Diners club switches to passwords

Justin justin-cypherpunks at soze.net
Mon Jun 16 15:20:27 PDT 2003


Adam Shostack (2003-06-16 15:50Z) wrote:

> I just called Diner's Club, and was surprised to be asked for a
> password to (replace? supplement?) my mother's maiden name.
> 
> Is this something that Citibank in general is doing?  How long before
> this becomes a standard of due care?  Also, I'm curious what the
> forgot-my-password recovery mechanisms will be...

Never fear; if you forget your password and the secret token used for
authentication if you forget your password, they will still auth you.
All they need is your account info, birthdate, and the last 4 digits of
your SSN.

Secure, indeed.  Even after most people realize the utility of
relatively strong _required_ passwords being used, as they often are in
movies, to deal with banks, they are satisfied when real banks use two
publicly available pieces of information and 13 bits of your
maybe-or-maybe-not-so-secure SSN as good enough.

Imagine the panic if Americans were required to use passwords like
"b2\9690d" to access their bank accounts.  I suppose the objection would
be that we're not all as smart as Michael Douglas.  (That's the password
for one of his accounts in "The Game.")

-- 
Freedom's untidy, and free people are free to make mistakes and commit
crimes and do bad things.  They're also free to live their lives and do
wonderful things.   --Rumsfeld, 2003-04-11
