Security Basics mailing list archives
PIN security
From: s0h0us () yahoo com
Date: Fri, 23 Jan 2009 06:50:07 -0700
This inquiry is more intended for those of you in the banking industry, but I would appreciate everyone's comments.

I am recommending increasing the number of characters required to create a PIN (this gives access to both phone and Internet Banking). Transactions allowed over these means are limited. The risk here is associated with possible identity theft but more so insider fraud (creating bogus accounts and internally transferring funds from compromised accounts). I am also recommending that accounts that have not been electronically accessed during the past 12 months (phone or internet) using a PIN should be disabled and require a re-PINning at next login.

I'm looking for comments regarding this topic of PIN security:

Should users be required to rePIN every x amount of months?
Is requiring that dormant accounts be disabled reasonable?
What about actual account numbers? Should they contain a certain number of characters (min. 8)?
Part of the authenticating process also requires providing answers to challenge questions; should these be updated every so often?

Part of my recommendations need to take into consideration the impact on the customers and the financial institution itself.

Thanks in advance for your thoughts and comments.