Blu-ray Update Sent To User Via Credit Card Records 526
wmoyes writes "Back in September I ran into a Best Buy store to buy a Samsung BD-P2550 Blu-ray player. I didn't give the clerk my name, telephone number, or address, just my debit card. The player has sat happily in my living room without ever being networked or registered. Today I was shocked to find a package waiting for me at home from Best Buy — inside was a firmware update CD for the player. I used to think Windows Update was scary, but Samsung's update service tracked me to my house using the mag stripe from my bank card. Has this happened to any other Blu-ray owners?" Or is there a simpler explanation?
You've been pirated (Score:5, Interesting)
That is great news
if someone ever use your credit card number,
YOU receive the driver upgrade.
then you know something wrong happened
Don't panic. (Score:5, Interesting)
The 'update' DVD came from Best Buy, not the manufacturer- of course Best Buy has access to your home address, via your credit card. Samsung probably just shipped a bunch of discs to Best Buy, asking them to mail them out to owners of the player. No big conspiracy or identity theft going on, so relax.
Re:Cash (Score:5, Interesting)
That might not be as sure-fire as you think...
http://newsmine.org/content.php?ol=security/police-militarization/bestbuy-shopper-arrested-for-two-dollar-bills.txt [newsmine.org]
So... (Score:5, Interesting)
Once people get used to this, what keeps naughty people from sending out legitimate looking upgrade disks that scramble your player or install software that lets them use your network connected player as a spam server? Urgh, basically virus laden spam for snail mail.
Re:Cash (Score:1, Interesting)
You should switch to Liberty Dollar's (http://www.libertydollar.org/) to show your contempt for the government as well.
I have a supply of those, but stores don't accept them. Thats why I use federal reserve notes. My savings "account", however, is gold coins.
Re:Cash (Score:5, Interesting)
What a sad, sad story. Check out Woz's site for more $2 idiocracy.
http://www.woz.org/letters/general/78.html [woz.org]
Re:Cash (Score:3, Interesting)
Samsung p1500 (Score:1, Interesting)
I had a similiar incident with Circuit City (Score:5, Interesting)
A few years ago there was an interesting device being sold that acted as an email dumb terminal. The device was sold sans any real license but the expectation by the vendor was that you would sign up for their service since otherwise the hardware was "useless". Except that folks figured out how to hack it and turn it into a remote terminal for various OS. I was interested....
I trotted down to my local Circuit City only to find that many others were also interested and that they were sold out. No worries, they let me go ahead and buy one and would let me know when stock arrived so that I could pick it up.
Meanwhile the company figured out what was going on and began trying to stop efforts to repurpose their hardware - unsuccessfully. I got a letter in the mail from the company a few weeks after I had made my purchase at CircuitCity. The letter was informing me that they had decided to change the license terms on their hardware - after my purchase, that signing up for their service was "mandatory", and that if I did not do so within X number of days or receiving my device they would CHARGE MY CREDIT CARD.
Now, I had never contacted this company, I had no intentions of ever dealing with them or of buying their service, and I had not shared my contact information with them. CircuitCity however HAD shared my name and home address with them and if the letter was to be believed was also willing to share my credit card account information to facilitate a charge! I trotted back down to the CircuitCity, canceled my order, and demanded an explanation - naturally they had NO clue.
I was beyond angry to say the least and fired off a letter to CircuitCity HQ. Their response was that no way did they share my CC information with this 3rd party but they said nothing about having shared my HOME ADDRESS! I let them know that I would never shop in their stores again and have told this story more times than I can count - it's been YEARS and I have held true to my promise not to give them a cent. Seeing them go under warms my heart - the jerks. The sad thing is that I nearly made this purchase with cash, I wish I had!
As a side note, the CircuitCity I went into was one I'd never visited as it was closer to work and not my home. When I gave them my phone number they had my complete address on file! Turns out that my girlfriend's daughter had shopped there about 3 years prior and made a single purchase. They STILL had our address on file tied to that phone number when I made my purchase. So yeah, these companies do cough up data and they also hold onto it a REALLY long time - thank you TJMax!
Blatant and common PCI violation, actually (Score:3, Interesting)
Numerous companies either breach the policies or work around them.
Tthere was a big flap last year when the parent company of Winners and Home Sense was found to have been capturing all their customer's credit card numbers, which are supposed to be passed directly the the banks' clearing house without ever being seen by the retailer. See http://www.cbc.ca/money/story/2007/01/18/winnersbreach.html [www.cbc.ca]
Yes, they got stolen (;-))
--dave
Re:Customer information sharing (Score:5, Interesting)
I bought a Kawasaki 24 volt drill/driver at Sams club 2 years ago. (TOTAL garbage, but thats another thread)
My GF used her sams club card for the member verify, and I used my cc for the purchase.
About 4 months ago I got a post card, addressed to me, saying that it has been recalled for fire hazard reasons. I never filled out a warranty card or anything.
Had the used the member card, it would have been sent to my gf, at her place.
