Credit Card Naïveté
I truly love the fact that the public is so much more aware these days about credit card fraud, ID theft, and security in general. It really shows that the word is getting out there, and that will hopefully just keep growing. However, the more people become aware of the problem, the more they want technology to solve the problem. Essentially, people want to feel safe (can you blame them?), but technology is not always the answer.
Case in point: I recently found this article from the website of a news channel in Phoenix, AZ. The author of the article was singing the praises of an area restaurant that is using wireless credit card readers at the tables. The wait staff brings the reader to the table, you scan your card, add your tip (conveniently calculated for you), and you are done. According to the article, many people are nervous about letting their cards out of their sight since they have experienced problems in the past. And now this device makes them feel so much better since they have control over their card.
First off, I can understand the perception here. And actually, it is not really a perception at all. There is a very legitimate concern with your credit card not being in your control. You have no idea what is going on when the waiter / waitress is off with your card. This solves that issue.
But second, these people still are not educated enough to know that the reader can still be compromised. Who is keeping the waiter from modifying the device to grab numbers as they are scanned? And did I mention it is wireless? Is there sufficient encryption?
Now, so this doesn't make too much of a stink in case the manager of that restaurant is reading my blog post, I have no idea about the security measures in place. Maybe they are doing everything perfectly by checking the scanners, installing the highest level of encryption, and doing background checks on their employees. I can only give them the benefit of the doubt on that. But as a security guy, I am paranoid. And there is no such thing as perfect security. My point is that the customers are getting a warm fuzzy from this device simply because it has solved one issue of many in the game of credit card fraud.
On the positive side, I believe Bruce Schneier once argued that just the perception of security is sometimes a good thing. In this case, it allows the customers to be less anxious, and it is a decent security measure that most of the competitors obviously don't have.

