Something you have, something else you have, and, uh, something else you have

[Peter Gutmann]

>From the ukcrypto mailing list:

  Just had a new Lloyds credit card delivered, it had a sticker saying I have
  to call a number to activate it. I call, it's an automated system.

  It asks for the card number, fair enough. It asks for the expiry date, well
  maybe, It asks for my DOB, the only information that isn't actually on the
  card, but no big secret. And then it asks for the three-digit-security-code-
  on-the-back, well wtf?

  AIUI, and I may be wrong, the purpose of activation is to prevent lost-in-
  the-post theft/fraud - so what do they need details which a thief who has
  the card in his hot sweaty hand already knows for?

Looks like it's not just US banks whose interpretation of n-factor auth is "n
times as much 1-factor auth".

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com