Ask HN: My bank stores PIN as plain text, should I be worried?
Hello HN,
I received my new credit card with a reminder of my current PIN. I'm not sure how that could be possible without having a database of their customer names, addresses and secret PINs as plain text somewhere.
Shouldn't it be common sense to salt and hash them like any other stored password?
4-digits PINs are also used for other systems like SIM cards or ID cards in Europe, and I guess people often use the same code. Malicious employees could get access to bank accounts or smartphones of their relatives.
And If a leak happens, PINs will be on the wild with names and addresses attached to them, couldn't it be dangerous?
Do I take PIN way too seriously? Should I contact someone about this?
12 comments
[ 2.9 ms ] story [ 44.8 ms ] threadBut hashing them with the customer ID, date of birth, or something else, and using bcrypt to slow bruteforce down could already be an improvement.
Anyway, a 4 digits pin numbers have only 10000 combinations, that can be bruteforced almost instantly.
(On the other hand, sending it by email is not a good idea.)
[1] https://en.wikipedia.org/wiki/Salt_(cryptography)
Don't sweat it. This is the least of your concerns.
The legacy software could explain it. But the difference of processes between my main bank (random temporary PIN obtained with 2-factor authentication: postal letter with code to send back using smartphone) and my credit card company (bank card mailed to my address with current PIN) was weirding me out.
At the same time, why should a bank even include a large-scale leak in their threat model? If a leak happens, the bank is doomed no matter what. No one is going to trust them with their money ever again. So from the bank’s point of view, any post-exposure mitigation, such as hashing a PIN, would likely be a waste of money.
Also, most customers are ok with their account being temporarily locked down in case someone enters a wrong PIN more than a few times. No other business gets away with doing that.
I suspect those are two of the reasons why brute force attacks aren’t at the top of your bank’s threat list, which is probably why they get away with four-digit PINs in 2021 and still sleep at night.
But, I agree I think that it would probably be better to salt and hash the password like other systems do.
(I don't have a credit card though; I prefer to pay in cash. But if I did, one of the things that I would probably want is a longer password.)
However, as soon as the magnetic strop is completely replaced, wouldn't it make sense to store a more complex secret on the chip of the card that will then be transmitted upon entering the correct pin? That would be proper 2FA, I would say.
Of course the chip would have to lock down after multiple attempts (brute force) and it should be non-trivial to access the memory of the chip from the outside, which is already the case I assume? (looking at experts)
A more complex secret is stored on the chip. The PIN is used along with some input, the chip uses the PIN to unlock the internal secret, it signs (or hashes, whatever) the input with the secret and returns the result. Decent chip & PIN devices are even tamper proof to prevent the PIN from being intercepted in the input phase.
Note that the PIN is not limited to 4 digits. It's only 4 digits when dealing with legacy hardware (and magnetic strips). The PIN on my CC is 6 digits.
If the magnetic strip with a 4 digit PIN is still on there, the advanced security of the chip won't help much though. Break the chip and force every system to use the strip and you're done (again, I assume that because there is no unaccessible memory on the strip, anything on there can be easily brute forced so I further assume the information on the strip is not encoded with the PIN at all but then the PIN equals the default authentication method on the bank side, not the more complex secret on the chip)
I had not really thought about this problem, of the PIN being so short, but I assume they work on the idea of: some thing you own (the card), and something you know (the PIN) to provide security.