Something you have, something else you have, and, uh, something else you have
Bernie Cosell
bernie at fantasyfarm.com
Fri Sep 17 16:36:32 EDT 2010
On 17 Sep 2010 at 20:53, Peter Gutmann wrote:
> From the ukcrypto mailing list:
>
> Just had a new Lloyds credit card delivered, it had a sticker saying I have
> to call a number to activate it. I call, it's an automated system.
>
> It asks for the card number, fair enough. It asks for the expiry date, well
> maybe. It asks for my DOB, the only information that isn't actually on the
> card, but no big secret. And then it asks for the three-digit-security-code-
> on-the-back, well wtf?
> Looks like it's not just US banks whose interpretation of n-factor auth is "n
> times as much 1-factor auth".
Well, as I understood it, a key part of the auth that wasn't mentioned
was the source telephone #, and so lost-in-the-mail/theft would, on top
of guessing the trivial questions, also have to call from your home phone
[or the phone "associated" with the account]. Not perfectly secure but I
was under the impression that ANI was harder to spoof than CallerID is.
/Bernie\
--
Bernie Cosell Fantasy Farm Fibers
mailto:bernie at fantasyfarm.com Pearisburg, VA
--> Too many people, too few sheep <--
---------------------------------------------------------------------
The Cryptography Mailing List