Best Buy Employees: Hear Me

by Brian Hitney 18. June 2010 14:32

Today I made a fairly exciting trek to Best Buy to buy some printer ink.  I live on the edge!

While I was checking out and paying with my credit card, the cashier asked to see my ID.   I admit, I’ve shown it in the past, and it has always irritated me.  It doesn’t irritate me because it’s inconvenient to take my license out of my wallet, but rather, because it doesn’t do anything but put me at risk.

Merchant agreements (at least with Visa cards) basically say the merchants can’t demand to see any form of ID to verify the card holder if the card is signed (of course they can require it if you’re buying something that requires ID – like alcohol), but they can ask (and most people may assume that if they’re asking, they don’t have a choice).  The problem with asking for ID is that it exposes essentially any information on that ID – your name, address, height, weight, eye color, license number, date of birth, etc.    Now, we can argue the cashier (or anyone else within visual distance) couldn’t possibly remember any incriminating information, but that’s not the point.   Fundamentally, it exposes you to a greater risk of identity theft.

The clincher is this – I tried to explain in a friendly way why I was hesitant to show my ID, but the cashier was visibly aggravated and simply said, “I’m just trying to protect you.”  

I firmly believe that he believes this, but it’s just not the case.  In a credit card transaction, we have Visa, the bank who issued me the card, Best Buy (in this case), and me, all involved in this transaction.   In reality, he’s protecting Best Buy, not me.  Nothing wrong with that as an employee, but not at the expense of exposing my personal information.

On 2 occasions over the past 10 years, my credit card information has been compromised by someone – I never found out how because Visa won’t tell me, but they were pretty broad cases that happened to many people online so the presumption was an online retailer was compromised.    In any event, it was not really a problem – I signed a paper that said I didn’t make the charge, and the problem for me was gone.  It would be far worse if someone opened an account in my name or I was a victim of fully blown identity theft.   And the best way to avoid identity theft is to never expose your personal information.

In this case, if I were a criminal (craftily trying to forestall suspicion by buying printer ink for $30 instead of a $10k home theater) I would’ve refused to show ID and Best Buy would have to accept the sale anyway (if my signatures matched).   So all I’m doing is proving I’m me, and I already knew that. 

So what could the Best Buy cashier do?   Well, comparing signatures on the card is a pretty foolproof method --  nothing more is needed.  Next is applying common sense – I’m buying printer ink for $30.   Visa will automatically call me or block an ‘out of character’ transaction.    I used to work retail and the credit card machine would return a “Call” message instead of “Approved” in these cases.  If I fail the signature test, either call Visa or ask for an ID.

What happens if I was a criminal and was able to buy the ink?  Well, I’d notice this on my statement and refute the charge, at which time someone will be screwed – either Best Buy or the bank – I’m guessing it depends on what kind of evidence is produced and perhaps their agreements in place, I’m not sure.   

So if Best Buy or another merchant is so exposed, why accept Visa (or other) credit cards at all?   As I mentioned above, signatures are a pretty foolproof method.  But, the reason is getting more business.   Best Buy has the option to not accept Visa, but they have made the choice to accept the merchant agreement in doing so.   If Visa thought it was a problem, they’d change the agreement or put my picture on the card.

Should the cashier or any other merchant read this, my advice is to always be friendly – lose the chip on your shoulder if you have one.  I was politely trying to explain this and not give the guy a hard time (no one was in line behind me), so as long as I’m friendly, be open to the possibility I might know what I’m talking about.   In turn, it aggravated me that he was so aggravated.   I’ve been there myself, and I work with customers all the time today – fortunately the vast majority are great. 

Coincidentally, and to make this entry a little more apropos, while I was writing this I saw a Microsoft commercial for IE8 that talks about identity theft – check it out at http://ie8protects.com… it’s a “reality” style commercial where they set up a fake bank, and entice customers into a false sense of security – it was pretty funny actually, especially since I was writing this post!

