In message <[log in to unmask]>, at 09:06:36
on Fri, 4 Mar 2005, Jethro R Binks <[log in to unmask]> writes
>But anyway, I thought the point of the three digit check number was that
>it was ONLY on the card, so it can only be given by the card's (physical)
>holder.
If you are diving the dumpster outside a mail order merchant it is
conceivable (but very bad practice) to find a record of the 3-digit
check number. But a dishonest employee could get hold of them as well,
especially if they were manning a telesales desk where the number was
requested over the phone.
>I also occasionally get calls from "my bank" to discuss my account, they
>then start to ask me things like my date of birth and my mother's maiden
>name and all that sort of thing to "confirm my identity". I refuse,
>telling them that *they* called *me* out of the blue, so they should be
>proving their identity to *me* first.
I had one of those last week, and he gave me an 0800 number to call him
back, after I refused to discuss anything over the phone. But as he also
admitted he was trying to sell me something, I didn't bother.
> And realistically, the only way
>this could happen is to have a shared passphrase. Neither side discloses
>it in full, but requests the first or third letters (or words) or
>whatever. I keep meaning to write to them to complain about this.
That kind of scheme is vulnerable to iterative attack (unless you become
suspicious of the multiple phone calls).
>Neither do I see how typing a PIN number, which anyone could discover and
>type in, is any safer than a signature which supposedly only the
>legitimate card holder can reproduce (that being the premise of
>signatures through the centuries). Of course, it isn't any safer,
>whatever the banks claim.
There's been a long debate about this elsewhere, and many believe it's
merely a way for the banks to shift the risk onto the customer. But more
recently they seem to be acknowledging that if there's been a
non-negligent "leak" of the PIN then the customer will be treated
sympathetically.
--
Roland Perry
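The "iterative attack" on a partial-passphrase scheme mentioned above can be quantified. The following is an added example, not code from the original message or from any bank's system: it models a scheme where each call asks for k of the n characters of the passphrase, chosen at random, and computes how many such calls it takes before every character has been asked for at least once. The passphrase, k, n and seed are constructed for illustration.

```python
"""Added example (not part of the original message). Models the partial
passphrase challenge described above: each call asks for k of the n
characters, chosen at random, and a customer who answers every call
gradually discloses the whole passphrase. The functions below quantify
how many calls that takes, which is the "iterative attack" concern
viewed as a risk figure. All parameters are constructed."""
from fractions import Fraction
from math import comb
import random


def prob_not_fully_revealed(n: int, k: int, t: int) -> Fraction:
    """P(at least one position still unasked after t random k-of-n challenges).
    Inclusion-exclusion over the set of positions never asked for."""
    total = Fraction(0)
    for j in range(1, n + 1):
        # probability that one challenge avoids a fixed set of j positions
        q = Fraction(comb(n - j, k), comb(n, k))
        total += (-1) ** (j + 1) * comb(n, j) * q ** t
    return total


def expected_challenges(n: int, k: int) -> Fraction:
    """E[number of challenges until all n positions have been asked for].
    Summing P(T > t) over t >= 0 turns each geometric series into 1/(1-q)."""
    total = Fraction(0)
    for j in range(1, n + 1):
        q = Fraction(comb(n - j, k), comb(n, k))
        total += (-1) ** (j + 1) * comb(n, j) / (1 - q)
    return total


def challenges_for_confidence(n: int, k: int, p) -> int:
    """Smallest t such that the whole passphrase has been revealed with
    probability >= p (p must be < 1)."""
    t = 0
    while 1 - prob_not_fully_revealed(n, k, t) < p:
        t += 1
    return t


def simulate_disclosure(passphrase: str, k: int, seed: int) -> int:
    """Simulate a customer answering every random k-position challenge
    honestly; return the number of calls after which every character of the
    constructed passphrase has been disclosed."""
    rng = random.Random(seed)
    n = len(passphrase)
    learned = {}
    calls = 0
    while len(learned) < n:
        calls += 1
        for pos in rng.sample(range(n), k):
            learned[pos] = passphrase[pos]
    # sanity check: the collected characters reassemble the passphrase
    assert "".join(learned[i] for i in range(n)) == passphrase
    return calls


if __name__ == "__main__":
    # constructed scenario: 8-character passphrase, 2 characters per call
    print("expected calls to reveal all of 8 chars, 2 per call:",
          float(expected_challenges(8, 2)))
    print("calls for 90% confidence:",
          challenges_for_confidence(8, 2, Fraction(9, 10)))
    print("simulated calls:", simulate_disclosure("abcdefgh", 2, seed=7))
```

For an 8-character passphrase challenged two characters at a time, the expected number of calls to collect every character is a little over ten, which is why the only real defence in the scheme as described is to notice the repeated calls.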
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^