
I recently applied for a second credit card for my partner to use on my account and was surprised when her preset PIN number turned out to be the same as mine.

Coming from a development background I assumed PINs were hashed somehow.

It seems very unlikely this is a coincidence. Why are credit card PINs not stored hashed rather than (hopefully) encrypted, and why not generate a new one for the second card?

Liath

4 Answers


What's the use of hashing a 4-digit PIN? You only need 10,000 rounds to get the PIN back, even if each PIN has its own salt. They are probably stored encrypted, for local employees etc., but for an engineer working there it won't be a big problem to get the PIN out of the database.

SPRBRN
  • There are no `PIN` records stored in any database, hence the above-mentioned scenario is never possible. The only place where PIN records are stored is the HSM. – SajjadHashmi Jul 07 '14 at 08:37
  • What is HSM? Can you give a link to support your claim? – SPRBRN Jul 07 '14 at 08:53
  • [HSM: Hardware security module](http://en.wikipedia.org/wiki/Hardware_security_module) "a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing." – SajjadHashmi Jul 07 '14 at 09:05
  • Can you explain a bit more how this works? You mean a bank has such a device with all PIN records in it? How is that not a database? It still needs to be queried to verify a PIN. – SPRBRN Jul 07 '14 at 09:08
  • Yes, a device with all the PIN records, but there is no such `database` in it. It stores information in the form of raw data objects inside it. As HSMs are also used to store database keys themselves, if an HSM itself used a database it would be like defeating its own purpose. – SajjadHashmi Jul 07 '14 at 09:38
  • The overall workflow of an HSM depends heavily on its manufacturer and configuration. In general it receives a set of information such as the encrypted PIN, account number and a few more things; based on that it decrypts the PIN, checks it against the one stored in it, and in return just sends back a response object telling whether validation was successful or not. – SajjadHashmi Jul 07 '14 at 09:39
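A worked illustration of the point made in this answer, added here as an example and not part of the original post: a per-user salt and even a slow, iterated hash do not help much when the secret is a 4-digit PIN, because the whole keyspace is 10,000 candidates. The storage format (PBKDF2-HMAC-SHA256, salted) and the sample PIN are constructed for the demonstration; the iteration count is a parameter so the cost of a "hardened" store can be compared directly.

```python
import hashlib
import os
from typing import Optional, Tuple

PIN_DIGITS = 4


def hash_pin(pin: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a PIN: a constructed stand-in for a
    'hashed PIN' column. Assumed scheme, not any bank's real storage format."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("ascii"), salt, iterations)


def crack_pin(stored: bytes, salt: bytes, iterations: int = 100_000,
              digits: int = PIN_DIGITS) -> Tuple[Optional[str], int]:
    """Recover a numeric PIN from its salted hash by exhausting the 10**digits
    keyspace. Returns (pin, guesses_made).

    The salt only stops precomputation (one rainbow table for every user);
    with the salt in hand, each user's PIN still costs at most 10**digits
    guesses, and slowing the hash only scales that small constant.
    """
    guesses = 0
    for candidate in range(10 ** digits):
        pin = f"{candidate:0{digits}d}"   # zero-padded, so "0042" is tried as "0042"
        guesses += 1
        if hash_pin(pin, salt, iterations) == stored:
            return pin, guesses
    return None, guesses


if __name__ == "__main__":
    # Two users with the same PIN but different salts: the stored hashes differ,
    # yet both fall to the same 10,000-guess sweep.
    iterations = 1_000   # kept low so the demo finishes quickly
    for user in ("alice", "bob"):
        salt = os.urandom(16)
        stored = hash_pin("4217", salt, iterations)   # constructed sample PIN
        pin, guesses = crack_pin(stored, salt, iterations)
        print(f"{user}: hash={stored.hex()[:16]}... recovered={pin} after {guesses} guesses")
```

The only thing that changes the picture is removing the offline attack entirely: keep the verification inside a device that rate-limits and locks out after a few wrong guesses, which is what the HSM discussion in the comments above is about.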

I've seen this happen to a former colleague: he complained that when he asked his bank for a new card, he got one with the same PIN number.

Possible explanations:

  • PINs are generated randomly, but stored "in the clear" somehow; when you request a new card it gets primed with the stored PIN
  • A strike of good luck
  • PINs are not random, but depend on the combination (card number + expiration date + holder name). Which would be a MAJOR issue so I'd rather not even think about it.

By saying "in the clear" I mean it's stored in a way that is readable by a machine - it could be an encrypted database with the key stored in a secure location. It does not necessarily mean it's in plaintext on a post-it.

lorenzog

My best guess is that you were actually lucky to get the same PIN. In the end, it's only 4 digits, and 1/10000 chance to get the same one. Miracles happen every day.

To test this, you could open another bank account and do the same. The likelihood of this happening twice will be quite a bit smaller. :-)

  • The likelihood of it happening again, **now that it has happened once already**, will be precisely the same. – Hennes Jul 07 '14 at 18:10

All kinds of PINs, be it TPINs (used for mobile/telecom-based transactions) or FPINs (usually used for e-banking), are generated by HSMs.

HSMs generate PINs by applying cryptographic operations (the details depend on the manufacturer and type of HSM) to the information provided to them, such as the PAN, account numbers etc. In short, a PIN is a compressed form of all the above information enclosed in 4 digits.

To have unique PINs it is necessary to have at least one unique element in the set of information provided to the HSM for this purpose, e.g. the customer's national ID number. But if the PIN is being repeated, it means your bank doesn't have a unique element in the set; they are using information like the PAN, account numbers etc., which are the same for both of you in this case, hence the same PIN.

However, this could be called a configuration mistake, but again it can't be a security flaw, because you always have to change your initial PIN before you can start using that card anyway.

SajjadHashmi
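A toy model of the derivation this answer describes, added here as an example and not code from the original post or from any HSM vendor: a keyed MAC over the account-level fields, decimalised and truncated to 4 digits, produces the same "natural" PIN for every card that shares those fields, and only differs once a per-cardholder field is added to the input set. It goes one step beyond the answer by also showing the classic offset trick, where the bank records only the per-digit difference between a customer-chosen PIN and the natural PIN rather than the PIN itself. The key, field names, PAN and account number are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict

# Hypothetical PIN-generation key. In a real deployment this key lives inside
# the HSM and never leaves it; it is hard-coded here only so the example runs.
PIN_GENERATION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def decimalise(hexdigits: str) -> str:
    """Map hex characters to decimal digits (0-9 unchanged, a-f -> 0-5), in the
    spirit of the decimalisation tables used by classic PIN-generation schemes."""
    table = str.maketrans("abcdef", "012345")
    return hexdigits.lower().translate(table)


def natural_pin(key: bytes, fields: Dict[str, str], digits: int = 4) -> str:
    """Toy 'natural PIN': keyed MAC over the sorted input fields, decimalised
    and truncated. Same key + same fields => same PIN, which is exactly the
    behaviour the answer above attributes to a missing unique input."""
    material = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    mac = hmac.new(key, material, hashlib.sha256).hexdigest()
    return decimalise(mac)[:digits]


def pin_offset(chosen: str, natural: str) -> str:
    """Per-digit offset (mod 10) between a customer-chosen PIN and the natural
    PIN. This is what a bank can store instead of the PIN: on its own it reveals
    nothing without the PIN-generation key."""
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen, natural))


def apply_offset(natural: str, offset: str) -> str:
    """Recombine natural PIN and stored offset to get the customer's PIN back
    (done inside the HSM at verification time, never in application code)."""
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))


if __name__ == "__main__":
    # Constructed sample data; 4111111111111111 is a well-known test PAN.
    account = {"pan": "4111111111111111", "account_no": "12345678"}

    primary = natural_pin(PIN_GENERATION_KEY, account)
    supplementary = natural_pin(PIN_GENERATION_KEY, account)  # same input set
    print("primary card PIN:      ", primary)
    print("supplementary card PIN:", supplementary, "(identical: no per-holder field)")

    per_holder = natural_pin(PIN_GENERATION_KEY, {**account, "holder_id": "ID-77"})
    print("with holder_id field:  ", per_holder)

    chosen = "1234"                      # customer changes the initial PIN
    offset = pin_offset(chosen, primary)
    print("stored offset:         ", offset)
    print("recovered from offset: ", apply_offset(primary, offset))
```

Note that the offset scheme is what makes the "PINs are not in the database" claim in the comments plausible: what sits in the cardholder record is an offset that is only meaningful together with a key that the HSM never exports.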