On Fri, 17 Sep 2010, Steven Bellovin wrote:
On Sep 17, 2010, at 4:53 51AM, Peter Gutmann wrote:
From the ukcrypto mailing list:
AIUI, and I may be wrong, the purpose of activation is to prevent lost-in-
the-post theft/fraud - so what do they need details which a thief who has
the card in his hot sweaty hand already knows for?
Looks like it's not just US banks whose interpretation of n-factor auth is "n
times as much 1-factor auth".
I don't know how NZ banks do it; in the US, they use the phone number you're
calling from. Yes, it's spoofable, but most folks (a) don't know it, and (b)
don't know how.
Its 1-1/2 factor authentication, and the rest of the steps are quality
control for card manufacturing. Much cheaper to use the customer as the
final quality control inspector.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com