Blu-ray Update Sent To User Via Credit Card Records

wmoyes writes "Back in September I ran into a Best Buy store to buy a Samsung BD-P2550 Blu-ray player. I didn't give the clerk my name, telephone number, or address, just my debit card. The player has sat happily in my living room without ever being networked or registered. Today I was shocked to find a package waiting for me at home from Best Buy — inside was a firmware update CD for the player. I used to think Windows Update was scary, but Samsung's update service tracked me to my house using the mag stripe from my bank card. Has this happened to any other Blu-ray owners?" Or is there a simpler explanation?

Customer information sharing

[Ethanol-fueled]

From the sound of this, Samsung or Best buy are not to blame as much as your credit card issuer is for sharing your information. Choice quote:

First, the facts: The Chase policy, which is similar to those of many other credit card companies, states: "You may tell us not to share information about you with non-financial companies outside of our family of companies. Even if you do tell us not to share, we may do so as required or permitted by law..."

According to the Wikipedia article, the credit card number, expiration date, and PIN verification info. I've seen tweekers do it with stolen cards. Magstripe readers are available for 50 bucks online.

Re:Customer information sharing

[Shakrai]

Oxymoron.

That's not true. Congress does act. All the time. On really important stuff.

Re:Customer information sharing

[skuzzlebutt]

Yes, highly unlikely...the magstripe doesn't store that info, so they would have to get that info from the card issuer (not Visa or Mastercard, the issuing bank) recursively. The card acquirer isn't even privy to that info unless there is a chargeback case or something where the consumer needs to be contacted. Card-issuing banks are beholden to regulations that would make most industries not even want to get out of bed in the morning and turn on the cash register; and they are extremely careful with what they do with cardholder info (lest they lose their charter with Visa/MC and have to close shop).

Also, consider it from a business standpoint: even if you can get around the regulatory stuff, the CC issuer isn't going to pass that info along for free (they would have to have frame circuits or encrypted FTP channels or some secure way to send batches of data safely from the issuer to BB and then to Samsung--and no, it's not going over the same pipes that the authorization and capture are being passed through...that's going to be a totally different environment, likely through a third party processor; then there are operational expenses, etc...nobody does this stuff for free). How much is that data really worth to Samsung? BB has to be in that loop, because the cardhlder didn't by the device from Samsung; the issuer doesn't care that it's a Samsung device, they aren't a part of that transaction chain, so the data would have to go to BB directly. And is BB going to go through the expense to do that for just Samsung? If not, are enough companies going to want this to make it worthwhile? Again, strains credulity from a business standpoint.

And even if they did have some kind of affiliate info-sharing deal with BestBuy (which, again, is highly unlikely), they aren't going to go through he expense and trouble so that you can get firmware updates for your Blu Ray player.

Samsung got that info some other way, like a rewards card application or rebate submission that BB was able to link to an address via one of the many data aggregators out there.

All credit card industry stuff aside: yes, that is indeed scary as hell. I wouldn't be happy at all.

Re:Customer information sharing

[Fizzog]

"they would have to get that info from the card issuer"

No, not really.

I worked for a telephone services company some years ago and developed their customer information system. We would only get one of two possible pieces of information from a transaction: the telephone number they called a 1-900 number from, or the Credit card number they used if they called a 1-800 number.

We wanted to get the customer information so we could send them related advertising.

There are vendors out there that will supply all available subscriber information for a telephone number, and others that will provide all available information given a Credit Card number.

Telephone numbers are not super reliable as they can be re-used, but for 5 cents we would (about 60% of the time) get a result which would give us the subscriber name and address. For 20 cents we would get about a 90% match. We sent all phone numbers to the 5 cent vendor and for those that didn't get a result we would send them to the 20 cent vendor.

Credit Card numbers are quite reliable and for 1 dollar we would get *all* of the information on the card holder. This included name, address, age, spouse's name and age, children's names and ages, your income, and various demographic information for your neighbourhood.

