Choose a Real Number



  • I opened a CD at New South Federal (Umbrella) Bank. Along with the account comes online access, for which you create a pin. The number I chose happened to begin with zero. When I go to access the account, it tells me my pin is invalid and locks me out. When I call to inquire, they tell me that a leading zero is not a digit and that I should choose a real number.



  • My guesses:

    1. Using atoi()
    2. Storing as int and the leading zero gets stripped

    OT: Why is it that a fair number of programs can't use the same password validation for signup and login? Usually the signup is much less strict which results in locked accounts on login.
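The two guesses in the post above, as an added example that is not part of the original thread: a PIN round-tripped through `atoi()` loses its leading zero and no longer matches at login, while one shared string validator keeps it. The 4-digit length, the sample PIN and all function names are assumptions; the last function counts what a "no leading zero" rule leaves of the PIN space.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PIN_LEN 4 /* assumed PIN length; the thread does not state one */

/* Guess from the thread: signup keeps the PIN as an int, so "0427" becomes 427. */
static int enroll_as_int(const char *pin) { return atoi(pin); }

/* Hypothetical login check that re-renders the stored int and compares text. */
static int login_int_roundtrip(int stored, const char *entered) {
    char buf[16];
    snprintf(buf, sizeof buf, "%d", stored);
    return strcmp(buf, entered) == 0;
}

/* One validator for signup and login: exactly PIN_LEN digits, zeros kept. */
static int pin_is_valid(const char *pin) {
    if (strlen(pin) != PIN_LEN) return 0;
    for (size_t i = 0; i < PIN_LEN; i++)
        if (!isdigit((unsigned char)pin[i])) return 0;
    return 1;
}

/* String comparison without early exit. A real system would compare salted
   hashes; plain strings keep this example short. */
static int login_as_string(const char *stored, const char *entered) {
    if (!pin_is_valid(stored) || !pin_is_valid(entered)) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < PIN_LEN; i++)
        diff |= (unsigned char)(stored[i] ^ entered[i]);
    return diff == 0;
}

/* PIN_LEN-digit PINs that remain if a leading zero is rejected. */
static int pins_without_leading_zero(void) {
    int n = 9;
    for (int i = 1; i < PIN_LEN; i++) n *= 10;
    return n;
}

int main(void) {
    const char *pin = "0427"; /* constructed sample PIN */
    printf("int round trip accepts %s: %d\n", pin,
           login_int_roundtrip(enroll_as_int(pin), pin));
    printf("string check accepts %s: %d\n", pin, login_as_string(pin, pin));
    printf("PINs left without leading zero: %d\n", pins_without_leading_zero());
    return 0;
}
```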


  • @Lingerance said:

    OT: Why is it that a fair number of programs can't use the same password validation
    for signup and login? Usually the signup is much less strict which results in
    locked accounts on login.

    Probably different teams writing the modules, and no common library. I've had a similar problem (documented here) where Amex allowed an email address (with a + in the local part), which subsequent verification decided was invalid.



  • @Lingerance said:

    My guesses:

    1. Using atoi()
    2. Storing as int and the leading zero gets stripped

    Nah, I bet they just want him to pick a fractional number. Try -1.602e-19, snoofle.



  •  I would have gone with αλeρ.



  • Please do choose a real number.

    It can be a rational, irrational, transcendental, but please do not choose an imaginary one.

    Their login program must stay on the real line, and cannot steer into the complex plane.



  •  I don't know what a CD is, (I thought it meant Compact Disc), but I assume it's some kind of account at what seems to be a bank of some sort. If their only security is some PIN number for online security, I would not like to be their customer. I'd really hope there is some kind of hardware token involved, together with a PIN and maybe some more stuff.

     As to the WTF, yeah that's stupid, but maybe not unexpected, if they hired the boss' nephew to do the coding. They just reduced the search space to crack the number by 10% or so.



  • @RogerWilco said:

     I don't know what a CD is,

    Google knows what a "CD account" is....



  • @RogerWilco said:

    If their only security is some PIN number for online security, I would not like to be their customer. I'd really hope there is some kind of hardware token involved, together with a PIN and maybe some more stuff.
     

    There really should be a bank that requires a hardware dongle to do online banking. And yes, the process should also require "other stuff" as you call it, maybe a retina scanner. This bank could be called MatrixBank, and you and all the other little quasi-hackers could deposit your $250 paychecks from Best Buy into it.




  • @Watson said:

    @RogerWilco said:

     I don't know what a CD is,

    Google knows what a "CD account" is....

    Google also knows what you smell like.




  • @bstorer said:

    Google also knows what you smell like.
     

    I was musing to myself the other day, as I filled in a few search terms, that Google's autocomplete betrayed my utterly unoriginal nature, and while it gave me momentary disappointment with myself, it ultimately led me to believe that maybe, yes, we are all alike as human beings and can always find common ground in some way.

    Then I saw your picture.

     

    I think I prefer belonging to the many thousands-strong camp that entered an offhand query for the movie District 9.



  •  

     @RogerWilco said:

     I don't know what a CD is


  • Discourse touched me in a no-no place

    @bridget99 said:

    There really should be a bank that requires a hardware dongle to do online banking.

    I wish.

    My credit union uses my account number (which is actually a sequential number indicating a local member company, concatenated to a sequential number indicating the employee, and then another sequential number within that employee's family), a password (exactly 8 characters), and a captcha - and they don't really seem to get the point of captchas because this one only changes ONCE A DAY (and only on weekdays - as far as I can tell, someone at the bank actually tells it what the correct answer to the captcha it generates is), and is the same for all customers - AND the captcha is always a 4 letter English word anyway.

    Somehow that's "two-factor" authentication.



  • @a_dalessandro said:

    Please do choose a real number.

    It can be a rational, irrational, transcendental, but please do not choose an imaginary one.

    Their login program must stay on the real line, and cannot steer into the complex plane.

    The probability that you can express the real in a finite amount of characters is exactly zero.



  • @bridget99 said:

    There really should be a bank that requires a hardware dongle to do online banking.

    Such 'dongles' exist.

    Nationwide card reader



    You place your card into the top of this dongle chip first, the bank gives you a challenge number, you enter the number along with your PIN, and you get the reply which you enter back into the website. The dongle is totally separate from the computer, and is self-powered.



    Depending on how often challenges are required (typically, but not always to set up new payees,) they can be a pain in the ass.



    While the one pictured is branded, it will work with most debit card accounts that require such a device.



    Of course, all this subsequently proves is that you have the card, and that you know the PIN for it, but in essence little different to a SecurID.



  • @PJH said:

    @bridget99 said:
    There really should be a bank that requires a hardware dongle to do online banking.

    Such 'dongles' exist.

    Nationwide card reader



    You place your card into the top of this dongle chip first, the bank gives you a challenge number, you enter the number along with your PIN, and you get the reply which you enter back into the website. The dongle is totally separate from the computer, and is self-powered.



    Depending on how often challenges are required (typically, but not always to set up new payees,) they can be a pain in the ass.



    While the one pictured is branded, it will work with most debit card accounts that require such a device.



    Of course, all this subsequently proves is that you have the card, and that you know the PIN for it, but in essence little different to a SecurID.

    Same here in Belgium, same device for the 3-4 banks I know that use it.



  •  Dear AnonymousCoward,

    please let's not start a flame war.

    But we surely can conjure a Godel Numbering Scheme in order to express any number - even a complex one - in a finite number of ASCII characters.

    Sincerely yours,

    Andy



  • @PJH said:

    Such 'dongles' exist.

    There's several types of these dongles - some operate on a number, generated sequentially through the chip on your bank card (there was an analysis on how these readers work in the UK a few months ago), while others generate the code based on time (and can get out of sync with the server if you don't use them often enough). Some of these dongles increase security by having the website you're logging into display a few digits generated by the dongle, which somewhat reduces the risk of MITM attack.



  • @a_dalessandro said:

     Dear AnonymousCoward,

    please let's not start a flame war.

    But we surely can conjure a Godel Numbering Scheme in order to express any number - even a complex one - in a finite number of ASCII characters.

    Sincerely yours,

    Andy

     

     

    This would imply that there are countably many real numbers, since the set of all finite-length strings of a finite set is countable. And this just isn't true.



  • @ender said:

    @PJH said:
    Such 'dongles' exist.

    There's several types of these dongles - some operate on a number, generated sequentially through the chip on your bank card (there was an analysis on how these readers work in the UK a few months ago), while others generate the code based on time (and can get out of sync with the server if you don't use them often enough). Some of these dongles increase security by having the website you're logging into display a few digits generated by the dongle, which somewhat reduces the risk of MITM attack.

    Dutch Rabobank uses the same reader. And all major Dutch banks except 1 use readers.



    On the WTF side, one of them has a USB connection so you don't have to type the numbers... so we have this device to increase your security, but then let a potentially compromised machine access it on its own.

    The last bank is the biggest WTF. They mail you 1 time pads, on 2 sheets. On login they ask you to enter the numbers from col/row X/Y from sheet 1 and sheet 2. Not much wrong with that. And they mail the two sheets as different letters, great. Except that they mail them on the same day, and thus they arrive on the same day. So you only have to rob my mailbox once.



  • @Daid said:

    The last bank is the biggest WTF. They mail you 1 time pads, on 2 sheets. On login they ask you to enter the numbers from col/row X/Y from sheet 1 and sheet 2. Not much wrong with that. And they mail the two sheets as different letters, great. Except that they mail them on the same day, and thus they arrive on the same day. So you only have to rob my mailbox once.
     

    The paper thing is optional.

    The better alternative is having them send a code via SMS, which I do.



  • @dhromed said:

    @Daid said:

    The last bank is the biggest WTF. They mail you 1 time pads, on 2 sheets. On login they ask you to enter the numbers from col/row X/Y from sheet 1 and sheet 2. Not much wrong with that. And they mail the two sheets as different letters, great. Except that they mail them on the same day, and thus they arrive on the same day. So you only have to rob my mailbox once.
     

    The paper thing is optional.

    The better alternative is having them send a code via SMS, which I do.

    I should point out there are banks in the US that optionally let you use dongles or will SMS you a code, but I don't care for it.  For me, two-factor authentication would be more annoyance than help, although I like having the option.  Of course, people need an incentive to keep their account secure in the first place, no matter what method they use.  Unfortunately, the laws here put some of the liability for theft and fraud on the banks rather than the individual, which reduces the incentive to keep your account safe.



  • @morbiuswilters said:

    @dhromed said:

    @Daid said:

    The last bank is the biggest WTF. They mail you 1 time pads, on 2 sheets. On login they ask you to enter the numbers from col/row X/Y from sheet 1 and sheet 2. Not much wrong with that. And they mail the two sheets as different letters, great. Except that they mail them on the same day, and thus they arrive on the same day. So you only have to rob my mailbox once.
     

    The paper thing is optional.

    The better alternative is having them send a code via SMS, which I do.

    I should point out there are banks in the US that optionally let you use dongles or will SMS you a code, but I don't care for it.  For me, two-factor authentication would be more annoyance than help, although I like having the option.  Of course, people need an incentive to keep their account secure in the first place, no matter what method they use.  Unfortunately, the laws here put some of the liability for theft and fraud on the banks rather than the individual, which reduces the incentive to keep your account safe.

    It's not two factor authentication. I don't have a username+password to remember. I need my physical card, any reader of the right bank, and my pin.



    You log in with your bank account number (written on the card), and use the reader to generate an authentication code (requires pin)

    Then I can view my bank details. I can set up a transaction, but to finalize it I need to use the reader again. This time I first need to enter my pin, then a number the website gives (depending on the transfer amount you get more numbers) and then it gives the authentication code which you can use to finalize the transaction.

    I don't carry any username+password. I don't leave the username+password around if I use someone's computer

    I can use my banking just about anywhere, as long as there is a reader, and I don't have to remember anything but my pin.



  • @Daid said:

    It's not two factor authentication. I don't have a username+password to remember. I need my physical card, any reader of the right bank, and my pin.

     

    You need a physical card (something you have) and your PIN (something you know). That is exactly what two-factor authentication is.



  • @morbiuswilters said:

    For me, two-factor authentication would be more annoyance than help, although I like having the option.

    My bank only does two-factor authentication when adding a beneficiary. That way whoever gets hold of my login details can pay my creditors at best, and if I lose my phone (preferred authentication method), I can still pay my bills.



  • @Daid said:

    On the WTF side, one of them has a USB connection so you don't have to type the numbers... so we have this device to increase your security, but then let a potentially compromised machine access it on its own.

    The bank which gave me that reader also let you use your card with a normal PC cardreader - you just needed to install their middleware on your computer, to access the certificate stored on the card, then the card was used to log you in to your account, and to sign any transactions. Interestingly, it appears that some of their clerks weren't aware of this option, as one of them told me that she thought only business users had the option to use a card reader.



  •  @Veinor said:

    @a_dalessandro said:

     Dear AnonymousCoward,

    please let's not start a flame war.

    But we surely can conjure a Godel Numbering Scheme in order to express any number - even a complex one - in a finite number of ASCII characters.

    Sincerely yours,

    Andy

     

     

    This would imply that there are countably many real numbers, since the set of all finite-length strings of a finite set is countable. And this just isn't true.

    My thoughts exactly. See definable real number in Wikipedia if you need more details.



  • @AnonymousCoward said:

    @a_dalessandro said:
    Please do choose a real number.

    The probability that you can express the real in a finite amount of characters is exactly zero.

    Not necessarily. The distribution you use to choose the number may well assign a positive probability to a finite subset of the reals.  And speaking of the probability of a real number having some property without specifying the distribution used to choose it is meaningless anyway (provided that there's at least one real number that has it and one that doesn't), since there's no "natural" (i.e. uniform) probability distribution over the reals.

    What you meant was that the set of real numbers expressible in a finite amount of characters has Lebesgue measure zero.  Unfortunately, that's not what you wrote.



  • @vyznev said:

    there's no "natural" (i.e. uniform) probability distribution over the reals.

     Yes there is, it's called zero.  Which is what he said.



  • @cfgauss said:

    @vyznev said:

    there's no "natural" (i.e. uniform) probability distribution over the reals.

     Yes there is, it's called zero.  Which is what he said.

     

    Umm, with a nick like that, you should better know what a probability distribution is.

