Proponents of this type of security believe that these qualify
as "something you know" and therefore are sufficient to prove or assist in proving
identity. The trouble with using questions such as these is that this merely
becomes an arms race and eventually falls prey to modern methods of pre-texting
and phishing.
Not all that long ago, before computers roamed the Earth, it was easy enough to
use only a credit card number over the phone—or even in person—to buy
goods and services. The algorithm used to generate card numbers (called the
Luhn formula) wasn't widely known, and many merchants (and card issuers)
treated possession of the card number as possession of the account itself. After
fraud levels increased, card issuers required the accompaniment of the expiry
date—a fact that only the cardholder and the card issuer would know—to be
able to charge to the account. Of course, the inevitable happened; fraudsters began
to acquire the expiry dates to go with the account number. Card issuers
fought back again, and in the late 1990s they added the Card Security Code
294 Guidance for a Relying Party
Prompting the User to Use Information Cards
Despite the changes to the user interface, users may ignore elements
in the page that they believe are not related to the task at
hand.