Ask HN: My bank stores PIN as plain text, should I be worried?
Hello HN,
I received my new credit card with a reminder of my current PIN. I'm not sure how that could be possible without having a database of their customer names, addresses and secret PINs as plain text somewhere.
Shouldn't it be common sense to salt and hash them like any other stored password?
4-digit PINs are also used for other systems like SIM cards or ID cards in Europe, and I guess people often use the same code. Malicious employees could get access to bank accounts or smartphones of their relatives.
And if a leak happens, PINs will be in the wild with names and addresses attached to them; couldn't that be dangerous?
Do I take PIN way too seriously? Should I contact someone about this?

You are taking PIN security too seriously, yes. Your bank doesn't store them in the clear, they store them in an encrypted form, but they are able to decrypt them. There is a huge legacy of old hardware and software in banks. Much of the PIN issue has to do with maintaining backwards compatibility with cards without chips (magnetic strips), and readers that can only read those cards. I've encountered cash machines which didn't prompt for my PIN code until after my card had been returned. Don't sweat it. This is the least of your concerns.

Thank you! I didn't know PINs were also used for the magnetic strips (we never use them in Europe, or at least in Belgium). The legacy software could explain it. But the difference of processes between my main bank (random temporary PIN obtained with 2-factor authentication: postal letter with code to send back using smartphone) and my credit card company (bank card mailed to my address with current PIN) was weirding me out.

In Europe, most banks already assume in their threat model that your PIN may already be in the hands of criminals.
That’s why you need a second factor for most bank interactions: a physical card, a smartphone/smartwatch, or a token generator. At the same time, why should a bank even include a large-scale leak in their threat model? If a leak happens, the bank is doomed no matter what. No one is going to trust them with their money ever again. So from the bank’s point of view, any post-exposure mitigation, such as hashing a PIN, would likely be a waste of money. Also, most customers are OK with their account being temporarily locked down in case someone enters a wrong PIN more than a few times. No other business gets away with doing that. I suspect those are two of the reasons why brute force attacks aren’t at the top of your bank’s threat list, which is probably why they get away with four-digit PINs in 2021 and still sleep at night.

As others pointed out, it doesn't make much sense to hash PINs due to the small space that they cover. Using salts or additional information for hashing would only need further plaintext information to be stored and wouldn't solve the problem. However, as soon as the magnetic strip is completely replaced, wouldn't it make sense to store a more complex secret on the chip of the card that will then be transmitted upon entering the correct PIN? That would be proper 2FA, I would say. Of course the chip would have to lock down after multiple attempts (brute force) and it should be non-trivial to access the memory of the chip from the outside, which is already the case I assume? (looking at experts)

> However, as soon as the magnetic strip is completely replaced, wouldn't it make sense to store a more complex secret on the chip of the card that will then be transmitted upon entering the correct PIN? That would be proper 2FA, I would say.

A more complex secret is stored on the chip. The PIN is used along with some input: the chip uses the PIN to unlock the internal secret, it signs (or hashes, whatever) the input with the secret and returns the result.
Decent chip & PIN devices are even tamper proof to prevent the PIN from being intercepted in the input phase. Note that the PIN is not limited to 4 digits. It's only 4 digits when dealing with legacy hardware (and magnetic strips). The PIN on my CC is 6 digits.

The length depends on the country, I guess. I haven't seen anything longer than 4 digits in Germany, whereas in Italy longer PINs were more common.

If the magnetic strip with a 4-digit PIN is still on there, the advanced security of the chip won't help much though. Break the chip and force every system to use the strip and you're done (again, I assume that because there is no inaccessible memory on the strip, anything on there can be easily brute forced, so I further assume the information on the strip is not encoded with the PIN at all, but then the PIN equals the default authentication method on the bank side, not the more complex secret on the chip).

There are so few PINs that even when hashed it would probably be easy to crack.

That's something that crossed my mind; a 4-digit PIN is a weak password by definition. But hashing them with the customer ID, date of birth, or something else, and using bcrypt to slow brute force down could already be an improvement.

bcrypt already includes a salt [1] to prevent the use of rainbow tables. Adding more things is probably not very useful. Anyway, 4-digit PINs have only 10,000 combinations, which can be brute forced almost instantly. (On the other hand, sending it by email is not a good idea.)

But there’s no point in doing that. After a leak, you can assume the attacker already knows the customer ID and date of birth along with the hypothetically hashed PIN.
Brute-forcing the real PIN would take a few microseconds. So why even bother?

With only 4 digits, 10,000 possible choices, it would take a computer a short time to determine your PIN, assuming they knew the salt. If they did not know the salt, I assume it would be slightly longer depending on how big the salt was. I had not really thought about this problem, of the PIN being so short, but I assume they work on the idea of: something you own (the card), and something you know (the PIN) to provide security.

I think that it should be allowed to define a longer password if wanted; I think four digits is too short. (Last time I asked at a library, they said that I was allowed to define a password up to ten digits long (minimum four digits).) But, I agree, I think that it would probably be better to salt and hash the password like other systems do. (I don't have a credit card though; I prefer to pay in cash. But if I did, one of the things that I would probably want is a longer password.)
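The two points argued back and forth above (that a salted, slow hash over a 4-digit PIN plus customer ID and date of birth is still enumerable in seconds once the row leaks, and that a chip which keeps the signing key on-card and blocks after a few wrong PINs is what actually stops guessing) can be shown side by side. The following is an added example written for this page, not code from any commenter or from any bank or EMV implementation. It assumes PBKDF2-HMAC-SHA256 at a deliberately low iteration count so it finishes quickly, a toy CardChip class that only illustrates the unlock-then-sign mechanism described in the thread, and constructed customer ID, date of birth, salt and PIN values.

```python
"""Added example: offline brute force of a hashed 4-digit PIN versus
a chip-card retry counter. Not from the thread; all values constructed."""
import hashlib
import hmac

# Assumption: kept low so the demo runs in seconds. A real cost factor is
# higher, but it only multiplies the attacker's 10,000 guesses by a constant.
PBKDF2_ITERATIONS = 1_000


def hash_pin(pin: str, salt: bytes, customer_id: str, dob: str,
             iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Server-side store as proposed in the thread: a slow, salted hash over
    (customer ID, date of birth, PIN). The customer ID and DOB are stored in
    plaintext next to the hash, so they add nothing once the row leaks."""
    material = f"{customer_id}|{dob}|{pin}".encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def brute_force_pin(target: bytes, salt: bytes, customer_id: str, dob: str,
                    digits: int = 4, iterations: int = PBKDF2_ITERATIONS):
    """Offline attacker holding one leaked row (hash, salt, customer ID, DOB).
    Returns (recovered_pin, guesses_made); the search space is 10**digits,
    so a 6-digit PIN is only 100x more work, not a different problem."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        guess = hash_pin(candidate, salt, customer_id, dob, iterations)
        if hmac.compare_digest(guess, target):
            return candidate, n + 1
    return None, 10 ** digits


class CardChip:
    """Toy model (assumption, not EMV) of the mechanism described above:
    the key never leaves the chip, the PIN only unlocks its use for one
    challenge, and a retry counter blocks the card after MAX_TRIES misses."""
    MAX_TRIES = 3

    def __init__(self, pin: str, key: bytes):
        self._pin = pin
        self._key = key            # no method ever returns this
        self.tries_left = self.MAX_TRIES
        self.blocked = False

    def sign(self, pin: str, challenge: bytes):
        """HMAC(key, challenge) if the PIN is right, None if wrong;
        raises PermissionError once the retry counter is exhausted."""
        if self.blocked:
            raise PermissionError("PIN blocked: retry counter exhausted")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            if self.tries_left == 0:
                self.blocked = True
            return None
        self.tries_left = self.MAX_TRIES   # correct PIN resets the counter
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def online_guesses_before_block(chip: CardChip, digits: int = 4) -> int:
    """Same attacker, but guessing against the chip itself: counts how many
    PINs can be tried before the card blocks (MAX_TRIES unless lucky)."""
    guesses = 0
    for n in range(10 ** digits):
        try:
            if chip.sign(f"{n:0{digits}d}", b"constructed-challenge") is not None:
                return guesses + 1    # guessed correctly before the block
        except PermissionError:
            return guesses
        guesses += 1
    return guesses


if __name__ == "__main__":
    salt = bytes(range(16))          # constructed; a real system uses os.urandom
    row = hash_pin("2718", salt, "cust-42", "1990-01-01")
    pin, tries = brute_force_pin(row, salt, "cust-42", "1990-01-01")
    print(f"offline: recovered PIN {pin} after {tries} guesses")
    chip = CardChip("2718", b"k" * 32)
    print(f"online against chip: blocked after {online_guesses_before_block(chip)} guesses")
```

The offline search recovers the PIN after at most 10,000 PBKDF2 calls whatever the salt, since the salt, customer ID and date of birth sit in the same leaked row; the `digits` parameter lets you confirm that a 6-digit PIN only stretches that to 1,000,000. Against the chip the same loop stops after three wrong guesses, and no amount of offline work helps because the key is never exposed, which is the difference the thread is pointing at.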