Wow so here comes a rant (and somebody call me on this if I’m way off) but I gotta throw a penalty flag on BofA. They just mailed my PIN number to the mailing address where my replacement debit card was sent. Does that seem hugely flawed to anyone else? They should perhaps consider changing their name because this security practice has more holes in it than a block of baby swiss. Let’s count them:
- I know what my PIN is, I’m the one who set it.
- The fact that they can even output my PIN number (which I don’t need because I already know it) is not good. That means it exists in cleartext somewhere. Unless different password physics apply in the world of ATMs and banking vs. web sites, it’s never a good idea to store a password in a form where it can be read by a human. You should only ever store a derivation and compare the hashes to one another.
- The fact they would then print this number (which they shouldn’t see and which I didn’t ask for) and put it in the postal mail seems pretty silly. They have no less than three alternate truly secure channels via which to send me this type of sensitive info (voice, fax & inbox on the https site). You could argue they need a lowest common denominator means by which to reach everyone, but in that case why not mail a note saying “stop by a branch store to set your PIN” instead?
- And here’s the final clincher: not only do they send a number they shouldn’t see and that I don’t need via a decidedly less-secure medium, but they send it to the same destination where the asset that it unlocks is headed… really, BofA? That’s like mailing house keys to the street address of the house they unlock. What the heck are they thinking? I suppose they get a D- instead of a flat-out F for at least separating them into individual envelopes.
I would try calling and offering this input to their IT security folks, but frankly after navigating their hamster maze of an IVR tree to cancel the stolen card, it takes less time for me to write this blog post and it will probably reach that person faster.
BofA: not that I had a great deal of confidence in you before today, but this practice is asinine. If you were an important web publishing company like Gizmodo with access to sensitive info like, say… emails, you’d no doubt be skewered publicly over this. But alas, you’re merely one of the largest financial institutions securing trillions of dollars of people’s money, so this level of security is acceptable. Jeesh.
Can someone with a better security background chime in and critique this practice? Is it as flawed as it seems or am I overreacting here?
In the UK and in Spain they do the same thing. The only alternative is to collect them from your bank. However, they also require you to activate the card via the phone or via internet banking before it becomes active. This second phase requires additional knowledge not in the public domain.
Your PIN is not stored in clear text, it's stored encrypted; they can then decrypt the password using their key management system and send it on its way to you. I'm not saying it's good they send your PIN via mail to the same address as your card, but your PIN is not stored in clear text.
it is printed in clear text ;)
C_T – thx for the clarification. I'm admittedly not a security expert but it seems like the fact they can even generate your PIN and give it to you is problematic. In web apps at least my understanding has been that the right way to do it is to store only a one-way hash of the password and compare the user-submitted pwd against that each time. That way I couldn't get your original password even if I wanted to.
I think the author was complaining that the PIN is even stored (encrypted).
The most secure way would be to just store a hash of the PIN, and the hashing would be one-way (i.e. you can only verify, when given the PIN, that it is real). The actual PIN should never be stored.
That said, my local bank does this as well. ING Direct can't look up the card PIN, but does mail you a new one (in cleartext) when you claim you've lost it. At least they stagger the arrival dates.
Your PIN number is not much security to begin with. Storing a hash of your PIN is not very useful since there are only 10k distinct values and a brute force on such a hash is trivial. The bigger issue is mailing the debit card itself (activation is little protection from someone who already has access to your mail). In most cases, they act as credit cards and can be used at countless locations throughout the country without need for identification.
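The exchange above (store a one-way hash, says the post; a hash of a 4-digit PIN is trivially brute-forced, says Jack) can be checked in a few lines. This is an added illustration, not code from the post or from any bank: the salt, key and account number are constructed values, and the keyed verification value is a simplified stand-in for the secret-keyed PIN checks real issuers run inside an HSM. It shows both points: a salted hash of a 4-digit PIN is recovered in at most 10,000 guesses, and even a keyed design only moves the secret into the key holder's hands, who can still enumerate the PIN.

```python
import hashlib
import hmac
from typing import Optional

# Every possible 4-digit PIN: the entire search space is 10,000 values.
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted one-way hash, the scheme the post proposes for PIN storage."""
    return hashlib.sha256(salt + pin.encode()).digest()


def brute_force_hashed_pin(digest: bytes, salt: bytes) -> Optional[str]:
    """Anyone holding the stored digest and salt recovers the PIN by enumeration."""
    for pin in PIN_SPACE:
        if hash_pin(pin, salt) == digest:
            return pin
    return None


def pin_verification_value(pin: str, account: str, key: bytes) -> bytes:
    """Keyed MAC over account + PIN; the key is assumed to live only in an HSM.
    Truncated to 8 bytes to mimic the short verification values banks store
    (the truncation length is an assumption for illustration)."""
    msg = f"{account}:{pin}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def verify_pin(candidate: str, account: str, key: bytes, stored_pvv: bytes) -> bool:
    """Online check as the bank would do it: recompute and compare in constant time."""
    return hmac.compare_digest(pin_verification_value(candidate, account, key), stored_pvv)


def recover_pin_with_key(stored_pvv: bytes, account: str, key: bytes) -> Optional[str]:
    """Without the key the stored value is useless to an attacker; with the key,
    the bank (or anyone who obtains the key) recovers the PIN in <= 10k tries,
    which is why 'we never store your PIN' still lets them mail you the old one."""
    for pin in PIN_SPACE:
        if hmac.compare_digest(pin_verification_value(pin, account, key), stored_pvv):
            return pin
    return None


# Constructed sample data (not real credentials).
SALT = b"constructed-salt"
HSM_KEY = b"constructed-hsm-key-not-a-real-key"
WRONG_KEY = b"some-other-constructed-key"
ACCOUNT = "4000123412341234"
STORED_HASH = hash_pin("4821", SALT)
STORED_PVV = pin_verification_value("4821", ACCOUNT, HSM_KEY)
```

Running the functions on the sample data: the salted hash gives up the PIN immediately, the keyed value resists enumeration under any wrong key, and the key holder recovers it just as quickly as the hash.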
FWIW- I had my debit card *number* stolen and somehow the person also knew my pin. All of the charges they placed on the card (even debit) were promptly refunded to me by BofA. Many of the charges failed because the activity was inconsistent with my own purchasing.
In Canada, I just received my new chip-enabled CIBC Mastercard. They then sent me a PIN, and it was my old PIN. Therefore, it also exists in a clear database. They have explained to me that they need the PIN number in order to check my PIN number to see if it is correct. Of course we know that is nonsense.
These people are designing security systems for banks. There is something very sickly wrong here.
Further, the banks consider the PIN number as a signature, but if they do not keep it secure, how is that reasonable? They should be liable for failures in PIN system.
Further to my last comment, I have spent a few hours on the phone with the bank.
They found a document that said that they DO NOT STORE THE PIN NUMBERS ANYWHERE IN THE SYSTEM.
Then, how did they send me my old PIN number? They are lying, and they are responsible for financial security. Shocking….
Same in Switzerland (otherwise great banks … !): I got my old PIN 'reminded', complained, and got a written response "Your PIN-code is in no database and in no file saved as clear-text, neither encrypted nor unencrypted" (i.e., in German: "Ihr PIN-Code wird in keiner Datenbank und in keinem File im Klartext gespeichert, egal ob verschlüsselt oder nicht").
I had complained because I got a PIN reminder, AND I provided in my original mail a link to this blog, so they could have seen Jack's comment; yet they gave the same obviously wrong answer. Amazing.