Banks and Google mailing PIN codes on pieces of paper

THE ARRIVAL of three PIN codes in my mail, two from credit cards and the other from Google showed the different approaches to security, or lack thereof, in paper-mailing of somewhat "sensitive" information.

Mark Edwards at WinITPro recently went incandescent at Google's new policy of verifying AdSense accounts with a phone call to the registered phone number using an IVR. But isn't that much more reasonable than mailing a sensitive piece of information on a printed piece of paper?.

Google's AdSense PIN code

Since I'm located down in South America I never got such verification call for my AdSense account. I'm assuming here the call approach applies only to US addresses. Instead, I received last week a printed PIN code that I had to enter into my AdSense profile as a means of address verification. The white card was delivered by the postman along with the regular junk.

Just by pure chance, the same week I received PINs from two of my credit cards, mailed by the bank after my phone request to operate with them at ATMs. Both also didn't require a signature. Yet, contrasting the "security measures" used by banks and Google left me scratching my head. Either the banks are too paranoid, or Google is too naive. Or probably, as I suspect, both approaches are incredibly stupid for the 21th century.

Let's start with Credit Card ATM PIN codes... those are useless unless you have the actual, physical credit card. And when used, those PIN codes need to be changed immediately on the first use. Likewise, the Google PIN code can only be used once, and the information by itself serves no purpose: you need my Adsense user name and password.

Credit card ATM PIN codes, mailed with "security" measures

So why are the security measures used when mailing these two PIN codes so different?. The banks mail the credit card PIN codes in an opaque envelope. You have a really really hard time trying to see-through the envelope to get the code without opening it. In one of the two, it was almost impossible. In the Mastercard one, someone could read it without opening the envelope, using a very very bright halogen lamp and some fine eyesight, I guess. Plus, those CC pin codes are mailed in secure "tear down" envelopes so that you can tell immediately if someone has opened them.

Google might as well print the PIN code outside next to the address. Why bother folding a translucent card? And what does a "secure" envelope protect anyway?

Google's mailed PIN code, on the other hand, arrives on a folded piece of thin white cardboard glued together as an envelope with three round plastic stickers, featuring the bright coloured Google logo printed in one side and the mailing address on the other. Just lifting the Google card to the nearest window revealed the code printed inside, thanks to the thin white translucent card stock.

One could say for the sake of argument that those measures are maybe designed not so much to protect the information while "in transit" on the postal system but rather to protect them from prying eyes at the place the information is printed, where it's more likely someone might have access to the "other half" of the required data. Then, in that case, Google trusts its employees a lot more than credit card companies.

Don't get me wrong, I'm not blaming Google for anything here, just wondering aloud why the different paranoia thresholds since, as I explained, credit card PIN numbers are also useless without having possession of the other half of the authentication, namely the credit card. And Google's PIN code is also useless without the Adsense log-in data, so it's not like someone could use it to verify an account they don't have, and then redirect Adsense money flow elsewhere.

So, consider this a public service announcement... what is your take on it? Are banks too paranoid when mailing PIN numbers, or is Google too naive?. What good are tear-down envelopes if someone can steal the entire mail piece with the person never knowing about it in the first place?. And why is it oh-so-wrong for Google to phone you with an IVR on a land line for validation?. And can't they all implement secure tokens once and for all as some US banks have been doing for a long time?.

What are the pros and cons of mailing PIN codes in printed pieces of paper?. Is Google's phone call validation an invasion of privacy?. And wouldn't a determined Frank Abagnale always laugh all the way to the bank?. INQuiring minds want to know. Please, fire on in the comments section. µ