[145902] in cryptography@c2.net mail archive


Re: Something you have, something else you have, and, uh, something else you have

daemon@ATHENA.MIT.EDU (John Gilmore)
Mon Sep 27 20:02:54 2010

To: Steven Bellovin <smb@cs.columbia.edu>
cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, cryptography@metzdowd.com
In-reply-to: <EFAD36E4-1151-450D-AC4F-0F6560A2BDDC@cs.columbia.edu> 
Date: Fri, 17 Sep 2010 16:43:33 -0700
From: John Gilmore <gnu@toad.com>

> I don't know how NZ banks do it; in the US, they use the phone
> number you're calling from.  Yes, it's spoofable, but most folks (a)
> don't know it, and (b) don't know how.

No, they don't use the phone number to validate anything.  I routinely
ignore the instructions to "call from your home phone".  I call in from
random payphones to "activate" my cretin cards, and they activate just
fine.

Perhaps there's a database record made somewhere with the phone number
of that payphone -- but the card is active, and I could be stealing 
money from it immediately.

Note also that their ability to get that phone number depends on the
FCC exemption that allows 800-numbers to bypass caller-ID blocking.
If the FCC ever comes to its senses (I know, unlikely) then making
somebody call an 800-number will not even produce a phone number.

	John

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