How about you?  Do you care if merchants ask to see your ID?   If so, did this post change your mind?

Babble | Security

Podcast with Michael Kimsal

by Brian Hitney 19. December 2009 02:51

The other day, I had the honor of sitting down and rambling endlessly with Michael Kimsal in this podcast.  It was a lot of fun, despite the overly loud announcement system in the background (“…table 3, your order is ready” type of thing).   Michael is one of those insanely smart kind of guys that has a really balanced view of technology and a lot of fun to talk to.   Michael publishes (among other things) jsmag, a must read for javascript developers.  Check it out!   Also, if you use coupon HITNEY on the site, you can get a free issue!  (Thanks Michael!)

Development | Technology | Babble

RARLabs RARFail

by Brian Hitney 15. May 2009 12:12

I’m on a FAIL kick lately, and this one deserves a post.  I used to be a huge fan of WinRAR, a file compression tool that was easy to use and supported a wide array of options like file spanning and encryption.

I’m all for integrated ads – that is, ads that leverage the same font/color scheme of the site.  Now, both of these ads in the page below are for the same product, RegistryBooster 2009.  The ad in the top right is obviously an ad, but it’s pretty close to crossing the line.  What do I mean by crossing the line, and how integrated is too integrated?  Crossing the line is when there’s a strong likelihood users will accidentally or inadvertently click on a link, not realizing it’s an ad. 

The second arrow (the ad in the middle) crosses that line.  While it’s true that it’s marked as “advertisement,” it’s done in a clever enough way that attempts to trick the user to click on the link (let’s face it: we usually skim pages).  This is because the placement of the wording would make users feel that clicking “download now” is actually downloading the intended WinRAR application.  Further, the green “run system scan” link implies I’ve clicked this link before, and consciously or unconsciously, we feel safer in clicking previously visited links.

So what do you think?  I’m not claiming this is the worst I’ve seen, but it’s enough to make me question the integrity of both RARLabs and Uniblue (makers of RegistryBooster). 

image

Technology | Rant | Babble

What is AT&T doing? Or is it IE?

by Brian Hitney 21. April 2009 06:20

Any takers as to what is going on here?   Little things like this can be so frustrating and yet funny at the same time. 

So quick background:  cancel wife’s old cell phone, decide to get a new pay-as-you go plan because she never/rarely uses it.  Most carriers have a plan that for $100, you can add a bunch of minutes that expire after a year, so, it works out to be about $8/mo.   I already have an AT&T account, so decide to go through them. 

I go through checkout, yadda yadda:

image

Um, where’s North Carolina?  It has my zip code already and prepopulated the city.   For that matter, where is New York??   Now, remember, I already have service here, there’s plenty of coverage, stores all around, etc., so I know there is service here.  Clear everything (including cache), start over, same issue.

Next I load the site in Firefox:

image

Ah!  There we are.  And New York is back, too!  As best as I can tell, I followed the same procedure for selecting the plan.  Maybe a rendering issue?  Let’s look at the source…

First up, what is with all the white space in the document?  This is in both browsers (I highlighted part of the document to show the blank spaces):

image

Next is the state selection in IE8.  Why the gap(s)?  And why is Minnesota selected??  (NOTE: I’m not suggesting the gaps pose a problem other than wasting bandwidth … but it does seem to indicate some kind of processing change … server side code would tend to be more predictable):

image

And now in Firefox:

image

Weird, huh?   Because of the white space and layout, it seems something is going on during server side rendering. 

UPDATE:  Seems like it’s fixed.  I tried several times in IE8, clearing the cache, with the same result.  Then, I tried Firefox with the IE8 User Agent, and it worked – but then when I went _back_ to IE8 it seems to be working.   So for now, I guess it will remain a mystery.  I’ll venture a guess that it had nothing to do with the user agent and rather something else, such as hitting a different server or server farm altogether, despite having cleared the cache as I went back and forth. 

