Something you have, something else you have, and, uh, something else you have
Sean Donelan
sean at donelan.com
Sat Sep 18 02:15:43 EDT 2010
On Fri, 17 Sep 2010, Steven Bellovin wrote:
> On Sep 17, 2010, at 4:53 51AM, Peter Gutmann wrote:
>> From the ukcrypto mailing list:
>> AIUI, and I may be wrong, the purpose of activation is to prevent lost-in-
>> the-post theft/fraud - so what do they need details which a thief who has
>> the card in his hot sweaty hand already knows for?
>>
>> Looks like it's not just US banks whose interpretation of n-factor auth is "n
>> times as much 1-factor auth".
>>
> I don't know how NZ banks do it; in the US, they use the phone number you're calling from. Yes, it's spoofable, but most folks (a) don't know it, and (b) don't know how.
Its 1-1/2 factor authentication, and the rest of the steps are quality
control for card manufacturing. Much cheaper to use the customer as the
final quality control inspector.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list