Log in

No account? Create an account
brad's life [entries|archive|friends|userinfo]
Brad Fitzpatrick

[ website | bradfitz.com ]
[ userinfo | livejournal userinfo ]
[ archive | journal archive ]

Card Activation [May. 13th, 2006|05:35 pm]
Brad Fitzpatrick

Wamu just "upgraded" a debit card I never use to another debit card I'll never use. They say "upgraded" but really they just mean "we changed our contract from Visa to MasterCard, so sorry.... you have to go through a bunch of shit."

I went to activate the card online (normally I use the phone) and they wanted:

-- card number
-- 3 digit security code
-- my FULL social security number
-- date of birth
-- account type
-- account number
-- old card number (the visa it's replacing)
-- expiration date of old card

Fuck all that. I'm not giving them my full social security number.

I called the 800 number where they wanted:

-- card number
-- 3 digit security code

And then the robot happily informed me that my card was activated.

Can we get a LOL out there?

[User Picture]From: ckd
2006-05-14 12:40 am (UTC)
The 800 number can use ANI to check that you appear to be calling from the phone number associated with the account. Not perfect, but better than "coming from some IP address" is.
(Reply) (Thread)
[User Picture]From: askbjoernhansen
2006-05-15 09:27 am (UTC)

ANI not safe ...

And sure, regular joes can't fake their ANI -- but can you count on a fraudster being a regular joe?

- ask
(Reply) (Parent) (Thread)
[User Picture]From: askbjoernhansen
2006-05-15 09:30 am (UTC)

Re: ANI not safe ...

oh, I forgot to add: I (too) prefer the convenience of just having to call the number and give them my account number and have the robot be satisfied with that.

With credit cards then almost by law it's hard to care about the security. Fraud is almost 100% Not My Problem (speaking as card holder, speaking as merchant it's of course not so).

- ask
(Reply) (Parent) (Thread)
[User Picture]From: imgreen
2006-05-14 12:40 am (UTC)
isn't that because it's linked to your phone number so they know it's you calling?
(Reply) (Thread)
[User Picture]From: henry
2006-05-14 01:42 am (UTC)
or someone on a lineman's headset at your phone box, since they already know where you live when they swiped your mail. shopping spree!
(Reply) (Parent) (Thread)
[User Picture]From: grahams
2006-05-14 02:14 am (UTC)
(Reply) (Thread)
[User Picture]From: loganb
2006-05-14 02:52 am (UTC)

1337 Sprint Customer Support

Operator: "Hello, can I have your phone number and online account password?"
Me: "Yes my number is XXX-XXX-XXXX and the last four digits of my SSN are XXXX"
(they accept either)
Opertaor: "Thank you, next time you call you can also give us your online password of XXXXXXX"

(Reply) (Thread)
[User Picture]From: grumpy_sysadmin
2006-05-21 01:20 am (UTC)

Re: ANI not safe ...

"Hello, we don't hash passwords. Don't ever use this password anywhere else, ever."
(Reply) (Parent) (Thread)
[User Picture]From: mark3
2006-05-14 02:57 am (UTC)
I just went through the same thing with Bank of America. Someone got my card number and started having a ball with it, the Bank shut it off so quick it wasn't funny, then called me. They sent out a new card and I found the same nonsense on the web site, so I called the 800 number and only had to give them the card number and the security code. The bad thing was it was a regular charge card with a whopping credit limit, the good thing was the realized quickly that I couldn't be in three different stores making purchases at the same time. So they declined everything and blocked the account.
(Reply) (Thread)
[User Picture]From: smackfu
2006-05-14 03:01 am (UTC)
I've had cards where you only had to call the number. The robot answered and just said "your card has been activated". I thought that was clever.

I guess they figure that if you are calling from the right phone, and know the number to call, you probably have the card anyway so reciting digits from it gives no additional security.
(Reply) (Thread)
[User Picture]From: uke
2006-05-14 07:24 am (UTC)
They already have your SSN.
(Reply) (Thread)
[User Picture]From: brad
2006-05-14 07:35 am (UTC)
Oh, I'm quite certain of that. I object to how often it's "required" when it shouldn't be. Also that security principle that the more your credentials are asked for, the less important they become. I'm quite certain my operating system has my password, but once it asks me for it every 30 seconds to do any action, I stop thinking about why I'm entering it.

Wikipedia, unsurprisingly, explains why I hate giving out SSNs better than I could, for those that are confused:

(Reply) (Parent) (Thread)