Be Credit Card Careful: Tips from a Hacker

Check please

Check please

Today we are pleased to present a contribution from famed phone phreak Lucky, aka Jered Morgan, co-founder of SuchCalls, of which we have previously written. One of his specialties is privacy protection relating to credit card use. This is an edited version of two of his posts which have appeared on Facebook in the 2600 magazine group, as well as a vintage, but still relevant, post on his personal blog at

The Horror Story:


And here’s why you need to do this right now:

Today at Walmart I found someone’s FirstBank debit card and Identification Card (not a driver’s license). I can deduce from this that this is someone who does not have a wallet and does not drive. In the hands of an ID thief these 2 things would be invaluable. First, his debit card was not signed, so I could have easily signed it myself and then do a transaction where I would not know the PIN. I could then have demanded the merchant compare signature on the card vs that on the receipt, which would match since I just signed his card. Second, because he’s carrying both cards and probably providing both to merchants since his card is not signed, he is “leaking” his billing address and zip, as it was on his ID Card. If he signed the debit card, he would not need to show ID and would retain privacy of address.

I returned both to his bank branch night deposit box with the above helpful tips.

The Situation:

As some of my YouTube channel subscribers already know, I refuse to show my Photo ID when a merchant requests to see it when I pay using a MasterCard credit card.  MasterCard rules prohibit merchants from refusing “to complete a Transaction solely because a Cardholder…refuses to provide additional identification.”  MasterCard also encourages Cardholders to report Merchant Violations on their website. 

These rules are not arbitrary, they are in place for a reason.  It isn’t just because credit cards are supposed to be convenient for the Cardholder, though that is part of it.  The reason is that requiring Photo ID simply does NOT prevent card fraud, period.  MasterCard guarantees payment to the merchant when a valid, signed MasterCard is presented, and an authorization is approved.  If the Merchant follows the rules, they will not eat a chargeback due to customer complaint or fraud. If the Merchant does not follow the rules, and it is proved that they did not follow the rules, they will lose the chargeback.  Thus, while a Merchant may have good intentions for requesting ID, it actually may hit their bottom line as they are violating the rules in their merchant agreement. If there is fraud or a chargeback and the Merchant uses the defense that they checked an ID instead of complying with the rules, they will lose that money.

The Reasons:

Here are the reasons why asking for/requiring a Photo ID is not a good idea for Merchants:

First: It does NOT prevent fraud.  Today, most card present fraud is NOT from a physically stolen actual card.  Today, credit card numbers and information are skimmed, stolen from payment processors, or  stolen from hacked websites. Fraudsters then manufacture fake credit cards in their own names that match their own ID, or manufacture cards with the name of the cardholder along with a fake ID to match, or they encode the stolen credit cards on their own real credit cards, which their ID will naturally match.

Secondly, the embossed name on the card does not always match ID the cardholder may be using. Examples include prepaid or gift credit cards, or a person who has recently changed their name and may be waiting for a updated ID or new credit card.

Thirdly, showing your photo ID with a credit card can actually expose you, the cardholder, to fraud. Some unscrupulous employees have violated credit card rules by asking for photo ID, not to ‘protect the cardholder’ or prevent fraud, but to actually video record the credit card information and the photo ID information to obtain the billing address for the card so they can then use the card information online to make fraudulent purchases themselves.

The Solution:

So what’s the solution, if not asking for Photo ID?

The solution is a simple one: FOLLOW THE RULES.  Here are some simple steps Merchants can use to prevent fraud.

First of all, all credit cards are invalid unless signed. There is a reason this appears on the card.  If the card is not signed, it is not valid, period. This is the only instance in which a merchant can demand ID, and s/he can then require the cardholder to sign the card before processing the transaction. If a valid, signed card is presented, the merchant should compare the signature on the card to that on the receipt, if they do not reasonably match, you can place a code 10 call.

One of the most common card fraud situations is re-encoded stolen credit card information on a valid credit card.  You can prevent this really easily. Most terminals will display the last 4 digits of the card or the whole card number when the card is swiped, so all you have to do is compare the displayed numbers to the embossed numbers or the card number on the card.  If they don’t match, don’t process the transaction.

The second type is fake manufactured cards.  Credit cards have a number of security features that fake cards often do not have, so check the physical card to ensure it is a valid, not spoofed card.  Be vigilant about suspicious behavior, if someone comes in and wants to purchase an expensive flat screen tv, asks no questions about it and demands to purchase it now and seems nervous, and you suspect it is a fraudulent card, you can place a code 10 call.  Taking these steps will minimize fraud for merchants, and facilitate commerce from valid Cardholders.

If you don’t like the rules, don’t accept or use credit cards. Simple!





Jered Morgan, aka Lucky, is a 31 year old phone phreak and privacy advocate who likes to keep things simple.


Featured image by Robert S. Donovan on Flickr. Portrait of Lucky/Jered Morgan via Twitter.

Categories: Banks, Credit Cards, Crime, Fraud, Hackers, Lucky, Money, Phreakers, Privacy, Rights, Scams, Security

Well, tell us what you think!

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: