Slashdot Mirror

← Back to Stories (view on slashdot.org)

Blu-ray Update Sent To User Via Credit Card Records

Posted by CmdrTaco on from the allright-that's-just-plain-scary dept.

wmoyes writes "Back in September I ran into a Best Buy store to buy a Samsung BD-P2550 Blu-ray player. I didn't give the clerk my name, telephone number, or address, just my debit card. The player has sat happily in my living room without ever being networked or registered. Today I was shocked to find a package waiting for me at home from Best Buy — inside was a firmware update CD for the player. I used to think Windows Update was scary, but Samsung's update service tracked me to my house using the mag stripe from my bank card. Has this happened to any other Blu-ray owners?" Or is there a simpler explanation?

31 of 526 comments (clear)

  1. Customer information sharing by Ethanol-fueled · · Score: 5, Informative
    From the sound of this, Samsung or Best buy are not to blame as much as your credit card issuer is for sharing your information. Choice quote:

    First, the facts: The Chase policy, which is similar to those of many other credit card companies, states: "You may tell us not to share information about you with non-financial companies outside of our family of companies. Even if you do tell us not to share, we may do so as required or permitted by law..."

    According to the Wikipedia article, the credit card number, expiration date, and PIN verification info. I've seen tweekers do it with stolen cards. Magstripe readers are available for 50 bucks online.

    1. Re:Customer information sharing by wmoyes · · Score: 4, Informative

      My guess is that they (Best Buy) cross referenced the name they read from my credit card to one of the bulk mail lists they purchased for marketing purposes. The letter was addressed to me 'or current resident' and inside was information about how my player with this new firmware update could download Netflix movies. The update CD itself was for my specific model (BD-P2550).

      The other possibility is that they cross-referenced my in store purchase via the card number to a previous on-line purchase from their web store (which would have included a shipping address). In either case, the mag stripe of my card (in an otherwise anonymous transaction) was used to make the connection, and four months later a package with a firmware update arrives at my house.

    2. Re:Customer information sharing by secretcurse · · Score: 3, Informative

      the mag stripe of my card (in an otherwise anonymous transaction)

      That's probably the dumbest thing I've read all day. If you want an anonymous transaction, don't use a card.

      --
      I'm using all of my mod points to mod ancient memes down. Please join me.
    3. Re:Customer information sharing by chongo2002 · · Score: 2, Informative

      You are apparently not a real /. member, you have a g/f.

    4. Re:Customer information sharing by peragrin · · Score: 2, Informative

      Bestbuy doesn't ask for your address during returns/exchanges at least they didn't for me yesterday.

      Of course I avoid membership cards like the plagued that they are

      --
      i thought once I was found, but it was only a dream.
    5. Re:Customer information sharing by pdabbadabba · · Score: 4, Informative

      "Those marks mean they never had a physical signature attached to a document, and thus it's wholly unenforceable."

      Totally wrong. The validity of those signatures have been upheld countless times in court. Generally, an electronic signature pad is backed by a surprisingly sophisticated system for tracking when you signed, how you signed, and what you signed, generally storing screenshots of each step of the process including the agreement for each unique signature.

      Does it prove conclusively that you signed the document that they say you signed? No. but, then again, neither does your signature on a paper contract (Think about it. Do you sign every page or just the last one? ). The signature is good unless you dispute that you made it in court (and just not being sure if that is the document you signed doesn't cut it. You are expected to have a reasonable belief that it isn't).

      --
      caritj.org
    6. Re:Customer information sharing by Fizzog · · Score: 5, Informative

      "they would have to get that info from the card issuer"

      No, not really.

      I worked for a telephone services company some years ago and developed their customer information system. We would only get one of two possible pieces of information from a transaction: the telephone number they called a 1-900 number from, or the Credit card number they used if they called a 1-800 number.

      We wanted to get the customer information so we could send them related advertising.

      There are vendors out there that will supply all available subscriber information for a telephone number, and others that will provide all available information given a Credit Card number.

      Telephone numbers are not super reliable as they can be re-used, but for 5 cents we would (about 60% of the time) get a result which would give us the subscriber name and address. For 20 cents we would get about a 90% match. We sent all phone numbers to the 5 cent vendor and for those that didn't get a result we would send them to the 20 cent vendor.

