[17290] in cryptography@c2.net mail archive
Re: Citibank discloses private information to improve security
daemon@ATHENA.MIT.EDU (Lance James)
Tue May 31 15:46:56 2005
X-Original-To: cryptography@metzdowd.com
Date: Tue, 31 May 2005 11:20:50 -0700
From: Lance James <lancej@securescience.net>
To: Ed Gerck <edgerck@nma.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
In-Reply-To: <42963D4D.2020108@nma.com>
Ed Gerck wrote:
> Suppose you choose "A4RT" as your codeword. The codeword has no privacy
> concern (it does not identify you) and is dynamic -- you can change it at
> will, if you suspect someone else got it.
>
> Compare with the other two identifiers that Citibank is using. Your full
> name is private and static. The ATM's last-four is private and static too
> (unless you want the burden to change your card often).
>
I agree on the privacy issue; your point is well taken there.
> Lance James wrote:
>
>> But from your point, the codeword would be in the clear as well.
>> Respectively speaking, I don't see how either solution would solve this.
>>
>>
>> Ed Gerck wrote:
>>
>>> List,
>>>
>>> In an effort to stop phishing emails, Citibank is including in a
>>> plaintext email the full name of the account holder and the last four
>>> digits of the ATM card.
>>>
>
>
--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.com
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Have Phishers stolen your customers' logins? Find out with DIA
https://slam.securescience.com/signup.cgi - it's free!
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com