On Sep 17, 2010, at 4:53 51AM, Peter Gutmann wrote:
> From the ukcrypto mailing list:
>
> Just had a new Lloyds credit card delivered, it had a sticker saying I have
> to call a number to activate it. I call, it's an automated system.
>
> It asks for the card number, fair enough. It asks for the expiry date, well
> maybe, It asks for my DOB, the only information that isn't actually on the
> card, but no big secret. And then it asks for the three-digit-security-code-
> on-the-back, well wtf?
>
> AIUI, and I may be wrong, the purpose of activation is to prevent lost-in-
> the-post theft/fraud - so what do they need details which a thief who has
> the card in his hot sweaty hand already knows for?
>
> Looks like it's not just US banks whose interpretation of n-factor auth is "n
> times as much 1-factor auth".
>
I don't know how NZ banks do it; in the US, they use the phone number you're
calling from. Yes, it's spoofable, but most folks (a) don't know it, and (b)
don't know how.
Of course, in many newer houses here there's a phone junction box *outside* the
house. So -- steal the envelope, and plug your own phone into the junction
box, and away you go...
--Steve Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
