Comments on: Identity Theft 101

By: John

John — Sat, 10 May 2008 16:42:43 +0000

It’s daft using them for security really as DoB and mothers maiden name are actually available from public records (in the UK).

By: Cynthia Armistead

Cynthia Armistead — Wed, 07 May 2008 14:48:31 +0000

I haven’t given anyone my mother’s actual maiden name in years, because the information is so insecure. I use a variety of other responses, including a couple of roleplaying characters’ mothers’ maiden names. I don’t know why more people don’t do something like that.

By: DK

DK — Wed, 07 May 2008 10:02:12 +0000

heh, Bipin, alot of work is needed in this area. I think more of us will need to do the unforgivable in the future and change our Mother’s maiden names before it gets better ;)

By: Bipin Upadhyay

Bipin Upadhyay — Wed, 07 May 2008 09:05:16 +0000

DK,
It reminds me of a couple of logical flaws I discovered in my Banking/CC portal a couple of weeks ago.

1. As per the PCI-DSS guidelines, they need to maintain TFA. My bank requires another password and your mobile (for sms) as the second factor of T-FA.
2. Once you have the longin password (or you are able to take highjack the session somehow), you can change the password as well as the mobile number.
3. Caught in any trouble doing that (or to bypass the time delay for the change to take place), call customer care, tell them your dDOB and Mother’s maiden name (as you mentioned) and you are in. :|
4. You can even change the user id. :)
5. The Captcha (which is linked to the card number) takes the digit positions from the client’s page. So if you know any three digits, you can bypass it. No need to bruteforce.

There were a few more specific flaws, but then what the hell! They have SSL & firewall & IDS & … :)

I had to change my Mother’s maiden name for my other CC account. My mom is not going to forgive me. Ever :(