[onaworkcomputer]

It'd be unreasonable to ask someone to perform a hash of those last four digits (how would your mom respond if the bank asked her for the sha256 hash of her card number?), but it could be helpful to ask questions that don't reveal too much information, like, "is the sum of the last four digits even?" or "is the sum evenly divisible by 3?"

It would be difficult to come up with something you could reasonably ask an account holder to figure out on their own that also wasn't easy to randomly guess.

[lucb1e]

> like, "is the sum of the last four digits even?" or "is the sum evenly divisible by 3?"

Exactly. After only a few of these you have an equivalent security level to checking the four digits directly but at each step of the way there is a 50% chance that the attacker, not knowing the number yet, gets it wrong and you stop giving more info. If they do a thousand calls a day, they'll still get some people, but it's probably not you so that's at least a small win.

You might enjoy learning about PAKE/SPEKE, which has similar properties.

> An important property is that an eavesdropper or man-in-the-middle cannot obtain enough information to be able to brute-force guess a password without further interactions with the parties (Wikipedia: PAKE)

Just enough enjoyment to then get depressed wondering why nobody is using these nice things

[smeej]

My mom would only have a 50% chance of correctly adding four single-digit numbers, and if she had to divide them by 3, she'd be lost.

She's an intelligent woman who's just lousy at arithmetic. I'd guess hers would be approximately the median experience if something like this became standard.

[gnicholas]

What I was suggesting wasn't asking the account holder, but asking the bank. With a little training, the call center reps should be able to handle adding together the last few digits of a card number.

I agree that asking account holders for this would be confusing, but since the bank is the one calling in this case it makes sense that the caller (bank) should provide information first.

Of course, it appears that in this guy's case, not even this would have worked, since they apparently had his full card number.

[giaour]

If the account holder has to ask the bank for a piece of information, the account holder will also have to produce it for comparison.

Summing the last four digits could unintentionally leak information (what if those digits are all zeros?), so the challenge question should be carefully chosen by the bank, not just whatever the account holder comes up with.

[gnicholas]

Can you explain what the information leak would be? Also, I think it's not possible for a credit card to end in all zeroes.

[giaour]

There may be inferences you can make from the sum that aren't immediately obvious. If cards can end in four zeros, the sum and the last four digits contain equivalent information, but you would also confirm that three of the digits are zeros if the sum was 1. It's something that, if I were a bank, I would want someone with a background in number theory to weigh in on. If I were a paranoid bank exec, I wouldn't trust the low-wage customer support reps I had on staff to vet customer questions for how much information they might leak and would instead have blanket prohibitions on answering questions from customers until after the authentication phase of the call.

Questions like "is the sum even?" trade a lower opportunity for information leakage for a greater opportunity for a random guess to be correct.

[gnicholas]

I understand the perspective of the paranoid bank exec! But if the alternative is that their customers are trained to give out personal information whenever someone calls and says they're from the bank, that's quite possibly worse.

It would be nice if when someone called me from an institution, they gave me a code that I could enter after calling the number on the back of my card. That way I would have confidence I'm talking to the bank and would feel comfortable giving out verification information.

In the past, it has always been a headache to find my way back to the department that called me.

[jrochkind1]

Don't forget the last digit is a checksum digit too. Which I still can't give you an attack, but I also agree that I definitely can't say I'm sure there isn't one.

[hunter2_]

That does reduce the number of possibilities greatly, which might matter for some attack scenarios, but usually not IMHO as rate limits should thwart any online brute force.

I'd be interested to know how greatly, if someone has the equation for that.

[hunter2_]

For sure. I wonder what the state of the art is in human-friendly challenges.

[Zachsa999]

Please select pictures containing a boat.

[giaour]

"What is pictured on the front of my card?" might not be a bad question (assuming the bank allowed account holders to choose from a large variety of images or upload their own). It's data that the bank could capture on card issuance, that anyone who has been in the physical presence of the card could answer, and that would not be captured by payment systems.

[droffel]

The dataset for hashed credit card numbers is small enough that it can be easily represented in a static lookup table, or brute forced.

[giaour]

Brute forced by a human voice on a phone call? You must talk quickly.

[NavinF]

He almost certainly meant that sha256(card number) can be bruteforced to figure out what card number was hashed. 10^12*256 bits is only 29 TiB.

So providing a hashed card number to a potential scammer is just as bad as providing the card number.

[indiv0]

So just ask the other party to give you a salt they generate on the spot? And/or you do so on your end?

You can still get targeted for a direct attack but much less likely to end up caught in a dragnet approach.

[giaour]

That would prevent using a pre-generated lookup table but doesn't help much with brute force attacks. All possible card numbers is a finite set, and if you have the sha256(card number + salt), you can figure out which card number was used as input given the improbability of sha256 collisions within that set.

Keep in mind this in the context of an account holder asking the bank to authenticate themselves on a phone call using data only the bank and the account holder should know. sha256(card number) was an example of something that is obviously inappropriate, and I don't think sha256(card number + salt) is any different qualitatively.

[hunter2_]

Not to mention, how many bits of salt can you transmit by voice in this context without this turning into a whole song and dance?

> That would prevent using a pre-generated lookup table

Only for a healthy pinch of salt, not a couple grains, right?