Re: Something you have, something else you have, and, uh, something else you have

2010-09-27 Thread Bernie Cosell
On 17 Sep 2010 at 20:53, Peter Gutmann wrote:

 From the ukcrypto mailing list:
 
   Just had a new Lloyds credit card delivered, it had a sticker saying I have
   to call a number to activate it. I call, it's an automated system.
 
   It asks for the card number, fair enough. It asks for the expiry date, well
   maybe. It asks for my DOB, the only information that isn't actually on the
   card, but no big secret. And then it asks for the three-digit-security-code-
   on-the-back, well wtf?

 Looks like it's not just US banks whose interpretation of n-factor auth is n
 times as much 1-factor auth.

Well, as I understood it, a key part of the auth that wasn't mentioned 
was the source telephone #, and so a lost-in-the-mail thief would, on top 
of guessing the trivial questions, also have to call from your home phone 
[or the phone associated with the account].  Not perfectly secure, but I 
was under the impression that ANI was harder to spoof than CallerID is.

  /Bernie\

-- 
Bernie Cosell Fantasy Farm Fibers
mailto:ber...@fantasyfarm.com Pearisburg, VA
--  Too many people, too few sheep  --   



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Something you have, something else you have, and, uh, something else you have

2010-09-27 Thread John Gilmore
 I don't know how NZ banks do it; in the US, they use the phone
 number you're calling from.  Yes, it's spoofable, but most folks (a)
 don't know it, and (b) don't know how.

No, they don't use the phone number to validate anything.  I routinely
ignore the instructions to call from your home phone.  I call in from
random payphones to activate my cretin cards, and they activate just
fine.

Perhaps there's a database record made somewhere with the phone number
of that payphone -- but the card is active, and I could be stealing 
money from it immediately.

Note also that their ability to get that phone number depends on the
FCC exemption that allows 800-numbers to bypass caller-ID blocking.
If the FCC ever comes to its senses (I know, unlikely) then making
somebody call an 800-number will not even produce a phone number.

John



Re: Something you have, something else you have, and, uh, something else you have

2010-09-27 Thread Sean Donelan

On Fri, 17 Sep 2010, Steven Bellovin wrote:

 On Sep 17, 2010, at 4:53 51AM, Peter Gutmann wrote:
 
   From the ukcrypto mailing list:
   
     AIUI, and I may be wrong, the purpose of activation is to prevent lost-in-
     the-post theft/fraud - so what do they need details which a thief who has
     the card in his hot sweaty hand already knows for?
   
   Looks like it's not just US banks whose interpretation of n-factor auth is n
   times as much 1-factor auth.
 
 I don't know how NZ banks do it; in the US, they use the phone number you're 
 calling from.  Yes, it's spoofable, but most folks (a) don't know it, and (b) 
 don't know how.


It's 1-1/2 factor authentication, and the rest of the steps are quality 
control for card manufacturing.  Much cheaper to use the customer as the 
final quality control inspector.



Re: Something you have, something else you have, and, uh, something else you have

2010-09-17 Thread Steven Bellovin

On Sep 17, 2010, at 4:53 51AM, Peter Gutmann wrote:

 From the ukcrypto mailing list:
 
  Just had a new Lloyds credit card delivered, it had a sticker saying I have
  to call a number to activate it. I call, it's an automated system.
 
  It asks for the card number, fair enough. It asks for the expiry date, well
  maybe. It asks for my DOB, the only information that isn't actually on the
  card, but no big secret. And then it asks for the three-digit-security-code-
  on-the-back, well wtf?
 
  AIUI, and I may be wrong, the purpose of activation is to prevent lost-in-
  the-post theft/fraud - so what do they need details which a thief who has
  the card in his hot sweaty hand already knows for?
 
 Looks like it's not just US banks whose interpretation of n-factor auth is n
 times as much 1-factor auth.
 
I don't know how NZ banks do it; in the US, they use the phone number you're 
calling from.  Yes, it's spoofable, but most folks (a) don't know it, and (b) 
don't know how.

Of course, in many newer houses here there's a phone junction box *outside* the 
house.  So -- steal the envelope, and plug your own phone into the junction 
box, and away you go...


--Steve Bellovin, http://www.cs.columbia.edu/~smb