Archive for the ‘Los Angeles’ Category

Upcoming workshop: Marie Antoinette’s Court

Tuesday, March 27th, 2007

May 6, 2007 from 1 – 9PM, $75, includes catered dinner.

Pre-registration required.

details at westsideworkshop.com

Hacking a Fingerprint Video

Thursday, March 22nd, 2007

Mythbusters spent 3 days experimenting with ways to break into a high security thumbprint lock. They did it in ten minutes using both a photocopy of a fingerprint, and a more complicated method of using a cast fingerprint lifted off of a CD.

For the few customers who do work with equipment that’s secured with biometrics, it is something to consider. If someone with less than honest motives was working at a car dealership that had access to your thumbprint, they would also have your employer’s name and information.

Check out the video.

Update: some interesting links via an old boingboing post:
Gummi bears defeat Fingerprint Sensors

More on the Gummi bears

Making homegrown cyanoacrylate fingerprints

Some dealerships say that thieves are deterred when thumbprints are taken. But since they don’t tell you about this policy until the last minute, customers must make a very awkward choice: put your thumbprint in a box and feel like a criminal being booked, or say no thank you, and walk out the door knowing they believe you to be a thief, deterred by their clever tactic?

I believe their faith in this is misguided. When you can pick out any glass bottle out of someone’s trash and create a false prosthetic print from it with superglue fumes, how does that protect anyone? If it becomes necessary to use someone else’s thumbprint to steal a car, that’s exactly what thieves will do.

Imagine if every dealer uses this technique. It won’t stop the thieves. They’ll just get more creative.

What if your print was stolen and used to acquire a car? It could work like this: the print is run through the DMV database. Your name comes up – a perfect match, but you’ve never even set foot in that dealership. How can you ever hope to prove your innocence? Better hope you had a good alibi.

A forged thumbprint can be a damning indictment, far worse than a badly forged signature.

Brave New Car Dealer: fingerprints required to buy a car?

Saturday, March 17th, 2007




Imagine you’ve gone through a multiple week process to purchase an automobile.

You know the drill. Research every feature, pick your color, then, it’s negotiations for purchase price and for trade-in. Everything is done and agreed-upon, and excited, you are ready to hand over the check and collect your new car.

But wait!

You are handed a slip of paper and told to mark your right thumbprint in a box. The paper says clearly that it’s a request, for your protection, and to prevent your identity theft.

When you politely decline, the dealership refuses to sell you the car.

This is precisely what happened to me today when I tried to purchase a new X3 at the South Bay BMW dealer in Torrance, California.

Let me restate: In order to buy a car, with cash, you must authorize the release of your official DMV-recorded thumbprint to the dealership. This is not a law, this is a “dealership policy.” More on that in a minute.

Taken completely by surprise by all this, my husband and I asked many questions about this process. We were told that the data would remain on file at the dealership for seven years. That this policy is in place to protect us. That there are many bad, bad people in the world, who commit fraud, and that by recording everybody’s fingerprints, they would be deterred from committing fraud.

We were unsatisfied with the answers, and we explained that we were not comfortable with this arbitrary demand for biometric data and if this was required, we would not buy the car.

The resident fat cat was phoned, taking our call from his vacation spot in Hawaii. He replied that the collection and storage of biometric data is his policy.

He would not make any exceptions. The sales staff was clearly paralyzed here – they’d spent time making this sale happen too.

“He pays our salary, and that’s his rule,” they said.

“Well, customers pay his salary, and if he keeps treating them like criminals, I can’t imagine he’ll be able to afford many more trips to Hawaii,” I replied.

I might as well have been talking to the carpet.

According to the staff, this is the process at all dealerships owned by the Hitchcock Automotive Resources Company. They’ve had this program in place for over three months, and only one other person has refused to go through with the sale. The implication was clear; policy had singlehandedly stopped a bad guy, right in his tracks.

One criminal, over three months. Hundreds of people hassled. Clearly the deterrent is working. Right?

We walked out of the dealership, but not before learning that none of my personal data which was copied and recorded would be returned to me or destroyed.

It’s going to be kept on file for 7 years. Policy, you see. It goes in the same file where they keep the fingerprints.

So now I’ve lost copies of my driver’s license, credit report (which was also run without my knowledge), and marriage certificate (a copy of which was required in order to process the sale under my new name).

When I looked all this up online, I found… nothing. How is this possible? This is the Internet. Hundreds of people find my website each week from looking for photographs of owl vomit. But somehow this bizarre infraction of personal privacy has gone totally undocumented.

Looking a little bit deeper, I came across SB 504, a bill introduced to the California Senate by San Jose-based Senator Elaine Alquist, on February 18, 2005. It was created as an act “to add Section 11713.15 to the Vehicle Code, relating to dealers.”

