Emailing receipts

Before starting, I usually avoid taking political stances outside of Italy, since that is the only country I can vote in. But I think it’s clear to most people over here that, despite posting vastly about first-world problems, I do not thrive of the current political climate overall. So while you hear me complaining about things that are petty, don’t assume I don’t have just as much worries that are actually relevant to society as a whole. I just don’t have solutions, and tend to stick to talking to what I know.

I’m visiting the US, maybe for the last time for a while, given the current news. It reminds me of Japan and China, in the sense that it’s a country that mixes extremely high-tech and vintage solutions in the same space. The country had to be brought kicking and screaming into the 20th century some years ago to start issuing chip cards but on the other hand, thanks to Square, and LevelUp and all kind of other similar mobile payment platforms, email receipts are becoming more and more common.

I find this is interesting. I wrote some time ago my preference for electronic bills but I did not go into details of simpler receipts. I have touched on the topic when talking about expenses but I did not go into precise details either. And I thought that maybe it’s time to write something, if nothing else because this way I can share what my opinion on them is.

For those who may have not been to the States, or at least not in California or Manhattan, here is the deal I’m talking about: when you pay with a given credit card with Square for the first time (but the same applies to other platforms), it asks you if you want to receive a receipt confirmation via email. I usually say yes, because I prefer that to paper (more on that later). Afterwards, any payment made with the same card also gets emailed. You can unsubscribe if you want, but the very important part is that you can’t refuse the receipt at payment time. Which is fun, because after going to a bibimbap restaurant near the office last week, while on business travel, and taking a picture of the printed out receipt for the expense report, I got an email with the full receipt, including tip, straight into my work inbox (I paid with the company card, and I explicitly make the two go to different email addresses). The restaurant didn’t even have to ask.

As it happens, Square and mobile payments are not the only ones doing that. Macy’s, a fairly big department store in North America, also allows you to register a card, although as far as I remember, it allows you to still opt to only get the paper receipt. This different in options is interesting, and it kind of make sense, in the context of what spending pattern you may have: if you’re going to Macy’s to buy a gift for your significant other, it makes sense that you may not want to send them a copy of the receipt of the gift. On the other hand, I would not share my email password with a SO — maybe that’s why I’m single. Apple Stores also connect a card with an email address, but I remember the email receipt is also opt-in, which is not terribly good.

Why do I think it is important that the service allows you to opt-in to receipts but not opt-out of a single transaction? It’s a very good safeguard against fraud. If a criminal were to skim your card and use it through one of those establishment that send you email receipts, they would definitely opt out of the email receipts, as to no alert you. This is not a theoretical by the way, as this happened to me earlier this month. My primary card got skimmed – I have a feeling this happened in December, at the MIT Coop store in Cambridge, MA but that’s not important now – and used, twice at one or two Apple Store in Manhattan, buying the same item for something above €800, during what, for me, was a Saturday evening. I honestly don’t remember if I used that card at an Apple Store before, but assuming I did and the receipts would not be opt-in, I would have known to call my card company right away, rather than having to wait for them to call me on Monday morning.

While real-time alerts is something that a few banks do provide, no bank in Ireland does that, to my knowledge, and even in Italy the banks doing that make you pay extra for the service, which is kind of ludicrous, particularly for credit cards where the money at stake is usually the banks’. And since accounting of foreign transactions sometimes can easily take days, while the receipts are nearly instantaneous by design, this is very helpful to protect customers. I wish more companies started doing that.

An aside here about Apple: by complete coincidence, a colleague of mine had a different kind of encounter with criminals who tried to buy Apple devices with his card the week before me. In this case, the criminals got access to the card information to use online, and set up a new Apple ID to buy something. In this case, he did have the card attached to his real Apple ID account, and made online purchases from them not long before, so when they tried that, the risk engine on Apple’s side triggered, and they contacted him to verify whether the order was genuine. So in this case neither Apple nor the bank lost money, as the transaction was cancelled lately. He still had to cancel the card, though.

But there is more. Most people will treat receipts, and even more so credit card slips, as trash and just throw it the first chance they have. For most people and in most cases this is perfectly okay, but sometimes it is not. Check out this lecture by James Mickens — who I had the pleasure to listen to in person at LISA 2015… unfortunately not to meet and greet because I came under shock during his talk, as exactly at that time the Bataclan attacks in Paris happened, and I was distraught trying to reach all my Parisian friends.

If you have watched the full video, you now know that the last four digits of a credit card number are powerful. If you like fantasy novels, such as the Dresden Files, you probably read that “true names have power” — well, as it happens, a credit card number has possibly more power, in the real world. And the last four digits of a credit card can be found on most credit card slips, together with a full or partial name, as written on the card. So while it’s probably okay to leave the credit card slip on the table, at a random restaurant in the middle of the desert, if you’re the only patron inside… it might not be quite the same if you’re a famous person, or a person a risk of harassment. And let’s be honest, everybody is at risk nowadays.

While it is true that credit card slips and receipts are often separate, particularly when using chip cards, as the POS terminal and the registry are usually completely separated, this is not always the case, and almost never the case for big stores, both in the United States and abroad. Square cash registries, as well as a number of other similar providers, that graduated from mobile-only payments to full blown one-stop-shop of payment processing, tend to print out a single slip of paper (if you have not registered for the email receipts). This at least reduces the chance that you would throw away the receipt right away, as you probably want to bring it home with you for warranty purposes.

And then there is the remaining problem: when you throw away paper receipts directly into the trash, dumpster diving makes it possible to find out a lot about your habits, and in particular it makes significantly easier to target you, just as an opportunity, with the previously-mentioned power of the last four digits of your card, and a name.

Now, it is true that we have two different security problems now: the payment processing companies can now connect a credit card number with an email address — but I would hope that PCI-DSS would stop them from actually storing the payment information in cleartext, I hope they only store a one-way hash of the credit card number, to connect to the email address. It still is tricky, because even with the hashed card numbers, a leak of that database would make the above attacks even easier: you can find out the email address, and from that easily the accounts, of a credit card owner, and take control way too easily.

There is also a risk that you’re opening up more details of your personal life to whoever has access to your email account — let’s say your employer, if you’re not properly siloing your email accounts. This is a real problem, but only made slightly worse by the usage of email receipts for in-store purchases. Indeed, most likely for stores like CVS, you can have a order history straight from the website, which most likely you can already access if you have access to the email account — which, by the way, it’s why you should ask for 2FA!. As I said above, I only get sent email to my work account if they are undoubtedly work only; anything I buy with the work credit card is clearly work-related only, but for instance taxi receipts, flights or hotel bookings may be personal, and so the account is set to mail my personal account only — when needed I forward the email messages over, but usually I just need the receipts for expensing.

And hey, even the EFF, who I renewed my support today, uses Square to take donations, so why not?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s