Yesterday I was reminded that implementing security is hard, with or without software.

One of my credit cards was about to expire, and the bank sent me three replacements:

  • one for Art Shelest,
  • another for Mr. Art Shelest,
  • and, for good measure, a card for Art X. Shelest.

Since the mailer only allows two cards, two identical envelopes were used.
All three cards use the same number, same expiration date, and the same security code.
All three cards are activated by a single call to an 800 number.

Taking one of the distinctly stiff envelopes with a redundant card would likely go unnoticed, and the stolen card would become enabled once others were activated. The cards security features are the CVV code and the ZIP code, already in the attacker’s possession. If I detect improper charges, the bank will issue me another three cards and the cycle can start over.

The phone based activation was fine until the feature was improperly scaled to multiple cards.