Here is an interesting article from the NY Times where Bruce Schneier, a well-known security guru, answers a series of questions and ends up summarizing his philosophy on security. Very interesting reading.
Bruce Schneier Blazes Through Your Questions
Last week, we solicited your questions for Internet security guru Bruce Schneier. He responded in force, taking on nearly every question, and his answers are extraordinarily interesting, providing mandatory reading for anyone who uses a computer. He also plainly thinks like an economist: search below for “crime pays” to see his sober assessment of why it’s better to earn a living as a security expert than as a computer criminal.
Hi Andrew, speaking of security I remember at one point you posting stuff about financial institutions and security.
Can you think of any valid reason that would make having one’s credit card institution switch from signing in with credit card number + password to userID that you create (like your Myspace or Facebook!) + password?
Funny you should ask, PC Financial just did this change yesterday for my Mastercard account. Of course, it happened when I was in a hurry and I was ambushed, meaning I was not given a chance to do this at a time when I could come up with a good username. I hope I chose a good one. I did store it in my KeePass password archive.
The reason may be to prevent the credit card number from being leaked in a phishing attack or through malware. With a username, the bad guys can’t create false credit cards but with the number they can.
I will have to look more carefully, but is the credit card number visible once you log in using the new username? It might be cool if the bad guys did not get the card number even if they log in to your account.
That makes sense. And makes me somewhat less grumpy about the “being ambushed suddenly with the choose a username” factor.
And no, I don’t think they do see the number. I know when I print statements it only shows the last 4. I think it only shows the last 4 on screen too.
Of course you can still use your credit card number to log in to check PC Points.