Lowe's "security" for credit card usage.

I have been wondering about this for awhile, but perhaps there is someone out here that works for Lowes, or can explain the logic behind this…

I check out at Lowes and use my credit card. For some inexplicable reason, they ask me for the last 4 digits of my credit card. What good does that do (besides annoy me, by making me pull my wallet back out to get my credit card again)?

This is the dumbest security measure of all time. If I’ve stolen a credit card, I would physically have to have it to use it. So, I can look at the card and put it back, just like someone would if they were the legitimate owner of the card. WTF?

A better thing to ask me is what my zip code is. At least with that, if I don’t know it, I am not going to able to wing it. Without knowing the billing address, I won’t be able to guess the zip unless I’m incredibly lucky, or know the person I stole the card from.
Not fool-proof by any stretch, but it’s better than the last four digits of the card.

Anyone know why Lowes asks for this info? (I’m not sure of any other store that asks for the cards digits)?

It is (or was) a pretty standard scam to alter the mag stripe of a legit card to have a different stolen account number on the mag stripe. Having the clerk check that the last 4 embossed numbers match the last 4 from the mag stripe pretty well defeats that scam.

It’s also is a way for the store to ensure the clerk actually handles & looks at the card. That way the clerk can detect things like plain white card stock cards, unsigned cards, known fake bank cards, etc. By demanding the clerk actualy key the numbers, they pretty well force the clerk to actually do this step, not just blow it off.

With any retail “security” procedure, rememember there are 3 actors: the customer, the clerk, and corporate management. As customer often you’re just watching a security transaction between the other two parties.

Ref the two recent threads about “no receipt? your purchase is free.” and “I hate receipt checkers at the exit.” Both of those procedures are about management trying to prevent theft by clerks, not theft by you.

They’re doing it wrong. They are supposed to ask for the card and enter the last four digits themselves to confirm that the numbers embossed on the card match the numbers that were read from the magnetic strip on the card. This protects against cards that have been reprogrammed with stolen numbers (so that the numbers embossed on the card don’t match what the magnetic strip says). Lowe’s obviously instituted this policy and then gave no training on it.

Not true. Both Lowes, HD, and Target clerks ASK THE CUSTOMER what the last 4 digits are. That accomplishes shit-all for security.

I cannot remember the last time a clerk TOUCHED or even asked to LOOK at my credit card. I could be swiping a strip of cardboard through their little scanner whatsis for all they know. All the asking for the last 4 digits accomplishes is to make sure the scam artist knows what their overlaid mag-number is, and rattle that sucker off. Hell, if they wanted to be really sneaky about it, have them dig the card out of their wallet, pretend to look at the last 4 digits, and THEN tell the cashier the fake numbers.

I’m sure it was intended to make it harder for scams, but the cashiers are circumventing it quite nicely in the interests of doing less work.

A few times, I’ve had the clerk ask to see my credit card. I think most recently at Best Buy. It’s annoying when I’m using one of the swipe-it-yourself machines, I’ve already swiped the card and put it back in my wallet. If you’re going to ask for the card, you might as well swipe it yourself.

The funniest part is where you do self checkout at Lowes and the MACHINE asks for your last four digits. Not even a person!

I’m actually glad I asked the question. I had no idea that it is a security measure that, if performed correctly, actually makes some sense. But like **Lasciel **and others, I can’t remember when anyone actually *asked *for my card. The last time someone did, it was at Christmas, and they looked for the signature match. Also a stupid security feature (if I stole it and signed it, my signature will look the same), but at least they made an effort.

Based on the theory of how this security measure is supposed to work, this is laughable! I’d like to see Lowes get sued from Visa for promoting theft.

Also, I just want to add my ignorance to the altering the strip in the first place. How on earth is that done? It must be easy, but damned if I know how to do it. Can I buy something legally to read my card’s magnetic strip? Aren’t the strips even the least bit encoded? How on earth do criminals figure out how to do this?

The stripes are not encoded or secret at all. Simplifying just a bit, the stripe contains the same name and account number as are embossed into the plastic. And it’s in plain text in plain old ASCII: “John A Smith 4001 1234 5678 9012”

Anyone can buy machines which read or write those stripes. After all, those same cards are used for hotel keys, company ID badges, and a jillion other uses. The layout of the data itself confirms to a publicly published standard. Otherwise, how would all the companies which make the equipemt or cash register software know how to process the data?

All this design dates from the 1960s when life was simpler. And it can’t be changed since there’s so much installed equipment which reads only the dumb old standard.

The push to RFID or other “smart-card” standards is partly a way to inject more hack-reistance into the cards. But since most fraud now is conducted online where the physical card isn’t even used, that effort is a bit of closing the barn door on a mostly-gone horse. Soon enough our credit "card"s will just be an app on our smartphone which talks to an app on the credit card terminal / cash register.

Wow. I had no idea it was this basic. I’m not sure why it never occurred to me, as you are quite right in that to encode the data would require a massive effort to make sure the other device could read it and interpret it correctly. Perhaps I thought that even a basic encoding would have been done at the beginning. Even if it was a public standard, it’s a layer of security that might keep a segment of thieves from considering this type of crime. Kind of like putting an unlocked club onto your steering wheel.

Or the employee in question ignored the training. I used to be a retail store trainer, and people often seemed to forget extremely simple things ten minutes after going through a training class and signing off on the procedure. Not just the low-wage clerks in Men’s Underwear either; some of our appliances commission salesfolk made respectable middle-class incomes but couldn’t be arsed to recall how to process credit cards to avoid chargebacks that would cost them their commission.

At my two closest Lowes the clerks always ask to handle the card. And then they read & key the last 4 themselves.

So for Lowes specifically, not all amployees at all stores do it wrong. So I bet the corporate policy is written correctly and the problem falls to lazy local store management and/or poor local training.

I do agree it’s funny when the self-checkout machine asks me to key my own numbers. Although that will still trap some small percentage of would-be crooks.

The drive behind chip & pin is to remove the need for staff to handle cards. Lots of card fraud is caused by employees “skimming” cards while pretending to swipe for a sale.

When I go shopping (in the UK) the staff never, ever need to handle my card except on the very rare occasions they need to enter the details manually.

Possibly more than a small percentage - I’d guess that a lot of hacked cards are sold/distributed to small-time thieves, who possibly don’t know the encoded number (or, if they were told it, are no more likely to remember it than the Lowe’s clerk is to remember the proper procedure for handling cards).