The wisdom of the ill informed

Perry E. Metzger perry at piermont.com
Tue Jul 1 12:46:44 EDT 2008


Stephan Neuhaus <neuhaus at st.cs.uni-sb.de> writes:
> On Jul 1, 2008, at 17:39, Perry E. Metzger wrote:
>
>> Ed, there is a reason no one in the US, not even Wells Fargo which you
>> falsely cited, does what you suggest. None of them use 4 digit PINs,
>> none of them use customer account numbers as account names. (It is
>> possible SOMEONE out there does this, but I'm not aware of it.)
>
> Many German savings banks use account numbers as account names (see,
> e.g., https://bankingportal.stadtsparkasse-kaiserslautern.de/banking/)
> http://www.stadtsparkasse-kaiserslautern.de ), as does, for example,
> the Saarländische Landesbank (https://banking.saarlb.de/cgi/anfang.cgi
> ). Most will not use 4-digit PINs, though.

And, Wells Fargo will let you use your PIN as part of a lost password
procedure, although I believe they require a lot of other pieces of
information at the same time like account number, online account name
and SSN.

My experience with European banks is quite limited -- my consulting
practice is pretty much US-centric. My general understanding, however,
is that they are doing better, not worse, with login security.

>> I understand some European banks even do stuff like mailing people
> cards with one-time passwords.
>
> Do you mean TANs (TransAction Numbers)? TANs are used to authorize
> transactions that could affect your account balance.  So stealing the
> PIN will let you look at the balance, but will not let you steal money
> (through this channel).
>
> (Or maybe you knew all this already and I just missed the irony.)

I knew part of it, but your additional information was worthwhile.

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


