Internet Outlook with Richard Wiggins | 46

"Please Swipe Card"

Please Swipe My Credit Card

While strolling from booth to booth I spied one artist selling hand-colored photographs of beach scenes. What was odd was that a credit card machine was busy humming and printing a Visa receipt. That wouldn't be unusual except, as we said, the artists' booths had no power or phone lines. I stared at the setup, and noticed the tell-tale word "Motorola" on it. Hmmm, cell phone credit card authorization?

I asked the artist what the scoop was. She said that her credit card carrier had urged her to move to this setup to lower their rejection rate and consequently lower her merchant fee. These days it's pretty rare for a business in a fixed storefront not to use authorization machines. Consequently, merchants who don't do onlne authorization probably find themselves selling to more people whose cards turn out to be over the limit, canceled, or perhaps even stolen.

The artist told me her merchant fee dropped from 3% to 1.8% thanks to this cellular authorization scheme. The bad news for her was that she had to pay cell phone roaming charges of 99 cents per minute. If the authorization line was busy, she might spend $3 authorizing a $50 sale, wiping out her savings and a chunk of her profit as well.

So what does this have to do with the Internet? Think for a minute about the security implications here. Those cell phone calls are going out over open air. The credit card terminal appeared to be a standard one, simply wired into an adapter on a Motorola cell phone. The credit card terminal thus probably behaved the same way as it would over the wired phone network, with an integral modem connecting at probably 1200 bps using standard modem tones.

What's the problem? I'm willing to bet that that terminal wasn't encrypting customer credit card data as it went out over the air. We know that cell phone fraud is rampant today. Thieves carry scanning devices that can pick up a cell phone's identification signature; the thief programs that ID into another cell phone, and suddenly your cell phone is making drug deal calls to Central America.

So if thieves can steal data about cell phones over the air, why couldn't a thief steal credit card numbers carried over cell phone calls? Yes, it's illegal to sell scanners that can pick up cell phone calls, and it's illegal to transmit a recorded cell phone conversation (presumably even the warbles of a modem). Ask Newt Gingrich if he feels his cell calls are thus rendered impervious to snooping.

A quick net search reveals that several companies sell portable point-of-sale authorization terminals. Some work over the cellular network, some straight via radio. The art fair market must be bigger than one might think. In scanning the spec sheets for such terminals, I didn't happen to notice any bragging points about encryption or protecting the consumer's privacy. See for instance one vendor's cellular phone credit card terminal.