Security Basics mailing list archives

Re: PIN security


From: Kevin Tunison <ktunison () gmail com>
Date: Sun, 25 Jan 2009 11:37:22 +0000

On Fri, Jan 23, 2009 at 1:50 PM,  <s0h0us () yahoo com> wrote:
This inquiry is more intended for those of you in the banking industry but I would appreciate everyone's comments.

I am recommending increasing the number of characters required to create a PIN (this gives access to both phone and 
Internet Banking). Transactions allowed over these means are limited. The risk here is associated with possible 
identity theft but more so insider fraud (creating bogus accounts and internally transferring funds from compromised 
accounts).

I believe as part of PCI-DSS PINs should not be stored more than
necessary (once?) at the Issuer.  If they are stored, then they should
just be encrypted as PANs are, and are never retransmitted.



I am also recommending that accounts that have not been electronically accessed during the past 12 months (phone or 
internet) using a PIN should be disabled and require a re-PINning at next login.
I'm looking for comments regarding this topic of PIN security:
Should users be required to re-PIN every x amount of months?
Is requiring that dormant accounts be disabled reasonable?
What about actual account numbers? Should they contain a certain number of characters (min. 8)?
Part of the authenticating process also requires providing answers to challenge questions; should these be updated 
every so often?
Part of my recommendations need to take into the consideration the impact on the customers and the financial 
institution itself.
Thanks in advance for your thoughts and comments


If you read through the PCI-DSS requirements (while they are
open-ended), you will find that if they are implemented with more than
just a 'tick the box' mentality, the security and anti-fraud behind
them is well thought out.

With the risk of insider-fraud being mentioned, it would seem that
further understanding of your organization's structure is needed by you
to do the job well.  There are many financial fraud systems on the
market (and they are required by Visa et al) that help combat this
type of thing.  If you search 'Issuer Fraud Systems' you will find
quite a few solutions.  While most will deal with transaction fraud
(which is what you are ultimately worried about anyway) some also
tie-in to the larger security model as well.

Having consumers remember more numbers will just be asking for further
people writing them down or requesting forgotten ones.  If all this is
supposed to be online only, then look at something like RSA tags
and/or one-time passwords.

Warm Regards,

KevinT