from Hacker News

Ask HN: My bank stores PIN as plain text, should I be worried?

by MichaelHoste on 5/9/21, 7:54 PM with 12 comments

• by elric on 5/9/21, 7:59 PM

  You are taking PIN security too seriously, yes. Your bank doesn't store them in the clear, they store them in an encrypted form, but they are able to decrypt them. There is a huge legacy of old hardware and software in banks. Much of the PIN issue has to do with maintaining backwards compatibility with cards without chips (magnetic strips), and readers that can only read those cards. I've encountered cash machines which didn't prompt for my pin code until after my card had been returned.

  Don't sweat it. This is the least of your concerns.

• by Hackbraten on 5/9/21, 9:10 PM

  In Europe, most banks already assume in their threat model that your PIN may be already in the hands of criminals. That’s why you need a second factor for most bank interactions: a physical card, a smartphone/smartwatch, or a token generator.

  At the same time, why should a bank even include a large-scale leak in their threat model? If a leak happens, the bank is doomed no matter what. No one is going to trust them with their money ever again. So from the bank’s point of view, any post-exposure mitigation, such as hashing a PIN, would likely be a waste of money.

  Also, most customers are ok with their account being temporarily locked down in case someone enters a wrong PIN more than a few times. No other business gets away with doing that.

  I suspect those are two of the reasons why brute force attacks aren’t at the top of your bank’s threat list, which is probably why they get away with four-digit PINs in 2021 and still sleep at night.

• by eloeffler on 5/10/21, 9:15 AM

  As others pointed out, it doesn't make much sense to hash PINs due to the small space that they cover. Using salts or additional information for hashing would only need further plaintext information to be stored and wouldn't solve the problem.

  However, as soon as the magnetic strop is completely replaced, wouldn't it make sense to store a more complex secret on the chip of the card that will then be transmitted upon entering the correct pin? That would be proper 2FA, I would say.

  Of course the chip would have to lock down after multiple attempts (brute force) and it should be non-trivial to access the memory of the chip from the outside, which is already the case I assume? (looking at experts)

• by VStrike on 5/9/21, 7:59 PM

  There are so few pins that even when hashed it would probably be easy to crack

• by sloaken on 5/10/21, 10:05 AM

  With only 4 digits, 10,000 possible choices, it would take a computer a short time to determine your pin, assuming they knew the salt. If they did not know the salt, I assume it would be slightly longer depending on how big the salt was.

  I had not really thought about this problem, of the PIN being so short, but I assume they work on the idea of: some thing you own (the card), and something you know (the PIN) to provide security.

• by zzo38computer on 5/10/21, 1:14 AM

  I think that it should be allowed to define a longer password if wanted; I think four digits is too short. (Last time I asked at a library, they said that I was allowed to define a password up to ten digits long (minimum four digits).)

  But, I agree I think that it would probably be better to salt and hash the password like other systems do.

  (I don't have a credit card though; I prefer to pay in cash. But if I did, one of the things that I would probably want is a longer password.)