Subject: RISKS DIGEST 11.05 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Thursday 7 February 1991 Volume 11 : Issue 05 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Re: Enterprising Vending Machines (postal) (Jay Schmidgall, Matt Deatherage) Re: A risky gas pump [IF YOU CAN STAND IT!] (Donald Lehman, James Helman, Jonathan Clark, Paul S. Sawyer, Christopher Lott, Guy Sherr, Michael C. Tanner, Michael Van Norman, Barry Margolin) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. FTP VOL i ISSUE j: ftp CRVAX.sri.comlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j (where i=1 to 11, j is always TWO digits. Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Thu, 7 Feb 91 12:37:24 CST From: "Jay Schmidgall" Subject: Re: Enterprising Vending Machines (Allan Meers, Risks 11.01) In RISKS DIGEST 11.03, mjackson.wbst147@xerox.com writes: > It seems the programmers did anticipate this problem (credit stuck > in the machine with no means of recovery). Well, I got to witness a incident quite similar here at my onsite stamp machine. A person had put in $5 and tried to buy a book of 20 stamps. Unfortunately, the price was now $5.80 because of the price per stamp increase and the machine flashed an message "Use exact change" (as an aside, not quite the response I would have expected, which would have been more like "Insert additional funds" or some such.) Also unfortunately, the person did not have an additional 80 with them -- apparently he had just grabbed a fiver to buy the stamps. Fortunately, someone he knew was around so he asked them if they had 80. Unfortunately they did not. When he got back to the machine, I suggested he just buy a book of the old 25 stamps, since it was posted that a purchase was required to get back change. In fact, it was also posted that a minimum $7 purchase was required to get back change -- this was a bit unclear as someone had just written it in red ink over the operating instructions, which were on a roughly 3x5 sticker in small type on the upper right corner of the machine. When he tried to get the stamps, the "Use exact change" message flashed again. He was pretty confused but, having read my RISKS this morning, I had an idea what was happening. I put in my money to get my stamps (exact change, BTW) and sure enough, his $5 credit was gone. I got my stamps, explained to him what I thought had happened and suggested he contact Vending Services to get his money back. I also fired a note off to the vending person myself, suggesting that this "feechur" be disabled if at all possible. No response as yet. Jay Schmidgall RSCS:shmdgljd@rchvmw3 shmdgljd@rchvmw3.iinus1.ibm.com ------------------------------ Date: Thu, 7 Feb 91 13:51:54 -0800 From: Subject: Re: Enterprising Vending Machines (RISKS-11.03) The hotbeds of American technology are not immune to this horrid machine. I went to the main post office right here in Cupertino, CA yesterday, having already read the article in Risks 11.01 (happy anniversary!) warning of this nasty machine. I *intended* to purchase stamps at the window, but made the mistake of arriving at 4:58 PM -- the service area was already locked, and only those already inside were being let out. So I went to the vending machine. Just for fun, I pressed the button for an item without any money in the machine, and the "SOLD OUT" light *did* illuminate. I didn't take this at face value, but I decided to risk that there was a roll of 29 cent stamps or two still in the machine. Problem: All I had were $20 bills. OK, I thought, even though this machine had a label on it clearly saying that it will not deliver more than $3.00 in change, I can put in 3 $20-bills and buy two rolls of 100 $0.29 stamps. Right? Wrong. It cheerfully accepted my first $20, but rejected the second one with "CAUTION: USE SMALLER BILLS." Apparently the machine knew that it's most expensive item was $29 and wouldn't let me insert $40! I had no smaller bills, and the helpful postal employee in the lobby had a vocabulary limited to the words "we're closed". Finally, after about 5 minutes of trying to figure a way out of this mess without having to purchase the entire machine, a postal supervisor came out and gave me two $10 bills for a $20, enabling me to finish and be on my way. (The supervisor, by the way, had only come out to investigate a report that the machine was not accepting coins, but gave change when he noticed that the problem I'd encountered had stopped approximately 8 other potentional income sources from taking their chances with this demonic mechanical contraption.) --Matt Deatherage, Apple Computer, Inc. [THIS SERIES OF HORROR TALES IS BROUGHT TO YOU IN THE PUBLIC INTEREST, ALTHOUGH PUBLIC DISINTEREST IS LIKELY TO ENSUE RAPIDLY. BEWARE. PGN] ------------------------------ Date: Wed, 6 Feb 91 21:20:14 EST From: dlehman@cyclonic.sw.stratus.com (Donald Lehman) Subject: Re: A risky gas pump I remember a setup, similar to what Mr. Grumbine describes, in Sacramento around 1985 or so. I wish we had something like that around here. I think this is a case where the benifits outweigh the risks. Unlike voting, buying gas is something I do relatively often and I want the process to be optimized. I consider the increased risks (relative to the risks already associated with credit card puchases) to be minimal. I respond: > What verification is there that the card that is authorized is really mine? None. But my other