Slashdot Mirror

← Back to Stories (view on slashdot.org)

Blu-ray Update Sent To User Via Credit Card Records

Posted by CmdrTaco on from the allright-that's-just-plain-scary dept.

wmoyes writes "Back in September I ran into a Best Buy store to buy a Samsung BD-P2550 Blu-ray player. I didn't give the clerk my name, telephone number, or address, just my debit card. The player has sat happily in my living room without ever being networked or registered. Today I was shocked to find a package waiting for me at home from Best Buy — inside was a firmware update CD for the player. I used to think Windows Update was scary, but Samsung's update service tracked me to my house using the mag stripe from my bank card. Has this happened to any other Blu-ray owners?" Or is there a simpler explanation?

9 of 526 comments (clear)

  1. Customer information sharing by Ethanol-fueled · · Score: 5, Informative
    From the sound of this, Samsung or Best buy are not to blame as much as your credit card issuer is for sharing your information. Choice quote:

    First, the facts: The Chase policy, which is similar to those of many other credit card companies, states: "You may tell us not to share information about you with non-financial companies outside of our family of companies. Even if you do tell us not to share, we may do so as required or permitted by law..."

    According to the Wikipedia article, the credit card number, expiration date, and PIN verification info. I've seen tweekers do it with stolen cards. Magstripe readers are available for 50 bucks online.

    1. Re:Customer information sharing by wmoyes · · Score: 4, Informative

      My guess is that they (Best Buy) cross referenced the name they read from my credit card to one of the bulk mail lists they purchased for marketing purposes. The letter was addressed to me 'or current resident' and inside was information about how my player with this new firmware update could download Netflix movies. The update CD itself was for my specific model (BD-P2550).

      The other possibility is that they cross-referenced my in store purchase via the card number to a previous on-line purchase from their web store (which would have included a shipping address). In either case, the mag stripe of my card (in an otherwise anonymous transaction) was used to make the connection, and four months later a package with a firmware update arrives at my house.

    2. Re:Customer information sharing by pdabbadabba · · Score: 4, Informative

      "Those marks mean they never had a physical signature attached to a document, and thus it's wholly unenforceable."

      Totally wrong. The validity of those signatures have been upheld countless times in court. Generally, an electronic signature pad is backed by a surprisingly sophisticated system for tracking when you signed, how you signed, and what you signed, generally storing screenshots of each step of the process including the agreement for each unique signature.

      Does it prove conclusively that you signed the document that they say you signed? No. but, then again, neither does your signature on a paper contract (Think about it. Do you sign every page or just the last one? ). The signature is good unless you dispute that you made it in court (and just not being sure if that is the document you signed doesn't cut it. You are expected to have a reasonable belief that it isn't).

      --
      caritj.org
    3. Re:Customer information sharing by Fizzog · · Score: 5, Informative

      "they would have to get that info from the card issuer"

      No, not really.

      I worked for a telephone services company some years ago and developed their customer information system. We would only get one of two possible pieces of information from a transaction: the telephone number they called a 1-900 number from, or the Credit card number they used if they called a 1-800 number.

      We wanted to get the customer information so we could send them related advertising.

      There are vendors out there that will supply all available subscriber information for a telephone number, and others that will provide all available information given a Credit Card number.

      Telephone numbers are not super reliable as they can be re-used, but for 5 cents we would (about 60% of the time) get a result which would give us the subscriber name and address. For 20 cents we would get about a 90% match. We sent all phone numbers to the 5 cent vendor and for those that didn't get a result we would send them to the 20 cent vendor.

      Credit Card numbers are quite reliable and for 1 dollar we would get *all* of the information on the card holder. This included name, address, age, spouse's name and age, children's names and ages, your income, and various demographic information for your neighbourhood.

      Given that big box stores likely get thousands of 'Card only' purchases a day I am sure they also have similar agreements with vendors, or contract with 3rd parties to do it for them.

    4. Re:Customer information sharing by Myopic · · Score: 4, Informative

      Yes! Same here. And that site is

      www.optoutprescreen.com

      I share everyone's frustration that you have to opt out of a process by which another entity can expose you to the risk of identify theft, but I can personally attest that this site is effective. I have even moved a few times since I signed up, and still remain opted-out.

  2. And what is wrong with this? by $1uck · · Score: 4, Informative

    You purchase an item on Credit you're entering into an agreement to pay for something they are going to want to know your billing address so that they can verify payment. If you're that concerned about your privacy you need to not enter into such agreements and pay for everything with cash (which protects both sides). As a side note isn't this potentially a good thing that they sent you an update? You can decide not to use it if you fear its updating drm as opposed to improving the product.

  3. Re:Don't panic. by houghi · · Score: 5, Informative

    of course Best Buy has access to your home address, via your credit card.

    This would not be the case in Belgium. In fact it is even illegal to do it that way. If I give only my credit card details, all they will have is the following information:
    Last 4 numbers of the credit card (We are not allowed to keep the credit card number anywhere)
    The name of the credit card holder and the expiration date.
    From the transaction itself the time, amount, item and card. (e.g. visa)
    Some extra information related to the payment itself an the communication concerning the payment.

    No link there with the users address. So unless we link it elsewhere with the address, we would have no idea what that would be. Calling the company will result in nothing but wasted time for both as they are not allowed by law to tell us the address.

    --
    Don't fight for your country, if your country does not fight for you.
  4. Check you card for any bill BB wants $30 to do thi by Joe+The+Dragon · · Score: 4, Informative

    Check you card for any bill BB wants $30 to do this.

    http://consumerist.com/5122504/watch-out-for-firmware-shenanigans-at-best-buy

  5. Re:Cash by RJFerret · · Score: 5, Informative

    Except it's not cheaper, what you interpret as cash back is actually compensation for providing your personal information and you having paid extra for the "convenience".

    It's sharing a percentage of the charge the vendor has to pay for processing a credit card, ever wonder why some places (commonly gas stations) have different prices for cash/credit? Prices overall could be a few percent cheaper if nobody used credit cards and that "cash back" could be accruing interest in YOUR bank account instead of theirs!

    I'll take the 2% in my savings account rather than the 1% you get back after a month (interest free) any day (and Discover doesn't give it back anymore until you've accrued a big chunk).

    Also, I use credit cards for business expenses, and the transactions take longer than cash (which I use for all personal expenses). Ironically, it used to be you'd look for the line where people were paying cash as it was faster, and now the credit card payment systems have gotten more convoluted and time consuming than when we signed paper slips, never mind waiting for a slow network day or waiting for the clerk to explain which buttons to press to each person in line. (Although I love self checkouts, then there's nobody there to explain to people how to process their plastic.)

    Credit cards have their place (paper trail, online ordering), but they do enable others to profit from you and your information (while you pay them for the privilege).

    (And yes, of course pay them off completely every month, anything else and you should use cash simply to not spend beyond what you have!)

    PS: Ever wonder why credit companies can afford such lavish advertising, promotions, sponsorships, cash back programs, technical infrastructure all while being subject to so much fraud and theft? It's because they profit so much from each of "your" transactions. Sure you can minimize the extra costs to you, but they have perfected their revenue stream and made it appear inexpensive/painless.