Given that big box stores likely get thousands of 'Card only' purchases a day I am sure they also have similar agreements with vendors, or contract with 3rd parties to do it for them.

Re:Customer information sharing

[stephanruby]

I have personally seen them send out blank checks with your account information already on them. Now, of course the fine print of this "check" is that the check being cashed or used actually adds that to your account under some strange special offer loan thing.

Actually, there is nothing special about checks, anyone can print them up as long as they have the right account and routing information (no special printer is necessary or anything). Quicken can print them. Excel can print them. Technically, you could write your own software for it too.

In France, when the banks started increasing their fees for getting your checks printed, there was an annoyed silent protest. We would fold the checks so that they couldn't go through the machines. We would write checks using plain notepad paper writing everything by hand (including the bank information and routing number, no bar code necessary). The merchants and the banks had to accept those checks. There was a law that said that as long as all the information was correct, it was valid as any other check. So the banks accepted the checks, thereby increasing their manual processing costs, and eventually they reduced the fees for printing checks (because having cheap printed checks was as much for *their* convenience as it was for ours). Now, I'm not saying an handwritten would work in the US, the Federal Reserve in the US probably has its own rules for clearing checks, but at least, if you open Quicken or any financial software, you should see how easy it is to print your own checks from your own bank.

If anything is a problem, it's actually those special anti-counterfeiting checks. Those give the consumer a false sense of security. And they're only as marginally useful as separating the checks that must be checked more thoroughly from the checks that "look" normal, so they're still useful and every little bit helps where it comes to security I assume -- but it's at the expense of keeping the average consumer in the dark.

Do you see the black car parked outside?

[GPLDAN]

The midget in the back seat of the Lincoln crawls in your basement window at night, and takes inventory of your firmware revisions on all your hardware.

He then runs to the forest to find out what updates you might need.

Don't talk to him, it sounds like he's talking backwards.

Don't panic.

[cliffiecee]

The 'update' DVD came from Best Buy, not the manufacturer- of course Best Buy has access to your home address, via your credit card. Samsung probably just shipped a bunch of discs to Best Buy, asking them to mail them out to owners of the player. No big conspiracy or identity theft going on, so relax.

Re:Don't panic.

[houghi]

of course Best Buy has access to your home address, via your credit card.

This would not be the case in Belgium. In fact it is even illegal to do it that way. If I give only my credit card details, all they will have is the following information:
Last 4 numbers of the credit card (We are not allowed to keep the credit card number anywhere)
The name of the credit card holder and the expiration date.
From the transaction itself the time, amount, item and card. (e.g. visa)
Some extra information related to the payment itself an the communication concerning the payment.

No link there with the users address. So unless we link it elsewhere with the address, we would have no idea what that would be. Calling the company will result in nothing but wasted time for both as they are not allowed by law to tell us the address.

Re:Cash

[AKAImBatman]

This is why I use federal reserve notes for everything I can.

That might not be as sure-fire as you think...

http://newsmine.org/content.php?ol=security/police-militarization/bestbuy-shopper-arrested-for-two-dollar-bills.txt

These updates are scary!

[Cathoderoytube]

A similar thing happened to me. I bought a blu-ray player, then one day I came home and found my house ransacked and my blu-ray player was gone. I'm still waiting for Samsung to send my blu-ray player back with the updates. I don't have any problems with these companies being vigilant about their update services. I just really wish they wouldn't spraypaint swastikas on my furniture.

I had a similiar incident with Circuit City

[BLKMGK]

A few years ago there was an interesting device being sold that acted as an email dumb terminal. The device was sold sans any real license but the expectation by the vendor was that you would sign up for their service since otherwise the hardware was "useless". Except that folks figured out how to hack it and turn it into a remote terminal for various OS. I was interested....

I trotted down to my local Circuit City only to find that many others were also interested and that they were sold out. No worries, they let me go ahead and buy one and would let me know when stock arrived so that I could pick it up.

