Path: utzoo!utgpu!watserv1!watmath!iuvax!mailrus!accuvax.nwu.edu!nucsrl!telecom-request
From: dwp@cci632.uucp (Dana Paxson)
Newsgroups: comp.dcom.telecom
Subject: Re: Phone Credit Cards
Message-ID: <3438@accuvax.nwu.edu>
Date: 1 Feb 90 13:51:22 GMT
Sender: news@accuvax.nwu.edu
Reply-To: dwp@cci632.uucp
Organization: Computer Consoles Inc. an STC Company, Rochester, NY
Lines: 31
Approved: Telecom@eecs.nwu.edu
X-Submissions-To: telecom@eecs.nwu.edu
X-Administrivia-To: telecom-request@eecs.nwu.edu
X-Telecom-Digest: Volume 10, Issue 69, message 4 of 10

On the subject of phone credit cards/calling cards:

Why is the PIN emblazoned on the AT&T calling card, right there for everyone to see? I've worked on computer password management, and one thing my cohorts and I kept telling people was: Don't put your password in a visible place in written form.

I've used bank cards at ATMs, and the banks I have cards for have been uniform in their refusal to put the PIN on the card. But I use the phone card, and Lo! there is my complete access authentication, for anyone to read over my shoulder, or use if the card is found lying somewhere.

Bad enough that the PIN is so short and so structured (see the recent articles on this subject); but why make matters worse by displaying it?

BTW, I once got two bank ATM cards from two different banks, having two different account numbers -- but the identical four-digit PIN! I speculated that maybe the banks bought the passwords (or the algorithm) from the same guy ...

My input: Get the PINs off the cards. If people can't deal with that, they can't deal with bank ATMs either. Furthermore, don't put the PINs IN the cards (magnetically) either. For secure communications, the data channel and the authentication channel should be separate.

Dana Paxson
Systems Architecture

Disclaimer: the opinions expressed above are my very own.