[145901] in cryptography@c2.net mail archive

Re: Something you have, something else you have, and, uh, something else you have

daemon@ATHENA.MIT.EDU (Bernie Cosell)
Mon Sep 27 20:02:31 2010

X-Barracuda-Envelope-From: bernie@fantasyfarm.com
From: "Bernie Cosell" <bernie@fantasyfarm.com>
To: cryptography@metzdowd.com
Date: Fri, 17 Sep 2010 16:36:32 -0400
In-reply-to: <E1OwWhb-0003uQ-8I@wintermute02.cs.auckland.ac.nz>

On 17 Sep 2010 at 20:53, Peter Gutmann wrote:

> From the ukcrypto mailing list:
> 
>   Just had a new Lloyds credit card delivered, it had a sticker saying I have
>   to call a number to activate it. I call, it's an automated system.
> 
>   It asks for the card number, fair enough. It asks for the expiry date, well
>   maybe. It asks for my DOB, the only information that isn't actually on the
>   card, but no big secret. And then it asks for the three-digit-security-code-
>   on-the-back, well wtf?

> Looks like it's not just US banks whose interpretation of n-factor auth is "n
> times as much 1-factor auth".

Well, as I understood it, a key part of the auth that wasn't mentioned 
was the source telephone #, and so lost-in-the-mail/theft would, on top 
of guessing the trivial questions, also have to call from your home phone 
[or the phone "associated" with the account].  Not perfectly secure but I 
was under the impression that ANI was harder to spoof than CallerID is.

  /Bernie\

-- 
Bernie Cosell                     Fantasy Farm Fibers
mailto:bernie@fantasyfarm.com     Pearisburg, VA
    -->  Too many people, too few sheep  <--       



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