      Credit Card numbers are quite reliable and for 1 dollar we would get *all* of the information on the card holder. This included name, address, age, spouse's name and age, children's names and ages, your income, and various demographic information for your neighbourhood.

      Given that big box stores likely get thousands of 'Card only' purchases a day I am sure they also have similar agreements with vendors, or contract with 3rd parties to do it for them.

    7. Re:Customer information sharing by Compulawyer · · Score: 2, Informative
      Two points:
      1. Sorry, but your legal conclusions about attaching signatures and enforceability are incorrect; and
      2. You can always do what I do - ask to sign on paper. Those capture pads have paper backups in case the pad malfunctions so the retailer does not have to close a lane. Target, WalMart, and many other retailers do not even blink when I ask to sign on paper. They cheerfully print out a signature copy just like on the olden days of 2006. If anyone ever claims to have an electronic signature for me, I have mountains of proof that it is a forgery because my practice is not to provide electronic signatures.
      --

      Laws affecting technology will always be bad until enough techies become lawyers.

    8. Re:Customer information sharing by die444die · · Score: 2, Informative

      I don't know exactly how the retailer gets this information, but CC alone is enough for them to get your address. This happened to me recently. I went to a local "dollar store" for the first time recently and purchased a Coca-cola with my credit card. About a week or two later I received an ad from the store addressed to me (not Current Resident). The only way they could have gotten my address was from the credit card company.

      --
      die444die
    9. Re:Customer information sharing by Myopic · · Score: 4, Informative

      Yes! Same here. And that site is

      www.optoutprescreen.com

      I share everyone's frustration that you have to opt out of a process by which another entity can expose you to the risk of identify theft, but I can personally attest that this site is effective. I have even moved a few times since I signed up, and still remain opted-out.

    10. Re:Customer information sharing by salesgeek · · Score: 3, Informative

      No wonder credit card companies are so eager to do chargebacks and eat the loss on fraud...

      Actually, the seller gets hit with the chargeback. Hence the back in chargeback. The CC companies have no skin in the game. The people that eat it on fraud are the people that are selling. CC fraud is VERY bad.

      --
      -- $G
    11. Re:Customer information sharing by SmoothTom · · Score: 2, Informative

      I have taken lately to showing my US Passport Card when asked for picture ID...

      Not only does it not have my address or signature on it, I suspect that getting information about me from the US Department of State is a damn site more difficult than getting it from most other sources.

      So far no one who has requested ID has objected to the passport card, which is almost a disappointment - I sometimes relish a good fight. :o)

      (The US Passport card is better screened and more difficult to get than a common driver's license or state ID card, and is issued by the federal government. If someone doesn't want to accept that as official government issued picture ID, I WILL be right there in their face.)

      --
      Tomas

    12. Re:Customer information sharing by DentInYourHead · · Score: 2, Informative

      Perhaps it varies by card issuer (bank, not Visa/Mastercard/etc) but I think it depends. I used to work in CC disputes/fraud for a very large bank. Sometimes the transactions were charged back, sometimes they weren't. Fraud usually got written off and eaten. Disputes were charged back to the merchants; if the merchant represented the charge we'd sometimes eat the charge depending on the case. And then there were the end of month times where we hadn't used up all of our "write off" budget, so we'd do a mass write off for all charge disputes under a certain dollar threshold just to meet that budget limit. Otherwise our write off budget would be lowered next month (bad if you have a lot of legitimate write offs)

    13. Re:Customer information sharing by scatters · · Score: 2, Informative

      I believe that this applies to single cash transactions of > $10k, or multiple smaller transaction that equal or exceed 10k over a specified period of time. Also, only the following companies are required to report these transaction:

        - banks
        - securities companies
        - money services companies
        - casinos
        - gem/precious metal dealers
        - insurance companies

      Notably, car dealers are not on this list...

      See the federal Bank Secrecy Act - http://www.fincen.gov/

      --
      A One that isn't cold, is scarcely a One at all.
    14. Re:Customer information sharing by jonbryce · · Score: 2, Informative

      In Europe the limit is €15,000, and car dealers are on the list.

    15. Re:Customer information sharing by flawedgeek · · Score: 2, Informative

      As a Best Buy employee, allow me to share some insight: Whenever you purchase something there, the transaction is stored in the computer system and linked to your CC # and name. We regularly look back years in the past to get receipts for people so they have proof of warranty/etc. This is strange, however, as I've never heard of us mailing out firmware updates...

