Security Stupidity

Every so often, I’ll see a scenario that just leaves me utterly gobsmacked. Sadly, they’re usually based around security of some sort – for whatever reason, it’s something I’m generally pretty tuned in to, and aware of.

Yesterday’s one was an absolute blinder – and caused by a complete lack of thought/awareness.

While I was walking at lunchtime, the person in front of me was paying a bill over the phone. Using hands-free, so it was all done out loud. (I don’t quite get why some people use hands-free for conversations on mobiles while walking – particularly when they’re still holding the mouthpiece to their mouths anyway. People be weird.)

That wasn’t so bad – he was entering the card details using the keypad, so in that aspect it was fairly secure. Not how I’d have chosen to do it, but hey, I’m not one to judge.

The bit where it all went tits up, though, was that the payment line then read the numbers back to the user, as a confirmation: “If this is correct, press 1.”

It’s a scenario where the developers etc. have thought about how to confirm the card data, and it makes sense to read it back. They’ve just not seen the real-world situations where people then do these things in public, on hands-free speakers. But it meant that – were I a bad person – I’d have had all of that guy’s card information (it even read back the CV2 validation number), which I could have made use of.
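As an added example (not code from the original post, and not from any real IVR or payment provider), here is the difference between a confirmation prompt that echoes everything the caller typed and one that confirms the card without speaking the secrets. A Luhn check catches mistyped card numbers locally, so there is no need to read the full number back; only the last four digits and the expiry are voiced, and the CV2 is never spoken at all, since it is meant to stay secret and the acquirer will reject a wrong one anyway. The `KeypadEntry` type, the prompt wording and the sample card (a Luhn-valid test number, not a real card) are all constructed for this illustration.

```python
# Added example, not from the original post or any real IVR product: a
# payment line that echoes everything it was given, beside one that confirms
# the card without disclosing it. KeypadEntry and the prompt wording are
# illustrative assumptions.
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class KeypadEntry:
    """Digits a caller typed on the phone keypad (constructed input)."""
    pan: str     # card number, 12-19 digits
    expiry: str  # MMYY
    cv2: str     # 3 or 4 digit security code


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check; catches typos without re-speaking the PAN."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _spaced(digits: str) -> str:
    """How an IVR typically voices a digit string: one digit at a time."""
    return " ".join(digits)


def insecure_readback(entry: KeypadEntry) -> str:
    """The behaviour described in the post: every field is read back out loud,
    including the security code. Anyone within earshot of a speakerphone gets
    the lot."""
    return (
        f"You entered card number {_spaced(entry.pan)}, "
        f"expiry {_spaced(entry.expiry)}, "
        f"security code {_spaced(entry.cv2)}. "
        "If this is correct, press 1."
    )


def secure_readback(entry: KeypadEntry) -> str:
    """Confirm the card without disclosing it: validate locally, then speak
    only the last four digits of the PAN and the expiry. The CV2 is checked
    for shape and never voiced."""
    if not luhn_valid(entry.pan):
        return "That card number does not look right. Please enter it again."
    if not re.fullmatch(r"(0[1-9]|1[0-2])\d{2}", entry.expiry):
        return "That expiry date does not look right. Please enter it again."
    if not re.fullmatch(r"\d{3,4}", entry.cv2):
        return "That security code does not look right. Please enter it again."
    mm, yy = entry.expiry[:2], entry.expiry[2:]
    return (
        f"You entered a card ending in {_spaced(entry.pan[-4:])}, "
        f"expiring {mm} {yy}. If this is correct, press 1."
    )


def readback_leaks_secrets(spoken: str, entry: KeypadEntry) -> bool:
    """Does the spoken text contain the full PAN or the CV2 as a digit run?
    This is exactly what the passer-by in the post could hear; run it over
    every prompt the IVR can produce, not just the happy path."""
    digit_runs = re.findall(r"\d+", spoken.replace(" ", ""))
    return any(entry.pan in run or run == entry.cv2 for run in digit_runs)


if __name__ == "__main__":
    # Constructed sample: a Luhn-valid test number, not a real card.
    sample = KeypadEntry(pan="4111111111111111", expiry="1225", cv2="987")
    for name, fn in (("insecure", insecure_readback), ("secure", secure_readback)):
        prompt = fn(sample)
        print(f"[{name}] leaks secrets: {readback_leaks_secrets(prompt, sample)}")
        print(f"  {prompt}")
```

The `readback_leaks_secrets` check is the useful part for a reviewer: treat "no prompt ever voices the full PAN or the CV2" as a property of the IVR script and test it against every branch, including error and retry prompts, which are where full values tend to slip back in.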

And in case anyone’s wondering, I did tap him on the shoulder when he’d finished the call, and explained that he really should get that card changed ASAP. If I could hear it, or if he does that on a regular basis, then the card is compromised, and it’s only fair to make him aware of it.

It’s up to him, of course – but the fact I told him his card number, expiry date, and CV2 (correctly – I really do need to get out more) certainly seemed to focus his mind somewhat…
