CC shared secret
Roland Perry
ukcrypto at chiark.greenend.org.uk
Thu, 7 Aug 2008 21:19:47 +0100
In article <E1KR8fu-0005ew-00@mta2.cl.cam.ac.uk>, Ross Anderson
<Ross.Anderson@cl.cam.ac.uk> writes
>Last week their credit card people wrote to me asking me to call them
>at once to verify a suspicious transaction. I did so and the lady at
>the call centre demanded my password. I explained that I had been
>careful never to set one. She brusquely contradicted me, told me I'd
>set one, said it might be my mother's maiden name, and told me 'its'
>first and last letters - which were indeed the first and last letters
>of my mother's maiden name.
This is symptomatic of my main worry in this thread. Did that lady have
your [let's assume you had supplied it previously just for a moment]
shared secret on the screen in front of her in the clear? Isn't that a
big risk? Or is it so difficult to type in a name you give them and get
it right, that they have to use the human being rather than a computer
to check it's correct?
>I protested and she said she would not speak to me any more as I 'had
>refused the security questions'.
>
>It looks like the RBS has decided to deal with the refuseniks and the
>can't-be-bothered-niks by simply giving us all passwords, whether we
>consented or not.
So you *have* told RBS your mother's maiden name in some other context?
--
Roland Perry