      --
      My other Sig is .40 caliber.
    16. Re:Customer information sharing by salesgeek · · Score: 2, Informative

      DentinYourHead - I own a processing company. Things have changed substantially in the past 3 years. It's mostly hitting the merchants now. I wish the banks were eating it, but most of it is going back to the merchants, and this is especially true of internet based transactions.

      --
      -- $G
  2. it's the credit report agencies by Anonymous Coward · · Score: 3, Informative

    This is not unusual. I have benefited from several class action suits where they have somehow tracked me down years after the fact, which is particularly impressive because as a student/young professional/grad student, I moved almost every year.

    What probably happens is they give the debit card number (which is unique and remains unique long after you cancel/close the account) to a credit reporting agency (e.g. Equifax), and the credit agency has a record of your most recent address, which they got when you changed your address at your bank or any of your other credit cards.

    1. Re:it's the credit report agencies by darkmeridian · · Score: 2, Informative

      Credit reporting agencies may have updated information on your whereabouts but the law restricts them to report only with your permission and only for legitimate purposes. The financial penalties are severe. Therefore, I doubt that BestBuy or Samsung walked around pulling the credit reports of hundreds or thousands of consumers without their permission just to send an update disk.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    2. Re:it's the credit report agencies by Anonymous Coward · · Score: 2, Informative

      Section 604(a)(3)(F)(i) of the Fair Credit Reporting Act:

      In general, any consumer reporting agency may furnish a consumer report under the following circumstances: To a person which it has reason to believe ... has a legitimate business need for the information in connection with a business transaction that is initiated by the consumer.

  3. Re:Cash by Jah-Wren+Ryel · · Score: 2, Informative

    Or this case, which might possibly result in a SCOTUS ruling requiring cops to use their brains before using their cuffs.

    --
    When information is power, privacy is freedom.
  4. Re:Personal Information and Tracking you down by LMacG · · Score: 3, Informative

    As they say on Wikipedia, "citation needed". I've bought a hundreds of things at BB, and even worked there for a spell when I was between real jobs; never once was I asked for my phone number during a purchase.

    --
    Slightly disreputable, albeit gregarious
  5. And what is wrong with this? by $1uck · · Score: 4, Informative

    You purchase an item on Credit you're entering into an agreement to pay for something they are going to want to know your billing address so that they can verify payment. If you're that concerned about your privacy you need to not enter into such agreements and pay for everything with cash (which protects both sides). As a side note isn't this potentially a good thing that they sent you an update? You can decide not to use it if you fear its updating drm as opposed to improving the product.

  6. Re:Don't panic. by houghi · · Score: 5, Informative

    of course Best Buy has access to your home address, via your credit card.

    This would not be the case in Belgium. In fact it is even illegal to do it that way. If I give only my credit card details, all they will have is the following information:
    Last 4 numbers of the credit card (We are not allowed to keep the credit card number anywhere)
    The name of the credit card holder and the expiration date.
    From the transaction itself the time, amount, item and card. (e.g. visa)
    Some extra information related to the payment itself an the communication concerning the payment.

    No link there with the users address. So unless we link it elsewhere with the address, we would have no idea what that would be. Calling the company will result in nothing but wasted time for both as they are not allowed by law to tell us the address.

    --
    Don't fight for your country, if your country does not fight for you.
  7. Re:Don't panic. by Anonymous Coward · · Score: 0, Informative

    Most retail stores put your information into their database when you make a purchase.

    The first time you purchase from a company you'll usually be asked your name, address, and phone number before making the purchase no matter how you're paying.

    Same thing with online orders as well.
    Even if you don't tell it to remember your information it's still in a record somewhere.

    I'm personally not too worried about it.

  8. Check you card for any bill BB wants $30 to do thi by Joe+The+Dragon · · Score: 4, Informative

    Check you card for any bill BB wants $30 to do this.

    http://consumerist.com/5122504/watch-out-for-firmware-shenanigans-at-best-buy

  9. Re:We know where you are. by dgatwood · · Score: 3, Informative

    Yes, you should. It is combining two complete clauses. If both clauses were short, it would be optional, but it is always correct to use a comma in this case.

    If you want to complain about something, complain about the comma splice in the last sentence. It should either be a period (followed by a capital letter) or a semicolon.

