rapid convo in Mandarin was heard then she got off the phone and smiled, saying the boss said OK. OK? Great!!

So, she proceeded to ask me “Long card number on the front” “expiry date” “security code” “house number and postcode” and “name as on the card”. Dutifully these details were then written down on a little notepad. Yep, a notepad. Then she rang her boss – offsite – but you know that already – and gave him the details (in Mandarin). All my details. She then handed back to me the note.

I had some questions. “What do you do if the customer is not here?” She showed me the rest of the pad, pages and pages of other customer’s details. Gold.

“What do you do with them?” to answer that she demonstrated – by ripping off a page, screwing it up in her hand, and then gesturing a throwing away. “So you just put them in the bin?” “Yes – I tear them up”

I should add that whilst she took my order (on another sheet of paper) out to the kitchen, she left the counter unattended. I quickly jumped up over the high counter to see if it was possible for me to grab the credit card details notebook – yep – it was there within reach. “How do you protect those customer details from theft?” “I do,” she said. I replied “But while you were away in the kitchen, I had the opportunity to steal that pad!” She got it…

She was so nice, and understanding, and gave otherwise good service, that I felt I had to offer help in return. So I’ve passed on my details to give to her boss, so we can meet and I can offer some advice on how to protect his business from potential fraud, and review his Data Protection policies.

I took away with me the top three pages of the notebook – mine and the next two – so that impressions couldn’t be made of my personally identifying information (PII). I also made the resolution to ask for an authorisation number each and every time I give my details over the phone. I had assumed that she had a machine onsite, but it was elsewhere – with the boss. Hmm. I’m not actually sure whether that’s proper. It’s certainly not good practice.

When you call a business and they ask for card details over the phone, what do you do?


Passwords and botnets

Image by rob _pym on Flickr

It appears that a large botnet of about 90,000 home computers is trying to break into WordPress sites (hat-tip to @TheMacFixer) using a brute force attack. This news instantly made me log in to WordPress and review my password security. My existing password was 12 characters, non-dictionary, with numbers, letters and symbols in upper and lower case. So yes, quite secure.

Selecting the new password function I found that a 50 character password generated by 1Password is acceptable to WordPress. So I saved that.

This isn’t it, of course, but it looks like rhe6sham0sara3jypi1rhu2purt9thop3xupe2duki6li2rhim

Do your worst, botnets.
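To put numbers on why a long random password shrugs off a botnet, here is an added example (my own illustration, not anything from WordPress or 1Password) that generates a password from the lowercase-plus-digits alphabet shown above using Python’s `secrets` module, computes its entropy in bits, and estimates how long exhausting that keyspace would take at an assumed guess rate. The rate of 90,000 bots each trying 10 logins per second is a constructed assumption for the sake of the calculation, not a measured figure.

```python
import math
import secrets
import string

# Alphabet matching the style of the sample password above: lowercase letters and digits.
ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols

# Assumption for illustration only: each of ~90,000 bots manages 10 login attempts per second.
ASSUMED_GUESSES_PER_SECOND = 90_000 * 10

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Build a password by drawing each character uniformly with a CSPRNG."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need length >= 1 and at least two symbols")
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every password of this shape at the given guess rate."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def compare(lengths=(12, 50), alphabet: str = ALPHABET) -> dict:
    """Return entropy and exhaustive-search time for each candidate length."""
    size = len(alphabet)
    return {
        n: {"bits": round(entropy_bits(n, size), 1),
            "years_to_exhaust": years_to_exhaust(n, size)}
        for n in lengths
    }


if __name__ == "__main__":
    pw = generate_password(50)
    print("generated:", pw)
    for n, stats in compare().items():
        print(f"{n} chars: {stats['bits']} bits, "
              f"~{stats['years_to_exhaust']:.3g} years to exhaust at the assumed rate")
```

The 12-character case already sits in the thousands-of-years range at the assumed rate, and the 50-character case is astronomically beyond it; the practical lesson is that a credential drawn uniformly from a CSPRNG makes online brute force a non-issue, so the remaining risks are reuse, phishing and leaked backups rather than guessing.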

Getting your Facebook a little more private in these open “Graph” days to come


No doubt you’ve heard how Facebook privacy settings can prove the undoing of your privacy when potential employers see your embarrassing posts and photos. Well, the new “Graph” search function that’s soon to be implemented will open up these possibilities even more – unless you know how to adjust your settings to protect not only yourself, but your friends as well.

Dear M&S why oh why do you need so much PII to log me in?

I needed to phone my credit card provider today. The telephone login procedure at their overseas call centre raised alarm bells for me. Too much PII. So I’ve emailed them as follows:-

I just had to call CS as the website was not allowing logins. I am concerned about the amount of PII that I had to give your operator to log in.
I was asked for:-
My CCN (obviously needed)
First line of my address
my postcode
and my password.

This IMO is excessive. You *do*not* need all this information to identify me when I call you. All your operator needs is my CCN and my password. Otherwise, why set a password?!?
I would be more than happy to discuss this at length with your IT / security / infosec department. Please get them to call me Peter 077** *** *** many thanks for your help. I look forward to hearing from you. <email ends>

How much Personally Identifying Information do you give away when you call your bank or credit card company? Too much? The right amount?