CC shared secret
Ross Anderson
ukcrypto at chiark.greenend.org.uk
Thu, 07 Aug 2008 17:49:18 +0100
Roland:
> I just got an email (which seems to be genuine) from one of my credit
> card companies saying they have enrolled me (unsolicited) in "Verified by
> Visa", and my password will be the answer to one of the "shared secrets"
> used during login to my online account with them.
I have come across an interesting and potentially quite unpleasant
pair of features.
The RBS is one of the banks at which I maintain an account, and as
with my other banks I've been very careful not to set up a password
with them for phone and Internet banking, because of the liability
transfer that gets kicked off (see Bohm, Brown and Gladman).
Last week their credit card people wrote to me asking me to call them
at once to verify a suspicious transaction. I did so and the lady at
the call centre demanded my password. I explained that I had been
careful never to set one. She brusquely contradicted me, told me I'd
set one, said it might be my mother's maiden name, and told me 'its'
first and last letters - which were indeed the first and last letters
of my mother's maiden name. I protested and she said she would not
speak to me any more as I 'had refused the security questions'.
It looks like the RBS has decided to deal with the refuseniks and the
can't-be-bothered-niks by simply giving us all passwords, whether we
consented or not.
The second disfeature with the RBS is that when I attempted a few
weeks ago to use one of their cards to buy a ticket from Easyjet, the
Easyjet website insisted I pick a password for their equivalent of
VbV. I phoned their call centre and asked if I could get a card that
did not have this feature enabled. Not even the supervisor to whom I
eventually spoke seemed able to understand what I was on about, let
alone help. People who use their Coutts brand seem to have better
luck but speaking to someone who understands the bank's own systems
doesn't seem to be an option for us proles.
It really does seem like a race to the bottom, doesn't it? Pretty
soon we'll all be asked for our mothers' maiden names whenever we
shop, and when stuff goes wrong it'll all be our fault.
Ross