# Why do banks allow you change your PIN number?



## Brendan Burgess (9 Feb 2013)

I heard a guy on BBC's Money Box programme complaining that the bank refused to give him a refund after his CC was stolen and used fraudulently. 

He had left his wallet behind in a house in which he was working - he was an electrician. 
He had his driving license in the wallet.
His PIN number was his date of birth. 

In my mind, he did not deserve a refund. 

There are many other cases where people have guessable pins e.g. 6789. 

Why don't the CC companies simply issue people random pins and don't allow them to change them? 

Or make it difficult for people to change their PIN number and if they do, they lose protection against mis-use. 

Brendan


----------



## Jim2007 (9 Feb 2013)

Brendan Burgess said:


> Why don't the CC companies simply issue people random pins and don't allow them to change them?



Because more people will write it down, stick it on the bathroom mirror, put it in their handbag or whatever....

I once did a security review for a Japanese company, who prided itself on how strong the passwords were that they were issuing for the users.  However on the floor, the users were having difficulty remember them so they were doing things like stick it on the back of the keyboard, under the monitor, on the underside of the desk and what not...

No matter what system you come up with there will be some breaches and the more complex you make it the more breaches you will have!


----------



## Brendan Burgess (9 Feb 2013)

OK, that makes some sense. 

Brendan


----------



## murphaph (30 Mar 2013)

Most German banks do it that way Brendan. You get issued your pins for cards, Internet banking etc and you just have to learn them. Neither of my 2 banks allows you to change pins for cards. One of the two allows you to change login details for Internet banking though.

I see the point about making it too complex but people can fairly quickly learn a four digit random pin tbh and won't write it down. Internet banking codes are another matter however.


----------



## dub_nerd (30 Mar 2013)

Jim2007 said:


> Because more people will write it down, stick it on the bathroom mirror, put it in their handbag or whatever....


 
+1. It's nuts. I worked for a company that made you change each of your half dozen passwords every ninety days. An extra security feature was that you couldn't make new passwords that were variations on old ones -- you had to have completely new passwords each time. Needless to say, writing passwords down was commonplace.

I don't write my banking pins down anywhere because I've only had _one_ for many years. Same pin for all cards. I have another different pin for all telephone-related things ... SIM unlock code, voice-mail(s), telephone top-ups etc. If I wasn't allowed change all these things, I'd have a donzen different pins, which would all have to be written down somewhere, much less securely.


----------



## MrEarl (31 Mar 2013)

dub_nerd said:


> +1. It's nuts. I worked for a company that made you change each of your half dozen passwords every ninety days. An extra security feature was that you couldn't make new passwords that were variations on old ones -- you had to have completely new passwords each time. Needless to say, writing passwords down was commonplace.....



Hi,

I think a lot of large companies do this now and to be honest, in my own experience, it's once a month we have to change the various passwords ...

quite honest, it's doing nothing only increasing the risk of people writting down the various passwords, as they simply cannot remember all of them.

There are other forms of security, which could be used rather than passwords, but clearly it's not as cheap as just forcing a person to keep changing their passwords - hence we all have to continue to tolerate it, just so our I.T. Departments can claim we have an acceptable level of security for our computers, our Bank can claim the same etc.

It's time for the likes of electronic finger prints to be used, in conjunction with photos etc - if it's good enough for US Immigration, then it's good enough for me 

Getting back to pin numbers, by virtue of the fact that they are only four digits, they can be easily "cracked" regardless, imho. Six or Eight digits, would be more secure ....

Regards

Mr. Earl.


----------



## mathepac (1 Apr 2013)

MrEarl said:


> ...  Getting back to pin numbers, by virtue of the fact that they are only four digits, they can be easily "cracked" regardless, imho. Six or Eight digits, would be more secure ....


What increases the security of a 4-digit PIN is *not* the 5,040 different combinations you can have (tiny in security terms), it's the fact that you only have at most 3 attempts to get it right before the card is suspended or retained in the ATM. This is why ATM thieves employ ATM skimmers with pin-hole cameras or shoulder-surfers to memorise PINs

Increasing the digits to six for example will give 151,200 unique combinations, but will probably increase the temptation for people to write the PIN down somewhere.

If we stick with a 4 character PIC (personal identification code, as it's no longer a number), but include upper and lower-case letters as well as digits, we probably won't increase the temptation to write the PIC down, but the number of unique combinations increases to 13,388,280 or by 2,656 times in comparison to a 4 digit PIN.

In order to accommodate this however, the banks would need to install "full-sized" keyboards  like a mobile phone's on the ATMs and that probably won't happen any time soon, given the massive hard-ware and soft-ware costs associated with the changes needed.

The real reason we are left with user-changeable 4-digit PINs in Ireland IMO is so the banks can shovel the blame onto the customer for any losses associated with lost cards or intercepted PINs. In other words, the bankers are really saying "chip 'n pin is not really secure as we pretended, but that's your fault Mr & Mrs Customer; you simply can't be trusted to keep secrets securely".

For online banking I like the little Enigma-machines that AIB issued a while ago (the belated PostBank also used them) which creates a once-off code for the transaction. Using these at ATMs in their current form is impractical, but there is I believe scope for some smart development in this area.


----------



## Mrs Vimes (1 Apr 2013)

mathepac said:


> What increases the security of a 4-digit PIN is *not* the 5,040 different combinations
> 
> Increasing the digits to six for example will give 151,200 unique combinations,



A 4 digit number gives 10,000 combinations
A 6 digit number gives 1,000,000 combinations.


