Newsgroups: comp.org.eff.talk
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!think.com!snorkelwacker.mit.edu!bloom-picayune.mit.edu!athena.mit.edu!janson
From: janson@athena.mit.edu (James A Anderson)
Subject: Re: ANYONE CAN FIND MY CREDIT CARD BALANCE & LAST PMT
Message-ID: <1991Apr10.210855.6250@athena.mit.edu>
Followup-To: comp.org.eff.talk
Sender: news@athena.mit.edu (News system)
Organization: Massachusetts Institute of Technology
References: <959@camco.Celestial.COM> <6750018@hp-vcd.HP.COM> <1991Apr10.161630.3499@sequent.com>
Date: Wed, 10 Apr 91 21:08:55 GMT
Lines: 32

In <1991Apr10.161630.3499@sequent.com> mjb@sequent.com writes

" In article <6750018@hp-vcd.HP.COM> johne@hp-vcd.HP.COM (John Eaton) writes:
>You absolutely do not want them to use your card's PIN for phone ID. A thief
>who steals your card only gets three guesses of your PIN once it is in the
>machine. He gets as many as his autodialer can punch out via the phone. If
>he can get your PIN from the 800 number then he can get all sorts of cash
>from your card.

Indeed, it turns out that the Universal Card has the same PIN for the
calling card number and the MasterCard number (arguably a Bad Idea).

Well, I learn something new and terrifying every day. However, the
by-phone-account-balance system lets you change your PIN over the phone,
so a thief who steals my card gets all the free guesses at my PIN that he
wants, anyway. Fun *and* profit! Feh."

One should distinguish between the risk of using the PIN and the risk
offered by a system's failure to respond to suspicious behavior.

My bank, for example, offers access to account information over the phone.
The PIN is used to restrict access. In order to reduce the exposure to
unauthorized access, erroneous PINs are handled as if they had been entered
at an ATM: once three errors have been made, no access is permitted. That
restriction remains in effect for 24 hours (both by phone and at an ATM).
If this occurs repeatedly, the account is brought to the attention of bank
personnel. (I've observed the first response only.)

While this is not perfect, I believe it reduces the risk to the same level
as allowing ATM access. A small distinction, but important nonetheless.

Yours,
James.
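The lockout policy described in the post, written up as an added example (not code from the post or from any bank): three wrong PINs lock the account for 24 hours on every channel, and a repeat lockout flags the account for staff review. The sample PIN, the 600-guesses-per-hour autodialer rate and the "second lockout triggers review" threshold are constructed assumptions; the post only says "repeatedly".

```python
import hmac
from dataclasses import dataclass

LOCKOUT_AFTER = 3             # wrong guesses allowed before the lock engages
LOCKOUT_SECONDS = 24 * 3600   # lock duration, shared by phone and ATM channels
REVIEW_AFTER_LOCKOUTS = 2     # assumption: second lockout brings the account to staff

@dataclass
class PinGuard:
    """Tracks PIN failures for one account across every access channel."""
    pin: str                  # constructed sample; a real system stores a hash, not the PIN
    failures: int = 0
    locked_until: float = 0.0
    lockouts: int = 0
    flagged_for_review: bool = False

    def check(self, guess: str, now: float) -> str:
        """Evaluate one attempt made at time `now`; return 'ok', 'wrong' or 'locked'."""
        if now < self.locked_until:
            return "locked"   # nothing is evaluated while the lock holds, on any channel
        if hmac.compare_digest(guess, self.pin):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= LOCKOUT_AFTER:
            self.failures = 0
            self.lockouts += 1
            self.locked_until = now + LOCKOUT_SECONDS
            if self.lockouts >= REVIEW_AFTER_LOCKOUTS:
                self.flagged_for_review = True   # "brought to the attention of bank personnel"
        return "wrong"

def autodialer_run(guard: PinGuard, start: float, guesses_per_hour: int = 600, hours: int = 48) -> int:
    """Simulate a sweeping autodialer; return how many guesses the system actually evaluated."""
    evaluated = 0
    interval = 3600 / guesses_per_hour
    for i in range(guesses_per_hour * hours):
        if guard.check(f"{i % 10000:04d}", start + i * interval) != "locked":
            evaluated += 1
    return evaluated
```

Over a 48-hour sweep the guard evaluates only six guesses (three per lockout window), the rest are refused unseen, and the second lockout raises the review flag.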