Card transactions by proxy

Ian Batten igb at
Sun Apr 3 20:53:52 BST 2011

> Enter our friend, the mobile phone. Almost everyone has one, or at  
> the very least access to a landline on which they can be contacted.  
> As I see things, the contact number - mobile or landline for a  
> customer is already known to the bank. To authenticate a 'customer  
> not present' transaction, the bank simply sends an automated message

My bank already does that for some combination of high-value, overseas  
and dubious transactions.  I've on several occasions been phoned  
whilst stood at the counter, and asked to confirm what I'm doing.   
Using phones like this is a tempting two-factor scheme.  Except...

> Stealing card details becomes pointless once a real-time  
> authentication system like this is in place. You'd need to steal the  
> card details AND the right phone

Or, alternatively, borrow the phone for two minutes and set up  
unconditional call forwarding on it.  The punter might not notice for  
some time, depending on how frequently they get incoming calls.  I  
don't think the caller has any way to establish the ident of the  
terminating phone, do they?


More information about the ukcrypto mailing list