    --David the Grammarian

    P.S. Just to bring this back on topic, if you want to make it a lot harder for this to happen, use a prepaid credit card and pay with cash.

    Note: there are two short clauses in that last sentence. :-)

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  10. Bank, Credit Card Company, Merchant by Vandil+X · · Score: 2, Informative

    When you use a debit card, your using Visa or MasterCard's good name and network to check with your bank to see if your account has the appropriate funds for the transaction.

    If your bank account does have enough funds, Visa/MasterCard requests the transaction amount to be placed on hold on your account until such a time as when the funds can be actually transferred from your bank account to the merchant's account with a credit card merchant office (e.g. Nova). This transfer can happen instantly during business hours or can hold as pending until the next available business day if done during off hours or weekends.

    You sign/confirm to an agreement that the funds will still be there when the transaction electronically resolves itself. If you don't have the funds, Visa/Mastercard can come rape you. If the merchant sold you damaged goods and will not issue you a refund, you can use Visa/Mastercard's thugs to force their hand. If you didn't make the purchase (identity theft), your bank can use Visa/Mastercard's thugs to track things down, issue you a provincial credit, and other fun things.

    Anytime you pay for something electronically, your info will be made known to the merchant and Visa/Mastercard. How do you think Visa has that promo for debit cards allowing you to be the big mystery winner just for using your debit card to make purchases?

    --
    Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
  11. CC Info Cross Reference by sjbe · · Score: 3, Informative

    I've stopped shopping at stores that use my credit card as a way to get me on their mailing list. On vacation, we bought some chocolates at Harry & David. When we got back, there was a catalog from them in our mail with my name (not "Resident") in the address.

    I'm not saying you're wrong but you do realize it is far more likely that they got your name and address from a local mailing list vendor than from your credit card? Especially around the holidays. There are countless services available that can target promotional mailings for a fee. There are all sorts of public sources for this information including housing records. (seriously - buy a house and you will get spammed with more refinancing offers than you can imagine)
    I get Harry & David catalogs too (no I don't want them), with my name on them and I've never purchased anything from H&D. They also will send you catalogs if someone else buys you a gift from H&D.

    That's not to say they don't use credit card into. I never give a zip code, phone number or any other info when checking out because it can be cross referenced. I nearly called the cops on the guys at Jiffy Lube once because they drained the oil in my car and then insisted they needed my address to put oil back in. They do have a legal right to ask and can refuse service if I don't provide the information but then I have a legal right to shop elsewhere as well.

  12. Re:Cash by mattack2 · · Score: 2, Informative

    You're going to bother going to the ATM to get a couple of hundred dollars in cash?

    Instead of using a credit card, where the purchase is _cheaper_ (cash back, other rewards) than with cash. I pay off my credit cards every month, they're more convenient than cash, especially now that virtually all places I go to take them (e.g. restaurants).

  13. Re:Cash by RJFerret · · Score: 5, Informative

    Except it's not cheaper, what you interpret as cash back is actually compensation for providing your personal information and you having paid extra for the "convenience".

    It's sharing a percentage of the charge the vendor has to pay for processing a credit card, ever wonder why some places (commonly gas stations) have different prices for cash/credit? Prices overall could be a few percent cheaper if nobody used credit cards and that "cash back" could be accruing interest in YOUR bank account instead of theirs!

    I'll take the 2% in my savings account rather than the 1% you get back after a month (interest free) any day (and Discover doesn't give it back anymore until you've accrued a big chunk).

    Also, I use credit cards for business expenses, and the transactions take longer than cash (which I use for all personal expenses). Ironically, it used to be you'd look for the line where people were paying cash as it was faster, and now the credit card payment systems have gotten more convoluted and time consuming than when we signed paper slips, never mind waiting for a slow network day or waiting for the clerk to explain which buttons to press to each person in line. (Although I love self checkouts, then there's nobody there to explain to people how to process their plastic.)

    Credit cards have their place (paper trail, online ordering), but they do enable others to profit from you and your information (while you pay them for the privilege).

    (And yes, of course pay them off completely every month, anything else and you should use cash simply to not spend beyond what you have!)

    PS: Ever wonder why credit companies can afford such lavish advertising, promotions, sponsorships, cash back programs, technical infrastructure all while being subject to so much fraud and theft? It's because they profit so much from each of "your" transactions. Sure you can minimize the extra costs to you, but they have perfected their revenue stream and made it appear inexpensive/painless.