----------



## ajapale (1 Apr 2013)

mathepac said:


> The real reason we are left with user-changeable 4-digit PINs in Ireland IMO is_* so the banks can shovel the blame onto the customer for any losses*_ associated with lost cards or intercepted PINs. In other words, the bankers are really saying "chip 'n pin is not really secure as we pretended, but that's your fault Mr & Mrs Customer; you simply can't be trusted to keep secrets securely".



Yes, that appears to be the case.

The digits dont have to be unique. So the higher number of combinations as per Mrs Vimes would seem to be the figure.

Is a pin number with repeated digits worse than one with unique numbers? 0000 or 7777 would stike me as pretty dumb!


----------



## ontour (1 Apr 2013)

Mrs Vimes said:


> A 4 digit number gives 10,000 combinations
> A 6 digit number gives 1,000,000 combinations.



The number of combinations does not reflect user behaviour as the top 10 most frequently used 4-digit codes would account for approximately 25% of pin numbers.  Even if you go to 6 digits, many users will follow predictable patterns with a very high percentage going for their date of birth.

A bank can easily assess whether your selected PIN number is weak or strong and should tell you.


----------



## ajapale (1 Apr 2013)

ontour said:


> A bank van..


Whats a bank van?

[broken link removed]


----------



## Time (1 Apr 2013)

The Irish PIN is 4 digits by default but you can change it to 6 digits for some cards at an ATM.


----------



## DrMoriarty (1 Apr 2013)

ontour said:


> Even if you go to 6 digits, many users will follow predictable patterns with a very high percentage going for their date of birth.
> 
> A bank can easily assess whether your selected PIN number is weak or strong and should tell you.


When I registered for online banking with Ulster Bank, _they _issued _me _a user login consisting of my d.o.b. (DD/MM/YY) with four extra digits tacked on, the first two of which were zeros. They issued my wife a number with her d.o.b. plus four digits identical to mine +1, i.e. the next in the series — say '0042' and '0043'.

I agree with mathepac's assessment that this is about shifting liability off the bank and onto the customer. Ditto for the introduction of (now effectively mandatory) chip-and-pin cards.


----------



## mathepac (1 Apr 2013)

Mrs Vimes said:


> A 4 digit number gives 10,000 combinations
> A 6 digit number gives 1,000,000 combinations.



If you have 10 digits,  0 to 9,  and want to calculate the number of 4-digit combinations you can have,  the calculation is 10x9x8x7 = 5,040

If you have 10 digits,  0 to 9,  and want to calculate the number of 6-digit combinations you can have,  the calculation is 10x9x8x7x6x5 = 151,200 

or has my maths failed me again?


----------



## Joe_90 (1 Apr 2013)

Yes that would be true if the first number could not be repeated like in the lotto.
But you could go 0000 to 9999


----------



## Berni (1 Apr 2013)

edit: what Joe said


----------



## antonios (1 Apr 2013)

mathepac said:


> If you have 10 digits,  0 to 9,  and want to calculate the number of 4-digit combinations you can have,  the calculation is 10x9x8x7 = 5,040
> 
> If you have 10 digits,  0 to 9,  and want to calculate the number of 6-digit combinations you can have,  the calculation is 10x9x8x7x6x5 = 151,200
> 
> or has my maths failed me again?



According to the multiplication principle, if an event occurs n times and another independent event occurs m times, then the two events can occur in n x m different ways. 

In the PIN case, you have to select 4 digits, i.e, 4 different independent events. 
For each digit, you have 10 options (1 to 9 plus 0). so the total number of combinations would be 10 x 10 x 10 x 10 = 10000.


----------



## Jim2007 (1 Apr 2013)

ontour said:


> The number of combinations does not reflect user behaviour as the top 10 most frequently used 4-digit codes would account for approximately 25% of pin numbers.  Even if you go to 6 digits, many users will follow predictable patterns with a very high percentage going for their date of birth.
> 
> A bank can easily assess whether your selected PIN number is weak or strong and should tell you.



In theory the bank could warn you that a number may be weak, but as you say human behaviour is the most important aspect of security.  Even if people pick 4 digits at random, the chance are that they will use the same 4 digits as a password on many other systems as well, so the numbers are likely to become known or are collectable....


----------



## jhegarty (1 Apr 2013)

Each extra digit multiples the possible combinations by 10.

1 Digit : 10
2 Digits : 100
3 Digits : 1000
4 Digits : 10000 (as worked out by antonios above)
5 Digits : 100000
6 Digits : 1000000

etc...


----------



## DrMoriarty (1 Apr 2013)

Jim2007 said:


> ...human behaviour is the most important aspect of security.  Even if people pick 4 digits at random, the chance are that they will use the same 4 digits as a password on many other systems as well, so the numbers are likely to become known or are collectable....


True...

[broken link removed]


----------



## dub_nerd (1 Apr 2013)

antonios said:


> According to the multiplication principle, if an event occurs n times and another independent event occurs m times, then the two events can occur in n x m different ways.
> 
> In the PIN case, you have to select 4 digits, i.e, 4 different independent events.
> For each digit, you have 10 options (1 to 9 plus 0). so the total number of combinations would be 10 x 10 x 10 x 10 = 10000.


 
That's a kind of complicated way of saying that are 10^n different n-digit numbers. 

Or, if you don't want to restrict yourself to base 10, there are b^n n-digit numbers in base b.


----------



## ajapale (1 Apr 2013)

ajapale said:


> The digits dont have to be unique. So the higher number of combinations as per Mrs Vimes would seem to be the figure.
> 
> Is a pin number with repeated digits worse than one with unique numbers? 0000 or 7777 would stike me as pretty dumb!



If you insist on unique digits then you get the lower number of combinations  151,200. If you allow digits numbers such as 1122, 0000, etc then you get the 10,000 combinations.


----------