credit card purchases are not usually validated either. I think the fair credit acts protect you somewhat. > What happens if the receipt disagrees with the amount pumped? Complain. Same as if the human attendant tried to overcharge you. I would assume that these stations have a human attendant or at least a telephone available. > How about if my number is not cleared from the pump's memory and I get > billed for the entire day's gas from that pump? This is a risk of any system. The same thing could happen with the computer at an attended pump. I'm not sure, but I believe that with modern systems the slips you sign are only looked at if there is a discrepancy. > How do I get that receipt if the machine is out of paper? Will is _always_ > know that it can't print _before_ I pump the gas? I assume these things would be similar to an ATM in telling you if it can't print receipts, but even if it doesn't, I don't consider it a big deal. It may mess up your records, but, except for expense accounts, I can't think of a reason I need to prove that I bought gas. What I would want is proof that I didn't buy something, but that is practically impossible. >Perhaps this gas pump is a harbinger of the 'Americard'. I hope not. There is a major distinction between the issue of 'Americard' and credit cards, and that is credit. As I understand it, the 'Americard' is like a debit card in that you don't need to 'agree' to the charges by paying a bill. Unless you blindly pay what the credit card company asks, you are protected to some extent. I've never had to go to arbitration or litigation over credit card items, so I don't know how powerful the companies may be, but you need to weigh the risks with the benefits. Don Lehman | Donald_Lehman@es.stratus.com Stratus Computer Inc. | Standard Disclaimers Apply Marlboro, Mass | I speak for myself... ------------------------------ Date: Wed, 6 Feb 91 21:39:45 -0800 From: jim@baroque.stanford.edu (James Helman) Subject: Re: A risky gas pump (RISKS-11.03) A similar system is in use in at least one Chevron station on the SF Peninsula (Belmont). The only difference is that a receipt is always printed, so no interaction beyond running the card through and pumping the gas is necessary. Initially, the station attendants were running all around checking things and said they were having problems. But now it has settled down and is one of the quicker places to get gasoline. Personally, I find the convenience to be worth the additional risk. The danger does not appear to be substantially higher than other electronically entered transactions, probably less since gasoline purchases are usually modest in amount and frequency. Perhaps, it's just another good reason to only carry cards from reputable and responsive banks, just in case of problems. Jim Helman, Department of Applied Physics, Stanford University, Durand 012 (jim@baroque.stanford.edu) (415) 723-9127 ------------------------------ Date: Thu, 7 Feb 91 09:54:29 EST From: jhc@ulysses.att.com (Jonathan Clark) Subject: re: risky gas pumps Completely unmanned petrol (gas) stations have been around in Europe for at least the last ten years. When I lived in Brussels I used to patronize them all the time, because: 1) They were open 24 hours a day, 7 days a week; and 2) They were significantly cheaper. They worked on a bank debit card system (like a money machine card), and so were just as (in)secure as those. I believe that there was a maximum amount of fuel that one was allowed to charge in one pass, this would occasionally lead to drivers of cars with large tanks (V12 Jaguars spring to mind) having to go through the ritual twice, in order to fill up completely. As far as I recall one *always* got a receipt. One of the risks they *reduced* was the possibility of driving away with the hose still attached to the car. When it's one's own money one is very careful about closing off the transaction properly... Perhaps some of our readers currently living in Europe would contribute some horror stories? Jonathan Clark jhc@ulysses.att.com, attmail!jonathan ------------------------------ Date: 7 Feb 91 10:20:08 EST (Thu) From: paul@unhtel.unh.edu (Paul S. Sawyer) Subject: Re: A risky gas pump (RISKS-11.03) > [Gas pumps which read credit cards directly] ... > >I did not try this 'convenience' out. Just in the time I was pumping gas >I came up with several _risky_ questions about the process: > What verification is there that the card that is authorized is really mine? > What happens if the receipt disagrees with the amount pumped? > How about if my number is not cleared from the pump's memory and I get > billed for the entire day's gas from that pump? > How do I get that receipt if the machine is out of paper? Will is _always_ > know that it can't print _before_ I pump the gas? > > There are quite a few that risks readers could come up with. This situation >does start to merge in to the 'Americard' type of risks as well. Perhaps >this gas pump is a harbinger of the 'Americard'. I hope not. > Bob Grumbine Mobil has been doing this for some time, and it usually seems to work [I only use my Mobil card on the turnpikes, since they like to charge their regular customers extra....] They also take debit cards, including some bank teller cards. The problem is, during the authorization phase, they go for something like $30-$35. Then, you get $5-$10 worth of gas, and the difference is not credited