Perry E. Metzger
Tue, 01 Jul 2008 15:16:25 -0700
Stephan Neuhaus <[EMAIL PROTECTED]> writes:
> On Jul 1, 2008, at 17:39, Perry E. Metzger wrote:
>
>> Ed, there is a reason no one in the US, not even Wells Fargo which you
>> falsely cited, does what you suggest. None of them use 4 digit PINs,
>> none of them use customer account numbers as account names. (It is
>> possible SOMEONE out there does this, but I'm not aware of it.)
>
> Many German savings banks use account numbers as account names (see,
> e.g., https://bankingportal.stadtsparkasse-kaiserslautern.de/banking/)
> http://www.stadtsparkasse-kaiserslautern.de ), as does, for example,
> the Saarländische Landesbank (https://banking.saarlb.de/cgi/anfang.cgi
> ). Most will not use 4-digit PINs, though.

And, Wells Fargo will let you use your PIN as part of a lost password
procedure, although I believe they require a lot of other pieces of
information at the same time like account number, online account name
and SSN.

My experience with European banks is quite limited -- my consulting
practice is pretty much US centric. My general understanding, however,
is that they are doing better, not worse, with login security.

>> I understand some European banks even do stuff like mailing people
>> cards with one time passwords.
>
> Do you mean TANs (TransAction Numbers)? TANs are used to authorize
> transactions that could affect your account balance. So stealing the
> PIN will let you look at the balance, but will not let you steal money
> (through this channel).
>
> (Or maybe you knew all this already and I just missed the irony.)

I knew part of it, but your additional information was worthwhile.

Perry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]