by necessity 3521 days ago
Heh, both my banks (Banco do Brasil and Santander) are worse. 6 characters, numbers only! "For my safety" they recommend not using my birthday - how thoughtful.
2 comments

It's the personal identifier (Kinda like a social security number I guess? You write it on every contract you sign basically) and a 4-digit PIN here in Spain. Stupidly insecure.
But then you (you = any person) have to consider that it'll block after some tries.

It's different from a system that never blocks passwords, security questions, and so on.

Great, then it's a DoS attack. Unless it is limited per IP, and then it's not effective again if the attacker has a botnet.
Attacker's first attempt has a nonnegligible chance of success. Attacker can just do one attempt against one account and move to attacking a different account after each failure.
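
The pattern discussed in this thread (one guess per account, spread over many sources, so neither a per-account lockout nor a per-IP limit ever trips), seen from the detection side. This is an added example, not part of the original comments; the thresholds, the event layout and the log events are constructed assumptions.

```python
from collections import Counter, defaultdict

# All thresholds are assumptions for illustration; tune against real baseline traffic.
LOCKOUT_AFTER = 3        # failures on one account before it is blocked
PER_IP_LIMIT = 5         # failures from one source before it is throttled
SPRAY_MIN_ACCOUNTS = 20  # distinct accounts with sub-lockout failures in one window


def analyze(events, window=300):
    """events: iterable of (ts_seconds, src_ip, account, ok).
    Returns one finding per time window that contains failed logins."""
    buckets = defaultdict(list)
    for ts, ip, acct, ok in events:
        if not ok:
            buckets[ts // window].append((ip, acct))
    findings = []
    for w, fails in sorted(buckets.items()):
        per_acct = Counter(a for _, a in fails)
        per_ip = Counter(i for i, _ in fails)
        # Accounts that failed but stayed under the lockout threshold.
        quiet = [a for a, n in per_acct.items() if n < LOCKOUT_AFTER]
        findings.append({
            "window": w,
            "locked_accounts": sorted(a for a, n in per_acct.items() if n >= LOCKOUT_AFTER),
            "limited_ips": sorted(i for i, n in per_ip.items() if n >= PER_IP_LIMIT),
            # Many accounts each failing a little: invisible to both controls above.
            "spray_suspected": len(quiet) >= SPRAY_MIN_ACCOUNTS,
        })
    return findings


def sample_events():
    """Constructed log: 40 single failures from 40 sources, plus ordinary users."""
    ev = [(i * 5, f"203.0.113.{i + 1}", f"acct{i:03d}", False) for i in range(40)]
    ev += [(10 + i, "198.51.100.7", "alice", False) for i in range(3)]  # mistyped 3 times
    ev += [(400, "198.51.100.8", "bob", False), (420, "198.51.100.8", "bob", True)]
    return ev


if __name__ == "__main__":
    for finding in analyze(sample_events()):
        print(finding)
```

In the constructed log the only account that gets locked is the legitimate user who mistyped three times, while the 40 distributed single guesses show up only in the cross-account count.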