Why do banks allow you change your PIN number?

Brendan Burgess

Brendan Burgess

Founder
Messages
52,211
I heard a guy on BBC's Money Box programme complaining that the bank refused to give him a refund after his CC was stolen and used fraudulently.

He had left his wallet behind in a house in which he was working - he was an electrician.
He had his driving license in the wallet.
His PIN number was his date of birth.

In my mind, he did not deserve a refund.

There are many other cases where people have guessable pins e.g. 6789.

Why don't the CC companies simply issue people random pins and don't allow them to change them?

Or make it difficult for people to change their PIN number and if they do, they lose protection against mis-use.

Brendan
 
Brendan Burgess said:
Why don't the CC companies simply issue people random pins and don't allow them to change them?
Click to expand...

Because more people will write it down, stick it on the bathroom mirror, put it in their handbag or whatever....

I once did a security review for a Japanese company, who prided itself on how strong the passwords were that they were issuing for the users. However on the floor, the users were having difficulty remember them so they were doing things like stick it on the back of the keyboard, under the monitor, on the underside of the desk and what not...

No matter what system you come up with there will be some breaches and the more complex you make it the more breaches you will have!
 
Most German banks do it that way Brendan. You get issued your pins for cards, Internet banking etc and you just have to learn them. Neither of my 2 banks allows you to change pins for cards. One of the two allows you to change login details for Internet banking though.

I see the point about making it too complex but people can fairly quickly learn a four digit random pin tbh and won't write it down. Internet banking codes are another matter however.
 
Jim2007 said:
Because more people will write it down, stick it on the bathroom mirror, put it in their handbag or whatever....
Click to expand...

+1. It's nuts. I worked for a company that made you change each of your half dozen passwords every ninety days. An extra security feature was that you couldn't make new passwords that were variations on old ones -- you had to have completely new passwords each time. Needless to say, writing passwords down was commonplace.

I don't write my banking pins down anywhere because I've only had one for many years. Same pin for all cards. I have another different pin for all telephone-related things ... SIM unlock code, voice-mail(s), telephone top-ups etc. If I wasn't allowed change all these things, I'd have a donzen different pins, which would all have to be written down somewhere, much less securely.
 
dub_nerd said:
+1. It's nuts. I worked for a company that made you change each of your half dozen passwords every ninety days. An extra security feature was that you couldn't make new passwords that were variations on old ones -- you had to have completely new passwords each time. Needless to say, writing passwords down was commonplace.....
Click to expand...

Hi,

I think a lot of large companies do this now and to be honest, in my own experience, it's once a month we have to change the various passwords ...

quite honest, it's doing nothing only increasing the risk of people writting down the various passwords, as they simply cannot remember all of them.

There are other forms of security, which could be used rather than passwords, but clearly it's not as cheap as just forcing a person to keep changing their passwords - hence we all have to continue to tolerate it, just so our I.T. Departments can claim we have an acceptable level of security for our computers, our Bank can claim the same etc.

It's time for the likes of electronic finger prints to be used, in conjunction with photos etc - if it's good enough for US Immigration, then it's good enough for me :)

Getting back to pin numbers, by virtue of the fact that they are only four digits, they can be easily "cracked" regardless, imho. Six or Eight digits, would be more secure ....

Regards

Mr. Earl.
 
MrEarl said:
... Getting back to pin numbers, by virtue of the fact that they are only four digits, they can be easily "cracked" regardless, imho. Six or Eight digits, would be more secure ....
Click to expand...
What increases the security of a 4-digit PIN is not the 5,040 different combinations you can have (tiny in security terms), it's the fact that you only have at most 3 attempts to get it right before the card is suspended or retained in the ATM. This is why ATM thieves employ ATM skimmers with pin-hole cameras or shoulder-surfers to memorise PINs

Increasing the digits to six for example will give 151,200 unique combinations, but will probably increase the temptation for people to write the PIN down somewhere.

If we stick with a 4 character PIC (personal identification code, as it's no longer a number), but include upper and lower-case letters as well as digits, we probably won't increase the temptation to write the PIC down, but the number of unique combinations increases to 13,388,280 or by 2,656 times in comparison to a 4 digit PIN.

In order to accommodate this however, the banks would need to install "full-sized" keyboards like a mobile phone's on the ATMs and that probably won't happen any time soon, given the massive hard-ware and soft-ware costs associated with the changes needed.

The real reason we are left with user-changeable 4-digit PINs in Ireland IMO is so the banks can shovel the blame onto the customer for any losses associated with lost cards or intercepted PINs. In other words, the bankers are really saying "chip 'n pin is not really secure as we pretended, but that's your fault Mr & Mrs Customer; you simply can't be trusted to keep secrets securely".

