[145904] in cryptography@c2.net mail archive


Re: Something you have, something else you have, and, uh, something

daemon@ATHENA.MIT.EDU (Sean Donelan)
Mon Sep 27 20:03:53 2010

Date: Sat, 18 Sep 2010 02:15:43 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: cryptography@metzdowd.com
In-Reply-To: <EFAD36E4-1151-450D-AC4F-0F6560A2BDDC@cs.columbia.edu>

On Fri, 17 Sep 2010, Steven Bellovin wrote:
> On Sep 17, 2010, at 4:53 51AM, Peter Gutmann wrote:
>> From the ukcrypto mailing list:
>>  AIUI, and I may be wrong, the purpose of activation is to prevent lost-in-
>>  the-post theft/fraud - so what do they need details which a thief who has
>>  the card in his hot sweaty hand already knows for?
>>
>> Looks like it's not just US banks whose interpretation of n-factor auth is "n
>> times as much 1-factor auth".
>>
> I don't know how NZ banks do it; in the US, they use the phone number you're calling from.  Yes, it's spoofable, but most folks (a) don't know it, and (b) don't know how.

It's 1-1/2 factor authentication, and the rest of the steps are quality
control for card manufacturing.  Much cheaper to use the customer as the
final quality control inspector.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
