[17265] in cryptography@c2.net mail archive

Re: Citibank discloses private information to improve security

daemon@ATHENA.MIT.EDU (Ed Gerck)
Mon May 30 18:16:41 2005

X-Original-To: cryptography@metzdowd.com
Date: Thu, 26 May 2005 14:19:09 -0700
From: Ed Gerck <edgerck@nma.com>
To: Lance James <lancej@securescience.net>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
In-Reply-To: <42963718.8020404@securescience.net>

Suppose you choose "A4RT" as your codeword. The codeword has no privacy concern
(it does not identify you) and is dynamic -- you can change it at will, if you
suspect someone else got it.

Compare with the other two identifiers that Citibank is using. Your full name
is private and static. The ATM's last-four is private and static too (unless
you want the burden to change your card often).

Lance James wrote:
> But from your point, the codeword would be in the clear as well. 
> Respectively speaking, I don't see how either solution would solve this.
> 
> 
> Ed Gerck wrote:
> 
>> List,
>>
>> In an effort to stop phishing emails, Citibank is including in a plaintext
>> email the full name of the account holder and the last four digits of the
>> ATM card.
>>

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