Babble | Technology

Fox News Needs a Geography Lesson

by Brian Hitney 22. March 2009 12:06

Maybe it’s because I just returned from Vegas.  Maybe it’s because I used to live in Idaho.  Maybe it’s because I’m not part of the 20% who can’t locate the US on a world map, but geez, how do graphics like this get on air?   

foxnewsgeo

Babble | Rant

Internet Security Slipping?

by Brian Hitney 19. February 2009 13:55

I've noticed a disturbing trend lately and I'm not quite sure if it's just me, or happening more in the industry.  Or, maybe it's because my credit card, for the 2nd time in less than 2 years, was compromised by someone (Visa won't tell me who -- and with today's BI, it's pretty easy to figure out I would imagine). 

So, I'm seeing a number of sites on the internet not using SSL when capturing PII.  Clearly, this is crucial for credit card transactions, but it's also important for PII.  Of course, SSL only encrypts the traffic between you and the domain, and ensures the domain is who it says it is -- what the host does with your data is out of your hands.  It's a little like going into the kitchen at a restaurant. :)

The other day I was lamenting with a colleague about my lame internet connection while we were playing around with the cool sharing features in Office Communicator.  (Bottom line was my connection chokes on camera and desktop sharing.)  The best I can do on my internet connection is, sadly, 512k upload:



The chart is fairly amusing on various levels but seeing that I'm out of luck in going beyond 512k, I decide to contact customer support to see if there's anything I can do.  Heck, even 768k upload would open a lot of opportunities.

But when I go to ask a question on the support page, I see this page:



No SSL?   No credit card information but surely enough PII to make me feel SSL should be required here.  Now, this scenario is a bit different since I'm a customer, so I did a traceroute to see where my data was going:



So, fortunately, as long as I'm sending the data from my house, it seems my data is reasonably secure as it's staying within Time Warner's domain and frankly, that's the best you can get from SSL. 

I didn't submit the data, but it made me realize how many sites I've run into that don't use SSL, or access points that are insecure.  I recently permanently borrowed Glen's HTC Touch Pro, and it has built in wifi.  I left it on and as I drove around, I was completely stunned at how many times the phone would ding that a new wireless network was available -- and most were insecure. 

So is this my imagination, or is security really this bad? 

Babble | Rant | Technology

WorldMaps Goodness

by Brian Hitney 24. April 2008 05:32
I think I finally got Peter hooked on WorldMaps.  My latest victim.  And of course, it wouldn't be possible without the official WorldMaps evangelist, G. Andrew Duthie.  Thanks guys!

A few questions came up on Twitter, so I thought I'd take the time to expound on them here.  The first question was: who are the top WorldMap users?  Here's the top 10 at a glance:

 Site Hits
 http://dancesportinfo.net 5,137,942
 http://blogs.technet.com/askperf 722,489
 http://www.structuretoobig.com 427,112
 http://www.irritatedVowel.com 309,104
 http://www.wynapse.com 243,283
 http://blogs.technet.com/benhunter 155,276
 http://timheuer.com/blog/ 147,714
 http://blogs.msdn.com/gduthie/ 121,912
 http://blogs.technet.com/davidcervigon 113,178
 http://sharepoint.microsoft.com/blogs/GetThePoint/  109,067

So there you have it.  I'm going to build a "live" top 50 page soon that includes links so you can view the data breakdown a bit more thoroughly.

One question that came up is how my stats (currently #3) are gathered -- for example, do I get a hit for everyone else's hit?   A fair question since I'm using my own service.

Looking at the data above, the answer is obviously "no," traffic from other sites doesn't affect my numbers.  The sum of all hits is around 8.5 million compared to my ~400k (see an all-user mashup here).  Indirectly, much of the traffic *is* driven from folks clicking through to my site. 

