The wisdom of the ill informed
Perry E. Metzger
perry at piermont.com
Tue Jul 1 12:46:44 EDT 2008
Stephan Neuhaus <neuhaus at st.cs.uni-sb.de> writes:
> On Jul 1, 2008, at 17:39, Perry E. Metzger wrote:
>
>> Ed, there is a reason no one in the US, not even Wells Fargo which you
>> falsely cited, does what you suggest. None of them use 4 digit PINs,
>> none of them use customer account numbers as account names. (It is
>> possible SOMEONE out there does this, but I'm not aware of it.)
>
> Many German savings banks use account numbers as account names (see,
> e.g., https://bankingportal.stadtsparkasse-kaiserslautern.de/banking/)
> http://www.stadtsparkasse-kaiserslautern.de ), as does, for example,
> the Saarländische Landesbank (https://banking.saarlb.de/cgi/anfang.cgi
> ). Most will not use 4-digit PINs, though.

And, Wells Fargo will let you use your PIN as part of a lost password
procedure, although I believe they require a lot of other pieces of
information at the same time like account number, online account name
and SSN.

My experience with European banks is quite limited -- my consulting
practice is pretty much US centric. My general understanding, however,
is that they are doing better, not worse, with login security.

>> I understand some European banks even do stuff like mailing people
>> cards with one time passwords.
>
> Do you mean TANs (TransAction Numbers)? TANs are used to authorize
> transactions that could affect your account balance. So stealing the
> PIN will let you look at the balance, but will not let you steal money
> (through this channel).
>
> (Or maybe you knew all this already and I just missed the irony.)

I knew part of it, but your additional information was worthwhile.

Perry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com