Meanwhile the company figured out what was going on and began trying to stop efforts to repurpose their hardware - unsuccessfully. I got a letter in the mail from the company a few weeks after I had made my purchase at CircuitCity. The letter was informing me that they had decided to change the license terms on their hardware - after my purchase, that signing up for their service was "mandatory", and that if I did not do so within X number of days or receiving my device they would CHARGE MY CREDIT CARD.

Now, I had never contacted this company, I had no intentions of ever dealing with them or of buying their service, and I had not shared my contact information with them. CircuitCity however HAD shared my name and home address with them and if the letter was to be believed was also willing to share my credit card account information to facilitate a charge! I trotted back down to the CircuitCity, canceled my order, and demanded an explanation - naturally they had NO clue.

I was beyond angry to say the least and fired off a letter to CircuitCity HQ. Their response was that no way did they share my CC information with this 3rd party but they said nothing about having shared my HOME ADDRESS! I let them know that I would never shop in their stores again and have told this story more times than I can count - it's been YEARS and I have held true to my promise not to give them a cent. Seeing them go under warms my heart - the jerks. The sad thing is that I nearly made this purchase with cash, I wish I had!

As a side note, the CircuitCity I went into was one I'd never visited as it was closer to work and not my home. When I gave them my phone number they had my complete address on file! Turns out that my girlfriend's daughter had shopped there about 3 years prior and made a single purchase. They STILL had our address on file tied to that phone number when I made my purchase. So yeah, these companies do cough up data and they also hold onto it a REALLY long time - thank you TJMax!

Re:Cash

[Rastl]

Did you forget that the Constitution is there to specifically state the rights granted to the federal government? So if it wasn't there they wouldn't have the right to coin money?

Banks and states printed their own money for a lot of years. There's nothing illegal about it unless you're trying to counterfeit existing currency.

Currency is just convenient bartering, if you look at it objectively. "This wooden token is worth three chickens" is perfectly valid currency if it is accepted to have value.

Back on topic.

I'm not surprised that vendors and manufacturers are digging into the credit/debit card records for purchase histories. They're desperate since no one fills out their marketing, err, warranty cards. They need some way to track a customer base for stockholder reports. Sales histories aren't enough any more. They want to find out how to sell you more of their crap.

I hope the OP filed an official complaint with the bank and his state. Privacy laws may be in effect here since there was no legal reason for them to mine that data.

Re:Cash

[RJFerret]

Except it's not cheaper, what you interpret as cash back is actually compensation for providing your personal information and you having paid extra for the "convenience".

It's sharing a percentage of the charge the vendor has to pay for processing a credit card, ever wonder why some places (commonly gas stations) have different prices for cash/credit? Prices overall could be a few percent cheaper if nobody used credit cards and that "cash back" could be accruing interest in YOUR bank account instead of theirs!

I'll take the 2% in my savings account rather than the 1% you get back after a month (interest free) any day (and Discover doesn't give it back anymore until you've accrued a big chunk).

Also, I use credit cards for business expenses, and the transactions take longer than cash (which I use for all personal expenses). Ironically, it used to be you'd look for the line where people were paying cash as it was faster, and now the credit card payment systems have gotten more convoluted and time consuming than when we signed paper slips, never mind waiting for a slow network day or waiting for the clerk to explain which buttons to press to each person in line. (Although I love self checkouts, then there's nobody there to explain to people how to process their plastic.)

Credit cards have their place (paper trail, online ordering), but they do enable others to profit from you and your information (while you pay them for the privilege).

(And yes, of course pay them off completely every month, anything else and you should use cash simply to not spend beyond what you have!)

PS: Ever wonder why credit companies can afford such lavish advertising, promotions, sponsorships, cash back programs, technical infrastructure all while being subject to so much fraud and theft? It's because they profit so much from each of "your" transactions. Sure you can minimize the extra costs to you, but they have perfected their revenue stream and made it appear inexpensive/painless.