until later. [possibly end of day batching?] A local news item told of a woman who could not get cash from an ATM to buy groceries because she had just used the card to get gas.... Paul S. Sawyer {uunet,attmail}!unhtel!paul paul@unhtel.unh.edu UNH CIS - - Telecommunications and Network Services VOX: +1 603 862 3262 Durham, New Hampshire 03824-3523 FAX: +1 603 862 2030 ------------------------------ Date: Thu, 7 Feb 91 08:49:33 -0500 From: cml@cs.UMD.EDU (Christopher Lott) Subject: Re: auto gas pumps I am responding to the article about gas pumps that take payment; the author encountered these on the Ohio Tpke. Maryland has these pumps, and I for one love them. Around here, you have to pay in advance for non-auto pumps, which in my case means walking in and handing the attendant my credit card and then leaving it with him/her for the 5-10 minutes it takes me to fill the truck tank (big tank!). I feel that the purely human risks of leaving my cc with some joker far outweigh the tech. risks of trusting the implementor of the pump to have done the right thing. Of course I could always use cash! ;-) chris... ------------------------------ Date: Thu, 7 Feb 91 15:34 GMT From: NSIL LCM <0004222127@mcimail.com> Subject: Re: A Risky Gas Pump (devil's advocate) [comments & disclaimers] I am not a lawyer, and I do not work at a bank. I am somewhat disheartened that people simply do not take time to read credit agreements and learn how to protect themselves. Credit, while not really a friend, can be something of a robber or "banker in your pocket." I have never appeared in a published article (and probably won't anytime soon). [begin response] It may come as a surprise to our international friends, but it should be noted that on perhaps the rarest of occasions, proper identification may be required to complete any transaction with a credit card. The laws governing commerce and use of demand consumer credit do not place a compulsion before the seller of any good or service to identify the holder of a credit card as the authorized user. I personally know of no place, other than a hotel or motel, where the seller is compelled to discover or validate your identity. Also, in some hotels, credit issuers agree in advance to a floor limit, which allows the innkeeper to authorize charges without calling for an authorization (used to be significant, but has probably decreased with automation). I know these limits exist because one of my cards was stolen and AFTER it was known to be stolen, it was presented and accepted for a room (the billing was, I believe, over $200). Secondly, on the point of agreement between the receipt and the delivery of any good or service purchased with credit cards, it should be pointed out that every consumer (in the United States) has the right to dispute any transaction appearing on his account within 60 days of that charge's first appearance (most grantors will afford some leeway in this). In fact, the grantor of credit risks the possibility that the authorized user will dispute valid charges and claim that the card was lost or stolen. Goodwill and plain honesty go a long way in the relationship. Thirdly, given the protection basically held above, receipt failures are not serious faults. The receipt for expendables like gasoline and food can be written by hand and used for proof of a transaction (naturally, there is some penalty for fraudulent receipts which should curb their creation), even to the point that it is valid for an audit of one's income tax returns. This question is answered also by the power of a dispute. Finally, the possibility that a single person might be charged with all the transactions at one gas pump over a given period is that also where a single person's bank account should become the target of an ATM gone silly. There is always that risk, but then there is always a limitation on spending as well. Banks impose a limit upon an account's daily withdrawls, and upon borrowing with a credit card. The real risks of pumping gas are more substantive than economics. Gasoline is a volatile high explosive. The average car with a full tank has at least the equivalent explosive potential of 140 sticks of dynamite. A sufficient discharge of static electricity anywhere on the fragile connection from pump to filler neck could loose an explosion of no mean displacement (not to mention during rush hour on a crowded city street). [end response] I wish I had something more substantial and helpful to say than "this is a good list, and I wish I had been reading it before." I don't have, and for that, I am committing the rest of my life to the pursuit of the Oxford English Dictionary, if she will have me. Yours truly, Guy Sherr, MCI, 12369 Sunrise Valley Drive, Reston, VA 22091 Dept 1076/637 ------------------------------ Date: Thu, 7 Feb 91 14:54:33 -0500 From: mtanner@gmuvax2.gmu.edu (Michael C. Tanner) Subject: Re: A risky gas pump Bob Grumbine , writes about gas pumps that take your credit card, and don't require signatures, etc. I've been using pumps like this for some time now. I know there are certain risks involved, but they are not that great. I accept them in exchange for the increased convenience. Some of the issues he raises are easy to address. If it doesn't print a receipt, you go inside and ask for one and after suitable checking they give it to you (that's how it works around here, anyway). If the amount is different, you