On 17 Sep 2010 at 20:53, Peter Gutmann wrote:

> From the ukcrypto mailing list:
>
> Just had a new Lloyds credit card delivered, it had a sticker saying I have
> to call a number to activate it. I call, it's an automated system.
>
> It asks for the card number, fair enough. It asks for the expiry date, well
> maybe, It asks for my DOB, the only information that isn't actually on the
> card, but no big secret. And then it asks for the
> three-digit-security-code-on-the-back, well wtf?
>
> Looks like it's not just US banks whose interpretation of n-factor auth is "n
> times as much 1-factor auth".

Well, as I understood it, a key part of the auth that wasn't mentioned was the source telephone #, and so lost-in-the-mail/theft would, on top of guessing the trivial questions, also have to call from your home phone [or the phone "associated" with the account]. Not perfectly secure but I was under the impression that ANI was harder to spoof than CallerID is.

/Bernie\

--
Bernie Cosell                     Fantasy Farm Fibers
mailto:[email protected]     Pearisburg, VA
    -->  Too many people, too few sheep  <--

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [email protected]
