Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!elroy.jpl.nasa.gov!decwrl!mcnc!duke!neuro!jfw
From: jfw@neuro (John F. Whitehead)
Newsgroups: comp.org.eff.talk
Subject: Re: ANYONE CAN FIND MY CREDIT CARD BALANCE & LAST PMT
Message-ID: <22174@duke.cs.duke.edu>
Date: 12 Apr 91 18:04:52 GMT
References: <959@camco.Celestial.COM> <6750020@hp-vcd.HP.COM> <1991Apr11.184329.11411@Think.COM>
Sender: news@duke.cs.duke.edu
Reply-To: jfw@neuro.duke.edu (John F. Whitehead)
Organization: Dept. of Neurobiology, Duke University Medical Center
Lines: 38
Nntp-Posting-Host: neuro.neuro.duke.edu

In article <1991Apr11.184329.11411@Think.COM> barmar@think.com (Barry Margolin) writes:

>All he has to do is program his computer to try to make long distance
>phone calls with my card number.  When he gets "Thank you for using AT&T"
>he knows he has cracked it.
>
>Hopefully AT&T keeps track of the number of wrong calling-card PINs given,
>and disables the card after too many.

You are only given 3 tries to get your calling card number right on an AT&T
phone call and then you are disconnected.  Assuming that you know that a
certain phone number has a calling card number associated with it, you could
get a computer to crack it would be possible with an average of 1,667 calls,
or a maximum of 3,334 phone calls.  This could be done but would obviously
be time consuming.

But you wouldn't get away with it -- AT&T checks for such strange calling
behavior.  About two years ago, I wanted to order concert tickets long 
distance from work, so I charged it to my calling card.  I dialed, entered
my card number, and the line was busy.  I repeated this many times over the
next two hours trying to get through the busy line.

Less than two hours after I gave up my quest for tickets, I got a phone
call from AT&T.  They said, "Are you aware that your calling card was
being used excessively this morning?  We have noticed that 150 calls were 
placed over a two hour period using your credit card number and are 
contacting you at the daytime phone number we have in your records.  Do
you know about this?"

I explained what I did and thanked them very much for being so observant.
And this was with me using my *correct* calling card number!  So if you
get a computer to redial to figure out your calling card PIN, it will
certainly be noticed if it takes more than a few attempts.

    John Whitehead                     Internet:  jfw@neuro.duke.edu
    Department of Neurobiology                    jfw@well.sf.ca.us
    Duke University Medical Center     Bitnet:    white002@dukemc           
    Durham, North Carolina