Credit Card Activation a security risk

Freshness Warning
This article is over 13 years old. It's possible that the information you read below isn't current.

You may have received a credit card with a sticker on it asking you to activate your card by calling a special number from your home phone.

The credit card verification system uses caller ID or ANI to identify the number you’re calling from and checks whether that’s the home number they have on record for you. The idea is that only the legitimate cardholder can call from their home phone. I mean, you have to be inside my house to call from my home number, right?

I use a VoIP system as my home phone. Any calls I make are transmitted over the internet before they make it onto the regular telephone system. I’ve got a regular phone number—in fact it’s the same number I’ve had for five years, even before I used VoIP. My phone number shows up in caller ID, just like a "regular" phone. The difference is, for normal landlines, the caller ID information is set at the local phone office. For my VoIP system, the number is set in my phone system—a little box that sits on a shelf in my house.

That means I could change my caller ID to show any number I wanted. I can show mine. I could show yours. I could show up as anybody.

A bad guy who intercepts a new credit card and has a similar system only needs to know your home phone number. And it’s not hard to get someone’s home phone number.

So why are credit card companies using an easily-discovered and easily-spoofed token for authentication?
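As an added illustration (not code from the original post or from any card issuer), the sketch below contrasts the caller-ID-only check described above with a variant that treats caller ID as a risk signal and requires a secret that never travels in the envelope. The record layout, function names, three-attempt lockout and sample numbers are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # assumed lockout threshold


@dataclass
class CardRecord:
    """Hypothetical issuer-side record for a mailed, not-yet-active card."""
    home_phone: str       # number on file
    secret_hash: bytes    # hash of a secret the applicant chose at sign-up
    failed_attempts: int = 0
    active: bool = False


def normalize(number: str) -> str:
    """Keep digits only and compare on the last 10 (assumes NANP numbers)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[-10:]


def activate_caller_id_only(card: CardRecord, caller_id: str) -> bool:
    """The scheme the article describes: caller ID is the sole credential."""
    if normalize(caller_id) == normalize(card.home_phone):
        card.active = True
    return card.active


def activate_with_secret(card: CardRecord, caller_id: str, secret: str) -> str:
    """Caller ID is only a risk signal; a secret not in the envelope decides."""
    if card.failed_attempts >= MAX_ATTEMPTS:
        return "locked"
    # Plain SHA-256 keeps the sketch short; production would use a salted KDF.
    offered = hashlib.sha256(secret.encode()).digest()
    if not hmac.compare_digest(offered, card.secret_hash):
        card.failed_attempts += 1
        return "denied"
    card.active = True
    # A mismatched caller ID does not block a correct secret, but is flagged.
    if normalize(caller_id) != normalize(card.home_phone):
        return "activated-review"
    return "activated"


def new_card() -> CardRecord:
    # Constructed sample data; 555-01xx numbers are reserved for fiction.
    return CardRecord("212-555-0142", hashlib.sha256(b"river-otter-42").digest())
```
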

Dan
October 10, 2006 2:18 PM

Maybe because in the history of credit cards, VoIP is very new technology. They've been around in commercial/personal use for something like 50+ years now, and VoIP? A few years, tops. Mind you, activating online requires you to enter, what, your phone number? postcode? digits on the card/paper? All this is verifiable through taking your mail (when they take your card in the first place). Social security number? Obtainable. Mother's maiden name? Same. Frequent flier number? Easy. Makes you wonder what IS a safe way to verify personal information/identity. At least you're covered on a credit card for misuse :)

James
October 11, 2006 2:49 AM

It is a bit stupid of them to not test that it is secure before using it, and if they had, this flaw should have been noticed and sorted. Let's hope they stop this form of activation soon.

Tama D.
October 12, 2006 4:46 PM

I don't think it is designed to deter the most sophisticated of criminals and hackers, but I think it is a rather cost-efficient and effective deterrent to petty thieves and whatnot snatching a new card in the mail and activating it.

Harald
October 14, 2006 8:16 AM

Telephone-based card activation has been around for a lot longer than VoIP systems. Credit card systems take a long time to change. And the coffin's nail: There are much easier ways to steal your credit card...

JOhn
May 20, 2010 12:36 AM

So are you guys saying anyone that got a card in the mail can just call the activation line, show the cardholder's phone number, and that's it, and it's activated???

Adam Kalsey
May 20, 2010 9:50 AM

Yes, it's trivial to make a phone call as you or any other number. I can do it with two lines of code.


©1999-2020 Adam Kalsey.