go inside and talk about it. Etc. Having bought gas this way 50-75 times in the last 6 months, I have failed to receive a receipt once and had the pump fail to turn on once. Otherwise, no problems. Not a large sample, I know, and one bad experience is all it takes, but it looks pretty good. Another possible risk is that my number gets stuck in there somehow, and everybody's gas is charged to my card at that pump/station/throughout northern Virginia/USA for some period of time. But I don't think I'd have much trouble convincing anyone that I didn't really buy a million dollars worth of gas on Friday. I'm not convinced this is a real danger. The only real problem, I think, is that 2 or 3 extra charges per month could appear on my bill. Since I check carefully before I pay any bill, it's not likely this would get by me. If it happens once, I can probably get the charges removed. If it happens regularly it may be more of a problem. So the real risk is that I get overcharged $20-30 per month, get into a hassle with the company, and ultimately have a blot on my credit record. My total exposure is to maybe a $100 or so loss (I can cancel the card and pay it off after 4 or 5 months and have no credit problems). The way I look at it, I run this risk in simply having the card, whether I accept the credit pump, or have a person enter the same data into the same computer. So the way I look at it, I get greater convenience at little or no increased risk. A nice application of technology, I say. Michael C. Tanner, Assistant Professor, CS Dept, AI Center, George Mason Univ., Fairfax, VA 22030 tanner@gmuvax2.gmu.edu (703) 764-6487 ------------------------------ Date: Wed, 06 Feb 91 15:11 PST From: Michael Van Norman (2) Subject: Re: A risky gas pump (RISKS DIGEST 11.03) Here in Los Angeles, ARCO has had the same type of service for years. I have used it for years without any problem. Now in LA you can even get a hamburger at Carl's Jr. with your ATM card! > What verification is there that the card that is authorized is really mine? You enter your PIN after sliding your card through the reader. I believe that what the authorization entails is a check to see if you sufficient funds to make a purchase. > What happens if the receipt disagrees with the amount pumped? Complain to the cashier. > How about if my number is not cleared from the pump's memory and I get > billed for the entire day's gas from that pump? I have never had this happen (or have heard of it happening) but i have also wondered about it. > How do I get that receipt if the machine is out of paper? Will is _always_ > know that it can't print _before_ I pump the gas? Probably not :) Michael Van Norman, Library Administrative Computing, 11334 University Research Library, 405 Hilgard Avenue, Los Angeles, CA 90024-1575 (213)825-1206 ------------------------------ Date: Thu, 7 Feb 91 00:40:29 GMT From: barmar@think.UUCP (Barry Margolin) Subject: Re: A risky gas pump (from RISKS DIGEST 11.03) Your tone suggests that this is a new risk. The risks of these gas pumps are precisely the same as many other uses of credit cards. What makes the gas pumps any different from credit card telephones? The phones don't even *try* to print a receipt. And what about giving your credit card number over the phone to a mail order house? In general, the risk with all these is that most credit cards don't have a PIN, even though they're being used more and more for such automatic transfers. But even a PIN won't solve the "reuse" problems that you identified; to solve these, you generally need a challenge/response authentication system, probably involving a smartcard rather than a simple credit card. > What verification is there that the card that is authorized is really mine? None. However, if you dispute a charge, the bank will generally remove it. Your liability is only $50 for charges made on a stolen credit card, and I think you have no liability for purchases made after reporting the card lost or stolen. > What happens if the receipt disagrees with the amount pumped? I'd go to the attendant and get a refund of the excess charge. What happens if the pump claims to have delivered more gas than it actually has? How would you even know, so long as the claim was within a gallon of your expectation? This relates to a misc.invest discussion I recently participated in, regarding balancing one's checkbook; someone asked whether I really trust greedy banks to properly maintain my balance. I didn't reply, but I was thinking: if they wanted to screw me, they'd be much less likely to get caught if they skimmed from my interest payments rather than play games with my deposits and withdrawals, as I'm unlikely to verify their interest calculations. So I *must* trust them. > How about if my number is not cleared from the pump's memory and I get > billed for the entire day's gas from that pump? Complain and have the charge removed. I don't think any bank would give you a hard time if you were to dispute a charge for thousands of dollars of gas from an ordinary gas station. > How do I get that receipt if the machine is out of paper? Will is _always_ > know that it can't print _before_ I pump the gas? Who knows? I think my bank's ATM warns about not being able to print receipts. Barry Margolin, Thinking Machines Corp. {uunet,harvard}!think!barmar ------------------------------ End of RISKS-FORUM Digest 11.05 ************************