What the fxck?

| Comments (4) | COMSEC
So, the other day I needed to register an account with Chase. Part of the registration procedure is the now ubiquitous out-of-band delivery of some token/code to your cell phone, email address, etc. (I've heard this called "loopback" or "answerback").

Here's what they offer me (somewhat reformatted and trimmed, and with my phone number redacted even further):

We'll show you all contact information we have on file for you. Some of it may be outdated, but we'll only send you an Activation Code using the method you select. Note: For security reasons, we have hidden parts of your contact information below with "xxx." Learn more about why we do this.


Phone Call to :

OR E-mail Message to: exr@rtfm.com

First, note the duplication of the phone numbers: YYYY appears twice. A minor issue, though. Note also the substitution of the numbers with xxx.

Now check out the email address: exr@rtfm.com. Note that the middle letter of my username is k, not x, and this isn't xxx either. Anyway, so I'm registering here for the first time and I look at this clearly wrong address, and I figure it's a typographical or transcription error (x looks like k, after all) and I should call to get it fixed. But no.... this is just their masking technique.1 OK, so maybe I'm a moron, but seriously, how hard would it be to use * instead of x, like everyone else?

1. Mrs. Guesswork hypothesizes that their algorithm is to take the middle part of my username and so if my username were longer I would get the full xxx treatment.


Yup. As someone with a longer email address, I can confirm that Chase x's out most (all? It's been a week or two) of the letters in the middle during that step.

And note that they mask the wrong portion of each telephone number! The last four digits are the most sensitive-- if I have an inkling of your physical address (not hard to get) I can guess your area code easily and your exchange prefix with modest effort. If you have an unlisted number, though, I will be stuck for the last four digits (though I could risk annoying some thousands of people by dialing mostly at random to ask for you)! Given the last four digits, instead of making thousands of calls to find you, I need only place tens- to- hundreds (depends on whether I think you have a wireless or VOIP phone) to likely ring your number.

If the bank wishes you to choose whether they ring your voice line or your fax line, and, perhaps, to avoid choosing some old number that you had back in college, they should use a mask like 111-1XX-XXX1 which would show you the area code (really not much point in hiding that) and just the most indicative couple of digits from the local number.

RISKS Digest (vol. 24, #91) just accepted a note from me regarding masking techniques for account numbers; perhaps I should send PGN a note about your experience.
