Security theater?
Peter Tomlinson
pwt at iosis.co.uk
Wed Sep 8 18:17:16 BST 2010
Peter Fairbrother wrote:
> Just had a new Lloyds credit card delivered, it had a sticker saying I
> have to call a number to activate it. I call, it's an automated system.
>
> It asks for the card number, fair enough. It asks for the expiry date,
> well maybe. It asks for my DOB, the only information that isn't
> actually on the card, but no big secret. And then it asks for the
> three-digit-security-code-on-the-back, well wtf?
>
> AIUI, and I may be wrong, the purpose of activation is to prevent
> lost-in-the-post theft/fraud - so what do they need details which a
> thief who has the card in his hot sweaty hand already knows for?
>
> And especially details like the three-digit-security-code-on-the-back
> which can be used to help defraud?
>
> I don't get it, unless it's just bad security theatre.
>
> -- Peter Fairbrother
Automated by getting you to key in numbers, I assume - which means they
cannot use voice analysis software to (attempt to) detect the equivalent
of sweaty palms from the stress of being an imposter.
This reminds me that there was a period when all the customers of my
bank (in this city I suspect, perhaps not everywhere) had to go and
collect credit cards at a nominated branch of the bank - and they didn't
really check ID there, either. I assume 'all' because there was no
obvious reason, such as my card being lost, why I should have to do that.
Bring on eID tokens: Kable and The Reg reported that "UK.gov fishes for
ID ideas. Turns to IT suppliers, says 'Er, what do you think?'":
"Directgov has asked IT suppliers to come up with new thinking on
identity verification.
The team, which is now within the Cabinet Office, has issued a
pre-tender notice published in the Official Journal of the European
Union, saying that it wants feedback on potential requirements for the
public sector on all aspects of identity verification and
authentication. This is particularly relevant to online and telephone
channels, and the notice says the services include the provision of
related software and computer services."
See http://www.theregister.co.uk/2010/09/02/directgov_id/
So why do they want to buy something, when there is another way to do
it: in late June the USA asked the whole country to look at this: "Draft
Plan for National Online ID". The person who sent that on to me wrote
"Rather than presenting a detailed plan, the proposed National Strategy
for Trusted Identities in Cyberspace is painted in broad brush strokes.
The proposal involves having consumers use secure identifiers, such as
smart identity cards or digital certificates, to authenticate their
identities before online transactions are conducted. The plan would be
voluntary and would allow consumers to choose their identifiers from a
range of public and private services. The White House is seeking
comments on the proposal." (And wanted those comments very quickly.)
See:
http://www.whitehouse.gov/blog/2010/06/25/national-strategy-trusted-identities-cyberspace
http://www.dhs.gov/xlibrary/assets/ns_tic.pdf
However, I have not yet followed up the progress of the discussion in
the USA.
Peter