Card transactions by proxy
igb at batten.eu.org
Sun Apr 3 20:53:52 BST 2011
> Enter our friend, the mobile phone. Almost everyone has one, or at
> the very least access to a landline on which they can be contacted.
> As I see things, the contact number - mobile or landline for a
> customer is already known to the bank. To authenticate a 'customer
> not present' transaction, the bank simply sends an automated message
My bank already does that for some combination of high-value, overseas
and dubious transactions. I've on several occasions been phoned
whilst stood at the counter, and asked to confirm what I'm doing.
Using phones like this is a tempting two-factor scheme. Except...
> Stealing card details becomes pointless once a real-time
> authentication system like this is in place. You'd need to steal the
> card details AND the right phone
Or, alternatively, borrow the phone for two minutes and set up
unconditional call forwarding on it. The punter might not notice for
some time, depending on how frequently they get incoming calls. I
don't think the caller has any way to establish the ident of the
terminating phone, do they?