On 07/07/2012 14:05, Andy Smith wrote:
> In the end I asked the person on IRC to send me a photo or scan of a
> utility bill bearing their name and address as present in BitFolk's
> customer database, and on receipt of that I did reset their
> password.
> If it had been you in the customer's position would you have
> considered that reasonable?
Assuming I have already convinced you by correctly answering questions
about my account that are not so easily discovered as a name and address
(e.g. account name and service type; on which server the VPS is running;
the method, frequency and amount of payments, etc.) then, yes, I would
consider that reasonable. If someone has gone to the effort of mining
enough of my information that they can convincingly pose as me, then I
don't think it would cause them any trouble to fake a more secure form
of ID -- bearing in mind that you won't see it in person.
If you want to increase security, you could borrow a couple of tricks
from the banking world:
1. send a one-time code to a registered mobile by SMS; and/or
2. reset the password and send it via snail mail to the registered address.
In general I'm against this modern trend of requiring government-issued
photo ID every time I want to buy a packet of crisps. In most cases it
is unnecessary and ridiculous.
Out of curiosity, if you call out a locksmith because you've lost your
house keys, how do they satisfy themselves that you are indeed the
owner/occupant of the house?
Chris
--
Chris Smith <cjs94(a)zepler.net>
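The two out-of-band reset options suggested in this reply (a one-time code sent to the registered mobile, or a temporary password posted to the registered address), worked through as an added example; this is not code from the original thread or from BitFolk. The SMS gateway hook, the account identifiers, the code length and the expiry and attempt limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values: a short-lived, single-use code with a small guess budget.
# A 6-digit code has only a million possibilities, so the expiry and the attempt
# cap are what actually protect it, not the hashing.
CODE_TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 5


@dataclass
class PendingReset:
    code_hash: bytes      # HMAC of the code under a per-reset salt; the code itself is never stored
    salt: bytes
    expires_at: float
    attempts: int = 0


def _hash_code(code: str, salt: bytes) -> bytes:
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


class ResetCodeService:
    """Option 1 from the mail: send a one-time code by SMS to the mobile number
    already on the account, and only reset the password once it is echoed back."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # hypothetical gateway hook: callable(phone, message)
        self._now = now             # injectable clock so expiry can be tested
        self._pending = {}          # account name -> PendingReset

    def issue(self, account: str, registered_mobile: str) -> None:
        """Generate a code with the OS CSPRNG and deliver it out of band.
        Deliberately returns nothing: the support operator never sees the code."""
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[account] = PendingReset(
            code_hash=_hash_code(code, salt),
            salt=salt,
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        minutes = CODE_TTL_SECONDS // 60
        self._send_sms(registered_mobile,
                       f"Password reset code: {code} (valid {minutes} minutes, single use)")

    def verify(self, account: str, submitted: str) -> bool:
        """True only for the live, unexpired code; each wrong guess burns an attempt
        and the code is discarded after use, expiry or too many failures."""
        pending = self._pending.get(account)
        if pending is None:
            return False
        if self._now() > pending.expires_at or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[account]
            return False
        pending.attempts += 1
        ok = hmac.compare_digest(_hash_code(submitted, pending.salt), pending.code_hash)
        if ok:
            del self._pending[account]   # single use
        return ok


def postal_temporary_password(length: int = 16) -> str:
    """Option 2 from the mail: a random temporary password to be printed and posted
    to the registered address. The caller should store only a password hash and
    flag the account so the password must be changed at first login."""
    return secrets.token_urlsafe(length)


if __name__ == "__main__":
    # Stand-in for the SMS gateway: just records what would have been sent.
    outbox = []
    service = ResetCodeService(lambda phone, msg: outbox.append((phone, msg)))
    service.issue("example-account", "+44 0000 000000")   # constructed sample values
    print("would send:", outbox[-1])
    print("postal temporary password:", postal_temporary_password())
```

The design point is that the secret reaches the customer only through a channel that was registered before the dispute arose, so someone who has merely mined a name and address from public sources gains nothing from knowing how the check works.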