In one of its earliest incarnations, SB 504 stated:

No dealer issued a license pursuant to this article shall sell
a vehicle without first obtaining the right thumbprint of the
purchaser and a photocopy of his or her valid form of identification.

The bill was ultimately chartered into law, but not before everything related to car dealers was edited out. I’m no legislator, and I won’t pretend to understand this process, but in fact the final chartered version seems not to have anything to do with car dealers at all.

I resent the implication that I am somehow a less worthy customer, a potential criminal due to my refusal to provide my fingerprints to a private, non-government entity. But what I resent even more is that a private business has been somehow “entreated” to enact a bill that failed to make it through the California legislature in the first place. The bill failed, so who is pressuring these dealers to enact it, regardless of the law?

I asked the dealership if I could keep a copy of the fingerprint form. Here’s the text:

“As you are aware, there is a national problem of identity theft. Southern California formed a multi-jursidictional law enforcement group, the Taskforce for Regional Autotheft Protection (“TRAP”).

Car dealers (especially luxury car dealers) are one of the prime targets for identity and auto theft. For your protection from identity fraud, we are now requesting all of our clients who purchase or lease a vehicle, to provide a thumb print, along with a copy of their current Driver’s License.

We have learned from law enforcement officials that the requirement of a thumb print is deterring criminals who engage in identity theft. Law enforcement officials also recommend that the dealer retrieve a DMV Driver License record to verify all information. This information will be kept confidential.

We appreciate your assistance in helping Southern California and South Bay with this very serious problem.

X________________ X_____________
Customer’s Signature Date

_________________
Print Name

By signin (sic) this form, I authorize (insert dealership name) to run a DMV Driver License record to verify all information.

Please place right thumb print in the square.

_____________________
Witnessed by (signature) Print Name

__________
Date

According to Google, there’s no such thing as the “Taskforce for Regional Autotheft Protection“. At least, not that’s been indexed yet.

Digging around in some of the other California police sites only brings up a few flaky ten-year-old press releases:

But looking a little further, there’s finally some recent and useful information from the LAPD, which leads to the nonprofit group NICB which is, as far as I can tell, an insurance lobbying group. And did they mention they’re not-for-profit? Because they are. Totally not-for-profit. Their report on how auto theft fraud is orchestrated (PDF) is fascinating reading, especially since it doesn’t ever mention a single thing about this kind of fraud, the kind that can be prevented by recording a thumbprint.

The dealership claimed that the fingerprinting was for my protection. To make sure I’m really who I say I am, and haven’t just stolen someone’s social security number.

But I don’t get it. How does that work? No one’s checking to make sure the fingerprint I leave matches the one on file with the DMV. There’s no forensics expert on staff. And I don’t have data on this but I feel pretty certain that any car thief worth his salt probably already has more than one set of prints on file.

My point: If I had wanted to steal a car today, I could have simply popped my thumbprint down, and driven off with the car. I could do that twenty times at twenty different dealerships, if I were so inclined. This system protects nothing. It’s no deterrent.

And what about the legality of all this? Frankly, it doesn’t sound like such a great situation for the car dealerships. Who’s pushing this? Is it coming from the LAPD? Or is it from NICB, that friendly you know, “not for profit, nope-no-profit here” group? Is someone strong-arming the dealers? Is there some financial incentive, cheaper insurance rates maybe? Maybe the participating dealers are just being good homeland citizens.

Dollar Rent-A-Car tried fingerprinting their customers for a while. They gave up after realizing that it had no effect on fraud or theft. Simply, treating your customers like felons is bad for business.

That’s exactly why I will not purchase a car from South Bay BMW & Mini. There’s no legislation that I know of to regulate how this kind of data must be kept or stored.

And while they were nice enough to give me a copy of the thumbprint letter, nobody could provide me with a clear company privacy statement that outlines exactly how this data will be handled.

I already use my fingerprint to unlock my laptop computer. In five years I may be using it to unlock my front door, or access my medical records. Last month, my personal data was stolen during the big UCLA database break-in. So, if this thumbprint thing is really my last remaining way to prove my identity, well, pardon me for not trusting your sales force with it.

In this kind of situation, your only option is to vote with your feet (and your wallet). Calling around to a few other dealers, I felt like a criminal simply by ASKING whether they intended to fingerprint me as part of their sales process. At the very first dealer I called, the receptionist said “We don’t believe in treating our customers like criminals.”

So maybe there’s still hope.

Maybe.

Van Nuys High: no spellcheck left behind

Monday, February 5th, 2007

So I’m taking a class (over at LA Academy of Figurative Art) in Van Nuys. The class starts at 7PM, but I live on the west side of Los Angeles. Because of that whole traffic problem, I need to leave early enough to beat rush hour, which leaves me with a few hours to fill.

There’s plenty of nice things to do in the valley, plenty of restaurants and coffeeshops (and uh, lots of car dealerships), and I was looking for interesting things to do in the area when Google led me to the Van Nuys High School Rules and Policy page.

