Banks and Security

 
Ron McLeod (Marshal):
My bank has a catchphrase, "Your Security - Our Priority", but their online password policy doesn't seem to reflect that. I had to set a password for online access this morning and found that I was forced to specify a password of exactly 6 characters with no special characters (not even spaces, periods, etc.) and no option for a second factor.

Is there some technological reason for this? Maybe limitations of old backend systems that they are still using?
 
Stephan van Hulst (Saloon Keeper):

PIN length
The standard specifies that PINs shall be from four to twelve digits long, noting that longer PINs are more secure but harder to use. It also suggests that the issuer should not assign PINs longer than six digits.

https://en.m.wikipedia.org/wiki/ISO_9564
 
Ron McLeod (Marshal):
Stephan van Hulst wrote:
PIN length
The standard specifies that PINs shall be from four to twelve digits long...

In this case, it is a password for online access, not a PIN for card access.
 
Stephan van Hulst (Saloon Keeper):
PINs are not exclusively used for card access. I suppose they chose the PIN format because you can enter those on old clunky cell phones.

I imagine that they will lock you out after a few failed attempts, so six digits might actually be enough. You should not think of this the same way as accessing a web site with a password. Are you required to enter the number using a registered device, or can you access it from any machine? If the latter, I would be more worried about denial of service attacks, because people can lock other people out of their accounts.
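Ron's 6-character code and Stephan's two points (a lockout makes a short code survivable against guessing, but a lockout that anyone can trigger is a denial-of-service tool) in code, as an added example that is not part of the thread and not any bank's software. The keyspace arithmetic is exact; the attempt limit of 5, the account and device names, and the rule that logins are bound to registered devices are assumptions made for illustration. The example goes slightly beyond the posts by also costing out an attacker who spreads the per-account budget across many accounts instead of hammering one.

```python
"""Online-guessing budget for a fixed-length code, plus two lockout policies:
one that lets a stranger lock the real customer out, one that does not.

Added example, not code from the forum thread or from any bank. The code
lengths, the attempt limit, the account/device names and the idea that the
bank binds logins to registered devices are assumptions for illustration.
"""
from collections import defaultdict
from typing import Dict, Set, Tuple


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct codes of exactly `length` symbols."""
    return alphabet_size ** length


def hit_probability(space: int, guesses: int) -> float:
    """Chance that `guesses` distinct online guesses hit one uniformly random code."""
    return min(guesses, space) / space


def expected_compromised(accounts: int, guesses_per_account: int, space: int) -> float:
    """Expected accounts opened when an attacker spends the per-account lockout
    budget against every account instead of hammering a single one."""
    return accounts * hit_probability(space, guesses_per_account)


class PerAccountLockout:
    """Naive policy: `max_failures` wrong codes lock the account for everyone,
    whatever the source. Stops guessing, but anyone who knows a username can
    lock the real customer out."""

    def __init__(self, max_failures: int) -> None:
        self.max_failures = max_failures
        self.failures: Dict[str, int] = defaultdict(int)

    def attempt(self, account: str, source: str, correct: bool) -> str:
        if self.failures[account] >= self.max_failures:
            return "locked"
        if correct:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        return "denied"


class SourceAwareLockout:
    """Failures are counted per (account, source). A source that exhausts its
    budget is locked for that account only, so the customer's registered
    device keeps working. Unregistered devices are refused even with the right
    code, which also removes most of the value of guessing it."""

    def __init__(self, max_failures: int, registered: Dict[str, Set[str]]) -> None:
        self.max_failures = max_failures
        self.registered = registered  # account -> registered device ids (assumed model)
        self.failures: Dict[Tuple[str, str], int] = defaultdict(int)

    def attempt(self, account: str, source: str, correct: bool) -> str:
        key = (account, source)
        if self.failures[key] >= self.max_failures:
            return "locked"
        if correct and source in self.registered.get(account, set()):
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"


def demo(max_failures: int = 5) -> Dict[str, str]:
    """An attacker burns the whole budget on 'victim' from an unknown machine,
    then the customer logs in from the registered phone with the right code."""
    naive = PerAccountLockout(max_failures)
    aware = SourceAwareLockout(max_failures, {"victim": {"victim-phone"}})
    for _ in range(max_failures):
        naive.attempt("victim", "attacker-box", correct=False)
        aware.attempt("victim", "attacker-box", correct=False)
    return {
        "naive_customer": naive.attempt("victim", "victim-phone", correct=True),
        "naive_attacker": naive.attempt("victim", "attacker-box", correct=False),
        "aware_customer": aware.attempt("victim", "victim-phone", correct=True),
        "aware_attacker": aware.attempt("victim", "attacker-box", correct=False),
    }


if __name__ == "__main__":
    six_digits = keyspace(6, 10)
    six_alnum = keyspace(6, 62)
    print(f"6 digits: {six_digits:,} codes; 6 alphanumerics: {six_alnum:,} codes")
    print(f"5 guesses vs one 6-digit code: {hit_probability(six_digits, 5):.1e}")
    print(f"5 guesses each vs 100,000 accounts: "
          f"{expected_compromised(100_000, 5, six_digits):.2f} expected hits")
    print(demo())
```

Under the naive policy both the customer and the attacker end up "locked", which is exactly the lockout-as-weapon problem; under the source-aware policy only the attacker's source is locked and the registered phone still gets "ok". The `expected_compromised` figure is the number to watch when deciding whether "six digits plus a lockout" is enough for a whole customer base rather than for one account.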
 
Marshal:
At my bank I have a separate PIN for telephone banking, or at least I use that PIN when I have to telephone them for support. (Which happened last month when I forgot what I told them my "favourite magazine subscription" was and so I was locked out of on-line access to my account.)

But a 6-character password for all access? That does sound a bit like it's driven by an old back-end system to me too.
 
Marshal:
Yes, but then what can you do with that online banking system?

Quite a few systems I know, let's say you want to transfer money from account A to account B, would require you to: [1] know your card PIN code, [2] have a portable physical device to read the card and issue a special one-off code, [3] have your debit/credit card physically with you. In that sense, a short PIN is OK; there is not much you can do with it without having [1][2][3]. Yes, you could check the balance or transfer money between your personal accounts, but that's not much use to a fraudster.

I use a phone app to accomplish my banking operations, and I use a 6-digit pass code too. But in order to obtain that, I had to go through a certain process which also required [1][2][3]. After connecting, I can transfer money only to the accounts I configured in my full online banking account (via web, where [1][2][3] is needed to connect). In case I want to do a transfer (via the phone app) to an account which is unknown to my banking system, I need to do [1][2][3] again.

BUT, if after all your system requires only a 6-digit pass code and then you can do pretty much everything from there without anything else, then it is time to reconsider the bank you are using. Such a system would sound like -10 years in technology.
 
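The tiered model in the post above, written out as an added example (not the poster's bank's code, and not from the thread): the 6-digit pass code alone covers balance checks and transfers between your own accounts or to payees the bank already knows; paying a new payee, or registering one, requires the card PIN [1] and a one-off code from the card reader [2], which implies the physical card [3]. The action names, factor names, account identifiers and the in-memory payee store are assumptions made for illustration.

```python
"""Step-up authorisation: a short pass code is enough for low-risk actions,
while moving money to a payee the bank does not already know requires the
card PIN [1], a one-off code from a card reader [2] and therefore the
physical card [3].

Added example, not any bank's code. The action names, factor names,
account identifiers and the payee store are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Optional, Set


class Factor(Enum):
    PASSCODE = "6-digit pass code"                 # app or web login
    CARD_PIN = "card PIN"                          # [1]
    READER_OTP = "one-off code from card reader"   # [2]; implies card present [3]


LOW: FrozenSet[Factor] = frozenset({Factor.PASSCODE})
HIGH: FrozenSet[Factor] = frozenset({Factor.PASSCODE, Factor.CARD_PIN, Factor.READER_OTP})


@dataclass
class Session:
    customer: str
    presented: Set[Factor] = field(default_factory=set)


class Bank:
    def __init__(self) -> None:
        self.own_accounts: Dict[str, Set[str]] = {}   # customer -> own account ids
        self.known_payees: Dict[str, Set[str]] = {}   # customer -> registered payees

    def required_factors(self, customer: str, action: str,
                         target: Optional[str] = None) -> FrozenSet[Factor]:
        """Assurance level an action needs. Unknown actions are refused
        outright rather than defaulting to the low tier."""
        if action == "view_balance":
            return LOW
        if action == "transfer":
            trusted = self.own_accounts.get(customer, set()) | self.known_payees.get(customer, set())
            return LOW if target in trusted else HIGH
        if action == "register_payee":
            return HIGH
        raise ValueError(f"unknown action {action!r}")

    def authorize(self, session: Session, action: str,
                  target: Optional[str] = None) -> bool:
        """True when the session has presented every factor the action needs."""
        return self.required_factors(session.customer, action, target) <= session.presented

    def register_payee(self, session: Session, payee: str) -> bool:
        """Adding a payee is itself a high-assurance action; afterwards the
        app can pay that payee on the pass code alone."""
        if not self.authorize(session, "register_payee"):
            return False
        self.known_payees.setdefault(session.customer, set()).add(payee)
        return True


def demo() -> Dict[str, bool]:
    """Constructed scenario: a pass-code-only app session and a full web
    session with the card reader, for the same customer."""
    bank = Bank()
    bank.own_accounts["alice"] = {"ALICE-CURRENT", "ALICE-SAVINGS"}
    app = Session("alice", {Factor.PASSCODE})   # phone app, pass code only
    web = Session("alice", set(HIGH))            # web login completed with [1][2][3]
    results = {
        "app_view_balance": bank.authorize(app, "view_balance"),
        "app_move_to_savings": bank.authorize(app, "transfer", "ALICE-SAVINGS"),
        "app_pay_stranger": bank.authorize(app, "transfer", "MULE-ACCOUNT"),
        "app_register_payee": bank.register_payee(app, "LANDLORD"),
    }
    results["web_register_payee"] = bank.register_payee(web, "LANDLORD")
    results["app_pay_landlord_after"] = bank.authorize(app, "transfer", "LANDLORD")
    results["app_pay_stranger_after"] = bank.authorize(app, "transfer", "MULE-ACCOUNT")
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:26} {'allowed' if allowed else 'step-up required'}")
```

The point of the design is that a stolen 6-digit pass code on its own can only reach the low tier: the money-moving step, and the step that would widen the low tier (registering a payee), both need the card-reader code. A scheme where the pass code alone authorises everything collapses the two tiers into one, which is the case the post says should make you reconsider your bank.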