Security Basics mailing list archives

Re: PIN security


From: B 650 <dunc.on.usenet () googlemail com>
Date: Fri, 23 Jan 2009 19:23:04 -0000

Comments inline below

----- Original Message ----- From: <s0h0us () yahoo com>
To: <security-basics () securityfocus com>
Sent: Friday, January 23, 2009 1:50 PM
Subject: PIN security


This inquiry is more intended for those of you in the banking industry but I would appreciate everyone's comments.

I am recommending increasing the number of characters required to create a PIN (this gives access to both phone and Internet Banking). Transactions allowed over these means are limited. The risk here is associated with possible identity theft but more so insider fraud (creating bogus accounts and internally transferring funds from compromised accounts).

How will increasing the number of characters in the PIN reduce insider fraud? How will increasing the number of characters in the PIN reduce identity theft?

I am also recommending that accounts that have not been electronically accessed during the past 12 months (phone or internet) using a PIN should be disabled and require a re-PINning at next login.

Why?

I'm looking for comments regarding this topic of PIN security:
Should users be required to rePIN every x amount of months?

No - Unless a PIN is compromised, it is secure. If it is compromised, I seriously doubt that a "bad guy" will wait X months before accessing the account; they will use it ASAP to get as much funds as possible before there is the chance for the owner to a) realise it's compromised or b) change the PIN for another reason.

Is requiring that dormant accounts be disabled reasonable?

I don't see the logic.

What about actual account numbers? Should they contain a certain number of characters (min. 8)?

Account numbers are not secret information. You give them out to all sorts of companies, so there are potentially thousands of employees of those companies with access to that information. Making them longer doesn't make any sense.

Part of the authenticating process also requires providing answers to challenge questions; should these be updated every so often?

See point above re: PIN

Part of my recommendations need to take into the consideration the impact on the customers and the financial institution itself.

Huge customer impact (having to change regularly will mean you *will* forget it, which will undoubtedly happen when you need to access the account urgently...). Remember that most banks etc. will reset your PIN and *mail* you a replacement, meaning at least 2-3 days without access to your account. Huge financial institution overhead resetting forgotten PINs, and securely communicating them to the user.

Thanks in advance for your thoughts and comments
