But from your point, the codeword would be in the clear as well. Respectively speaking, I don't see how either solution would solve this.

Ed Gerck wrote:
List,

In an effort to stop phishing emails, Citibank is including in a plaintext
email the full name of the account holder and the last four digits of the
ATM card.

Not only are these personal identifiers sent in an insecure communication,
such use is not authorized by the person they identify. Therefore, I believe
that some points need to be made in regard to right to privacy and security
expectations.

It's the usual tactic of pushing the liability to the user. The account
holder gets the full liability for the "security" procedure used by
the bank.

A better solution, along the same lines, would have been for Citibank to
ask from their account holders when they login for Internet banking,
whether they would like to set up a three- or four-character combination
to be used in all emails from the bank to the account holder. This
combination would not be static, because it could be changed by the user
at will, and would not identify the user in any other way.

Private, identifying information of customers have been used before
by banks for customer login. The account holder's name, the ATM card
number, the account number, and the SSN have all been used, and abandoned,
for Internet banking login. Why? Because of the increased exposure
creating additional risks.

Now, with the unilateral disclosure by Citibank of the account holder's
name as used in the account and the last four digits of the ATM number,
Citibank is back tracking its own advances in user login (when they
abandoned those identifiers).

Of course, banks consider the ATM card their property, as well as the
number they contain. However, the ATM card number is a unique personal
identifier and should not be disclosed in a plaintext email without
authorization.

A much better solution (see above) exists, even using plaintext email --
use a codeword that is agreed beforehand with the user. This would be
a win-win solution, with no additional privacy and security risk.

Or is email becoming even more insecure, with our private information
being more and more disclosed by those who should actually guard it,
in the name of security?

Cheers,
Ed Gerck




--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.com
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Have Phishers stolen your customers' logins? Find out with DIA
https://slam.securescience.com/signup.cgi - it's free!  


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to