On Wed, Jul 13, 2005 at 12:15:48PM -0400, Perry E. Metzger wrote:
> John Denker <[EMAIL PROTECTED]> writes:
>> My point here is that knowing who I am shouldn't be a
>> crime, nor should it contribute to enabling any crime.
>> Suppose you know who I am.  Suppose you know my date of
>> birth, social security number, and great-great-grandmother's
>> maiden name.  As Spike said, so what?
> I tend to agree. It is equally ridiculous to use a credit card account
> number as the "secret" to authorize a transaction, since that "secret"
> has to be given out several times a day.

I went to pay my credit card bill today via a transfer out of my current
account. The amount was 714 quid or so. When I do this, I normally have
to sign a piece of paper to authorise the transaction - I'm happy with
this. In addition, I was also asked to confirm my date of birth and my
home postcode. (Just as a simple challenge, these are two data about me
that everyone on this list should quite trivially be able to find out).
Given the discussion, I commented that they weren't particularly secure
questions, so why bother asking them.  Apparently it's because my name
wasn't printed on the credit card bill. (HSBC have started printing it
in two sheets).

It didn't occur to her that she could quite easily have asked to see the
piece of plastic which is my credit card, which has the same numbers as
on the sheets, and my name. When I showed her that, she said "well, we
don't take credit cards as identification", and I pointed to the numbers
on the bill. I then got told that this only happened because the transaction
was between 500 and 1000 pounds. If it had been more, I would have needed
to show them a driving licence or passport (I don't drive, and I do now
have a passport, but there were several weeks where I was getting it
replaced recently - what if I'd needed to pay a large amount in, or if I'd
forgotten about it).

They also only bothered to tell me about this when I went there. I don't
routinely carry photo-ID and given the speed with which they processed the
queue, and the questions they asked, I suspect I'd have had a fairly major

>> And that is precisely where the problem lies.  Any
>> system that lets _identification_ serve as _authorization_
>> is so incredibly broken that it is hard to even discuss
>> it.  I don't know whether to laugh or cry.
> Again, yes.

I'm not so sure about this.

> However, I would like to make one small subtle point. In fact, what
> you are complaining about is not the use of identification for
> authorization -- that is a totally separate and equally sad discussion
> -- but the use of widely known pieces of information about
> someone to identify them. The issue is that the bank pretends only you

Very much so!



Matthew Byng-Maddick          <[EMAIL PROTECTED]>           http://colondot.net/
                      (Please use this address to reply)

The Cryptography Mailing List