Creativity and security

leichter_jerrold at emc.com
Fri Mar 24 16:31:49 EST 2006


| > If all that information's printed on the outside of the card, then
| > isn't this battle kind of lost the moment you hand the card to them?
| 
| 1-  I don't hand it to them.  I put it in the chip-and-pin card reader 
| myself.  In any case, even if I hand it to a cashier, it is within my sight
| at all times.
| 
| 2-  If it was really that easy to memorize a name and the equivalent of a 
| 23-digit number at a glance without having to write anything down, surely 
| the credit card companies wouldn't need to issue cards in the first place?
| 
|   IOW, unless we're talking about a corrupt employee with a photographic 
| memory and telescopic eyes, the paper receipt I leave behind is the only 
| place they could get any information about my card details....

You're underestimating human abilities when there is a reward present.
Back in the days when telephone calling cards were common, people used
to "shoulder surf", watching someone enter the card number and
memorizing it.  A traditional hazing in the military is to give the new
soldier a gun, then a few seconds later demand that he tell you the
serial number from memory.  Soldiers caught out on this ... only get
caught out once.

Besides, there's a lot less to remember than you think.  I don't know
how your chip-and-pin card encoding is done, but a credit card number is
16 digits, with the first 4 (6?) specifying the bank (with a small
number of banks covering most of the market - if you see a card from
an uncommon bank, you can ignore it) and the last digit a check digit.
So you need to remember one of a small number of banks, a name, and
11 digits - for the few seconds it takes for the customer to move on
and give you the chance to scrawl it on a piece of paper.  Hardly very
challenging.
							-- Jerry


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


