Skip to content

let me introduce you to something very stupid

I got this in the mail the other day from one of my credit cards:

IMG_2075.JPG

I believe what they want me to do is write down my username and password and tack it up somewhere by my computer.

Yes, my credit card company has actively encouraged me to do this.

Published inTrue Stories

6 Comments

  1. I’m bored, so, for a change, I’ll be like you, Jim. I’ll totally ignore the obvious spirit of your argument and instead nitpick the details and exploit the semantics in order to make you look like a moron. Here goes:

    1) It doesn’t ask for the password, but rather a “password hint.”

    2) Security is not breached if someone knows your username.

    3) So what if someone can log into your account? What are they going to do? Pay your credit card bill? Such a tragedy! Seriously, I don’t have that particular card, but on my account, you can’t even find out the card number, expiration date, or checking account number. Nothing of use.

    Yes, it is frivolous, but it is not what you make it out to be.

  2. eviljim eviljim

    1) Password hint is just as bad, and the average person stupid enough to use this will just write down their password.

    2) See #1

    3) You can do far more than that from your citicard account.

    But let’s suppose you can’t. Submit a 2,000 payment on someone’s account. BAM, their account is overdrafted if they don’t have that much in checking and fees are abound.

    And yes, you can get a fully valid credit card number, expiration date, CVV number, and name with JUST a citibank login and password — check out “Virtual Account Numbers”, if your card offers it. It will let anyone with access to your citibank account create a fully valid credit card number, expiration date, etc, tied to your original card.

  3. Good job.

  4. Anonymous Anonymous

    no offense, but to start…

    ~dont most people always use the same user name for just about everything, well they have like two or three. The one for everybody to know, like a screen name, and then the one for more important things (which oddly enough I find most people use some combinaton of their name…how secure is that?) with that said, a user name is typically easy to come by.

    ~passwords are not as easy to get, however the same principle applies to those. there is the one password for everyday mumbo jumbo and then the other for more important things, such as accounts and what not. If you think hard enough, you will probably be able to get close to what the password is…or maybe just try looking over their shoulder as they type it.

    Now for me, I would not want to actually access somebody’s account and start messing with money, however I would get more joy out of inconviniencing the account holder. For example, you use the user name and start trying to guess the password. For most secure accounts, you only get so many tries to get the right password before the user gets blocked out of their account. So after a max has been reached, the user can no longer access the account until it is all straightened out wiht the company, AND the account’s security was not breached. Thus a win win for both parties…or at least a tie for the account holder.

  5. Hello! I happen to work for Citi, though I’m nothing more than one of their mnions (they are the true Umbrella Corporation of Resident Evil game lore).

    First, this quote is quite wrong: “And yes, you can get a fully valid credit card number, expiration date, CVV number, and name with JUST a citibank login and password — check out “Virtual Account Numbers”, if your card offers it. It will let anyone with access to your citibank account create a fully valid credit card number, expiration date, etc, tied to your original card.”
    Yes, you can get a “VAN” but it is only good once for a specific merchant, and doesn’t give you the important info, like the REAL number, the REAL CVV, or the REAL expiration date. If the transaction is considered unusual by our Fraud Early Warning Department (FEW), the account is flagged and suspended until the cardmember is contacted. And believe me, the FEW dept has a tendancy to consider the most minor thing to be suspicious. They’re damn good at what they do.

    This quote is correct: “For most secure accounts, you only get so many tries to get the right password before the user gets blocked out of their account. So after a max has been reached, the user can no longer access the account until it is all straightened out wiht the company, AND the account’s security was not breached. Thus a win win for both parties…or at least a tie for the account holder.” We do lock access to the account online, and might even flag the plastic. FEW tends to have an itchy trigger finger when it comes to flagging online transactions with Virtual Acct Numbers.

    And as mentioned before, we suggest only writing the password HINT so you don’t have to call us (meaning you’d talk to me). We’d just give you the hint if you called, and if you didn’t know it – well, then we’d ask for everything but your height in centimeters.

    Cheers, and such… adieu.

  6. You are right. It’s not a major issue. I’ve actually had my card temporarily cut off a couple times beacause of fraud early warning (although both were just because I was traveling).

    I still think a lot of people (people who would need to, say, write down a password hint) would simply write down their password and leave it at that.

    Doing something like this just makes it easier for fraud to happen. As a merchant who accepts credit cards myself, it’s people like ME who end up getting screwed, not the card holder. Even if it’s a tiny little near-insignificant thing… it’s still a new potential way to get into someone’s account, and I dislike it.

Leave a Reply