PIN Numbers

Recently I bought a new phone. I stayed on the same carrier, so it was just an upgrade of my call plan and a new piece of hardware. As part of the identity verfication process in the phone store, I was asked my name, the phone number and the PIN number I had provided the company with when I first signed up for my previous phone. This PIN number was also used in the past to verify my identity over the phone when I had a mobile phone stolen and needed it call blocked. It is essentially a shared secret to identify me as me.
It's little different than the password I get asked for at the local video store when I rent a dvd, although they also require I provide then with my membership card (multifactor authentication!)
Back to the phone, I dutifully provided the PIN number and began the process of filling out forms and signing my life away on a new phone contract. While filling in details I noticed at the top of the form there was a box (filled in by the sales clerk) for my PIN. He had dutifully written my PIN in the box as part of application.
I asked him if this was the norm, if this 'secret' number was commonly written in large friendly digits on the applcation forms and he applied in the affirmative.

I did ask his opinion on writing this 'secret' number on a form that is kept in triplicate (one copy to me, one for the store and one sent off to a central office) but he didn't seem interested in discussing the ins and outs of how they secure their data or prevent impersonation.

I guess in the end I got my phone and have to hope one of the three copies of the form with my name, address, date of birth and PIN number don't fall into the wrong hands and someone decides to cancel my account or report my phone as stolen. Although thinking about it, I imagine with a name, address and date of birth alone you could use some social engineering to effective DoS someone's phone. Hmmmm. When is Richard's birthday?

0 comments:

Post a Comment