In message <[EMAIL PROTECTED]>, John Levine writes: >>Why does the clerk at Blockbuster want to see your driver's license? >>Because his management has been told, by their bank, that if they do >>not attempt to verify the identity of credit card users they will >>risk their business relationship with the bank. > >It's been my impression that the way you're supposed to verify the ID >of a credit card user is by checking the signature. I've heard of >banks telling businesses not to demand separate ID. On the other >hand, I can easily believe that Blockbuster came up with the ID idea >all by themselves.
I very rarely rent from Blockbuster, so I may have the details wrong; I can state for sure how things work at the local video store I usually patronize. When I signed up with them, I supplied a credit card number; they retained that for contingency charges if I fail to return a video. (Odd -- my local library doesn't do that. But I digress.) In return, they handed me an account-linked credential -- exactly the sort of thing that is often advocated on this list. >From my perspective, the form factor of the credential wasn't ideal; it was one of those key ring-sized cards, and I soon lost it, probably during a wallet upgrade. No problem -- they're happy to fall back to the secondary authentication system, to whit my drivers' license. I show that to get access to the account, independent of how I actually pay for the rental. In other words, they are not using my license to authenticate my credit card. (I would add that the feeds are low enought that I almost always pay in cash; I have no idea if they even have the ability to use the stored credit card for rental fees if I don't present the card separately. Hmm -- the account is old enough that the expiration date on my credit card has long since expired. They've never asked me for an update. Maybe they're using a reputation system?) --Steven M. Bellovin, http://www.cs.columbia.edu/~smb --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]