404: Signature Not Found

May 7, 2021

By Kevin King

We’ve come a long way from when we had to sign paper receipts when paying by credit card, and then have a store manager or cashier look over at that receipt and the signature at the back of the card to visually (and vaguely) try and ascertain if they were the same.

Over the past decade in the United States, it has become increasingly unlikely that you would have to sign for a purchase made using a credit card. In the beginning, this (not needing to sign) only occurred when you made an online purchase or other types of Card Not Present transactions, but gradually, many in-store retailers also stopped requiring signatures for low dollar amount purchases. For most, these changes were welcome, as they made regular purchases easier to complete in everyday life by reducing transaction — or point-of-sale — friction.

Now, even in that rare instance when you do sign for things like a big purchase of home improvement supplies or when making a purchase at a U.S. Post Office, it’s likely your signature looks nothing like your “normal” signature because of the size of the receipt or the quality of the electronic signature technology.

Intuitively, it made sense that signatures protected you from fraud; after all, you had to sign the back of a card before you used it, in the place where it said something like “AUTHORIZED SIGNATURE – NOT VALID UNLESS SIGNED.” Additionally, the tech in payment processing terminals communicates directly with the credit card company when you make a purchase; logically, you’d assume that it would send that signature along to help authenticate your purchase. In the real world, however, signing for a purchase is not about your security; instead, signature collection is about who is liable for fraud when it occurs.

How Liability Worked

Originally, credit card companies waited for you to report a card stolen or dispute a transaction on your account before they conducted a fraud investigation. Following a stolen card or disputed transaction report, the merchants were contacted to supply receipts. If a merchant produced the receipt with a signature, then the credit card company was liable for the fraud and removed the charge from the account. If, however, the merchant in question did not have the receipt, then that merchant was liable for the fraud and was required to pay the credit card company back the purchase amount.

The result of this liability scheme was that high volume, low purchase amount retailers, like coffee shops, had to store countless slips of paper with signatures to protect themselves from being liable for relatively rare fraudulent purchases of a few dollars or less. Many then concluded that the overall cost of the fraud was far less than the cost to protect themselves from the fraud, a realization that resulted in the elimination of signatures for small value transactions.

It Was A Wild, Wild Web Out There

In a world not so long ago, credit card fraud used to be significantly more difficult to perform at scale. Card number thefts would require physical access to old receipts through dumpster diving or insider access, or the theft of a wallet. However, the internet has made credit card theft much easier to carry out. Entire retail networks or payment processing networks can be compromised, resulting in the theft of millions of card numbers. These stolen card numbers can often be bought online for a few dollars a piece. As a result, credit card companies became much more aggressive in their fraud prevention.

Remember the time a few years ago when you went to buy something and the cashier at the store would ask you if you wanted to swipe or insert your card? And sometimes, even if you had a card with a chip, they didn’t have the ability to allow your card to be inserted and would ask you to swipe anyway? In 2015, credit card companies began issuing cards with embedded microchips in them to customers, thus shifting liability for fraud occurring at the point-of-sale to sellers that had not switched their processing hardware to include what were called EMV-compliant card readers. 

How did the chip help? At the point-of-sale, the microchip would generate a unique code for the transaction that could not be used for any other purchase. The older, magnetic swipe, on the other hand, basically generated the same information for every transaction, leaving your card more vulnerable to fraud. 

There have been dramatic changes since that time on the fraud protection side. Credit card companies now mine your purchasing history as well as use emerging software algorithms to predict and prevent fraud. And you know what’s fascinating? None of the security protections they use involve using your signature. While it would be nice if we could use a signature as an additional form of fraud protection for credit card purchases, there is no good way of doing this currently.

The Problem With Signatures

Graphology, or the study of the patterns in handwriting that may help identify a person, their personality traits, or their mental state when writing, is generally considered a pseudoscience. While the conclusions drawn from the science are, at best, suspect, we have known for a long time that handwriting changes as we age and can change as the result of major physical, psychological or medical conditions. Alzheimer’s and depression are known to affect handwriting. A 2018 study by researchers at the University of Haifa indicated that changes in handwriting, including shapes of letters, and spacing, could indicate an individual’s state of mind, for instance, if someone was angry or tired.

What might surprise you is how much your own handwriting has simply just changed. These changes likely occurred naturally, but handwriting is as much a personal expression as it is a form of communication. By dedicating time and effort, you can even consciously alter your handwriting long term. Even if you consciously work to keep the same signature, change is inevitable.

The issue of handwriting changes is compounded when low quality, poorly maintained equipment is used to capture a signature. The performance requirements for commodity signature capture hardware are often at odds with the need to capture high quality signatures. Sensitive capture technologies need regular calibration, tend to be more fragile than the less sensitive designs, and are significantly more expensive.

Additionally, the placement and size of capture devices alter the ease of use. For example, systems that use finger input instead of stylus input produce significantly different signatures, because different muscles are used in each activity. All of this means that electronic signature verification is an even more impossible task than even verifying a signature.

The author is head of development and Product Architect with Biometrica.com. You can reach him at marketing@biometrica.com