19th Jan 2010

I approve of my horrible experience

I’m at the SPIE Electronic Imaging conference in San Jose, about to begin the second day of the Media Forensics and Security track. There have been some pretty cool papers, including one by Eric Kee and Hany Farid revealing a unique way to use the little image thumbnails in EXIF headers to trace an image to the camera that took it. It turns out that different camera models use slightly different parameters to scale/crop/adjust/compress the image, and by estimating those parameters you can often determine the brand of camera that took the image (you can also get this elsewhere in the EXIF header, but if someone tampers with that data the thumbnail provides a check).

Anyway, I took a train from Oakland to San Jose, using my credit card, checked into my hotel with my credit card, and bought a cheapo umbrella, also with my credit card. On that third transaction the card was declined. Assuming that these purchases in California triggered some fraud alert, I called the card company to find that they couldn’t help me because all their computers were down. Ha ha, dammit.

The next day I reached them just before I registered for the conference, which I also wanted to put on the card. It turns out that my card was not blocked, it was cancelled. And not because of transactions from CA, but because of a massive leak of credit card information from “a major retailer.” They wouldn’t say who, but it was probably the parent company that owns TJ Maxx.

Of course, I am on the other side of the country and cannot wait for a replacement card to arrive in the mail. The operator explained that I could still use the card if I (a) called the 1-800 number just before I was about to hand the card to a cashier; (b) waited on hold; (c) provided my card number and privacy questions over the phone; (d) gave them the amount I was about to spend; and (e) let him hold the card open while the transaction went through.

I was pretty ticked at first, especially as I am not in a good situation to have my card cancelled (with no notification, of course). But then, from a security standpoint I would be happy if this sort of blanket inconvenience occurred every time a leak happened. We need people to feel the consequences of their data being abused, so that retailers feel at least some pressure not to leave all your transaction data from 4 years ago on a computer connected to the Internet.

Posted by Xcott under Uncategorized | No Comments »

28th Aug 2009

How to rotate a goddamned eps file

Posted by Xcott under Uncategorized | No Comments »

21st May 2009

Time to embarrass my brother

Posted by Xcott under Uncategorized | 1 Comment »

11th May 2009

The Dude Owns Property!

Posted by Xcott under Uncategorized | 3 Comments »

13th Jun 2008

The 2008 Underhanded C Contest

Posted by Xcott under Crypto and policy, Science | No Comments »

13th Jun 2008

Data hiding in pseudo-random state

Posted by Xcott under Crypto and policy, Uncategorized, Useful Arts | No Comments »

19th Sep 2007

Usability versus security in doors

Posted by Xcott under Crypto and policy | 1 Comment »

17th Apr 2007

I can walk to a rodeo from my house.

Posted by Xcott under Uncategorized | No Comments »

14th Feb 2007

Oh the weather outside is HUAAAIIAAAIGHHH!!

Posted by Xcott under Uncategorized | 3 Comments »

11th Feb 2007

And there goes my shredder

Posted by Xcott under Uncategorized | 3 Comments »