In message
<[log in to unmask]>, at
15:15:29 on Thu, 20 Oct 2005, Simon Howarth
<[log in to unmask]> writes
>My bank always ask me something like "the 3rd and 5th letters of your
>password".
Just as long as you remember that someone purporting to be from the same
bank asked you for the 1st and 4th yesterday and the 2nd and 6th the day
before...
>You could easily ask them the same thing - it works both
>ways, and in itself does not give out too much information.
I did that once and the [credit card] company person promptly told me my
full password. I always thought they didn't have the whole thing in
front of them, just a means to verify the "extracts" they ask about.
Needless to say, I cancelled the card as I didn't want to be dealing
with such an insecure outfit!
In case people think I'm asking for a double standard here, I'm not. I
want to be able to verify who they are, but not if that means they
compromise my security in the event that *they* aren't talking to the
person they think they are.
What it needs is an *additional* shared secret, so that if I challenge
them they say "we have on file that you've asked us to say 'xyzabc' in
these circumstances".
--
Roland Perry
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^