One way to measure this is by looking at the Global Domination and Unique Domination statistics on the maps (bottom right corner).   Global Domination shows how many unique locations you've hit in contrast to all known unique locations.   Remember, though, that this number is relative.  For example, as far as I can tell, all locations in Manhattan are considered 1 location.  So while you may have thousands or even millions of users visiting from Manhattan, it's resolved as only 1 unique location.  Unique Domination is how many of those locations belong _only_ to your map -- locations you are hitting that no one else has.   The cool thing about this number (at least I think it's cool) is that it will continually grow smaller.  Before long, having ANY unique domination above zero will be a prized value.

Another question is: How is rank determined?  First, it's completely possible for some users to be lower in rank yet have stunning World/Unique Domination.  Look at Andrew's stats.  The poor guy just fell to #8 ... but holy cow, look at the global/unique domination stats.  He's schooling me and just about everyone else.

Quite simply, rank is determined by the sum of all hits.  And I'm thinking it's time for a change.  The question on the table that I ask everyone who uses it is, what is the fair equation for determining rank?  Total hits as it stands today?  Hits/day average?  Unique IPs?  Global Domination?  Or a mix of all of them?

As for my stats personally, I have an edge.  I was using the system months before it was available to the public, and even then, users were very slow to sign up.  While my hits/day is lower than many in the top 10, my time on the field has been longer, and has carried me a bit.  I admit that.  :) 

But then, I do only use it on my home page nav, not on every page.  For example, I could use the tracking pixel version on my master page so it shows up on every page on my site, and then just display the map on my home page.  The end result would be that my Global/Unique Domination and Unique IPs would remain unaffected, however, total hits and hits per day would skyrocket.  So you see, there are many ways to interpret the stats and hard to treat it as a strict comparison.

So what's on my to-do list? 

1. Top 10/25/50 page, with links.
2. Web services for data portability.
3. Silverlight integration (somehow ... anyone want to help with that?)
4. 1:many accounts or subaccounts. 
5. A "no user" page.  (If you visit the "all user" page, this would be the opposite of that -- what locations have no one hit yet?  Where the all user page has high Global Domination and zero Unique Domination, this page would be the opposite -- zero Global Domination and high Unique Domination.)

Babble | Technology

Screen Clippings...

by Brian Hitney 4. April 2008 11:05
Some interesting screen clippings I came across.

The first is of the winning bid in the Charter High Speed Internet auction.  The auction, I imagine, took on a life of its own and the winning bid:



Wow!  The nice news is that Charter donated the proceeds to charity.  As some have pointed out, though, that wasn't announced until last minute, so most of the bids were done not knowing this.  Still a good cause, but can't believe the auction got that high.  Not sure how high I'd go to get internet for life -- but boy, that's in another league.

Next, this one on the weather.com site and the chance of rain April 5th:



Let me explain this one a little.  It might have been Jerry Seinfeld who said something to the effect of disliking the "50% chance of rain" forecast -- "basically you're saying 'maybe it will rain, or then again, maybe it won't.'"  But, I don't know if I've ever seen 100% chance of rain.  Cool -- we need it.  I just don't know if I'm ever 100% sure about anything ... I applaud their certainty.   There's just that cynic in me that imagines some weatherman saying, "No matter what happens, it will positively, absolutely rain tomorrow." 

Babble

Interesting Referrals

by Brian Hitney 5. February 2008 11:26
I decided for fun to look over some referrals my site has received from various search engines, and I picked out some interesting ones.  Here are some of my favorites … I should keep digging to see how many fun ones I can find!

http://www.google.com/search?q=emotional+attachment+physical+trainor
Hmmm … sounds intriguing!  Spelling aside, I have no idea how they found my site on this one.

http://www.google.com/search?q=Reason+Amazon+losing+money
Is Amazon losing money?

http://hk.search.yahoo.com/search?p=structure+of+grasshopper
Obviously I get a lot of referrals with “structure” in there somewhere.  But grasshopper??

http://search.yahoo.com/search?p=advantages+and+disadvantages+of+product+sturcture
What is product sturcture?

http://www.google.com/search?q=what+is+involved+with+an+annual+physical
Valid question, but my site?

