Security Basics mailing list archives
Re: PIN security
From: Kevin Tunison <ktunison () gmail com>
Date: Sun, 25 Jan 2009 11:37:22 +0000
On Fri, Jan 23, 2009 at 1:50 PM, <s0h0us () yahoo com> wrote:
> This inquiry is more intended for those of you in the banking industry, but I would appreciate everyone's comments. I am recommending increasing the number of characters required to create a PIN (this gives access to both phone and Internet banking). Transactions allowed over these means are limited. The risk here is associated with possible identity theft, but more so insider fraud (creating bogus accounts and internally transferring funds from compromised accounts).
>
> I believe, as part of PCI-DSS, PINs should not be stored more than necessary (once?) at the Issuer. If they are stored, then they should just be encrypted as PANs are, and never retransmitted.
>
> I am also recommending that accounts that have not been electronically accessed during the past 12 months (phone or Internet) using a PIN should be disabled and require re-PINning at next login. I'm looking for comments regarding this topic of PIN security: Should users be required to re-PIN every x months? Is requiring that dormant accounts be disabled reasonable? What about actual account numbers: should they contain a certain number of characters (min. 8)? Part of the authenticating process also requires providing answers to challenge questions; should these be updated every so often? Part of my recommendations need to take into consideration the impact on the customers and the financial institution itself. Thanks in advance for your thoughts and comments.
If you read through the PCI-DSS requirements (while they are open-ended), you will find that if they are implemented with more than just a 'tick the box' mentality, the security and anti-fraud reasoning behind them is well thought out. With the risk of insider fraud being mentioned, it would seem that further understanding of your organization's structure is needed by you to do the job well. There are many financial fraud systems on the market (and they are required by Visa et al.) that help combat this type of thing. If you search 'Issuer Fraud Systems' you will find quite a few solutions. While most will deal with transaction fraud (which is what you are ultimately worried about anyway), some also tie in to the larger security model as well. Having consumers remember more numbers will just be asking for more people to write them down or request forgotten ones. If all this is supposed to be online only, then look at something like RSA tags and/or one-time passwords.

Warm Regards,
KevinT
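The thread discusses two controls without showing how they look in practice: storing PINs so that a database insider cannot read or reuse them, and forcing a re-PIN on accounts dormant for 12 months. The following is an added illustration written for this page; it is not code from either poster, from any bank, or from a PCI document. The key value, the 6-12 digit length range, the three-strike lockout and all function names are assumptions made for the example. The PIN is verified against a keyed hash (HMAC-SHA256) bound to the account number, so the stored value reveals nothing without the key and cannot be copied onto a bogus account.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed example key (assumption). In a real issuer system the PIN key
# stays in an HSM or a separate key store so that a database insider never
# sees it; only the resulting tags live in the account table.
PIN_KEY = bytes.fromhex(
    "8d0f5a4e3c2b1a09f8e7d6c5b4a39281706f5e4d3c2b1a0918273645a5b4c3d2")

MIN_PIN_LEN = 6                      # assumption: longer than a 4-digit card PIN
MAX_PIN_LEN = 12
MAX_FAILED_ATTEMPTS = 3              # assumption: lock after three wrong PINs
DORMANT_AFTER = timedelta(days=365)  # the 12-month rule from the original post


def pin_tag(account_number: str, pin: str, key: bytes = PIN_KEY) -> bytes:
    """Keyed hash of the PIN, bound to the account number.

    Only this tag is stored. Without the key an insider cannot recover PINs
    from the table, and because the account number is part of the input, a
    tag copied from an account whose PIN is known does not verify on another
    (bogus) account.
    """
    msg = account_number.encode("utf-8") + b"\x00" + pin.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def new_account(account_number: str) -> dict:
    """A fresh account record; no PIN has been set yet."""
    return {"number": account_number, "pin_tag": None, "failed": 0,
            "last_access": None, "needs_repin": True}


def set_pin(account: dict, pin: str, now: datetime) -> None:
    """Enroll or re-PIN. The cleartext PIN is used once, here, and not kept."""
    if not (pin.isascii() and pin.isdigit()
            and MIN_PIN_LEN <= len(pin) <= MAX_PIN_LEN):
        raise ValueError("PIN must be %d-%d digits" % (MIN_PIN_LEN, MAX_PIN_LEN))
    account["pin_tag"] = pin_tag(account["number"], pin)
    account["failed"] = 0
    account["last_access"] = now
    account["needs_repin"] = False


def verify_pin(account: dict, pin: str, now: datetime) -> str:
    """Returns "OK", "DENIED", "LOCKED" or "REPIN_REQUIRED"."""
    if account["needs_repin"] or account["pin_tag"] is None:
        return "REPIN_REQUIRED"
    if now - account["last_access"] > DORMANT_AFTER:
        # Dormant account: disable the PIN and force a re-PIN at next login.
        account["needs_repin"] = True
        return "REPIN_REQUIRED"
    if account["failed"] >= MAX_FAILED_ATTEMPTS:
        return "LOCKED"
    # Constant-time comparison so a wrong guess leaks nothing through timing.
    if hmac.compare_digest(pin_tag(account["number"], pin), account["pin_tag"]):
        account["failed"] = 0
        account["last_access"] = now
        return "OK"
    account["failed"] += 1
    return "LOCKED" if account["failed"] >= MAX_FAILED_ATTEMPTS else "DENIED"
```

Binding the tag to the account number is what addresses the insider scenario the original poster raised: an employee who can write to the account table and knows one customer's PIN still cannot make a bogus account accept that PIN by copying the stored value across. The lockout counter is what makes a six-digit PIN adequate against online guessing; extending the PIN further mainly adds the write-it-down risk the reply points out.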