Need someone to lead product or development at your software company? I lead product and engineering teams and I'm looking for my next opportunity. Check out my resume and get in touch.

Credit Card Activation a security risk

Freshness Warning
This blog post is over 13 years old. It's possible that the information you read below isn't current and the links no longer work.

You may have received a credit card with a sticker on it asking you to activate your card by calling a special number for your home phone.

The credit card verification system uses caller ID or ANI to check the number you’re calling from and checks to see if that’s the home number they have on record for you. The idea is that only the legitimate cardholder can call from their home phone. I mean you have to be inside my house to call from my home number, right?

I use a VoIP system as my home phone. Any calls I make are transmitted over the internet before they make it onto the regular telephone system. I’ve got a regular phone number—in fact it’s the same number I’ve had for five years, even before I used VoIP. My phone number shows up in caller ID, just like a "regular" phone. The difference is, for normal landlines, the caller ID information is set at the local phone office. For my VoIP system, the number is set in my phone system—a little box that sits on a shelf in my house.

That means I could change my caller ID to show any number I wanted. I can show mine. I could show yours. I could show up as anybody.

A bad guy that intercepts a new credit card only needs to know your home phone number to use a similar system. And it’s not hard to get someone’s home phone number.

So why are credit card companies using an easily-discovered and easily-spoofed token for authentication?

October 10, 2006 2:18 PM

Maybe because in the history of credit cards, voip is very new technology. They've been around in commercial/personal use for something like 50+years now, and voip? A few years, tops. Mind you, activating online requires you to enter, what, your phone number? postcode? digits on the card/paper? All this is verifiable through taking your maill (when they take your card in the first place). Social security number? Obtainable. Mothers maiden name? Same. Frequent fliers number? Easy. Makes you wonder what IS a safe way to verify personal information/identity. At least you're covered on a credit card for misuse :)

October 11, 2006 2:49 AM

It is a bit stupid of them to not test that is secure before using it and if they had this flaw should have been noticed and sorted lets hope they stop this form of activation soon.

Tama D.
October 12, 2006 4:46 PM

I don't think it is designed to deter the most sophisticated of criminals and hackers, but I think it is rather cost efficient and effective deterrent from petty thieves and what nots from snatching a new card in the mail and activating it.

October 14, 2006 8:16 AM

Telephone-based card activation has been around for a lot longer than VoIP systems. Credit card systems take a long time to change. And the coffin's nail: There are much easier ways to steal your credit card...

May 20, 2010 12:36 AM

So are you guys saying anyone that got a card in the mail can just call the activation line show the card holders phone number and thats it, and its activated???

Adam Kalsey
May 20, 2010 9:50 AM

Yes, it's trivial to make a phone call as you or any other number. I can do it with two lines of code.

This discussion has been closed.

Recently Written

The Components of A Developer Experience (Sep 19)
Making your API a well-rounded product will help developers decide if your API is right for them and help grow their usage.
Principles of Developer Experience: An Introduction (Sep 15)
You can create a great developer experience for everything you build. Introducing the six principles of developer experience.
The KPI that measures Product-Market Fit (Sep 9)
If you ask this question to a different small group of your users every week, you can measure trends over time to determine if you're moving toward product-market fit.
Don't use NPS to measure user happiness for enterprise software (Sep 7)
Measuring the satisfaction and enjoyment of end users is a key to unlocking product-led growth. Net Promoter Score is the wrong tool for this.
Ask One Question To Help You Reach Product-Market Fit (Sep 3)
Learn what adjacent problems you need to solve to become twice as valuable to your customers.
How to scale your product team from one product manager to an entire organization (Aug 25)
As your product management team scales, you'll have issues around redundancy, communication, and consistency. Here's now you might solve those.
Software engineering manager interview questions (Aug 6)
Here are some questions I like to use to get a sense of who an engineering manager is and how they work.
A framework for onboarding new employees (May 15)
There’s no single good way to onboard an employee that works for every role. Here's a framework for creating a process that you can adapt to each situation.


What I'm Reading


Adam Kalsey

+1 916 600 2497


Public Key

© 1999-2020 Adam Kalsey.