by Hackbraten
1859 days ago
In Europe, most banks already assume in their threat model that your PIN may be already in the hands of criminals.
That’s why you need a second factor for most bank interactions: a physical card, a smartphone/smartwatch, or a token generator. At the same time, why should a bank even include a large-scale leak in their threat model? If a leak happens, the bank is doomed no matter what. No one is going to trust them with their money ever again. So from the bank’s point of view, any post-exposure mitigation, such as hashing a PIN, would likely be a waste of money. Also, most customers are OK with their account being temporarily locked down in case someone enters a wrong PIN more than a few times. No other business gets away with doing that. I suspect those are two of the reasons why brute-force attacks aren’t at the top of your bank’s threat list, which is probably why they get away with four-digit PINs in 2021 and still sleep at night.
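The two claims in the comment above (hashing a leaked four-digit PIN buys little, while a lockout after a few wrong guesses is what actually limits brute force) can be checked directly. The following is an added example, not code from the commenter or from any bank: it stores a PIN as a salted PBKDF2 hash, recovers it offline by walking all 10,000 candidates, and then runs the same guessing loop against a simulated online verifier that locks the account after three failures. The lockout threshold of 3 and the low PBKDF2 iteration count of 100 (chosen so the demo finishes quickly) are assumptions; a production KDF cost would only multiply the attacker's seconds, not change the outcome.

```python
import hashlib
import hmac
import os

PIN_SPACE = 10_000          # every 4-digit PIN, "0000".."9999" (about 13.3 bits)
KDF_ITERATIONS = 100        # assumed, kept low so the exhaustive search runs fast
MAX_ATTEMPTS = 3            # assumed lockout threshold for the online verifier


def hash_pin(pin: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a PIN, the way a stored PIN might be protected."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def offline_brute_force(target: bytes, salt: bytes, iterations: int = KDF_ITERATIONS):
    """Recover a 4-digit PIN from a leaked (hash, salt) pair by trying all 10,000.

    Returns (pin, guesses_tried); the salt defeats precomputation but not this,
    because the whole key space is enumerable.
    """
    for n in range(PIN_SPACE):
        guess = f"{n:04d}"
        if hmac.compare_digest(hash_pin(guess, salt, iterations), target):
            return guess, n + 1
    return None, PIN_SPACE


class PinVerifier:
    """Online PIN check that locks the account after MAX_ATTEMPTS wrong guesses."""

    def __init__(self, pin: str):
        self.salt = os.urandom(16)
        self.stored = hash_pin(pin, self.salt)
        self.failures = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        # A locked account rejects everything, including the correct PIN,
        # until it is unlocked out of band.
        if self.locked:
            return False
        ok = hmac.compare_digest(hash_pin(guess, self.salt), self.stored)
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:
                self.locked = True
        return ok


def online_brute_force(verifier: PinVerifier):
    """Run the same 0000..9999 sweep through the online interface.

    Returns (pin_or_None, guesses_tried); stops as soon as the account locks.
    """
    for n in range(PIN_SPACE):
        guess = f"{n:04d}"
        if verifier.verify(guess):
            return guess, n + 1
        if verifier.locked:
            return None, n + 1
    return None, PIN_SPACE


def lockout_success_probability(max_attempts: int = MAX_ATTEMPTS) -> float:
    """Chance of guessing a uniformly random 4-digit PIN before lockout triggers."""
    return max_attempts / PIN_SPACE


if __name__ == "__main__":
    pin = "7351"                          # constructed sample PIN
    salt = os.urandom(16)
    leaked_hash = hash_pin(pin, salt)
    print("offline:", offline_brute_force(leaked_hash, salt))
    print("online: ", online_brute_force(PinVerifier(pin)))
    print("P(success before lockout) =", lockout_success_probability())
```

The offline search always terminates within 10,000 KDF evaluations regardless of salt or iteration count, which is the quantitative version of "hashing a PIN would be a waste of money": the PIN has too little entropy for a KDF to matter. The online path caps an attacker at MAX_ATTEMPTS guesses per account, so the per-account success probability is 3/10,000 and the attack only scales by spreading across many accounts, which is what the lockout policy the comment describes is designed to limit.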