[comp.dcom.telecom] AT&T Card PIN Disclosed

jgro@fernwood.mpk.ca.us (05/10/91)

I had an interesting, and slightly frightening experience over the
weekend with my AT&T credit card.  My card had just been renewed, and
I was replacing the old one in my wallet with my new one, and since I
usually use MCI but now had the AT&T card in my hand, I thought I'd
check to make sure I remembered the PIN for it.  I tried dialing a
friend long distance using the AT&T card, and used the PIN I
remembered.  It didn't work.

I called AT&T to ask them to change it.  I had set my PIN over the
phone originally, and although I was somewhat worried about this, I
noticed that they had one person take all my personal information
(account number, name, address, SS#, etc.), and a different person
take my PIN, so I took the leap of faith to think that the person who
took my PIN didn't know what account it was for.  I was able to
believe that they were taking good security measures.  Anyway, I
called and told the service rep that I had forgotten my PIN, and
wanted to change it.  Again I was taken through the most rigorous
identification process of anyone I've done business with over the
phone, including banks and stock brokers.  The service rep asked what
PIN I had used, at which point I was stunned; after a brief pause, I
said "I'm not supposed to tell anyone my PIN, your literature says that
real AT&T reps will never ask you for it."  The service rep then
pauses, stammers, and says "Well, I'm looking right at it. <pause for
response from me, which I don't give, because I'm starting to get
sick> OK," she says, "did you use XXXX?" where XXXX was my real PIN!
Not only did she have access to it (which she shouldn't need or have),
she told it to me! Yikes!  I am not amused.  I bet many people use the
same PIN all over the place, and allowing AT&T employees to see
customers' PINs, and access to their credit records and telephone
records, could be an invitation to fraud.  I'm very glad the PIN I
gave them is one I use nowhere else.

Continuing, now that the service rep assured me I was using the right
PIN, I naturally wanted to know why it didn't work.  She told me that
my card was shipped "in the same mail sack" as a bunch of other cards
which were stolen from the mail.  They had called and left a message
("I'm calling from AT&T.  It's very important you return my call at
800 xxx xxx"), and when I didn't return the call, they blocked my
account.  I didn't return the call because they had cried wolf before,
and when I called them back they couldn't even tell me why they had
called me!  It sure would have been helpful if they had left a more
detailed message.  Even a second phone call would have been nice.  As
it was I just thought it was some spurious sales call or friendly
check to make sure that I had gotten my card, and since I had my card
and didn't want to talk to a salesperson, I didn't call back.

It just goes to show how hard it is to get this stuff right, and how
the risks don't go away, they just transform themselves into new and
unexpected forms.


Jeremy Grodberg   jgro@lia.com   

josh@happym.wa.com (Joshua_Putnam) (05/14/91)

In <telecom11.351.8@eecs.nwu.edu> lia!jgro@fernwood.mpk.ca.us (Jeremy
Grodberg) writes:

> I had an interesting, and slightly frightening experience over the
> weekend with my AT&T credit card.  

[details deleted]

> Again I was taken through the most rigorous identification process
> of anyone I've done business with over the phone, including banks and
> stock brokers.

This reminds me of a problem I had with my AT&T Visa Card soon after I
got it.  I was out buying a new laptop computer, which was by far the
largest charge I had then put on the card.  The clerk had to call for
authorization.  What identifying information did they ask for?
Mother's maiden name?  No, although they had that from the
application.  They asked for my ZIP code!  As if anyone stealing my
wallet would not be able to get the code from my driver's license,
voter registration, etc.

I was in too much of a hurry to complain about lax security, so I gave
them my ZIP code, which has been the same for twenty years.  "I'm
sorry," the voice on the phone said, "that is incorrect."

I presented half a dozen forms of picture ID, including my passport,
all showing my correct ZIP code, but they still refused to accept the
charge.  Finally the operator let slip the code she was really looking
for, that of the main post office serving my local one.  So I
"confessed" to my "mistake" and the charge was accepted.  End of
story. (Except, of course, the half-dozen letters it took to get them
to correct their records for future use.)

> It just goes to show how hard it is to get this stuff right, and how
> the risks don't go away, they just transform themselves into new and
> unexpected forms.

You can say that again!


Josh_Putnam@happym.wa.com      Happy Man Corp.  206/463-9399 x102
4410 SW Pt. Robinson Rd., Vashon Island, WA  98070-7399  fax x108

bicker@hoqax.att.com (Brian Charles Kohn) (05/14/91)

In comp.dcom.telecom, Jeremy Grodberg <lia!!jgro@fernwood.mpk.ca.us>
wrote on 9 May 91 22:20:30 GMT:

> I called AT&T to ask them to change [my PIN].  I had set my PIN over the
> phone originally, and although I was somewhat worried about this, I

> I was able to
> believe that they were taking good security measures.  Anyway, I
> called and told the service rep that I had forgotten my PIN, and
> wanted to change it.  Again I was taken through the most rigorous
> identification process of anyone I've done business with over the
> phone, including banks and stock brokers.  The service rep asked what
> PIN I had used, at which point I was stunned; after a brief pause, I
> said "I'm not supposed to tell anyone my PIN, your literature says that
> real AT&T reps will never ask you for it."

I believe the warning refers to the fact that no AT&T rep will ever
call you and ask for it.  In this case, you called them.  It is
assumed that you know who you called; that is not the case when you
receive a call.

> [many people use the]
> same PIN all over the place, and allowing AT&T employees to see
> customers' PINs, and access to their credit records and telephone
> records, could be an invitation to fraud.

One should never use the same PIN for more than one thing.  Most BBSs,
for example, allow the SYSOP to see your password. (UNIX will be our
salvation, eh?)


Brian Charles Kohn          AT&T Bell Laboratories Quality Process Center
Quality Management System   E-MAIL: att!hoqax!bicker  (bicker@hoqax.ATT.COM)
Consultant                  PHONE: (908) 949-5850        FAX: (908) 949-7724


[Moderator's Note: Another thing I think our original correspondent
neglected to note was that when calling *any* credit card organization
to discuss changing your PIN, there is going to have to be some
verbalization of the old PIN itself.  Usually, discussions about the
PIN itself are the only reasons the PIN need be recited, however.  PAT]

philip@beeblebrox.dle.dg.com (Philip Gladstone) (05/14/91)

On 9 May 91 22:20:30 GMT, lia!jgro@fernwood.mpk.ca.us (Jeremy
Grodberg) said:

> The service rep asked what
> PIN I had used, at which point I was stunned; after a brief pause, I
> said "I'm not supposed to tell anyone my PIN, your literature says that
> real AT&T reps will never ask you for it."  The service rep then
> pauses, stammers, and says "Well, I'm looking right at it. <pause for
> response from me, which I don't give, because I'm starting to get
> sick. OK," she says, "did you use XXXX?" where XXXX was my real PIN!
> Not only did she have access to it (which she shouldn't need or have),
> she told it to me! Yikes!  I am not amused. 

The banks take a much different view on the security of PINs (at least
in the UK). The device that actually stores the PINs is kept apart
from the main system and is kept in a controlled (and very secure)
environment. All access to this device is via its (IBM) channel attach
to the mainframe.

This device implements the security policies in force -- i.e.
inability to read the PIN, verify only, audit trails etc.

I guess the difference is that banks are trying to protect against the
loss of significant amounts of money, whilst AT&T is trying to protect
against a theft of service (for which you haven't paid [yet]).


Philip Gladstone         Dev Lab Europe, Data General, Cambridge, UK

Jiro Nakamura <jiro@shaman.com> (05/15/91)

I would like to relate that about a year ago, I forgot the PIN to my
AT&T Universal Card. So I phone AT&T Univ. up and tell them that,
fully expecting them to give me a whole new one. They ask my mom's
maiden name, my SS number, and then *tell* me what the old one was. I
was pretty shocked. :-(

   Compare this with my bank's Phone Access Line PIN number*. No one
knows what my PAL/PIN is except the computer and it won't tell anyone.
They send you the PIN in a sealed envelope (you know, the type that
has carbon paper inside and is printed in one go through a dot matrix
printer and has the tear ends on it).  None of the tellers know it,
and apparently can't find out. It's just like UNIX. If you forget the
old one, the computer has to churn you a new one (no, you can't even
choose your own).

    I like the bank's system, albeit I can't choose the number.

PAL is a system by which I can do inquiries and transfers with my handy
touch-tone phone. For some reason, the PIN has nothing to do with my
regular ATM PIN, so I have to remember two numbers. :-(


Jiro Nakamura		   jiro@shaman.com
Shaman Consulting	   (607) 253-0687 VOICE
(607) 253-7809 FAX/Modem

hullp@cogsci.Berkeley.EDU () (05/16/91)

In article <telecom11.362.1@eecs.nwu.edu> philip@beeblebrox.dle.dg.com
(Philip Gladstone) writes:

> I guess the difference is that banks are trying to protect against the
> loss of significant amounts of money, whilst AT&T is trying to protect
> against a theft of service (for which you haven't paid [yet]).

I wish this were true.  The card in question is a VISA + calling card
and if the PIN got into the wrong hands hundreds of dollars in cash
advances at just about any ATM could be lost in days.  If you didn't
know about this loss of security, you'd be liable for, I believe, $50
but the hassle involved would be enormous.  When I got my AT&T
Universal card, I called them to request a form on which to request a
PIN number that I could remember (the usual way is as you describe
with nobody but the PIN-generating computer knowing what your PIN is).
The clerk said she could give me one over the phone.  I was totally
astounded and a bit pissed but ... it was very convenient I must admit
as I could go out and use the thing in ATMs right away instead of
waiting for a new PIN authorization which takes at least 10 days the
other way.


Philip V. Hull

INTERNET: hullp@cogsci.berkeley.edu  BITNET: hullp@cogsci.berkeley.bitnet 
UUCP: ucbvax!cogsci!hullp  OR: ucbvax!cogsci.berkeley.edu!hullp

Mike Morris <morris@grian.cps.altadena.ca.us> (05/17/91)

jiro@shaman.com (Jiro Nakamura) writes: (edited...)

>   Compare this with my bank's Phone Access Line PIN number*. No one
> knows what my PAL/PIN is except the computer and it won't tell anyone.
> They send you the PIN in a sealed envelope (you know, the type that
> has carbon paper inside and is printed in one go through a dot matrix
> printer and has the tear ends on it).

I have accounts at three banks.  Two are like his: you can't pick your
PIN.  The third allows you to.  I assume it depends on who wrote the
system.


Mike Morris WA6ILQ     PO Box 1130        
Arcadia, CA. 91077     818-447-7052       

Mark.Kreutzian@uunet.uu.net (05/18/91)

> printer and has the tear ends on it).  None of the tellers know
> it, and apparently can't find out. It's just like UNIX. If you
> forget the old one, the computer has to churn you a new one (no, you
> can't even choose your own).
 
The "Black Box" that was mentioned in an earlier post is called an
Atalla and the process is called DES-PIN.  The process can be set to
allow the customer to select the PIN or have the PIN selected solely
by the Atalla box.
 

Mark K. Kreutzian              ivgate!command!mark@uunet.uu.net
American Express Info Svcs Co
 
***** Insert standard disclaimer ******
 The .COMmand Center  (Opus 1:5010/23)
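Philip Gladstone's description of a separate PIN device that can only verify (never read) a PIN and keeps an audit trail, and Mark Kreutzian's note that such a box can either accept a customer-chosen PIN or generate one itself, both describe the same design. The following is an added illustration, not code from AT&T, Atalla, any bank, or anyone in this thread. It is modelled on the PIN-offset idea (the device holds a secret PIN verification key and stores only a per-account offset from a key-derived "natural PIN"), but substitutes HMAC-SHA256 for the DES derivation of the real schemes; the `PinVault` class, its method names, the lockout policy and all account numbers and keys are constructed for the example.

```python
import hmac
import hashlib
import secrets


class PinVault:
    """Hypothetical verify-only PIN device (illustrative, not any vendor's code).

    The device holds a secret PIN verification key (PVK) and stores, per
    account, only the digit-wise difference between the customer's PIN and
    a "natural PIN" derived from the account number under the PVK. Nothing
    outside the device can turn a stored offset back into a PIN, and the
    device itself exposes no method that returns one: only set, issue and
    verify, each of which leaves an audit record.
    """

    DIGITS = "0123456789"

    def __init__(self, pvk: bytes, pin_len: int = 4, max_failures: int = 3):
        self._pvk = pvk                 # never leaves the device
        self._pin_len = pin_len
        self._max_failures = max_failures
        self._offsets = {}              # account -> offset digits (the only stored secret material)
        self._failures = {}             # account -> consecutive failed verifies
        self.audit = []                 # append-only list of (event, account, outcome)

    # -- internal helpers, not reachable through the device interface -----

    def _natural_pin(self, account: str) -> str:
        # HMAC-SHA256 stands in for the DES-based derivation of the real
        # schemes; each hex digit of the output is decimalised with mod 10.
        digest = hmac.new(self._pvk, account.encode(), hashlib.sha256).hexdigest()
        return "".join(str(int(c, 16) % 10) for c in digest[: self._pin_len])

    @staticmethod
    def _digit_add(a: str, b: str, sign: int) -> str:
        # Digit-wise a + sign*b (mod 10); sign=-1 builds an offset, +1 applies it.
        return "".join(str((int(x) + sign * int(y)) % 10) for x, y in zip(a, b))

    def _check_format(self, pin: str) -> bool:
        return len(pin) == self._pin_len and all(c in self.DIGITS for c in pin)

    def _store(self, account: str, pin: str, event: str) -> None:
        self._offsets[account] = self._digit_add(pin, self._natural_pin(account), -1)
        self._failures[account] = 0
        self.audit.append((event, account, "ok"))

    # -- the only operations a teller or phone system can invoke ----------

    def set_customer_pin(self, account: str, pin: str) -> None:
        """Customer-selected PIN: the PIN is consumed and only the offset kept."""
        if not self._check_format(pin):
            self.audit.append(("set", account, "bad-format"))
            raise ValueError("PIN must be %d digits" % self._pin_len)
        self._store(account, pin, "set")

    def issue_generated_pin(self, account: str) -> str:
        """Device-generated PIN, returned exactly once for the sealed PIN mailer.

        After this call the PIN is not stored anywhere; forgetting it means
        a fresh issue, which is the behaviour Jiro describes at his bank."""
        pin = "".join(secrets.choice(self.DIGITS) for _ in range(self._pin_len))
        self._store(account, pin, "issue")
        return pin

    def verify(self, account: str, attempt: str) -> bool:
        """Answer yes/no only, and stop answering after repeated failures."""
        offset = self._offsets.get(account)
        if offset is None:
            self.audit.append(("verify", account, "unknown-account"))
            return False
        if self._failures[account] >= self._max_failures:
            self.audit.append(("verify", account, "locked"))
            return False
        if not self._check_format(attempt):
            self._failures[account] += 1
            self.audit.append(("verify", account, "bad-format"))
            return False
        expected = self._digit_add(self._natural_pin(account), offset, +1)
        ok = hmac.compare_digest(expected, attempt)
        self._failures[account] = 0 if ok else self._failures[account] + 1
        self.audit.append(("verify", account, "ok" if ok else "fail"))
        return ok

    def is_locked(self, account: str) -> bool:
        return self._failures.get(account, 0) >= self._max_failures


if __name__ == "__main__":
    # Constructed demo values: the PVK and account numbers are not real.
    vault = PinVault(pvk=b"constructed-demo-pvk-not-a-real-key")
    vault.set_customer_pin("4000123456789010", "1234")
    print(vault.verify("4000123456789010", "1234"))      # True
    print(vault.verify("4000123456789010", "4321"))      # False
    mailer_pin = vault.issue_generated_pin("4000111122223333")
    print(vault.verify("4000111122223333", mailer_pin))  # True
    print(hasattr(vault, "get_pin"))                     # False: there is nothing to "look right at"
    for entry in vault.audit:
        print(entry)
```

The point of the layout is that a service representative's terminal talks only to `verify`, so the situation in the original post (a rep reading the PIN off a screen) cannot arise; the stored offsets are useless without the key that stays inside the device, and every yes/no answer is logged so a run of failed guesses against one account is visible and, after `max_failures`, refused.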