
What I was suggesting wasn't asking the account holder, but asking the bank. With a little training, the call center reps should be able to handle adding together the last few digits of a card number.

I agree that asking account holders for this would be confusing, but since the bank is the one calling in this case it makes sense that the caller (bank) should provide information first.

Of course, it appears that in this guy's case, not even this would have worked, since they apparently had his full card number.




If the account holder has to ask the bank for a piece of information, the account holder will also have to produce it for comparison.

Summing the last four digits could unintentionally leak information (what if those digits are all zeros?), so the challenge question should be carefully chosen by the bank, not just whatever the account holder comes up with.


Can you explain what the information leak would be? Also, I think it's not possible for a credit card to end in all zeroes.


There may be inferences you can make from the sum that aren't immediately obvious. If cards can end in four zeros, the sum and the last four digits contain equivalent information, but you would also confirm that three of the digits are zeros if the sum was 1. It's something that, if I were a bank, I would want someone with a background in number theory to weigh in on. If I were a paranoid bank exec, I wouldn't trust the low-wage customer support reps I had on staff to vet customer questions for how much information they might leak and would instead have blanket prohibitions on answering questions from customers until after the authentication phase of the call.

Questions like "is the sum even?" trade a lower opportunity for information leakage for a greater opportunity for a random guess to be correct.


I understand the perspective of the paranoid bank exec! But if the alternative is that their customers are trained to give out personal information whenever someone calls and says they're from the bank, that's quite possibly worse.

It would be nice if when someone called me from an institution, they gave me a code that I could enter after calling the number on the back of my card. That way I would have confidence I'm talking to the bank and would feel comfortable giving out verification information.

In the past, it has always been a headache to find my way back to the department that called me.


Don't forget the last digit is a checksum digit too. I still can't give you an attack, but I also agree that I definitely can't say I'm sure there isn't one.


That does reduce the number of possibilities greatly, which might matter for some attack scenarios, but usually not IMHO as rate limits should thwart any online brute force.

I'd be interested to know how greatly, if someone has the equation for that.
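The thread asks how much a digit-sum challenge, combined with the Luhn check digit, narrows the space of possible card endings. The following is an added example written for this page, not code from any commenter: for a constructed 12-digit prefix (the 4111 1111 1111 test-value prefix, not a real card) it enumerates all 10,000 four-digit endings, counts how many are consistent with a given digit sum, and counts how many of those also satisfy the Luhn checksum. The function names and the prefix are my own assumptions; the Luhn algorithm itself is the standard one.

```python
from itertools import product
from math import log2


def luhn_valid(number: str) -> bool:
    """Standard Luhn check over a digit string; the rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # equivalent to summing the two digits of the product
        total += d
    return total % 10 == 0


def four_digit_endings():
    """All 10,000 possible four-digit endings as strings '0000'..'9999'."""
    return ("".join(map(str, e)) for e in product(range(10), repeat=4))


def endings_with_sum(digit_sum: int) -> int:
    """Endings whose four digits add up to digit_sum (check digit ignored)."""
    return sum(1 for e in four_digit_endings() if sum(map(int, e)) == digit_sum)


def endings_with_sum_and_luhn(prefix: str, digit_sum: int) -> int:
    """Endings that match the sum AND make prefix+ending pass the Luhn check."""
    return sum(
        1
        for e in four_digit_endings()
        if sum(map(int, e)) == digit_sum and luhn_valid(prefix + e)
    )


def leakage_report(prefix: str, digit_sum: int) -> dict:
    """Count the candidate endings left once the sum is known, and the bits revealed.

    Baseline: with no hint at all, exactly 1,000 of the 10,000 endings are
    Luhn-valid for a fixed prefix, because the check digit is determined by
    the other 15 digits. Revealing the sum shrinks that set further.
    """
    with_sum = endings_with_sum(digit_sum)
    with_both = endings_with_sum_and_luhn(prefix, digit_sum)
    bits = log2(1000 / with_both) if with_both else None  # None: sum impossible for this prefix
    return {
        "endings_matching_sum": with_sum,
        "endings_matching_sum_and_luhn": with_both,
        "bits_revealed_by_sum": bits,
    }


if __name__ == "__main__":
    # Constructed test prefix; 4111 1111 1111 is a well-known test value, not a real card.
    PREFIX = "411111111111"
    print("sum  matching-sum  +luhn  bits-revealed")
    for s in range(37):
        r = leakage_report(PREFIX, s)
        bits = "n/a" if r["bits_revealed_by_sum"] is None else f"{r['bits_revealed_by_sum']:.2f}"
        print(f"{s:3d}  {r['endings_matching_sum']:12d}  {r['endings_matching_sum_and_luhn']:5d}  {bits}")
```

The table shows the answer to the "how greatly" question: the check digit alone cuts the candidate endings by a factor of exactly 10 (1,000 valid out of 10,000), and once the digit sum is known the survivors are roughly a tenth of the endings matching that sum, so an extreme sum such as 0 or 36 pins the ending down completely while a middling sum like 18 still leaves dozens of candidates.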