http://www.google.co.uk/search?q=how+big+is+the+magic+packet
This one just made me chuckle.  Like ‘structure’, searches with ‘big’ in the query land here quite a bit, too.  And yeah, I know the magic packet is referring to WOL. 

http://www.google.com/search?q=getting+out+of+early+termination+verizon
I have hundreds – maybe thousands of these (or similar).  Glad I could help!  (I did this successfully and blogged about it when Verizon tried to slip in new fees somewhat surreptitiously.)

http://www.google.com/search?q=giblet+torture
I don’t even want to know.

http://www.google.com/search?q=my+tv+is+too+big
Not surprised this landed here because of the ‘too big’ in the query, but I’d love to know what this person was searching for.  Ways to shrink your TV?

http://www.google.com/search?q=Microsoft+InstallFest+Charleston

Ouch.  I left you guys out – sorry!

http://www.google.com/search?q=glenn+gordon+blog
http://www.google.com/search?q=Glen+Gordon+charlotte
http://www.google.com/search?q=glen+gordon+silverlight
http://www.google.com/search?q=glen+gordon+blog
Glen is popular on my blog!

http://www.google.com/search?q=non-technical+people+should+not+make+technical+decisions
I couldn’t agree more.

http://www.google.com/search?q=i+am+an+employee+who+lives+in+New+Jersey+and+work+in+New+York+in+which+state+do+i+pay+state+taxes+to
Whoa.  Verbose query.  

http://www.google.com.ua/search?q=Why+catch+(Exception+e)+is+almost+always+a+bad+idea
It’s really not always a bad idea.  In general, where this comes from is the school of thought that you should handle “expected” exceptions.  For example, an ArgumentException if some argument is not valid.  This is because in order to handle exceptions properly, you need to know the type of exception being caught.  By using a catch-all like this, you never really know the type of exception (unless you’re doing a typeof()) so how does your application know how to handle it effectively?  Therefore, if you can’t handle the specific exception, it should be thrown.  But this is theoretical.  There are plenty of occasions where you might want to handle ALL exceptions, do something (like log them) and move on.  What you want to avoid, almost all the time, is simply an empty catch {}.

http://www.google.com/search?q=new+inxs+leadsinger+hairstyle
I have no idea on this one.

http://www.google.com/search?q=do+fibonacci+numbers+reveal+the+involvement
I realize most of us paraphrase or shorthand when searching … but what is “the involvement?”  

http://www.google.com/search?q=tired+of+mac+commercials
Yes!

http://www.google.com/search?q=ethical+issue+with+Coldwater+Creek
http://www.google.com/search?q=Coldwater+Creek+ethical+stance
http://www.google.com/search?q=Coldwater+Creek+lawsuit+family+leave
http://www.google.com/search?q=coldwater+creek+ex+employee+rants
http://www.google.com/search?q=I+worked+coldwater+creek
http://www.google.com/search?q=coldwater+creek+employee+turnover
http://www.google.com/search?q=former+employee+comments+coldwater+creek
[snipped many more]  What’s interesting about these is _who_ is doing these searches (based on the IP they came from).  (I won’t keep it secret: part attorney general, part company themselves.)   Not surprised, really.

Babble

Happy Holidays!

by Brian Hitney 21. December 2007 11:49
*sigh*  I just now heard my daughter singing "Santa Claus is coming to town..." -- which is cute as can be, except she actually used the lyrics, "He knows when you're in sleep mode ..."  If that needs explaining, just watch some more TV. :)

In doing some of my holiday shopping, I came across these web snippets.  The first is from Target -- they've apparently revamped their site header.  I like it:



And Smarthome ... I love these guys for my home automation needs, but I'm not sure this is the best stocking stuffer idea:



That's it for me, I'm shutting down for some scheduled maintenance.  See you in '08!

Babble

your host...

Brian Hitney
Developer Evangelist
Microsoft Corp.