The security is scaring me
I’ve had the privilege (?) of activating a couple of credit cards and changing my account information over the last few days, and I must say, it’s freaking me out. You get the credit card with a sticker on the front that says to call a number to activate the credit card. All well and good. So I call the number, and after a short greeting (”Thank you for calling XYZ credit…”) it asks me to enter or say my 16-digit account number. Ok, now I’m not a hacking or social engineering genius here, but John Technophobe could come up with the idea to purchase 1-800 numbers that are just common dialing mistakes away from the credit card phone number. Then all you’d have to do is sit by the phone all day, pick up, ask people for their account numbers, then head off to the Bahamas. And it gets better. When people think they are talking to their bank or credit provider, they’ll pretty much hand over any information that’s requested without.
Phone: Social Security Number?
Me: 987-65-4323
Phone: Mother’s maiden name?
Me: Boitano
Phone: Childhood pet’s sexual orientation?
Me: straight…what!?!
During the course of my various phone calls, I was asked for all of the following information: account number, last 4 digits of SSN, home phone number, zipcode, mothers maiden name. With all that info, it would be VERY easy to impersonate me, and the individual on the other end never really did anything to authenticate themselves other than silently nod when I got the answers right.
What’s really needed is some mutual authentication. For example, many financial websites are moving to setups where they prove who they are before you completely prove who you are. When I log into my brokerage account, they first ask me for my username. After that has been submitted they show me an image that I have selected, and if it’s what I expect, I enter my password and finish authentication. If I don’t see the right image, I know I’m not at the right site. Users should be leery whenever they enter their username and password on the same page. It’s easy to make a mistake when typing a web address.
Anyway, like I said, I’m not a security expert and I know work is being done to prevent phishing in web browsing. I just feel like I’m without any protection when I use the phone, and a lot of times I give away more personal information there than on a website.
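Here is the two-step “site image” login described above, written out as a small added example (my own illustration, not code from this blog or from any brokerage). It simulates a legitimate site that shows the user’s chosen image before asking for a password, a customer who refuses to type the password when the image is wrong, and a look-alike site that never learns the image. The user name, password and image ids are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 so the server stores a salted hash, never the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Bank:
    """Legitimate site: proves itself with the user's chosen image before asking for a password."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes, str]] = {}  # username -> (salt, hash, image id)
        self._pending: dict[str, str] = {}  # login token -> username awaiting step 2

    def register(self, username: str, password: str, image_id: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt), image_id)

    def step1_username(self, username: str) -> tuple[str, str]:
        """Step 1: the site authenticates itself by returning the image only this user chose."""
        token = secrets.token_hex(16)
        if username not in self._users:
            # Unknown user: answer with a random decoy so the response does not confirm valid usernames.
            return token, "decoy-" + secrets.token_hex(4)
        self._pending[token] = username
        return token, self._users[username][2]

    def step2_password(self, token: str, password: str) -> bool:
        """Step 2: the user authenticates, but only after step 1 satisfied them."""
        username = self._pending.pop(token, None)
        if username is None:
            return False
        salt, stored, _ = self._users[username]
        return hmac.compare_digest(stored, _hash_password(password, salt))


class LookalikeSite:
    """A page at a mistyped address: it cannot show the user's image because it never saw it."""

    def __init__(self) -> None:
        self.captured: str | None = None

    def step1_username(self, username: str) -> tuple[str, str]:
        return "fake-token", "some-random-picture"

    def step2_password(self, token: str, password: str) -> bool:
        self.captured = password  # whatever is typed here is lost
        return True


class Customer:
    """Follows the rule from the post: no password unless the expected image is shown first."""

    def __init__(self, username: str, password: str, expected_image: str) -> None:
        self.username, self.password, self.expected_image = username, password, expected_image

    def login(self, site) -> str:
        token, shown_image = site.step1_username(self.username)
        if shown_image != self.expected_image:
            # The site failed to prove itself: stop before the password is ever typed.
            return "refused: wrong site image"
        return "logged in" if site.step2_password(token, self.password) else "refused: bad password"


def demo() -> dict[str, object]:
    """Run the flow against the real site and the look-alike; constructed sample data throughout."""
    bank = Bank()
    bank.register("alice", "correct horse battery", "img-lighthouse")
    alice = Customer("alice", "correct horse battery", "img-lighthouse")
    fake = LookalikeSite()
    return {
        "real_site": alice.login(bank),
        "fake_site": alice.login(fake),
        "password_leaked": fake.captured,
        "wrong_password": Customer("alice", "guess", "img-lighthouse").login(bank),
    }


if __name__ == "__main__":
    print(demo())
```

The protection rests entirely on the customer actually stopping when the image is wrong; the look-alike site here captures nothing only because `Customer.login` never reaches step 2. It also does not help against a relay sitting between the user and the real site, which can forward the username, fetch the genuine image, and show it back, so this is a check against mistyped addresses and plain copies of a login page, not a substitute for verifying the address itself.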
February 5th, 2007 at 11:44 am
You’re right to be concerned. Since anything within the browser can be faked — a “Man-in-the-Middle” attack is virtually undetectable for most web visitors. There is hope. There is a new free tool called VerificationEngine. It authenticates web content (thus the identity) of over 200,000 home page logos of well trafficked web sites. Authentication happens OUTSIDE the browser environment making it “spoof proof”. Innovative banks are using it too to protect the login boxes on sites. So get and be protected. Be safe out there.
February 5th, 2007 at 12:37 pm
Hmm . . . a free new tool called VerificationEngine huh? Sounds great. It’s a good thing we have these conversations about cool new software we find with each other. Wait a minute . . . what’s this I see? Hmm - VerificationEngine is a Comodo product. Seems like your name links to comodo.com. Well that’s odd because who would talk like a TV ad in a conversational blog comment? That would just be stupid right? That must not be the case - maybe it’s just a coincidence. . .
February 5th, 2007 at 12:54 pm
You’re getting better with blog style. That White Bear color scheme was scaring me.
February 5th, 2007 at 12:57 pm
On a related topic: what’s with the three digit security code on credit cards now? I thought that it was introduced by credit card companies as an extra safeguard against fraud in non face-to-face transactions. Yet every online store is now asking for it. Someone told me about a year ago that a law was passed to prevent anyone from asking for it, but either that’s wrong or it’s not being enforced.
February 5th, 2007 at 5:21 pm
Yeah, when I used that I was trying something to get a black background. I was going to change the colors eventually (didn’t like the orange) but by the time Shoe started harassing me, I figured I’d just change the whole theme. I ended up having to change the colors anyway (it originally had a girly purple). Anyway, I’ve also bumped up the text size which I don’t think looks as nice, but it makes it easier to read. I plan to do a few more minor improvements over the next few weeks.
February 5th, 2007 at 5:23 pm
Responding to Shanley’s second comment, my card now has two 3-digit numbers on the back. One apparently is for card activation, and the other is the one Shanley mentioned. Instead of addressing fundamental flaws in the system, they seem to like to add more random numbers.
February 5th, 2007 at 6:26 pm
See, the new set of 3 digits refers directly to the aforementioned ‘pet’s sexual orientation’. It’s so that will be readily available.
February 5th, 2007 at 6:42 pm
I’d like to see the translation table for those numbers…