Apple Store was similar (Score:3, Interesting)
Re:you know who your customers are (Score:5, Interesting)
I have a merchant credit card account for V,MC,D, you know the telephone swipe box that sits on the store counter.
It's pretty easy for the merchant, BestBuy whoever, to get your name and address from it.
And this is one of the reasons I always use cash. I do have a debit card, but it'll only get used in an emergency. Even then I'll probably claim I don't know the PIN so that I can sign instead. [wikimedia.org]
Samsung asked BestBuy to pass on the update to whoever purchased the SKU. It's a tremendous courtesy, actually.
Well, yes you could see it as a courtesy, but it won't be. A business never ever does anything unless it thinks it will be benefitting from the action. This includes charitable contributions - the cost there will be seen as buying good will, or some other BS.
There was probably some kind of contractual obligation to send out these disks, but why the keenness to make sure the user's players were up to date? I can't imagine that Bestbuy or Samsung want to add features to the players, as if the players are lacking the user might buy a new one instead. I am guessing that the update is DRM updates... something like the ability for the player to identify copied disks, or maybe blacklisted keys or something.
There is no privacy. Get over it.
Well, there are various laws in various countries that try and give people rights to privacy, but like all rights they have to be continually defended. It doesn't help that penises like you make statements like that.... you might not care about your privacy and are willing to give it away, but when you do that you are often giving away others' privacy too.
Re:Customer information sharing (Score:3, Interesting)
Or he *returned/exchanged* a product purchased on his credit card to the store in the past and they asked him to fill out one of the return forms with name and address. Now BB has tied his address to his credit card, so he's now populated in the database with full name and address.
When he purchased the Blu-ray player, it used his credit card to lookup his record and put the purchase down on his record, even though he didn't supply his personal info at that time.
Then, when it comes time to mail out updates, they just lookup all transcations with the player, pull the purchaser info...bang.
Re:Customer information sharing (Score:5, Interesting)
I've stopped shopping at stores that use my credit card as a way to get me on their mailing list.
On vacation, we bought some chocolates at Harry & David. When we got back, there was a catalog from them in our mail with my name (not "Resident") in the address. I haven't shopped there since.
Bought some exercise clothes from the local Nike factory outlet. A few days later I got a flier about an upcoming sale. I haven't shopped there since.
On a related note, I use a modified version of my signature whenever I sign one of those digital signature pads they have in Home Depot, Target, and other chain stores. It's my regular signature with two lines through the first letter of my name. I started doing this when my mom had used something similar while signing up for some kind of insurance or cell phone or something. She discovered that the printed copy of the agreement that she was given - complete with her signature on it - differed from the version which had been displayed to her on the screen before she signed it.
If my signature shows up on something and has those extra marks on it, I have at least a little better leverage to make the case that my signature was never attached to any physical agreement, and there's no way to prove that the terms with my signature were the same as the terms to which I agreed. Those marks mean they never had a physical signature attached to a document, and thus it's wholly unenforceable.
Honestly how they think they can accomplish anything with those pads, I don't get. It's akin to asking you to sign a blank sheet of paper that they can then staple to whatever agreement they want. And the courts would probably find it carries about as much weight as that should it ever become an issue.
Re:I had a similiar incident with Circuit City (Score:3, Interesting)
In case anyone's curious, it was the Netpliance i-Opener:
http://en.wikipedia.org/wiki/I-Opener [wikipedia.org]
A friend of mine bought two when they went under. He had grand plans to hack them, but life got in the way.
Re:Customer information sharing (Score:5, Interesting)
They send out piles of "you are pre approved!" nonsense and then pretty much hand out a card with precious little verification. My personal favorite was the story where the guy took one, tore it into little bits, then taped it all back together and filled it out with slightly screwy info to make it look as suspicious as possible...and then he got his card in the mail. I have personally seen them send out blank checks with your account information already on them. Now, of course the fine print of this "check" is that the check being cashed or used actually adds that to your account under some strange special offer loan thing. Oh yes..these fuckers are SO scared to get out of bed in the morning...
You can face the toughest regulations in the world, but if the enforcement end of it comes down to "Well, we didn't see anything" then the point is moot. I mean for christs sake these assholes default opt in on all the private data sharing programs and then send you a tinly little brochure with 3pt font explaining what to do to opt out. Then you call the stupid number and follow the prompts and they ask strange double negative questions to trick you into pushing the wrong answer to opt out.
Now...in all likelyhood you are probably right about how they got the info in question, however, that certainly doesn't eliminate the possibilty of sheisty CC company dealings making it happen.
Re:Customer information sharing (Score:3, Interesting)
My usual grocery store (Central Market) sends us monthly coupons, addressed to us, despite the fact that we've never given them anything more than a credit card. We live rather far from the store, and I know that they don't send them at random to our town; only regular customers get 'em.
I've also done the full opt-out privacy thing for every card I have as soon as I get it.
Thus, yeah, I assumed that when I used my credit card the vendor had access to my billing address. Either that was automatic, or they could request it and it fell under the "permitted" clause.