I noticed a number of spelling mistakes and typographical errors, so I copied the text and ran it through MSWord’s spell check. Here’s some screencaptures of the 26 errors that Word found. It didn’t pick up correctly spelled but misused words, such as “a flouring academic community.”

Academic recors?
Disciplianry actions extablished by the cousneling office?

I applaud Van Nuys for taking the initiative to get this website up and running, but the question remains: How can anyone expect students to succeed academically, or even take their administration seriously when the people running the place haven’t taken time to ensure that the school policies and rules are readable? Who wrote this?

The first sentence of the school’s plagiarism statement is identical to that of Brigham Young University:

Plagiarism is a form of intellectual theft that violates widely recognized principles of academic integrity.

Please understand that I don’t intend to make fun of the school or this situation, because it is evident throughout the page that intentions are in the right place. In Los Angeles, there are plenty of people for whom English is not a first language. And in any urban high school there are certainly bigger problems to solve besides some typographical errors on a webpage.

But the point is this: that’s no excuse. If you can’t afford a spell checking program, hand it to your coworker. Even one editing pass will help root out these errors and will go a long way towards cleaning up your document.

If your school is public and underfunded, turn it into a classroom project. Now you are teaching English grammar, helping your school save money, and communicating the importance of doing a project well. You’re helping create a civic pride in your school, and showing your students how to project a positive and respectable image, and to do good work, even with a lack of resources.

That’s one of the most important lessons anyone can learn in life.

parasitic roundworms, hackers, whatevs

Wednesday, December 13th, 2006

This nice thing came in my email today. Now there is a fraud alert on my social security number!

December 12, 2006

Dear Friend,

UCLA computer administrators have discovered that a restricted campus database containing certain personal information has been illegally accessed by a sophisticated computer hacker. This database contains certain personal information about UCLA’s current and some former students, faculty and staff, some student applicants and some parents of students or applicants who applied for financial aid. The database also includes current and some former faculty and staff at the University of California, Merced, and current and some former employees of the University of California Office of the President, for which UCLA does administrative processing.

I regret having to inform you that your name is in the database. While we are uncertain whether your personal information was actually obtained, we know that the hacker sought and retrieved some Social Security numbers. Therefore, I want to bring this situation to your attention and urge you to take actions to minimize your potential risk of identity theft. I emphasize that we have no evidence that personal information has been misused.

The information stored on the affected database includes names and Social Security numbers, dates of birth, home addresses and contact information. It does not include driver’s license numbers or credit card or banking information.

Only designated users whose jobs require working with the restricted data are given passwords to access this database. However, an unauthorized person exploited a previously undetected software flaw and fraudulently accessed the database between October 2005 and November 2006. When UCLA discovered this activity on Nov. 21, 2006, computer security staff immediately blocked all access to Social Security numbers and began an emergency investigation. While UCLA currently utilizes sophisticated information security measures to protect this database, several measures that were already under way have been accelerated.

In addition, UCLA has notified the FBI, which is conducting its own investigation. We began notifying those individuals in the affected database as soon as possible after determining that personal data was accessed and after we retrieved individual contact information.

As a precaution, I recommend that you place a fraud alert on your consumer credit file. By doing so, you let creditors know to watch for unusual or suspicious activity, such as someone attempting to open a new credit card account in your name. You may also wish to consider placing a security freeze on your accounts by writing to the credit bureaus. A security freeze means that your credit history cannot be seen by potential creditors, insurance companies or employers doing background checks unless you give consent. For details on how to take these steps, please visit http://www.identityalert.ucla.edu/what_you_can_do.htm.

Extensive information on steps to protect against personal identity theft and fraud are on the Web site of the California Office of Privacy Protection, a division of the state Department of Consumer Affairs:

http://www.privacy.ca.gov.

Information also is available on a Web site we have established, http://www.identityalert.ucla.edu. The site includes additional information on this situation, further suggestions for monitoring your credit and links to state and federal resources. If you have questions about this incident and its implications, you may call our toll-free number, (877) 533-8082.

Please be aware that dishonest people falsely identifying themselves as UCLA representatives might contact you and offer assistance. I want to assure you that UCLA will not contact you by phone, e-mail or any other method to ask you for personal information. I strongly urge you not to release any personal information in response to inquiries of this nature.

We have a responsibility to safeguard personal information, an obligation that we take very seriously.

I deeply regret any concern or inconvenience this incident may cause you.

Sincerely,

Norman Abrams,
Acting Chancellor

Databases are databases, and security is security, and sometimes these things get broken into, but still.

EIGHT HUNDRED THOUSAND PEOPLE? Who on GOD’S GREEN EARTH stores 800,000 social security numbers in ONE DATABASE?

UCLA hasn’t had any good PR these days, and this sort of thing is not going to help their image. What is going on?