[Karty] From the series: corporate collectors of card numbers and answers to security questions

Piotr J. Ochwal karty at ochwal.net
Mon Apr 3 23:32:40 CEST 2006


from the friendly UKcrypto list:

<snip>

Many people top up the credit on account-less SIMs using a credit/debit
card. There is a severe limit on the amount of credit that can be loaded in
any one transaction and a limit also of one transaction per 24 hours. This
may be irritating from time to time but one might presume it an attempt to
'nanny-protect' any whose card is stolen or misused. However, the networks
also apply a further and less obvious restriction. The networks record the
details of cards and answers to the 'security' questions. These card details
are then registered in a permanent association with the phone number
(SIM) topped. The association of any card with more than two numbers is
disallowed and an attempt to top up a third or subsequent SIM will fail. It
seems likely that these records are network-specific, so that by having two
SIMs for each of (say) the 5 London networks one could operate up to 10
account-less phones with a single payment card, albeit with some careful
management.

Why this restriction? More nannying? It seems more likely to associate with
reasonable assuredness phone numbers with identifiable individuals. But why
and for the benefit of whom? The network companies can have no interest in
such a procedure, which leaves the card issuing companies (who own the
cards). Because of the availability also of cash top-up it is very unlikely
that the LEA could be the prime movers for this restrictive arrangement -
though doubtless they will seek to improve the quality of their enquiries as
required (under due process) by availing themselves of information
stored.

Who authorises and/or requires the network companies to maintain detailed
and permanent records of names of card holders, card numbers and answers to
security questions? Not the account holders. Again, it seems that this can
only be the card-issuing companies. Why should they do such a thing without
stating in their T&C that they do it? Why should the network companies
comply with such a requirement?

Any thoughts?
Owen


