42

Capital One recently sent my plastic credit card by post mail and its activation code by a separate post mail. What security problem does this mitigate?

If a rogue element has access to my mail box or home, they will have both the plastic card as well as the activation code. The only thing I can think of is that they are preventing rogue elements on their side from having access to the two pieces at the same time? Or is it something else?

Lord Loh.
    Out of curiosity, did they arrive at the same time? – msanford Oct 18 '19 at 19:54
  • 1
    @msanford No. They did not. That would not really be a security measure, would it? There is no way to know if I am at home to intercept at least one of the mails on time. Or both mails could be waiting in my mailbox for me or the salacious actor. – Lord Loh. Oct 18 '19 at 19:55
  • 17
    Exactly: they hope to mitigate against intercepting _one_ of them. Mailbox break-in and they nick a credit card, but it's useless without the code, chucked in the bin. – msanford Oct 18 '19 at 20:18
  • @msanford - I got my plastic card first with a note saying that I should have got my activation code. If not, I should expect it in a few days. – Lord Loh. Oct 18 '19 at 20:23
  • Why don't they apply two-factor authentication with your phone? They can write a note in the first mail to call the call-center to set up the card. – kelalaka Oct 19 '19 at 09:09
  • 1
    @kelalaka they do that as well in the UK, often checking the number you phone from. – Ian Ringrose Oct 19 '19 at 20:29
  • several years ago my father's credit card and code were stolen from his mail box. – Jasen Oct 20 '19 at 06:53
  • 3
    In addition to arguments centered on the receiver end (= you), this is pure speculation but: on the sender's end, maybe they send each of the two mails from different facilities, hence mitigating the damage of a malicious actor in the postal service close to one of the places from which they send. – a3nm Oct 20 '19 at 22:41
  • 1
    @a3nm Or in the issuer. – user207421 Oct 21 '19 at 08:58
  • 1
    @LordLoh. I think you mean 'malicious', not 'salacious'. https://www.merriam-webster.com/dictionary/salacious – jcm Oct 21 '19 at 10:24
  • 1
    @a3nm As someone who works for a major UK bank, I can confirm that - for us, at least - the Card and Code are sent from different Print Centres. But, I *don't* know whether or not we use different Print Centres when there is not a card involved - such as for Online Banking credentials. (As much as anything, sending the Card direct from the embosser is cheaper than sending it to the main Print Centre to be forwarded on to the customer!) – Chronocidal Oct 21 '19 at 12:42
  • 1
    @Chronocidal it's likely that you've got 2 specialised print centres - obviously the card, but the secure printing of a PIN needs a process that's not used for other things. While they could be on the same site, they don't have much in common – Chris H Oct 21 '19 at 13:55

3 Answers

130

Many low level crimes are ones of opportunity, not planned out attacks. By separating the two needed pieces of mail in time, it forces the attacker to intercept the same person's mail more than once.

This prevents a mail thief from simply walking up to homes and looking for credit cards and activating them all in one step. Now suddenly the thief has to go back to the same house, or intercept the same person's mail at least twice, and possibly multiple days in a row. That takes time, effort, and additional exposure.

Steve Sether
  • 58
    when factoring luck and other people into the equation, doing something twice is more than twice as hard as doing it once, yet the cost for the creditor is only twice, which makes for a security bargain. – dandavis Oct 18 '19 at 20:18
  • 1
    By the way, their phone activation system did not recognize the paper mail activation code and sent it by email - something that would have been the economical thing to do in the first place, not to mention more secure than paper mail. – Lord Loh. Oct 18 '19 at 20:27
  • 15
    In addition you can check for plastic cards in an envelope by bending it. You can't check for activation codes in the same way. So an attacker would have to open the verification, while he could find a probable credit card without opening anything. – vidarlo Oct 19 '19 at 09:07
  • 28
    Don't forget that the guy with the easiest *opportunity* to steal a card is the postman! Putting the card and authorization in one package makes it too easy - the postman wouldn't even need to *open* the package to know what it was and sell it to a third party. – alephzero Oct 19 '19 at 09:20
  • 6
    Not just the postman who delivers to your door; postal depot staff too. – Michael Harvey Oct 19 '19 at 14:18
  • 33
    Also, sometimes mail ends up in the wrong mailbox. – Andrew Morton Oct 19 '19 at 15:21
  • @vidarlo from a totally anecdotal sample of verification code envelopes, they are unmarked but look suspiciously similar and different from other regular post items, and they tend to arrive a few days after the plastic card (not before), so they are relatively easy to intercept, but obviously more difficult than having the code in the same envelope. – Rsf Oct 21 '19 at 08:23
32

A lot of people get a credit card and leave it in the envelope for a considerable amount of time.

Further, separating the data complicates life very greatly for a mail thief. To snatch one piece of mail is a crime of opportunity. But to snatch two on separate days requires veritable stalking. Having gotten one piece, the thief must now return to the scene of the crime often. That greatly increases exposure, both because of the lingering and the repeated visits.

Further, it's likely the correspondence is not obviously marked with a sender, so the thief does not know which piece of mail to steal, and must steal a lot of it. This greatly increases the chance of the owner noticing their mail is going missing, which would defeat the entire exercise as the owner would cancel the card.

And after all that, there's a fair chance that the piece the thief lifted was the second to arrive... In which case the other half of the puzzle will never show up. The thief could check for weeks and never get it. When to give up?

3

Credit cards are stochastically secure (like all banking).

They aren't trying to make the system unbreakable, they are trying to make the fraud losses be a suitably low percentage of the margin.

(And optimise for cost and convenience - if you had to visit a branch and show three forms of ID, as well as their needing many expensive branch clerks, a lot of customers would never activate their card and hence never generate any revenue).

Rich
  • make that "like all security". No one with a working brain invests in security if cost is greater than damage times probability. – Haukinger Oct 21 '19 at 14:20
  • @Haukinger Actually making such a bad investment is the foundation of insurances. Your mark relates only to mass market (here: the bank issuing many credit cards) where the law of big numbers evens out any risk aversion. From the perspective of a one-time "player" and with damage comparable to their capacity, things are different – Hagen von Eitzen Oct 21 '19 at 16:05
  • @HagenvonEitzen but insurances only work, _because_ people are dumb and do not realize that "self-insuring" is a better deal. If you have an information advantage, of course, things look different, and also if you don't have enough money to set aside for your "self-insurance" (indemnity insurance comes to mind, and, to a lesser degree, health insurance) – Haukinger Oct 21 '19 at 20:20
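
The argument in the first two answers (one opportunistic visit versus repeated visits to the same mailbox) can be worked as a small exact model from the issuer's risk-modelling side. This is an added example, not part of the original thread; the 30-day window, the 2-day mailbox dwell time, the 3-day gap between mailings and all function names are constructed assumptions, not issuer data.

```python
from fractions import Fraction
from itertools import combinations


def days_in_box(arrival_day, dwell_days):
    """Days on which an item sits in the mailbox before the owner collects it."""
    return set(range(arrival_day, arrival_day + dwell_days))


def theft_probability(gap_days, dwell_days, n_visits, horizon_days=30, card_day=10):
    """Exact chance that n_visits on distinct, uniformly random days in the
    window coincide with both the card and the activation code.

    gap_days=0 models card and code arriving together. All numbers are
    constructed assumptions for illustration.
    """
    card_days = days_in_box(card_day, dwell_days)
    code_days = days_in_box(card_day + gap_days, dwell_days)
    hits = total = 0
    # Enumerate every possible set of visit days instead of sampling,
    # so the result is exact and reproducible.
    for visits in combinations(range(horizon_days), n_visits):
        total += 1
        visits = set(visits)
        if visits & card_days and visits & code_days:
            hits += 1
    return Fraction(hits, total)


def compare(dwell_days=2, gap_days=3, max_visits=3):
    """Rows of (visits, P[mailed together], P[mailed separately])."""
    return [
        (n,
         theft_probability(0, dwell_days, n),
         theft_probability(gap_days, dwell_days, n))
        for n in range(1, max_visits + 1)
    ]


if __name__ == "__main__":
    for n, together, separate in compare():
        print(f"{n} visit(s): together={float(together):.4f} "
              f"separate={float(separate):.4f}")
```

Under these assumptions a single visit never yields both items once the mailings are staggered by more than the dwell time, and with two visits the chance drops from 57/435 to 4/435.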