Shostack + Friends Blog Archive

 

Code Name: Miranda

I admit it, probably ten or more years ago I actually signed up for a supermarket affinity card. Of course, I promptly lost it during the great migration to the suburbs, and for a good while I would simply claim to have left it at home and the cashier would cheerfully use a “store card”, which gives me the discount and deprives the store of 99% of the value they try to obtain via that discount. It was perfect.
Well, they got wise to that, and now require a phone number, which the POS system uses to determine if you’re an affinity cardholder. Well, after trying about five home (and office) phone numbers, my wife figured out the one we used to get the card way back when. So, when I just have to have that dollar off a 6-pack of Sierra Nevada, all systems are go. Still, I felt a little conflicted — after all, these folks still have my personal info and buying history. I don’t want to add to their dossier, right?
Well, imagine my joy when, as I was making a cash purchase of some rather sensitive items (granola, yogurt, hummus — the healthy stuff which probably alerts Admiral Poindexter’s Bayesian classifier to my fifth-column status), and typed in the old phone number and got the discount, the cashier said “Have a nice day, Mr. Miranda”. Now, “Miranda” is not a weird midwestern mispronunciation of “Walsh”, so this got my attention. It seems like my old phone number is now the property of another cardholder, and now all my purchases are reflected as his. Nice.

7 comments on "Code Name: Miranda"

  • Adam says:

    They require a card, and a phone number? If you leave the card at home, what happens if you just make up a phone number? I’ve long been at 773 404 2827 [http://chicago.cubs.mlb.com/NASApp/mlb/chc/ballpark/index.jsp].

  • Chris Walsh says:

    The idea is that they look up the loyalty card info with the phone number as a key. Apparently, there are far fewer cards than numbers, so selecting a random (valid) phone number is not likely to succeed.

  • Adam says:

    hmmmm…..That seems a fixable bug. Can you sign up for cards online? 🙂

  • Chris Adams says:

    I’ve yet to find a place which doesn’t take my employer’s main number – with 1200 people the odds are high that someone else has already registered it.

  • Anon says:

    Also, if you have a few minutes to spare, try 555-1212 in whatever local area code the store’s in. If it fails, sign up for a bogus card using that phone number.
    Cypherpunks write code.

  • Simson Garfinkel says:

    Come hear what happened to Admiral Poindexter’s Project…
    Workshop on Data Surveillance and Privacy Protection
    Saturday, June 3, 2006
    Harvard University
    INVITATION
    On June 3, 2006 Harvard University’s Center for Research on Computation and Society will hold a day-long workshop on Data Surveillance and Privacy Protection.
    Data Surveillance is quickly moving from the world of research to the world of practice. While the media is preoccupied with NSA wiretaps and the accidental release of names and social security numbers, information is increasingly being collected, correlated and data-mined for use by law enforcement, counter-terrorism, and commercial marketers.
    Although there has been significant public attention to the civil liberties issues of data surveillance over the past few years, there has been little discussion of the actual techniques that could be employed in any but the most restricted settings. Likewise, there has been little discussion of methods and technologies for conducting data surveillance while respecting privacy and preserving civil liberties.
    The Center for Research on Computation and Society (CRCS) is a new research center with a mission to develop a clear understanding of issues of technology and public policy where technology actually makes a difference, and to pursue innovative computer science and technology research informed by that understanding.
    Keynote speaker:
    Robert Popp, PhD, is currently an Executive Vice President of Aptima, Inc., and formerly a senior executive within the Defense Department, serving in the Office of the Secretary of Defense and Defense Advanced Research Projects Agency (DARPA), where he was Deputy of the Information Awareness Office and Total Information Awareness (TIA) program.
    Other featured speakers include:
    John Bliss, JD, Privacy Strategist, IBM Entity Analytic Solutions
    Philippe Golle, PhD, Palo Alto Research Center.
    Kenneth Mandl, MD, M.P.H., Director, Center for Biopreparedness, Boston’s Children’s Hospital
    Jeff Ubois, Internet Archive
    Rebecca Wright, PhD, Associate Professor, Stevens Institute of Technology
    James Bamford, author, Body of Secrets
    REGISTRATION and INFORMATION
    The workshop is free but you must register to attend.
    For more information on the workshop and to register, please visit:
    http://crcs.deas.harvard.edu/workshop/2006/

  • Ryan Singel says:

    Round these parts, the nice lady working the checkout counter suggested that I use the local pizza place’s number, which is very simple to remember, something like 585-5858.
    Together we’ve racked up quite the benefit level on wine purchase.

Comments are closed.