Nothing really new here (Score:2, Interesting)
I used to work for a moderately sized ski resort in Vermont, when I was in high school back in the 80's. This was back when credit card impressions were made on multi-part carbon paper receipts. Customer got one copy, merchant got another.
At the end of the day on a busy weekend, there would be thousands of credit card swipes, and the receipts locked in a vault in the offices. Part of my job was doing data entry at night during downtime. I'd check out a box of credit card receipts and enter the last name (from the signature) and the phone number (written by the customer on the slip) into a terminal. That was sent to a company in Ohio in batches of 50-60 thousand names. They matched name with phone number and sent back full addresses for our marketing department.
In 1989.
So, it's not at all surprising that they were able to piece this info together, and like others have pointed out, it's very possible they're matching your info to past purchases, returns or warranty information.
It's not that hard to do - credit card companies make big money selling lists of customers. they probably got it from your card issuer.
Re:Customer information sharing (Score:3, Interesting)
Congress acts far too much. The country is safer and more productive when the clueless fat cats are not dictating conditions of life for people they would never deign to have at their dinner tables.
CD firmware updates to blu-ray? Vector for hack? (Score:1, Interesting)
So, if you can update the firmware using a CD rather than sending back to the vendor, does that mean you can load whatever firmware you like using the same method, providing you can crack the keys signing the update?
Re:Customer information sharing (Score:5, Interesting)
Actually, there is nothing special about checks, anyone can print them up as long as they have the right account and routing information (no special printer is necessary or anything). Quicken can print them. Excel can print them. Technically, you could write your own software for it too.
In France, when the banks started increasing their fees for getting your checks printed, there was an annoyed silent protest. We would fold the checks so that they couldn't go through the machines. We would write checks using plain notepad paper writing everything by hand (including the bank information and routing number, no bar code necessary). The merchants and the banks had to accept those checks. There was a law that said that as long as all the information was correct, it was valid as any other check. So the banks accepted the checks, thereby increasing their manual processing costs, and eventually they reduced the fees for printing checks (because having cheap printed checks was as much for *their* convenience as it was for ours). Now, I'm not saying an handwritten would work in the US, the Federal Reserve in the US probably has its own rules for clearing checks, but at least, if you open Quicken or any financial software, you should see how easy it is to print your own checks from your own bank.
If anything is a problem, it's actually those special anti-counterfeiting checks. Those give the consumer a false sense of security. And they're only as marginally useful as separating the checks that must be checked more thoroughly from the checks that "look" normal, so they're still useful and every little bit helps where it comes to security I assume -- but it's at the expense of keeping the average consumer in the dark.
Re:Customer information sharing (Score:4, Interesting)
I do this all the time, and I have never been refused. Usually the POS doesn't display the signature to the cashier for validation, just that you've entered something and clicked OK. I've actually stopped using credit cards as much as posible (only for web purchases, and big ticket items). For those companies that ask for a phone number,I don't argue with them. I just give them a fake number (usually a porn site etc). Bad data is more expensive than no data. If everyone would do this, it would reduce the incentive for companies to do this. I then stop shopping at these stores. I haven't bought anything from a Radio Shack in over a decade.
Re:Customer information sharing (Score:2, Interesting)
So where did BestBuy get his home address and stuff though?
How do you buy things in this modern age without telling the world everything about you? Cash is becoming more and more illegal with all these laws that permit government officials to seize it without warrant or even accusation. Are we actually at that stage where you cannot buy or sell anything without the mark of the beast?
Re:Customer information sharing (Score:5, Interesting)
No joke.
I'm routinely asked for a picture ID when I use my card. Strictly speaking, that's the store's prerogative. But per the merchant's agreement, they cannot require a picture ID to complete a credit card purchase. The cashiers aren't taught this, and even the managers either don't seem to know or care.
It's a minor thing, but at the movie theater, I tend to buy my tickets at the automatic kiosk (~$10) and then buy a drink (~$3). The automatic kiosk never asks for my ID, but they always ask for the lower-priced charge. And they give me hell if I've forgotten my ID.
Re:Customer information sharing (Score:3, Interesting)
Believe it or not, testimony plays a part in court as well. If you tell a judge it's not the contract you signed and they are trying to pull a fast one by defrauding the court, that's a pretty serious matter.
I think everyone's missing the point (Score:3, Interesting)
Re:Customer information sharing (Score:3, Interesting)
I assume you mean eCash. First, DigiCash drove themselves into the ground. They were too advanced for their time, trying to selling a screamingly modern product to an extremely conservative group of bankers. And their headstrong genius inventor was not brilliant enough to understand he needed an independent CEO to run his business. They went bankrupt in 1998.
More importantly, they probably never would have been allowed to succeed. eCash is simply "too perfect". It offers strong anonymity, and is extremely portable. (With an eidetic memory, you could literally carry a million dollars in your head.) It would be the perfect exchange media for drug traffickers, money launderers, terrorist organizations, and anyone else who usually attracts police interest.
Many (most?) successful investigations involve following the money trail in some fashion. eCash renders money totally invisible. No government would have endorsed it, and most would probably have outlawed it eventually.