Security theater?

Peter Tomlinson pwt at iosis.co.uk
Wed Sep 8 18:17:16 BST 2010


Peter Fairbrother wrote:
> Just had a new Lloyds credit card delivered, it had a sticker saying I 
> have to call a number to activate it. I call, it's an automated system.
>
> It asks for the card number, fair enough. It asks for the expiry date, 
> well maybe, it asks for my DOB, the only information that isn't 
> actually on the card, but no big secret. And then it asks for the 
> three-digit-security-code-on-the-back, well wtf?
>
> AIUI, and I may be wrong, the purpose of activation is to prevent 
> lost-in-the-post theft/fraud - so what do they need details which a 
> thief who has the card in his hot sweaty hand already knows for?
>
> And especially details like the three-digit-security-code-on-the-back 
> which can be used to help defraud?
>
> I don't get it, unless it's just bad security theatre.
>
> -- Peter Fairbrother
Automated by getting you to key in numbers, I assume - which means they 
cannot use voice analysis software to (attempt to) detect the equivalent 
of sweaty palms from the stress of being an imposter.

This reminds me that there was a period when all the customers of my 
bank (in this city I suspect, perhaps not everywhere) had to go and 
collect credit cards at a nominated branch of the bank - and they didn't 
really check ID there, either. I assume 'all' because there was no 
obvious reason, such as my card being lost, why I should have to do that.

Bring on eID tokens: Kable and The Reg reported that "UK.gov fishes for 
ID ideas. Turns to IT suppliers, says 'Er, what do you think?' ":

"Directgov has asked IT suppliers to come up with new thinking on 
identity verification.

The team, which is now within the Cabinet Office, has issued a 
pre-tender notice published in the Official Journal of the European 
Union, saying that it wants feedback on potential requirements for the 
public sector on all aspects of identity verification and 
authentication. This is particularly relevant to online and telephone 
channels, and the notice says the services include the provision of 
related software and computer services."

See http://www.theregister.co.uk/2010/09/02/directgov_id/

So why do they want to buy something, when there is another way to do 
it: in late June the USA asked the whole country to look at this: "Draft 
Plan for National Online ID". The person who sent that on to me wrote 
"Rather than presenting a detailed plan, the proposed National Strategy 
for Trusted Identities in Cyberspace is painted in broad brush strokes.  
The proposal involves having consumers use secure identifiers, such as 
smart identity cards or digital certificates, to authenticate their 
identities before online transactions are conducted.  The plan would be 
voluntary and would allow consumers to choose their identifiers from a 
range of public and private services.  The White House is seeking 
comments on the proposal." (And wanted those comments very quickly.)

See:
http://www.whitehouse.gov/blog/2010/06/25/national-strategy-trusted-identities-cyberspace
http://www.dhs.gov/xlibrary/assets/ns_tic.pdf

However, I have not yet followed up the progress of the discussion in 
the USA.

Peter