
My phone company has a neat way around this.

When I declined to give them my details as they'd called me they proposed I give my date of birth with one number changed, and they'd tell me which one was changed and what the true value was.

That's obviously not a completely secure system, but validating by birth date isn't very secure anyway.

Figure 1/3rd of people will change the month, then you have 11 possibilities for the true value, so a scammer would be able to get about one correct answer for every 33 people they called... probably enough to make it worthwhile for them.

The best way around this is to end the call and then call the company back at their publicly listed phone number.

I typically do one of two things if I don't feel like calling them back.

1. Give them a wrong piece of contact information, like the wrong house address on the correct street. A scammer without this information would probably accept it; a company that already has this information will point out that it's wrong.

2. Only give them a part of the information, like the last digit of my house number, and ask them to supply the rest - this assures both of us that we're the person we're expecting to talk to.

I like to talk the guy on the other end of the phone through computing a secure hash of my personal data, by hand.

Neat. Problem is that I would not consider my birthday private data, so I must assume that an aspiring scammer can get hold of it. (If for nothing else, just because I broadcast it on Facebook.)

They solved the first half of the puzzle: that is, how to verify the knowledge of a piece of information without any of the parties leaking too much of it. But they did this with a piece of information whose knowledge is not worth verifying.
