[145892] in cryptography@c2.net mail archive
Re: Something you have, something else you have, and, uh, something else you have
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Fri Sep 17 16:30:06 2010
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <E1OwWhb-0003uQ-8I@wintermute02.cs.auckland.ac.nz>
Date: Fri, 17 Sep 2010 16:04:36 -0400
Cc: cryptography@metzdowd.com
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
On Sep 17, 2010, at 4:53 51AM, Peter Gutmann wrote:
> From the ukcrypto mailing list:
>
> Just had a new Lloyds credit card delivered, it had a sticker saying I have
> to call a number to activate it. I call, it's an automated system.
>
> It asks for the card number, fair enough. It asks for the expiry date, well
> maybe. It asks for my DOB, the only information that isn't actually on the
> card, but no big secret. And then it asks for the
> three-digit-security-code-on-the-back, well wtf?
>
> AIUI, and I may be wrong, the purpose of activation is to prevent
> lost-in-the-post theft/fraud - so what do they need details which a thief
> who has the card in his hot sweaty hand already knows for?
>
> Looks like it's not just US banks whose interpretation of n-factor auth is
> "n times as much 1-factor auth".
>
I don't know how NZ banks do it; in the US, they use the phone number
you're calling from. Yes, it's spoofable, but most folks (a) don't know
it, and (b) don't know how.

Of course, in many newer houses here there's a phone junction box
*outside* the house. So -- steal the envelope, and plug your own phone
into the junction box, and away you go...
--Steve Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com