Current authentication procedures
Ben Laurie
ben at algroup.co.uk
Fri, 25 Jun 1999 13:43:04 +0100
Ian Miller wrote:
> A bank, which I have recently opened an account with, phoned me to set me
> up on their telephone-banking service. This was them asking for various
> bits of information to allow them to authenticate me, when I used the
> service. Essentially it was a key-exchange operation. I was asked a few
> questions to verify that I really was the account holder. When it got to
> the first question that could not be answered from my phone-book entry, I
> asked the bank employee to authenticate herself; after all, she had phoned
> me. They already had far more evidence of my identity than I had of the
> caller's, and it was already clear that the main purpose of the call was
> for them to obtain information from me, not to give me any. (The _only_
> information that caller had provided was knowing that I had recently opened
> an account.) After some discussion it became clear that this was impossible,
> as the employee was forbidden to give out any account-specific information.
We've had the same problem with alarm-monitoring companies.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi