Security Basics
mailing list archives
Re: PIN security
From: B 650 <dunc.on.usenet () googlemail com>
Date: Fri, 23 Jan 2009 19:23:04 -0000
Comments inline below
----- Original Message -----
From: <s0h0us () yahoo com>
To: <security-basics () securityfocus com>
Sent: Friday, January 23, 2009 1:50 PM
Subject: PIN security
> This inquiry is more intended for those of you in the banking industry but
> I would appreciate everyone's comments.
> I am recommending increasing the number of characters required to create a
> PIN (this gives access to both phone and Internet Banking). Transactions
> allowed over these means are limited. The risk here is associated with
> possible identity theft but more so insider fraud (creating bogus accounts
> and internally transferring funds from compromised accounts).

How will increasing the number of characters in the PIN reduce insider fraud?
How will increasing the number of characters in the PIN reduce identity
theft?

> I am also recommending that accounts that have not been electronically
> accessed during the past 12 months (phone or internet) using a PIN should
> be disabled and require a re-PINning at next login.

Why?

> I'm looking for comments regarding this topic of PIN security:
> Should users be required to re-PIN every x amount of months?

No - Unless a PIN is compromised, it is secure. If it is compromised, I
seriously doubt that a "bad guy" will wait X months before accessing the
account; they will use it ASAP to get as much funds as possible before there
is the chance for the owner to a) realise it's compromised or b) change the
PIN for another reason.

> Is requiring that dormant accounts be disabled reasonable?

I don't see the logic.

> What about actual account numbers? Should they contain a certain number of
> characters (min. 8)?

Account numbers are not secret information. You give them out to all sorts
of companies, so there are potentially thousands of employees of those
companies with access to that information. Making them longer doesn't make
any sense.

> Part of the authenticating process also requires providing answers to
> challenge questions; should these be updated every so often?

See point above re: PIN.

> Part of my recommendations need to take into consideration the impact
> on the customers and the financial institution itself.

Huge customer impact (having to change regularly will mean you *will* forget
it, which will undoubtedly happen when you need to access the account
urgently...). Remember that most banks etc. will reset your PIN and *mail*
you a replacement, meaning at least 2-3 days without access to your account.
Huge financial institution overhead resetting forgotten PINs, and securely
communicating them to the user.

> Thanks in advance for your thoughts and comments