Strong Signals: Information Polluters?

By John Parkinson  |  Posted 12-01-2003

Does your business have a customer loyalty program? Do you have CRM extensions that let you issue and track customized membership tokens—magnetic-stripe or bar-coded cards and key chain tags, maybe even smart cards—for some segments of your customer base? Do you use this information to help you operate your business? If you do, I bet you think these customer information-based capabilities are a great idea. Many customers agree; they like getting special recognition and "personalized" deals from you and your competitors.

But not all your customers are so positive, and the irrepressible march of cheap, prevalent technology is making it easier for them to rebel against what they see as the encroachment of corporate CRM. Take a look at this URL before reading on: epistolary.org/rob/bonuscard/. One of my colleagues who participates in our weak-signals research program came across it in early October 2003—it's just the sort of aberrant customer behavior that we seek to identify and then track over time. I wonder how many people are now participating, and how far the impact is spreading?

The Web site offers a way for people to swap bar-coded ID numbers from supermarket and other loyalty program cards, and to generate and print copies of other people's numbers to use on their own cards. You can also generate randomized numbers that could be a part of the program, but aren't necessarily issued yet, effectively polluting the CRM databases with both misinformation and noise. Although it's probable that only a small number of people are doing this so far, the problem with noisy customer databases is that if you can't trust all of it, pretty soon you can't trust any of it—essentially rendering useless all your expensively collected, stored and analyzed information.

After I visited the site, I sat down and inventoried the number of bar-coded and magnetic-striped membership tokens my family routinely carries around. Turns out it's quite a lot:

  • Five national or regional grocery store or superstore chains, one local grocer and a local liquor store chain.

  • Five hotel groups' frequent guest programs.

  • Six airlines' frequent-flier programs and three airline club membership programs.

  • Two car rental companies.

  • Two professional associations.

  • Two software company subscription programs.

  • Two credit-card companies' premium services programs (not the credit cards themselves).

  • Two insurance programs—health and dental.

  • Three roadside assistance programs—one from each of the manufacturers of my family's automobiles and one from our auto insurance company.

  • National Park Service and public radio membership cards.

  • The American Association of Retired People (I'm getting old, okay?).

That's 37 memberships—not counting the usual slew of debit and credit cards, store cards, building-entry cards, corporate ID cards and a couple of Speed Pass tokens. Maybe you have even more. Several of my neighbors (my unrepresentative but quickly available survey sample) easily beat this count.

Of my family's 37 tokens, 32 use magnetic-stripe cards and only 5 use bar codes stuck or printed on cards. But 3 of those with bar codes are big national or regional retail chains.

Now you probably don't have a magnetic-stripe reader/writer and the associated software at home—but I do (being a CTO brings with it all kinds of technology access perks). So I checked to see how many of the magnetic-stripe cards contained encrypted data. As I expect you know, there are ISO standards for how the data on magnetic stripes is formatted so that industry-standard terminals can read the cards. Cards containing especially sensitive information, such as debit and credit cards, encrypt the data and require special software to decrypt the byte string from the card reader. Encryption costs money and adds complexity, however, so if the data is not considered sensitive, many organizations that issue cards don't bother. In fact, none of the magnetic stripes on the 32 membership cards I tested was strongly encrypted, and the stripes on 6 of the cards contained no information at all—instead depending on someone reading and keying the embossed membership number, I presume.

That leaves me with 24 programs that I could potentially interfere with via the magnetic cards, and 5 I can mess with via the bar codes.

Printing bar codes yourself is trivially cheap, and that's a routine source of problems for retailers that use bar codes to indicate SKUs or prices on items in stores—in other words, nearly everyone. Print the label for, say, a $15 CD and use it to cover the store-printed code on a $150 Walkman, and chances are you'll get away with it. Retailers don't like to admit this goes on, but they do occasionally catch people using this trick and it's a well-known cause of "shrink."

Shifting identities around among members of a loyalty program could allow some people to get better deals than they otherwise would, either by achieving a higher level of status or better discounts. And it might even let people "arbitrage" memberships across brands or geographies. This decreases the accuracy of the information for some customer segments, but probably not materially. More worrying would be the insertion of random misaligned transactions into the databases—such as unissued numbers or randomly cross-linked individuals. A little statistical modeling indicates that even a relatively low level of such noise significantly degrades the usefulness of the data for small segment analysis and moderately increases the costs of handling exceptions.

Can the same mischief be made with unencrypted (or lightly encrypted) magnetic-stripe cards? Absolutely, although right now it's a lot more expensive to do so. As a test, I reprogrammed a bunch of old loyalty program cards (I keep almost everything) with other ID numbers borrowed from friends and colleagues, and they worked just fine. Tracking down the hardware and software to do this would take a lot more effort than printing bar codes, but it's not impossible. It took me about a day to find everything I needed to play around with unencrypted data—all available legally and openly online. The technology is becoming cheaper (opt-in loyalty programs are proliferating, increasing manufacturing volumes for the hardware and attracting developers to the software) and more common (smart-card access to a PC at work, for example, will eventually ensure that these devices make it into the preowned and surplus markets). That means it will soon be within the reach of any dedicated "information polluter."

You might think of this behavior as an early episode in civilian-sector "information warfare." We've already seen examples of corporate information warfare actions—Wal-Mart's decision in 2001 to cut off market researchers Information Resources Inc. and ACNielsen from Wal-Mart's point-of-sale data comes to mind. Now we are seeing "civilians"—consumers—join in.

Most consumers and retail businesses don't yet see the collection of customer transaction data as being truly strategic. Yet it can—and does—influence many retail decisions: store location driven by demographics and socioeconomic profiles; merchandizing mix and category management decisions based on expected buying patterns; promotional pricing aimed at specific population segments; even store layouts. All these factors and more are increasingly driven by presumed-to-be-accurate customer information. So efforts to render that same customer data less reliable, and perhaps even meaningless, represent an important and adverse development for the companies that are coming to rely on knowing who their customers are as well as what they're buying. Seller beware!

John Parkinson is chief technologist for the Americas at Cap Gemini Ernst & Young.