Slashdot Mirror


Are Signature Pads Dangerous to Privacy?

WildHunter asks: "While making a foray into a local retailer today I paid using a credit card and was asked to sign a paper receipt on top of a digital pad. Being cautious I asked what it was for and I was assured that it was 'fully secure and safe to use'. Being a typical paranoid Slashdotter I offered to sign off of the pad but refused to sign on the pad. Was I overreacting or can someone back up my paranoia with some facts?" Think about it, some deceitful vendor has one of these, sells you something, gets your signature, and can then ring up loads of charges on your card using a digital copy of said signature over, and over, and over... you get the idea. Do the current crop of signature pads protect against this and other similar kinds of deceit?

4 of 85 comments

  1. I doubt there's more of an opportunity by leviramsey · · Score: 5, Insightful

    ...than the physical signatures.

    Think about it. All the retailer gets is a digital copy of your signature. Now, they could conceivably sign your name to contracts with them and such. But in order to actually sign your name, the person with the copy of your signature would have to actually write it out with a pen. Now, even the most braindead clerk would get suspicious if you had to use a stencil to sign the credit card receipt.

    Yes, they could learn your signature from the digital printout, and if they're adept enough at forging, could do it that way. But they could do exactly the same thing with old-fashioned receipts (making copies of the receipt if necessary).

    In addition, the credit card companies do maintain large anti-fraud departments to investigate this sort of thing (as under US law, you'd only be liable for up to $50 of the purchases the retailer would make without your actual signature; if he buys a brand new rig from AlienWare with your signature, several grand will be eaten by AlienWare (which doesn't help their relationship with the CC) or it gets eaten by the CC). Either way, they see a pattern of people who have transactions disallowed, all of whom made purchases at the same store, and the retailer gets in big trouble.

    There are more important risks with CC's.

  2. Spoof 'em. by inkfox · · Score: 5, Interesting
    Those units are just like the old Koala Pads. It's a grid array of wires, which make contact when they touch. This means they can only accurately detect one position at once.

    I don't trust them because I don't know if they're recording a bitmap or vector/spline data. The former is okay, but the latter, if intercepted, can be used to make an infinite number of unique-looking but valid signatures. So, I usually make swirls with a fingernail while I sign, making a valid paper signature and a cloud of noise on the screen, since the pad can't tell which of four moving coordinates is the real active one when two different points are pressed at once.

    I've only ever had one merchant actually look at the screen and ask me to sign again. (He thought it was the unit's fault.) The rest seem to believe that the pad is checking my signature, not just recording it.

    --
    Says the RIAA: When you EQ, you're stealing bass!
  3. Usual paranoia by blankmange · · Score: 5, Insightful
    Yeah - I don't like giving out my credit card info to questionable people behind the register either, but what are you going to do? Start using cash in all of your transactions?

    Digital signatures can be used by less-than-ethical sods just like your credit card number by the same people. Make sure your credit card company has fraud protection and be done with it....

    This is similar to the people who will willingly give their credit card to a person behind the counter but refuse to shop online because 'it isn't secure enough'..... Get over the paranoia and get on with your life... it is too damn short to take up your time with menial crap like this....
    --
    ...we are from the government - we are here to help...
  4. some experience with this by vsync64 · · Score: 5, Interesting
    Until recently, I used to work at Office Depot. During this time, the store switched over to electronic signature pads. To their credit, they did tell us how to bypass this procedure and allow the occasional paranoid customer (with suitable rolling of eyes) to sign on paper. Unlike Best Buy, from what I've heard.

    I was one of those paranoid customers whenever I bought something from the store, and I disliked having to allow customers to use the pads, for several reasons:

    You can guess a lot by how someone signs their card, and having the card in hand allows you to verify the pattern of hand movements for the signature, as well as check expiration date, holograms, etc. With the self-swiper, the customer retains the card at all times. Sure, you can watch the hand movements and compare to the signature if you get a glance at it, but regardless, most people put their card away quickly and furtively, triggering mental red flags, and then get pissy if you ask "Sir, may I see the card and a photo ID please?". So you lose either way.

    Secondly, the company would have a perfect digital record of the signature. Note that I said "company", not "store". While it's true that signatures could easily be forged from paper receipts, having a single giant database of signatures presents a much more tempting target, and a much greater reward should it be compromised. Keep in mind that Office Depot is the same company that has all their "locked-down" in-store kiosks brag about the need to enable unsigned ActiveX controls, so I'm not the most confident in their data security.

    This annoys me as a customer of other stores, too. "See ID" means nothing if the retailer never gets a chance to see it written on my card.

    The world of credit cards is rife with fraud and incompetence anyway. Gas stations and convenience stores are the worst. (I was recently in a gas station where the clerk told me, "Well, your signature matches, so I won't ask for your ID." Gee, thanks, lady.) And they're as obsolete as cheques -- we won't be remotely secure until we have smart chips in every card and deprecate all legacy swipers -- but I'm not sure if being secure in my identity can make me feel more secure overall. There are good reasons to keep the anonymity of cash around.

    Note that I wanted to use em dashes (&mdash; HTML character entity) in my penultimate sentence, but I guess Taco has decided to disallow the ampersand escape and further muddy the waters of HTML. Way to go, guy. Is it too complicated to equate &nbsp; with the space character in your joke of a "lameness filter", instead of restricting those of us with US keyboards to ASCII-7? I notice you've already made an exception for &amp;.

    --
    TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.