
What is the risk in the following scenario:

  1. A bank wants to use an ATM pin (debit card and/or credit card) as an additional form of authentication after the customer logs in to her online/mobile banking platform
  2. As the bank owns the cards, it may select to use the ATM pin in whichever way it wants, so it does not violate any compliance requirement
  3. Also, assume that all the cards use EMV, i.e., chip and PIN

If criminals steal all of the ATM PINs, what can they possibly do with them? What is the risk exposure to the bank in this scenario?

  • You may want to have a look at postfinance's solution with their card reader: https://www.postfinance.ch/en/private/products/digital-banking/e-finance/login-procedures.html For the customer, the procedure requires the card reader, the physical card (with chip) and the knowledge of the PIN. Since the challenge is a nonce, the PIN never travels in cleartext, not even on the client browser. – Marcel Feb 15 '18 at 10:01
  • That's why all online banking must use a secondary authentication code that is not changeable by the user. – mootmoot May 16 '18 at 10:47
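The card-reader flow Marcel's comment describes, reduced to its core, is a nonce-based challenge-response: the bank sends a fresh random challenge, the reader checks the PIN locally and only then computes a MAC over the challenge with a key held by the card, and the bank verifies that MAC with its own copy of the key. The simulation below is an added illustration written for this answer, not PostFinance's or any EMV CAP implementation (real readers derive the response from the chip's cryptogram, not a plain HMAC); the `Bank`, `CardReader` classes, the card record and the PIN are all constructed. It shows the property the comment relies on: the PIN appears nowhere in the transcript, a wrong PIN produces no message at all, and a captured response cannot be replayed because the nonce is single-use.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample card record (not from the page): the issuing bank and the
# card's chip each hold the key; only the card and the customer know the PIN.
CARD_ID = "card-0001"
CARD_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
CARD_PIN = "1234"


class Bank:
    """Server side: knows each card's key, never stores or receives the PIN."""

    def __init__(self, cards: dict):
        self.cards = cards          # card_id -> card key
        self.pending = {}           # card_id -> outstanding nonce

    def issue_challenge(self, card_id: str) -> bytes:
        # Fresh 128-bit nonce per login attempt; this is the only thing sent out.
        nonce = secrets.token_bytes(16)
        self.pending[card_id] = nonce
        return nonce

    def verify(self, card_id: str, response: bytes) -> bool:
        # Pop the nonce so a captured response cannot be replayed later.
        nonce = self.pending.pop(card_id, None)
        key = self.cards.get(card_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class CardReader:
    """Client side: the PIN check happens inside the reader/card; only the MAC leaves."""

    def __init__(self, card_key: bytes, card_pin: str):
        self._key = card_key
        self._pin = card_pin.encode()

    def respond(self, pin_entered: str, nonce: bytes) -> Optional[bytes]:
        # Constant-time PIN comparison; a wrong PIN yields no response at all,
        # so nothing PIN-derived is ever put on the wire.
        if not hmac.compare_digest(self._pin, pin_entered.encode()):
            return None
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def run_login(bank: Bank, reader: CardReader, card_id: str, pin_entered: str):
    """Run one full exchange; return (accepted, list of messages seen on the wire)."""
    transcript = []
    nonce = bank.issue_challenge(card_id)
    transcript.append(nonce)                     # bank -> customer browser -> reader
    response = reader.respond(pin_entered, nonce)
    if response is None:
        return False, transcript                 # wrong PIN: exchange stops here
    transcript.append(response)                  # reader -> browser -> bank
    return bank.verify(card_id, response), transcript


def pin_on_wire(transcript, pin: str) -> bool:
    """True if the PIN digits appear verbatim in any transmitted message."""
    return any(pin.encode() in msg for msg in transcript)


if __name__ == "__main__":
    bank = Bank({CARD_ID: CARD_KEY})
    reader = CardReader(CARD_KEY, CARD_PIN)
    ok, transcript = run_login(bank, reader, CARD_ID, CARD_PIN)
    print("accepted:", ok, "| PIN visible on wire:", pin_on_wire(transcript, CARD_PIN))
    print("replay of captured response accepted:", bank.verify(CARD_ID, transcript[1]))
    print("wrong PIN accepted:", run_login(bank, reader, CARD_ID, "0000")[0])
```

The contrast with the scheme in the question is the point: when the customer types the ATM PIN into a web form, a compromised browser or endpoint learns the PIN itself; here an interceptor learns only a nonce and a MAC that are useless for a second login and say nothing about the PIN.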

1 Answer


Intercepting the PIN on the internet, and knowing it's the same as the card PIN, would leave you more susceptible to a targeted attack aimed at procuring the card.

Granted that if the PIN can be intercepted, then most likely the other credentials are as well, and the attacker could perform an attack on the banking site.

Bottom line: don't put the user at physical risk.

M'vy