Path: utzoo!telecom-request
Date: 14 May 91 15:10:08
From: philip@beeblebrox.dle.dg.com (Philip Gladstone)
Newsgroups: comp.dcom.telecom
Subject: Re: AT&T Card PIN Disclosed
Message-ID:
Organization: Data General, Development Lab Europe
Sender: Telecom@eecs.nwu.edu
Approved: Telecom@eecs.nwu.edu
X-Submissions-To: telecom@eecs.nwu.edu
X-Administrivia-To: telecom-request@eecs.nwu.edu
X-Telecom-Digest: Volume 11, Issue 362, Message 1 of 11
Lines: 30

On 9 May 91 22:20:30 GMT, lia!jgro@fernwood.mpk.ca.us (Jeremy Grodberg) said:

> The service rep asked what
> PIN I had used, at which point I was stunned; after a brief pause, I
> said "I'm not supposed to tell anyone my PIN, your literature says that
> real AT&T reps will never ask you for it." The service rep then
> pauses, stammers, and says "Well, I'm looking right at it.
> response from me, which I don't give, because I'm starting to get
> sick. OK," she says, "did you use XXXX?" where XXXX was my real PIN!
> Not only did she have access to it (which she shouldn't need or have),
> she told it to me! Yikes! I am not amused.

The banks take a much different view on the security of PINs (at least in the UK). The device that actually stores the PINs is kept apart from the main system and is kept in a controlled (and very secure) environment. All access to this device is via its (IBM) channel attach to the mainframe. This device implements the security policies in force -- i.e. inability to read the PIN, verify only, audit trails etc.

I guess the difference is that banks are trying to protect against the loss of significant amounts of money, whilst AT&T is trying to protect against a theft of service (for which you haven't paid [yet]).

Philip Gladstone
Dev Lab Europe, Data General, Cambridge, UK
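The "verify only, no read, audit trail" device the post contrasts with AT&T's practice, modelled as an added example (this is not code from the post, from any bank's PIN device, or from AT&T; the device key, account number and operator id are constructed values):

```python
# Added example: a minimal model of a verify-only PIN device. The PIN is
# never stored or returned in the clear; callers (including a service rep)
# can only ask "does this PIN match?", and every attempt is audited.
# Device key, account numbers and PINs below are constructed sample values.
import hashlib
import hmac
from datetime import datetime, timezone


class PinVerifier:
    """Models a PIN device that answers verify requests and nothing else."""

    def __init__(self, device_key: bytes) -> None:
        self._key = device_key             # stays inside the device
        self._pins: dict[str, bytes] = {}  # account -> keyed hash of PIN
        self.audit: list[dict] = []        # append-only trail of operations

    def _derive(self, account: str, pin: str) -> bytes:
        # Keyed hash binds the PIN to the account and the device key, so the
        # stored value is useless to anyone who can read the store but not the key.
        msg = f"{account}:{pin}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def enroll(self, account: str, pin: str) -> None:
        if not (pin.isdigit() and 4 <= len(pin) <= 12):
            raise ValueError("PIN must be 4-12 digits")
        self._pins[account] = self._derive(account, pin)
        self._log("enroll", account, True)

    def verify(self, account: str, pin: str, operator: str) -> bool:
        # Returns a bare yes/no; there is deliberately no method that returns a PIN.
        stored = self._pins.get(account)
        ok = stored is not None and hmac.compare_digest(
            stored, self._derive(account, pin))
        self._log("verify", account, ok, operator)
        return ok

    def failed_attempts(self, account: str) -> int:
        # Audit trail lets an operator spot guessing against one account.
        return sum(1 for e in self.audit
                   if e["op"] == "verify" and e["account"] == account
                   and not e["result"])

    def _log(self, op: str, account: str, result: bool,
             operator: str = "system") -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "op": op, "account": account,
                           "operator": operator, "result": result})
```

The point of the model is the interface, not the hash: a rep holding the device's only API cannot do what the rep in the quoted post did, because there is no call that returns the PIN.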