bill@camco.Celestial.COM (Bill Campbell) (04/04/91)
I was appalled today when I called about my Visa account and, when asked, entered my account number: a voice nicely told me my current balance and last payment information. This was with the First Omni Bank Credit Card Center.

There's nothing to keep anyone with the phone number and an account number from getting this information. How common is this? Is there no protection from this?

Bill Campbell
--
INTERNET: bill@Celestial.COM        Bill Campbell; Celestial Software
UUCP:     ...!thebes!camco!bill     6641 East Mercer Way
          uunet!camco!bill          Mercer Island, WA 98040; (206) 947-5591
cs4304ak@evax.arl.utexas.edu (David Richardson) (04/05/91)
(followups to alt.privacy. Change this if you need to). (X-posted to soc.college due to content).

In article <959@camco.Celestial.COM> bill@camco.Celestial.COM (Bill Campbell) writes:
[Bill called First Omni Bank & gave them his credit card number, & they gave him his balance. [The implication was that they didn't ask for other info to verify his identity - DWR].]
>There's nothing to keep anyone with the phone number and an
>account number from getting this information. How common is
>this? Is there no protection from this?

This brings up a very good point, for which I have a possible solution: businesses which give out private information over the phone should have some way of identifying customers. It should be something not likely to be found with the primary identification (such as a credit card #). This means that anything commonly carried in a wallet is out (such as address, driver's license, etc.). I propose using whatever the customer wants to use, be it a PIN, a mother's maiden name, etc.

On a related topic, our school is in the discussion stage of phone-in registration. When asked if he would pay a small extra fee to register over the phone, a student said "...but someone may abuse it by using another person's ID number." In this case, a PIN would probably be best.

By the way, my credit card has a telephone balance inquiry, & it requires your 5-digit zip code (not too hard to get if someone steals your wallet). A BBS I use requires your mother's maiden name if you forget your password (I gave it my cat's name on the registration sheet).
--
David Richardson, U. Texas at Arlington, +1 817 856 6637
PO Box 192053, Arlington, TX 76019-2053 USA
Usually hailing from: b645zax@utarlg.uta.edu, b645zax@utarlg.bitnet, SPAN: UTSPAN::UTADNX::UTARLG::B645ZAX
The Lord is my shepherd, I shall not want.
mpd@anomaly.SBS.COM (Michael P. Deignan) (04/08/91)
bill@camco.Celestial.COM (Bill Campbell) writes:
>There's nothing to keep anyone with the phone number and an
>account number from getting this information. How common is
>this? Is there no protection from this?

Citibank, my Visa bank, has a similar phone number. All one must do is enter an account number and their 5-digit zip code, and you get your balance, available credit/cash-advance limit, minimum payment/due date.

The really annoying thing is that the number you call is right on the back of the credit card. All someone has to do is lift your wallet and voila, they have your card number, your zip code (from license), and instantly they have your credit limit, along with how much they can milk your card for.

MD
--
-- Michael P. Deignan                  / Since I *OWN* SBS.COM,
-- Domain: mpd@anomaly.sbs.com         / These Opinions Generally
-- UUCP: ...!uunet!rayssd!anomaly!mpd  / Represent The Opinions Of
-- Telebit: +1 401 455 0347            / My Company...
bparr@well.sf.ca.us (Barry L. Parr) (04/08/91)
The AT&T Universal card offers an 800 number that will give you the balance on your Visa, using your Zip code as a PIN. This is the next best thing to no security at all.

Barry Parr/M&T Publishing/Redwood City, CA
barmar@think.com (Barry Margolin) (04/09/91)
In article <24095@well.sf.ca.us> bparr@well.sf.ca.us (Barry L. Parr) writes:
>The AT&T Universal card offers an 800 number that will give you the
>balance on your Visa, using your Zip code as a PIN. This is the
>next best thing to no security at all.

That seems crazy to me. The Universal card already has a secret PIN associated with it, to be used when using it as a calling card. So why do they use a different, and easily-determined, PIN for balance information?
--
Barry Margolin, Thinking Machines Corp.
barmar@think.com
{uunet,harvard}!think!barmar
mjb@sequent.com (04/09/91)
In article <1991Apr9.020427.26222@Think.COM> barmar@think.com (Barry Margolin) writes:
"In article <24095@well.sf.ca.us> bparr@well.sf.ca.us (Barry L. Parr) writes:
">The AT&T Universal card offers an 800 number that will give you the
">balance on your Visa, using your Zip code as a PIN. This is the
">next best thing to no security at all.
"
"That seems crazy to me. The Universal card already has a secret PIN
"associated with it, to be used when using it as a calling card. So why
"do they use a different, and easily-determined, PIN for balance
"information?

Yeah, that's what I thought, too. I sent them a paper letter suggesting that they use the PIN instead of the zip code to authenticate the user. No response. Maybe I don't charge enough stuff to get customer service. Maybe I should charge even *less* stuff in the future. I like the concept, though.

Matthew. [mjb@sequent.com]
johne@hp-vcd.HP.COM (John Eaton) (04/10/91)
>
>"In article <24095@well.sf.ca.us> bparr@well.sf.ca.us (Barry L. Parr) writes:
>">The AT&T Universal card offers an 800 number that will give you the
>">balance on your Visa, using your Zip code as a PIN. This is the
>">next best thing to no security at all.
>"
>"That seems crazy to me. The Universal card already has a secret PIN
>"associated with it, to be used when using it as a calling card. So why
>"do they use a different, and easily-determined, PIN for balance
>"information?
>
>Yeah, that's what I thought, too. I send them a paper letter suggesting
>that they use the PIN instead of the zip code to authenticate the user.
----------
You absolutely do not want them to use your card's PIN for phone ID. A thief who steals your card only gets three guesses of your PIN once it is in the machine. He gets as many as his autodialer can punch out via the phone. If he can get your PIN from the 800 number then he can get all sorts of cash from your card.

John Eaton
!hp-vcd!johne
barmar@think.com (Barry Margolin) (04/10/91)
In article <6750018@hp-vcd.HP.COM> johne@hp-vcd.HP.COM (John Eaton) writes:
>You absolutely do not want them to use your cards PIN for phone ID. A thief
>who steals your card only gets three guesses of your PIN once it is in the
>machine. He gets as many as his autodialer can punch out via the phone. If
>he can get your PIN from the 800 number then he can get all sorts of cash
>from your card.

I don't understand this response, as there's no "machine" involved. I was replying to a message about the AT&T Universal card, which can be used as an AT&T Calling Card. The PIN I referred to is the one that you enter over the phone when charging long-distance phone calls. I think you're referring to the PIN used in an ATM. Maybe the AT&T card uses the same PIN for both, but that's a separate problem, and doesn't diminish the value of using the PIN when requesting information in preference to using the ZIP code.
--
Barry Margolin, Thinking Machines Corp.
barmar@think.com
{uunet,harvard}!think!barmar
mjb@sequent.com (04/10/91)
In article <6750018@hp-vcd.HP.COM> johne@hp-vcd.HP.COM (John Eaton) writes:
>You absolutely do not want them to use your cards PIN for phone ID. A thief
>who steals your card only gets three guesses of your PIN once it is in the
>machine. He gets as many as his autodialer can punch out via the phone. If
>he can get your PIN from the 800 number then he can get all sorts of cash
>from your card.

Indeed, it turns out that the Universal Card has the same PIN for the calling card number and the MasterCard number (arguably a Bad Idea). Well, I learn something new and terrifying every day.

However, the by-phone-account-balance system lets you change your PIN over the phone, so a thief who steals my card gets all the free guesses at my PIN that he wants, anyway. Fun *and* profit! Feh.

Matthew.
johne@hp-vcd.HP.COM (John Eaton) (04/11/91)
<<<
< Maybe the AT&T card uses the same PIN
< for both, but that's a separate problem, and doesn't diminish the value of
< using the PIN when requesting information in preference to using the ZIP
< code.
----------
I am assuming that the same PIN is used for the calling card as well as cash advances from ATMs. If someone finds your card and tries to get a cash advance then he only has three guesses before the ATM eats it. If he can have his computer call in and brute force the PIN via phone then he will probably be able to get cash off of your card.

John Eaton
!hp-vcd!johne
janson@athena.mit.edu (James A Anderson) (04/11/91)
In <1991Apr10.161630.3499@sequent.com> mjb@sequent.com writes
" In article <6750018@hp-vcd.HP.COM> johne@hp-vcd.HP.COM (John Eaton) writes:
>You absolutely do not want them to use your cards PIN for phone ID. A thief
>who steals your card only gets three guesses of your PIN once it is in the
>machine. He gets as many as his autodialer can punch out via the phone. If
>he can get your PIN from the 800 number then he can get all sorts of cash
>from your card.

Indeed, it turns out that the Universal Card has the same PIN for the calling card number and the MasterCard number (arguably a Bad Idea). Well, I learn something new and terrifying every day.

However, the by-phone-account-balance system lets you change your PIN over the phone, so a thief who steals my card gets all the free guesses at my PIN that he wants, anyway. Fun *and* profit! Feh."

one should distinguish between the risk of using the PIN and the risk offered by a system's failure to respond to suspicious behavior.

my bank, for example, offers access to account information over the phone. the PIN is used to restrict access. in order to reduce the exposure to unauthorized access, erroneous PINs are handled as if they had been entered at an ATM: once three errors have been made, no access is permitted. that restriction remains in effect for 24 hours (both by phone and at an ATM). if this occurs repeatedly, the account is brought to the attention of bank personnel. (i've observed the first response only.)

while this is not perfect, i believe it reduces the risk to the same level as allowing ATM access. a small distinction, but important nonetheless.

yours, james.
barmar@think.com (Barry Margolin) (04/12/91)
In article <6750020@hp-vcd.HP.COM> johne@hp-vcd.HP.COM (John Eaton) writes:
>I am assuming that the same PIN is used for calling card as well as Cash
>advances from ATM's. If someone finds your card and tries to get a cash
>advance then he only has three guesses before the ATM eats it. If he can
>have his computer call in and brute force the PIN via phone then he will
>probably be able to get cash off of your card.

Well, he can, even though the balance inquiry service doesn't use the same PIN. All he has to do is program his computer to try to make long distance phone calls with my card number. When he gets "Thank you for using AT&T" he knows he has cracked it.

Hopefully AT&T keeps track of the number of wrong calling-card PINs given, and disables the card after too many.
--
Barry Margolin, Thinking Machines Corp.
barmar@think.com
{uunet,harvard}!think!barmar
jfw@neuro (John F. Whitehead) (04/13/91)
In article <1991Apr11.184329.11411@Think.COM> barmar@think.com (Barry Margolin) writes:
>All he has to do is program his computer to try to make long distance
>phone calls with my card number. When he gets "Thank you for using AT&T"
>he knows he has cracked it.
>
>Hopefully AT&T keeps track of the number of wrong calling-card PINs given,
>and disables the card after too many.

You are only given 3 tries to get your calling card number right on an AT&T phone call and then you are disconnected. Assuming that you know that a certain phone number has a calling card number associated with it, getting a computer to crack it would be possible with an average of 1,667 calls, or a maximum of 3,334 phone calls. This could be done but would obviously be time consuming.

But you wouldn't get away with it -- AT&T checks for such strange calling behavior. About two years ago, I wanted to order concert tickets long distance from work, so I charged it to my calling card. I dialed, entered my card number, and the line was busy. I repeated this many times over the next two hours trying to get through the busy line. Less than two hours after I gave up my quest for tickets, I got a phone call from AT&T. They said, "Are you aware that your calling card was being used excessively this morning? We have noticed that 150 calls were placed over a two hour period using your credit card number and are contacting you at the daytime phone number we have in your records. Do you know about this?" I explained what I did and thanked them very much for being so observant.

And this was with me using my *correct* calling card number! So if you get a computer to redial to figure out your calling card PIN, it will certainly be noticed if it takes more than a few attempts.

John Whitehead                     Internet: jfw@neuro.duke.edu
Department of Neurobiology                   jfw@well.sf.ca.us
Duke University Medical Center     Bitnet:   white002@dukemc
Durham, North Carolina
res@colnet.uucp (Rob Stampfli) (04/15/91)
In article <1991Apr10.210855.6250@athena.mit.edu> janson@athena.mit.edu (James A Anderson) writes:
>in order to reduce the exposure to unauthorized access, erroneous PIN's [given
>over the phone] are handled as if they had been entered at an ATM: once three
>errors have been made, no access is permitted.
>that restriction remains in effect for 24 hours (both by phone and at an ATM)

This causes a new potential for abuse, though. Suppose I dislike you for some reason. With the mere knowledge of your credit card number (which I could get if you ever use your card in my store) I can effectively prevent you from using it at any ATM for an extended period by simply making a few phone calls per day. And, there is very little chance I would ever be caught, if I took some relatively simple precautions.
--
Rob Stampfli, 614-864-9377, res@kd8wk.uucp (osu-cis!kd8wk!res), kd8wk@n8jyv.oh
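Both James Anderson's lockout rule (three wrong PINs, a 24-hour lock that applies to the phone line and the ATM alike, repeated lockouts referred to bank personnel) and Rob Stampfli's objection to it can be seen in a short simulation. The code below is an added illustration written for this page; it is not any bank's system and not code from anyone in this thread. The account number, PIN, call timings, and the three thresholds (MAX_FAILURES, LOCKOUT, REVIEW_AFTER_LOCKOUTS) are constructed assumptions.

```python
"""Phone-line PIN check with ATM-style lockout (constructed illustration)."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MAX_FAILURES = 3                # three wrong PINs, as at the ATM (assumed policy)
LOCKOUT = timedelta(hours=24)   # one lock shared by phone and ATM (assumed policy)
REVIEW_AFTER_LOCKOUTS = 2       # repeated lockouts go to bank personnel (assumed)

T0 = datetime(1991, 4, 15, 9, 0)   # constructed start time for the scenarios


def hours_later(hours: float) -> datetime:
    return T0 + timedelta(hours=hours)


@dataclass
class AccountState:
    pin: str
    failures: int = 0
    locked_until: Optional[datetime] = None
    lockouts: int = 0
    flagged: bool = False


class PinGate:
    """One gate used by both channels, so phone and ATM see the same counter."""

    def __init__(self, pins: Dict[str, str]):
        self.accounts = {acct: AccountState(pin) for acct, pin in pins.items()}
        self.audit: List[str] = []   # what the bank would actually get to look at

    def verify(self, account: str, pin: str, now: datetime, channel: str) -> str:
        st = self.accounts.get(account)
        if st is None:
            return "DENIED"   # same answer as a wrong PIN: don't confirm account numbers
        if st.locked_until is not None:
            if now < st.locked_until:
                return "LOCKED"   # even the correct PIN is refused while locked
            st.locked_until = None   # lock expired, start counting afresh
            st.failures = 0
        if hmac.compare_digest(pin, st.pin):   # constant-time comparison
            st.failures = 0
            return "OK"
        st.failures += 1
        if st.failures < MAX_FAILURES:
            return "DENIED"
        st.locked_until = now + LOCKOUT
        st.lockouts += 1
        self.audit.append(f"{now:%Y-%m-%d %H:%M} {channel}: {account} locked "
                          f"(lockout #{st.lockouts})")
        if st.lockouts >= REVIEW_AFTER_LOCKOUTS and not st.flagged:
            st.flagged = True
            self.audit.append(f"{now:%Y-%m-%d %H:%M} {account} referred to bank personnel")
        return "LOCKED"


def phone_guess_limit() -> List[str]:
    """James's point: the phone line now yields the same three tries as the ATM."""
    gate = PinGate({"4111-0001": "7364"})      # constructed account and PIN
    wrong = ["0000", "0001", "0002", "0003"]   # four wrong PINs, one per minute
    return [gate.verify("4111-0001", w, hours_later(i / 60), "phone")
            for i, w in enumerate(wrong)]


def lockout_abuse() -> dict:
    """Rob's point: three wrong phone guesses a day keep the real cardholder
    out of the ATM. The caller waits 25 hours between rounds so each round
    lands after the previous lock has expired."""
    gate = PinGate({"4111-0001": "7364"})
    atm_results = []
    for day in range(3):
        for g in range(MAX_FAILURES):
            gate.verify("4111-0001", "0000", hours_later(25 * day + g / 60), "phone")
        # the cardholder tries the ATM with the correct PIN eight hours later
        atm_results.append(gate.verify("4111-0001", "7364", hours_later(25 * day + 8), "atm"))
    st = gate.accounts["4111-0001"]
    return {"atm_results": atm_results, "flagged": st.flagged, "audit": gate.audit}


if __name__ == "__main__":
    print(phone_guess_limit())
    for line in lockout_abuse()["audit"]:
        print(line)
```

The first scenario shows what the shared lock buys: the fourth guess over the phone is refused outright, so an autodialer gets no more tries than a thief at the ATM. The second shows the cost James acknowledges and Rob spells out: because the lock is keyed only on the account number, a caller who knows nothing but that number keeps the cardholder's own correct PIN from working at the ATM, day after day. The only thing the bank sees is the audit line raised once the lockouts repeat, which is the point at which James's bank brings the account to a person's attention.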