
I have signed up with a new current account in the UK for day-to-day transactions. The account comes with a payment (debit) card. The banking institution's security handling of PINs for payment cards is something that I think would be interesting for an audience of security professionals, and I wonder if it is not good enough.

Here are the instructions that accompany the card sent via postal mail:

How to activate your card

  1. When you receive your digipass [electronic OTP code generator] and digipass PIN, log onto your internet banking

  2. To retrieve your six digit access code click on 'Account Management' and then the 'Cards' tab

  3. Using your mobile number you provided in your application, text '{BANKNAME} PINACT' followed by your access code, followed by the last four digits of your card number (e.g. {BANKNAME} PINACT 123456 7890) to {SMS number}

  4. You'll be sent your debit card PIN via text

  5. You're ready to use your card (remember to sign the back). The first time you use it you will need to enter your PIN - at an ATM or within a store

I went through the instructions, and received this SMS:

Your card is active and the PIN for your {bankname} Bank Debit Card ending with XXXX is YYYY. Please delete this message after reading.

I take the view that security is a balance between convenience versus the attractiveness of a target. In this case, the target is a supply of PIN codes for payment cards, for presumably tens of thousands of customers, sent in an unencrypted channel over the public telephony system. I note also there are no encouragements that PINs should be changed when they are received.

Moreover, it seems strange that one obtains a one-time security code from an internet banking site (secure and encrypted) in order to obtain a permanent PIN code via SMS (interceptable). Should that not have been the other way around?

In the UK it is common practice for customers to be told not to reveal their payment card PINs to "anyone, not even the police". And yet this bank has provided PIN codes for all of their customers' payment cards over a plaintext comms channel (and thus, by extension, the police, who have realtime access to all unencrypted comms in the UK).

There are three mitigating reasons the bank may have:

  1. PINs are useless without a physical card, and they are not used for "cardholder not present" transactions
  2. Most card providers support PIN changing at ATMs
  3. Tens or hundreds of thousands of UK customers have been served their PINs in this fashion, and none of them have been defrauded as a result of SMS interception

However, I am still not certain good practices have been followed here. Am I right in believing this security could be improved, and would my suggestion of using SMS for one-time codes and the (HTTPS) banking web app to show PINs, offer better overall security?


I don't actually know this; I am just guessing what the bank might claim.

halfer
  • Weird that this hasn't been definitively answered yet, but I'm curious about this: "*...and thus, by extension, the police, who have realtime access to all unencrypted comms in the UK.*" Is there a source for this claim? – Hashim Aziz Jul 15 '20 at 16:46
  • @Prometheus: I didn't have a source for this when I wrote it, though I still believe it to be true. [This reference](https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016#Provisions_of_the_Act) indicates the provisions of one of the pieces of legislation (see in particular "bulk collection"), and [see here](https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016#Authorities_allowed_to_access_Internet_connection_records) for the government departments that may access internet history without a warrant. – halfer Jul 15 '20 at 18:28
  • [This story](https://www.helpnetsecurity.com/2017/05/05/uk-govt-wants-real-time-communication-surveillance-powers/) mentions the "real-time" nature of the legislation, though this was written before that section of the law reached the statute books. There was some discussion at the time that this was just retrospectively authorising a practice that was ongoing anyway. I dare say examining the text of the various bills would reveal more, but it'd take a patient person to wade through them all. – halfer Jul 15 '20 at 18:30
  • [This story](https://www.theguardian.com/world/2016/nov/19/extreme-surveillance-becomes-uk-law-with-barely-a-whimper) is also interesting, and mentions the legalisation of state-sponsored hacking (which previously would have been categorised as Computer Misuse under another Act). – halfer Jul 15 '20 at 18:35

4 Answers

2

Am I right in believing this security could be improved, and would my suggestion of using SMS for one-time codes and the (HTTPS) banking web app to show PINs, offer better overall security?

Yes, I believe you're right on. A better schema would be to send a one-time-code via SMS and to reveal the PIN via HTTPS (or even better, not reveal the PIN at all once it has been set). As well, the bank should recommend that users change their PIN upon receipt.

ghrs
  • Thanks for your answer. We are in agreement; however, to play Devil's Advocate for a bit, isn't security about achieving tangible results? In other words, if tens/hundreds of thousands of customers have not experienced a financial breach as a result of this data leakage, there isn't a problem? Or might they say that the only people who have blanket access to SMS messages via surveillance protocols are not the kind of people who engage in financial fraud? – halfer Apr 18 '20 at 16:56
  • Yep, we agree. In general, just because something bad hasn't happened _yet_ doesn't mean that there isn't a problem. As well, it is important to consider whether stealing a PIN via SMS is really the lowest barrier of entry. – ghrs Apr 18 '20 at 17:05
  • "Or might they say that the only people who have blanket access to SMS messages via surveillance protocols are not the kind of people who engage in financial fraud?" Beware of blindly trusting "people". – ghrs Apr 18 '20 at 17:09
  • Oh yes, one would not be wearing a security hat if one thought the various institutions of power within the establishment did not need security mitigation! – halfer Apr 18 '20 at 17:42
  • @halfer Every virtual mobile network operator has access to SMS messages. I don't know how hard it is to access a non-customer's messages without being detected. But that's a much bigger attack surface than just your cell phone provider and your country's police. Alternatively, the attacker can trick your operator to get them access to your number (pretending you're changing operators or that you've lost your SIM). SMS is significantly less secure than physical mail. – Gilles 'SO- stop being evil' May 26 '21 at 16:21
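As an added illustration (not code from the question, this answer, or any bank), here is the swapped-channel flow proposed above, in Python: a short-lived, single-use code goes out over SMS, and the PIN is released only inside the already-authenticated HTTPS session, with an expiry and an attempt limit. The `SmsGateway` and the `pin_store` mapping are stand-ins I assume for the bank's SMS channel and PIN source.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # the one-time code is short-lived
MAX_ATTEMPTS = 3        # lock the code after a few wrong guesses


class SmsGateway:
    """Stand-in for the bank's SMS channel; records what would be sent."""
    def __init__(self):
        self.outbox = []  # list of (mobile_number, text)

    def send(self, mobile, text):
        self.outbox.append((mobile, text))


class CardActivation:
    """Activation with the channels swapped: code over SMS, PIN over HTTPS."""
    def __init__(self, sms, pin_store):
        self.sms = sms
        self.pin_store = pin_store   # card_id -> PIN (assumed issuer-side source)
        self.pending = {}            # card_id -> outstanding challenge

    def start(self, card_id, mobile, now=None):
        """Step 1 (web session): issue a 6-digit code and text it to the customer."""
        now = time.time() if now is None else now
        otp = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        self.pending[card_id] = {
            "otp_hash": hashlib.sha256(otp.encode()).digest(),  # never store the code itself
            "expires": now + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # Only the one-time code leaves the bank over SMS; the PIN never does.
        self.sms.send(mobile, f"Your card activation code is {otp}. It expires in 5 minutes.")

    def reveal_pin(self, card_id, otp, now=None):
        """Step 2 (same HTTPS session): return the PIN once, or None on any failure."""
        now = time.time() if now is None else now
        ch = self.pending.get(card_id)
        if ch is None or now > ch["expires"] or ch["attempts"] >= MAX_ATTEMPTS:
            self.pending.pop(card_id, None)   # expired or exhausted: discard the challenge
            return None
        ch["attempts"] += 1
        presented = hashlib.sha256(otp.encode()).digest()
        if not hmac.compare_digest(ch["otp_hash"], presented):   # constant-time compare
            return None
        del self.pending[card_id]   # single use: a replayed code is rejected
        return self.pin_store[card_id]
```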
2

The relevant security standard is the Payment Card Industry Digital Security Standard ("PCI-DSS"). Your financial institution likely has or could be audited under this standard. I took a quick look to see if there's anything in there about not using SMS, or how to handle PINs.

3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization.

I suppose they're technically covered because they told you to delete the message. This one gets a "lol".

4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).

PANs are the full card number, so this is close but not quite right.

... that's all I found. There are lots of explicit rules about protecting PANs (the full card number), "only display the last 4 digits", "store it encrypted", "never send it over an unencrypted network", etc. But there's surprisingly little about protecting PINs. So while I agree that it seems a bit sketchy, I think it's technically not a violation of the security standard.

Mike Ounsworth
  • Good thoughts, thanks Mike. I wonder if 4.2 might need updating in light of WhatsApp and Signal etc - I presume given their focus on E2E encryption that it would be safe to send PANs in this fashion. – halfer Feb 13 '21 at 10:01
  • DSS is not the only PCI standard, although it is usually the most important for _merchants_ (i.e. payment receivers). _Card issuers_, which is the case here, are subject to several other requirements as well, that only appear when you select nondefault 'filters' in the document library. – dave_thompson_085 May 27 '21 at 01:17
2

There is also the PCI PIN Security Requirements where it states in control objective 1

Requirement 1: All cardholder-entered PINs must be processed in equipment that conforms to the requirements for secure cryptographic devices (SCDs). PINs must never appear in the clear outside of an SCD.

So if this is correct, I would presume that PINs should not be sent over private messaging in the clear.

schroeder
user257948
  • Do you have a link to this requirement for reference? – schroeder May 26 '21 at 15:28
  • schroeder: I don't think there's a way to link directly to PCI documents because of their licensing, but you go to https://www.pcisecuritystandards.org/document_library and select PIN in the 'filter by' pulldown, click on the document in the list, and accept their terms. – dave_thompson_085 May 27 '21 at 01:13
1

I agree that showing the PIN on https (when logged in to the bank site) would be preferable. Actually that's what Amex was doing in my (non-UK) country a few years ago. It was a strange JavaScript widget where you could unmask only one digit at a time on screen.

Sending a PIN by SMS does not strike me as a safe or good practice.

The only valid reason I can see here is spreading the risk. Someone who has your banking credentials + Digipass + your bank card (stolen from the mailbox) cannot get the PIN without access to your mobile phone.

Unless they carry out a SIM swap attack (obtaining a new SIM card in your name with your number).

Kate