Curve Product Update August 2019

If they know your passcode that you set up ( which should be longer than 4 digits, please implement that :stuck_out_tongue: ) then yeah they’ll be able to access it. Maybe don’t set your passcode to your birth year/1234/0000 as precautions? :slight_smile:

I’m assuming you are not talking to me about this, but just to make sure…are you?

Thanks Marie.

What about if you have set up a complex password. Would that be enough to get you back into your account?

There are some nice features coming it seems I do agree I think email addresses should be the main contact detail. And two factor authentication is a great idea security wise!

Are we going to be able to have curve on apple/android/gpay?

With the virtual card how would that work in terms of being able to use it in store?

Why can only new customers be able to choose their pins?

All the features sounds nice. And about login by phone number, it doesn’t matter for me tbh. BUT, there should be easy way to change phone number. Like using special question-answer, authentication token or whatever else is safe enough. That would be best compromise between Curve Team plans and people that aren’t happy about this change because of problems with transfering current phone number to other carrier in some countries.

One of the cases for using the recovery process is if you’ve forgotten your password. Having a complex password will not affect the process :slight_smile:

Yes. You’ll find other topics on that within the community.

The card will show the details, but you can’t use it in the store. :point_down:

It will be possible to set the PIN code, not change it. That’s why new customers will be able to choose, but current customers cannot change it.

As the article posted by @Pawel also mentions hashing could be a wrong choice (because of collision). Have you thought about that?

Hash It!
The first instinct is often just to hash the contact information before sending it to the server. If the server has the SHA256 hash of every registered user, it can just check to see if those match any of the SHA256 hashes of contacts transmitted by a client.

Unfortunately, this doesn’t work because the “preimage space” (the set of all possible hash inputs) is small enough to easily calculate a map of all possible hash inputs to hash outputs. There are only roughly 10^10 phone numbers, and while the set of all possible email addresses is less finite, it’s still not terribly great. Inverting these hashes is basically a straightforward dictionary attack. It’s not possible to “salt” the hashes, either (they always have to match), which makes building rainbow tables possible.