by eqvinox 764 days ago
I moved to Switzerland, and, well, PIN codes for credit cards are 6 digits here by default.

And now I'm asking myself why no one else does this. I don't see hordes of Swiss people complaining about being unable to remember a 6-digit PIN at least.

5 comments

One of my credit unions gives out (randomized) five digit pins (although they say if you use an atm that only accepts four digit pins, the first four is enough). My other credit union only does four digits.

I think remembering one 6-digit PIN would be fine, but in the US, it's common to have many banking relationships. If I needed a pin for every credit card, I'd have to write them on the cards or set them all the same.

Not sure how this is handled in Switzerland, and I don't have good data on this, but I'd say a lot of people in Europe have at least a debit and a credit card with a PIN each.

Also nothing says you can't use the same PIN for multiple cards; they're essentially the same security domain anyway ("a piece of plastic in your wallet") — most people don't have "more" and "less" trustworthy cards…

> Also nothing says you can't use the same PIN for multiple cards; they're essentially the same security domain anyway ("a piece of plastic in your wallet") — most people don't have "more" and "less" trustworthy cards…

Why not have the same password for all your banking accounts then? But everyone says not to reuse passwords.

If someone takes your wallet, it'd be nice if they don't drain all the accounts based on figuring out the pin of one card?

Because in most cases you already use your card interchangeably across a wide variety of (hopefully sealed and certified) terminal devices.

Meanwhile your password is very specific to one website, and never entering it elsewhere is key to phishing prevention.

(my "security domain" comment was probably worded a bit poorly with the reference to your wallet, the relevant point is that most people consider card terminals interchangeable.)

>Also nothing says you can't use the same PIN for multiple cards

He said he can't choose his PIN:

>One of my credit unions gives out (randomized) five digit pins

All cards have randomized PINs and can later be changed.

No, with some cards you choose the PIN from the start and never get a randomized PIN.

Some banks, some place in the world, might make it a policy not to set PINs but to force random ones; you can't definitively say what you are saying, rather we can only go by what he said.

Nothing in this sentence

> One of my credit unions gives out (randomized) five digit pins (although they say if you use an atm that only accepts four digit pins, the first four is enough).

says that the PIN on that card can't be changed.

Is there any difference that materially changes security? Where would the extra two digits come into play?

Because (I imagine) you can't really brute-force it. If you only have 3 or so tries, it doesn't really make that much of a difference.

And the person that stole your card would just try 123456 instead of 1234, etc., and would have roughly a similar chance of success.

Valid point.

That said, guessing the PIN isn't the only attack; longer PINs also mean that you have to "spy" more digits, which can be significant if the "spying" method is not 100% reliable.

But yeah. I guess it doesn't matter as long as you have a lockout mechanism.
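Putting the exchange above into numbers, as an added example that is not part of the thread: a small model of an attacker holding the card who gets `tries` attempts before the lockout, and who may have shoulder-surfed some of the digits beforehand. The model, its `p_seen` parameter and the uniform-PIN assumption are mine, not anything the commenters stated.

```python
from math import comb


def guess_success_probability(pin_len, tries, p_seen):
    """Probability that someone holding the card enters the right PIN within
    `tries` attempts before the lockout triggers.

    Model (an assumption of this example, not something from the thread):
    - the PIN is uniformly random over 10**pin_len values;
    - the attacker earlier watched the PIN being typed and, independently for
      each digit, either caught it and knows it (probability p_seen) or has no
      information about it (probability 1 - p_seen); nothing is mis-read;
    - the attacker only tries candidates that agree with the digits they saw.
    With u unknown digits there are 10**u candidates, and `tries` attempts
    succeed with probability min(tries, 10**u) / 10**u.
    """
    total = 0.0
    for unknown in range(pin_len + 1):
        p_this_many_unknown = (
            comb(pin_len, unknown)
            * p_seen ** (pin_len - unknown)
            * (1 - p_seen) ** unknown
        )
        space = 10 ** unknown
        total += p_this_many_unknown * min(tries, space) / space
    return total


def compare_lengths(tries=3, p_seen=0.5, lengths=(4, 5, 6)):
    """Success probability per PIN length for one attacker profile."""
    return {d: guess_success_probability(d, tries, p_seen) for d in lengths}


if __name__ == "__main__":
    # Pure guessing (p_seen = 0): three tries out of 10**d; in absolute terms
    # the length barely matters, as the reply above argues.
    print("blind guessing :", compare_lengths(p_seen=0.0))
    # Shoulder-surfing that catches each digit half the time: the extra digits
    # now cut the attacker's odds by about 3x between 4 and 6 digits.
    print("half the digits:", compare_lengths(p_seen=0.5))
    # Perfect observation: length is irrelevant, lockout or not.
    print("all digits seen:", compare_lengths(p_seen=1.0))
```

With three tries and no observation, a 4-digit PIN falls 0.03% of the time and a 6-digit one 0.0003% of the time, which is the "lockout makes length irrelevant" view; with each digit caught half the time, the odds are roughly 15% against 4 digits and 5% against 6, which is the "more digits to spy" view. Both views are in the thread; the model just shows where each applies.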

You’ll need to be sure that all the places your cards will go accept the 6-digit PIN. Granted this was 20 years ago, but we were in Europe and couldn’t use my wife’s ATM card because she had a 6-digit PIN and all the ATMs we encountered only allowed 4 digits.

Sounds like it may be the reverse with Europe going the 6-digit route, but I think 4 digits is still pretty universal — I think most interfaces provide an enter key to terminate the PIN?

The very first ATM card I ever got, in the mid 80s in Texas, had a 6-digit PIN. When I got to choose it, it let me put 4 to 6 digits so I chose 6. A few years later they sent me my first debit card with a note that it had the same PIN. It did not. It had been truncated to 4 digits. Which made me unhappy because clearly it was sitting in plaintext in a database somewhere.

Even with a 6-digit PIN, why care that it was stored? If someone has access to the bank's infrastructure and the PINs aren't there, they might as well be, even with computers from the 80s.

With how small the space of PINs is, is there any point in hashing? To make brute-forcing every PIN infeasible you'd have to make the hash difficulty time intolerably long.
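Turning the question above into code, as an added example that is not part of the thread: an exhaustive sweep of a 4-digit PIN space against a salted, iterated hash, the per-hash delay that would be needed to make such a sweep expensive, and a keyed digest as the alternative. The HMAC construction, the sample PIN "4821" and the notion of a key kept in an HSM are assumptions of the example, not a description of any bank's scheme.

```python
import hashlib
import hmac
import os
import time


def all_pins(pin_len):
    """Every PIN of the given length, as zero-padded strings ('0000' .. '9999')."""
    return (f"{i:0{pin_len}d}" for i in range(10 ** pin_len))


def hash_pin(pin, salt, iterations):
    """'Hash it like a password': salted, iterated PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("ascii"), salt, iterations)


def brute_force_hashed_pin(digest, salt, pin_len, iterations):
    """Offline search with a stolen digest + salt: recompute for every candidate.
    Nothing here is secret except the PIN, so the sweep always finishes."""
    for candidate in all_pins(pin_len):
        if hmac.compare_digest(hash_pin(candidate, salt, iterations), digest):
            return candidate
    return None


def required_seconds_per_hash(pin_len, attacker_budget_seconds):
    """How slow a single hash evaluation must be for a full sweep of the PIN
    space to cost at least attacker_budget_seconds on one core. The same
    delay is paid by every legitimate verification."""
    return attacker_budget_seconds / 10 ** pin_len


def keyed_pin_digest(pin, salt, key):
    """Keyed alternative: HMAC under a secret key. Assumption of this example:
    the key never leaves a hardware security module, so a dump of the database
    (digest + salt) gives an attacker nothing to test candidates against."""
    return hmac.new(key, salt + pin.encode("ascii"), "sha256").digest()


def brute_force_keyed_digest(digest, salt, pin_len, attacker_key):
    """The same sweep against a keyed digest succeeds only with the right key."""
    for candidate in all_pins(pin_len):
        if hmac.compare_digest(keyed_pin_digest(candidate, salt, attacker_key), digest):
            return candidate
    return None


def demo():
    salt = os.urandom(16)
    iterations = 200  # tiny on purpose so the sweep below finishes in well under a second
    stolen = hash_pin("4821", salt, iterations)  # constructed sample PIN

    t0 = time.perf_counter()
    found = brute_force_hashed_pin(stolen, salt, 4, iterations)
    elapsed = time.perf_counter() - t0
    print(f"4-digit PIN recovered: {found} after {elapsed:.2f}s at {iterations} iterations")

    one_year = 365 * 24 * 3600
    for d in (4, 6):
        print(f"{d} digits: each hash would need to take "
              f"{required_seconds_per_hash(d, one_year):.1f}s "
              f"for a one-core sweep to take a year")

    hsm_key = os.urandom(32)  # stands in for a key held inside an HSM (assumption)
    stored = keyed_pin_digest("4821", salt, hsm_key)
    print("sweep with the real key :", brute_force_keyed_digest(stored, salt, 4, hsm_key))
    print("sweep without the key   :", brute_force_keyed_digest(stored, salt, 4, os.urandom(32)))


if __name__ == "__main__":
    demo()
```

Raising the iteration count multiplies the attacker's total work and every honest verification by the same factor, and the sweep is still 10**d hashes whichever factor you pick, which is exactly the comment's point: a 6-digit space needs about 31 seconds per hash for a one-core sweep to take a year, a 4-digit one about 52 minutes. What keeps a small space safe is a secret the attacker cannot dump alongside the digests; card PINs are in practice verified inside HSMs under keys that never leave the device, and the HMAC here only stands in for that idea.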

The majority don’t use a PIN anymore - just tap card/phone.