Something you have, something else you have, and, uh, something else you have

Steven Bellovin smb at cs.columbia.edu
Fri Sep 17 16:04:36 EDT 2010


On Sep 17, 2010, at 4:53 51AM, Peter Gutmann wrote:

> From the ukcrypto mailing list:
> 
>  Just had a new Lloyds credit card delivered, it had a sticker saying I have
>  to call a number to activate it. I call, it's an automated system.
> 
>  It asks for the card number, fair enough. It asks for the expiry date, well
>  maybe, It asks for my DOB, the only information that isn't actually on the
>  card, but no big secret. And then it asks for the three-digit-security-code-
>  on-the-back, well wtf?
> 
>  AIUI, and I may be wrong, the purpose of activation is to prevent lost-in-
>  the-post theft/fraud - so what do they need details which a thief who has
>  the card in his hot sweaty hand already knows for?
> 
> Looks like it's not just US banks whose interpretation of n-factor auth is "n
> times as much 1-factor auth".
> 
I don't know how NZ banks do it; in the US, they use the phone number you're calling from.  Yes, it's spoofable, but most folks (a) don't know it, and (b) don't know how.

Of course, in many newer houses here there's a phone junction box *outside* the house.  So -- steal the envelope, and plug your own phone into the junction box, and away you go...


		--Steve Bellovin, http://www.cs.columbia.edu/~smb





---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list