by blastrat 3622 days ago
um, pretty secure even against dedicated thieves.

a four digit PIN is pretty secure when you have centralized authentication (the one bank) and get very very few tries before account lock-out, which is how Debit cards work.

If you had 3000 stolen debit cards, you'd have a shot at guessing a few of them while locking out 2990+ other ones, and I'm kinda thinking the bank might notice you doing that.

have you heard that thieves are guessing PINs someplace in the world? I haven't, and the world is full of dedicated thieves.

and even then, do you know how long that would take versus what you get when you guess one? $500? you might actually make more money panhandling or flipping burgers; of course you've got to trade that off against free meals and healthcare in prison :)


> have you heard that thieves are guessing PINs someplace in the world? I haven't, and the world is full of dedicated thieves.

Not so much guessing, but there have been several cases, at least one very well publicised, where thieves have gamed the PIN generator sequences[1].

What often happens, of course, in cases where wide systemic problems exist in banking is it's very effectively hushed. For rather obvious reasons.

[1] http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/...

Sounds like organized crime, which is to say a rogue employee was forced, paid, or conspired to only generate one of three PINs, knowing that the thief would get three chances.

Today, pretty sure that a solicitor in the same situation would be required by law to report the information to the Serious Organized Crime Agency.

My bank sent me a new card with the same PIN as my old card. Somewhere my bank has a backup of each and every PIN.

Now, it may be encrypted (not during renewal) or hashed (10000 values, <1s verification) but neither gives any security. (It's safer however than sending a new PIN with the card or in another letter)

Of course the bank has your PIN (or hashed PIN), how else would they be able to check if you were entering it correctly?

The security is based on how hardened the server storing those PINs is.

By storing the public key of your unique debit card and you only have the PIN inside the chip. This limits attacks to physical access and trained professionals in chip deconstruction.

This however needs a way to send your initial PIN over an insecure channel. To limit the attack surface go to the secure website to receive your PIN (no humans) (either an old card/digital state ID) or go in person and force a new PIN.

Thanks for the reply. Interesting, I didn't think of this possibility.

By storing it as a hash, just like how every other password should be stored.

That's what I said.

> Of course the bank has your PIN (or hashed PIN)

All the previous poster said was that the bank said they sent him a card with the same PIN. The bank can do this by storing PINs or hashed PINs.

As rrobukef noted, storing a PIN hashed offers little additional security over storing them unhashed because of the small number of unique PINs that are possible.

I stand corrected.
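The two models the thread contrasts, a salted hash of a 10,000-value PIN space that an attacker holding the database can enumerate in full, versus a centralised verifier that locks the card after a few wrong tries, as an added example that is not code from any commenter or bank; the PIN value, the salt and the lockout threshold of 3 are constructed assumptions:

```python
import hashlib
import os
from typing import Optional, Tuple, Iterable

# Every possible four-digit PIN, "0000" through "9999": 10,000 candidates.
PIN_SPACE = [f"{i:04d}" for i in range(10000)]


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted SHA-256 of the PIN (assumed scheme, for illustration only)."""
    return hashlib.sha256(salt + pin.encode()).digest()


def recover_pin(stored_hash: bytes, salt: bytes) -> Optional[str]:
    """Offline case: with the hash and salt leaked, every candidate can be
    tried; the salt only stops precomputed tables, not a 10,000-entry loop."""
    for cand in PIN_SPACE:
        if hash_pin(cand, salt) == stored_hash:
            return cand
    return None


class OnlineVerifier:
    """Centralised check with a per-card lockout after max_attempts failures."""

    def __init__(self, pin: str, max_attempts: int = 3) -> None:
        self.salt = os.urandom(16)          # constructed, random per card
        self.stored = hash_pin(pin, self.salt)
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False
        if hash_pin(guess, self.salt) == self.stored:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True              # card is now useless to the guesser
        return False


def online_guess(v: OnlineVerifier, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Online case: feed candidates through the verifier; returns the PIN if
    found and how many attempts were actually accepted before lockout."""
    attempts = 0
    for cand in candidates:
        if v.locked:
            break
        attempts += 1
        if v.verify(cand):
            return cand, attempts
    return None, attempts
```

With the full PIN space the offline loop always recovers the PIN, while the online path accepts only three attempts (a 3/10,000 chance per card) before the lockout ends the attempt.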