For online banking I like the little Enigma-machines that AIB issued a while ago (the belated PostBank also used them) which creates a once-off code for the transaction. Using these at ATMs in their current form is impractical, but there is I believe scope for some smart development in this area.
 
mathepac said:
What increases the security of a 4-digit PIN is not the 5,040 different combinations

Increasing the digits to six for example will give 151,200 unique combinations,
Click to expand...

A 4 digit number gives 10,000 combinations
A 6 digit number gives 1,000,000 combinations.
 
mathepac said:
The real reason we are left with user-changeable 4-digit PINs in Ireland IMO is so the banks can shovel the blame onto the customer for any losses associated with lost cards or intercepted PINs. In other words, the bankers are really saying "chip 'n pin is not really secure as we pretended, but that's your fault Mr & Mrs Customer; you simply can't be trusted to keep secrets securely".
Click to expand...

Yes, that appears to be the case.

The digits dont have to be unique. So the higher number of combinations as per Mrs Vimes would seem to be the figure.

Is a pin number with repeated digits worse than one with unique numbers? 0000 or 7777 would stike me as pretty dumb!
 
Mrs Vimes said:
A 4 digit number gives 10,000 combinations
A 6 digit number gives 1,000,000 combinations.
Click to expand...

The number of combinations does not reflect user behaviour as the top 10 most frequently used 4-digit codes would account for approximately 25% of pin numbers. Even if you go to 6 digits, many users will follow predictable patterns with a very high percentage going for their date of birth.

A bank can easily assess whether your selected PIN number is weak or strong and should tell you.
 
Last edited:
The Irish PIN is 4 digits by default but you can change it to 6 digits for some cards at an ATM.
 
ontour said:
Even if you go to 6 digits, many users will follow predictable patterns with a very high percentage going for their date of birth.

A bank can easily assess whether your selected PIN number is weak or strong and should tell you.
Click to expand...
When I registered for online banking with Ulster Bank, they issued me a user login consisting of my d.o.b. (DD/MM/YY) with four extra digits tacked on, the first two of which were zeros. They issued my wife a number with her d.o.b. plus four digits identical to mine +1, i.e. the next in the series — say '0042' and '0043'.

I agree with mathepac's assessment that this is about shifting liability off the bank and onto the customer. Ditto for the introduction of (now effectively mandatory) chip-and-pin cards.
 
Mrs Vimes said:
A 4 digit number gives 10,000 combinations
A 6 digit number gives 1,000,000 combinations.
Click to expand...

If you have 10 digits, 0 to 9, and want to calculate the number of 4-digit combinations you can have, the calculation is 10x9x8x7 = 5,040

If you have 10 digits, 0 to 9, and want to calculate the number of 6-digit combinations you can have, the calculation is 10x9x8x7x6x5 = 151,200

or has my maths failed me again?
 
Last edited:
Yes that would be true if the first number could not be repeated like in the lotto.
But you could go 0000 to 9999
 
mathepac said:
If you have 10 digits, 0 to 9, and want to calculate the number of 4-digit combinations you can have, the calculation is 10x9x8x7 = 5,040

If you have 10 digits, 0 to 9, and want to calculate the number of 6-digit combinations you can have, the calculation is 10x9x8x7x6x5 = 151,200

or has my maths failed me again?
Click to expand...

According to the multiplication principle, if an event occurs n times and another independent event occurs m times, then the two events can occur in n x m different ways.

In the PIN case, you have to select 4 digits, i.e, 4 different independent events.
For each digit, you have 10 options (1 to 9 plus 0). so the total number of combinations would be 10 x 10 x 10 x 10 = 10000.
 
ontour said:
The number of combinations does not reflect user behaviour as the top 10 most frequently used 4-digit codes would account for approximately 25% of pin numbers. Even if you go to 6 digits, many users will follow predictable patterns with a very high percentage going for their date of birth.

A bank can easily assess whether your selected PIN number is weak or strong and should tell you.
Click to expand...

In theory the bank could warn you that a number may be weak, but as you say human behaviour is the most important aspect of security. Even if people pick 4 digits at random, the chance are that they will use the same 4 digits as a password on many other systems as well, so the numbers are likely to become known or are collectable....
 
Each extra digit multiples the possible combinations by 10.

1 Digit : 10
2 Digits : 100
3 Digits : 1000
4 Digits : 10000 (as worked out by antonios above)
5 Digits : 100000
6 Digits : 1000000

etc...
 
Jim2007 said:
...human behaviour is the most important aspect of security. Even if people pick 4 digits at random, the chance are that they will use the same 4 digits as a password on many other systems as well, so the numbers are likely to become known or are collectable....
Click to expand...
True...

[broken link removed]
 
You must log in or register to reply here.
Back
Top