Monthly Archives: August 2021

Whose number?

These days I get lots of text messages that are verification codes, commonly for 2FA. Mostly I get them when I expect them: I’m actively signing up or logging in somewhere, making a purchase or some other transaction. But a recent one was totally out of the blue: Your Pret A Manger verification code is 624864. This was not expected: though it was indeed lunchtime I had no transaction whatsoever with that purveyor of lunch.

I know just about enough about PAM to know they’re a bona-fide business, though they have no presence whatsoever in my part of the country. I find it plausible they might operate an ordering system involving an app and verification codes. So presumably just a “wrong number”.

But I was mildly intrigued: could it possibly be a scam designed to worry the victim into reacting and getting into something? I fire up the hypothetical app to check I haven’t been erroneously billed, and it turns out that’s the latest vector for installing Pegasus on my phone? Or just tries to confuse me into paying for a scammer’s lunch.

One check I can make is the originating number, shown as “62884”. I googled “62884 Pret a manger”, and drew a complete blank: if they use that number, they don’t acknowledge it anywhere online. But just googling “62884” I see PAM is a red herring. Numerous reports tell of bogus verification codes “from” different businesses. Either a complete scam, or lots of businesses outsourcing to a poorly-designed service.

But if a scam, how is it supposed to work? Just that you reply and it turns out to be a premium rate? It’s not even obvious spam that might elicit a naïve STOP, a trap hinted at by the page linked above. Besides, what prospective victim expects a number sending a “verification code” to be replyable? I’m none the wiser.

OK, this doesn’t matter. Ordinarily I’d ignore it, and I’m not sure why I didn’t. But there are occasions when one wants to verify a business’s number for much more important reasons: for example here and here. Which leads to the suggestion: should businesses be required to list all their phone and SMS numbers used for business (including outsourced ones such as a call centre they might use) on their websites? The only obvious exception to such a rule would be direct numbers for individual employees, with a quid pro quo that their outgoing calls then go through a (public) switchboard number.

If there were such a law, then my first googling could have been considered conclusive when it failed to find 62884 on Pret a Manger’s site. Much more importantly it would have enabled me to verify the Capita number and put a small chink in Virgin’s Kafkaesque anti-customer wall in the anecdotes I linked. And many other cases!

Incorrect Horse Battery Staple

An interesting argument should provoke thought. But if it’s also appealing, it can have an opposite effect: be seen as a solution (to a problem that may or may not be well-specified) and given no further thought.

A good case in point is the xkcd classic Correct Horse Battery Staple. It presents succinctly an appealing argument, and is widely cited as words of wisdom on the subject of passwords. But it seems those who cite it are usually blind to its limitations: if presented as a general solution to the problem of passwords, it’s basically useless.

It’s true that it’s the right solution to a more limited problem: passphrases for cryptographic private keys such as ssh and pgp. As with PIN numbers for your bank cards (a close analogy), you have just one or two to remember. It’s good that the security should be high, particularly where there’s no primary line of defence against brute-force attack (as in the bank suspending your card automatically after three incorrect PIN attempts). But in that context we have always spoken not of passwords but of passphrases: you shouldn’t need xkcd to tell you about them, because you were told when you first followed instructions on using ssh.

However, Correct Horse Battery Staple offers nothing more to the general problem of passwords than the thought it immediately provokes. In the first place, the cartoon’s ideas on what is memorable are perhaps a little disingenuous. So too are the security claims: there are defences against brute force attacks, and 44 bits of entropy is complete nonsense against something as simple as a dictionary, let alone AI that can correlate the supposed memorability of CHBS with its linguistic characteristics.

But far more importantly, it doesn’t scale: how many such phrases can you ever hope to memorise without hopelessly confusing them? No matter how much you might want to argue with my last paragraph, the original problem is still there. I think it’s actually worse!

Great for a passphrase, useless for multiple passwords. What the world needs is password-free cryptographic identity such as PGP and OpenID to replace all those horrible passwords. And without a centralised authority whose own motives and competence might fall under suspicion.