BofA mails your PIN to the same address as the card it unlocks - scrollinondubs
http://www.scrollinondubs.com/2011/01/25/bofa-pin-security/

======
beoba
I thought this was normal? They'd have two separate mailings sent from two
locations such that they would only meet at the destination's mailbox on
separate days. Then, after receiving the card, it'd have to be activated by
calling an 800 number and giving some information, at which point they might
also force a PIN change.

Also, he worries about the PIN being stored somewhere in plain text. If one-
way hashes were used, anyone obtaining the hash would only need to test it
against 10k possible values to get the original.

~~~
iwwr
Use HMAC and not plain hashes.

~~~
Xk
HMACs verify the integrity of a message; they don't have any use in this
setting.

~~~
iwwr
If the attacker doesn't have the key, he will have to bruteforce the full hash
and not just 9999 values. Or what is the different use here? The root post was
referring to storing hashes and not passwords (better to store HMACs and not
hashes).

~~~
Xk
There is a difference between an HMAC and encrypting a hash, or an HMAC and a
salted hash.

HMAC means Hash based Message Authentication Code.

<http://en.wikipedia.org/wiki/HMAC>

~~~
iwwr
I thought HMAC was equivalent to an encrypted hash.

~~~
Xk
From that link:

HMAC(K,m) = H((K ⊕ opad) ∥ H((K ⊕ ipad) ∥ m)).

~~~
iwwr
Why would HMAC be inappropriate in this case (of storing user credentials)? Is
there a vulnerability?

HMAC(key, password) instead of hash(password) or hash(salt+password)

~~~
Xk
I don't know of any attack. However, my point is just that HMAC means using
hashing for a message authentication code. Encrypting hashes makes more sense
as to what's going on.
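The two points argued above (beoba's "10k possible values" and iwwr's "use HMAC, not plain hashes") can be checked directly. The following is an added example, not code from the linked post or from any bank system; the PIN, salt and keys are constructed locally for the demonstration. It stores a 4-digit PIN three ways (unkeyed SHA-256, salted SHA-256, and HMAC-SHA256 under a secret server key) and runs the same 10,000-candidate search against each.

```python
import hashlib
import hmac
import os
import secrets
from typing import Callable, Optional, Tuple

# Every 4-digit PIN, "0000" .. "9999": the entire search space beoba refers to.
PIN_SPACE = [f"{i:04d}" for i in range(10_000)]


def sha256_store(pin: str) -> bytes:
    """Unkeyed hash: anyone holding the stored value can compute candidates."""
    return hashlib.sha256(pin.encode()).digest()


def salted_store(pin: str, salt: bytes) -> bytes:
    """Salted hash: the salt defeats precomputed tables, but it is stored in the
    same row as the digest, so a leaked record still yields a 10k-try search."""
    return hashlib.sha256(salt + pin.encode()).digest()


def keyed_store(pin: str, key: bytes) -> bytes:
    """HMAC-SHA256 under a key that is NOT in the PIN table (assumed to live in
    an HSM or separate key store). Without the key, candidates cannot be computed."""
    return hmac.new(key, pin.encode(), hashlib.sha256).digest()


def verify_keyed(pin: str, key: bytes, stored: bytes) -> bool:
    """Constant-time check used by the legitimate verifier (the bank)."""
    return hmac.compare_digest(keyed_store(pin, key), stored)


def brute_force(stored: bytes, compute: Callable[[str], bytes]) -> Tuple[Optional[str], int]:
    """Try every 4-digit PIN through `compute` and compare with the stored value.
    Returns (recovered_pin, attempts); (None, 10000) means the search failed."""
    for attempts, candidate in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(compute(candidate), stored):
            return candidate, attempts
    return None, len(PIN_SPACE)


def demo(pin: str = "4721") -> dict:
    """Store one constructed PIN three ways and attack each with brute_force().

    Assumptions (not from the page): the attacker has the stolen table row
    (digest plus salt) but not the server key, and guesses a random key instead."""
    salt = os.urandom(16)
    server_key = secrets.token_bytes(32)    # kept out of the database
    attacker_key = secrets.token_bytes(32)  # attacker's guess; wrong with overwhelming probability

    plain = sha256_store(pin)
    salted = salted_store(pin, salt)
    keyed = keyed_store(pin, server_key)

    return {
        # Unkeyed: recovered on try #4722 (index of "4721" plus one).
        "plain": brute_force(plain, sha256_store),
        # Salted: the salt leaked with the row, so the search cost is unchanged.
        "salted": brute_force(salted, lambda c: salted_store(c, salt)),
        # Keyed, attacker lacks the key: all 10,000 candidates fail.
        "keyed_no_key": brute_force(keyed, lambda c: keyed_store(c, attacker_key)),
        # Keyed, but the key holder (the bank) runs the same loop: PIN recovered.
        "keyed_with_key": brute_force(keyed, lambda c: keyed_store(c, server_key)),
        # Normal verification path still works for the legitimate party.
        "verify": verify_keyed(pin, server_key, keyed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

Two things the run makes concrete. First, salting does nothing against a 4-digit space once the row has leaked, because the salt leaks with it; only a secret that is not in the table changes the attacker's cost. Second, the `keyed_with_key` result shows the flip side of iwwr's suggestion: a keyed hash of a 4-digit PIN is trivially reversible by whoever holds the key, so for PINs it is not meaningfully different from the reversible encrypted storage dedward describes further down. Either way the real control is where that key lives and who can ask it questions, which is why verification of this kind is normally done inside an HSM rather than in application code.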

------
d2viant
Where else would you like them to send it?

~~~
baggachipz
Yeah, good question. Guys, not _everything_ that B of A does is evil, just
sayin'.

Next hyperbolic headline: B OF A TRACKS YOUR ACCOUNT BALANCE AND RECORDS EVERY
PURCHASE!

~~~
cryptoz
To take this joke and place it right back into reality:

Holy fuck, if a bank were to actually track _every_ purchase I make, I'd freak
out and switch banks. I always keep a bit of cash on hand so I have the
freedom of buying something that isn't tracked by anyone. It's nice to be able
to buy a beer without your bank knowing about it, you know?

I really really hope no bank ever tries to pull anything like that. Even
those of you who use cards for everything must appreciate the _idea_ that
you're able to buy things without your bank knowing what you bought, or even
that you bought anything at all?

~~~
baggachipz
I actually use cash as often as possible, but not out of paranoia or privacy
concerns. You can't avoid being a drop in the sea of data collected nowadays,
and it's awfully self-centered to think that a for-profit corporation gives a
rat's ass that you bought a beer. Using that information to determine my
insurance premium? Yeah, that would be a problem.

I tend to use cash simply because I'd rather have more of the money I spend go
to the actual retailer (especially if it's a small business) than the bank. As
a former retail business owner, I know how oppressive transaction fees are...
yes, even debit card purchases.

------
isleyaardvark
His real problem seems to be they sent him his PIN when he didn't ask for it.

As for sending the PIN in the mail, sometimes people forget their PIN. He
lists three forms of communication he claims are more secure: voice, fax &
inbox on the https site. Banks can more easily verify the mailing address
because it's easier. At least with that you've got a mailman checking that the
name matches the address. I realize that's not foolproof, but what is? It's
easier than trying to verify a phone or fax number actually belongs to the
right person. And with https, not everyone owns a computer, but it's rare for
a bank to open an account for someone without a fixed address. Even when
account statements are sent to a P.O. Box, they generally ask for a physical
address for their records.

All three can be secure if there's proper authentication, but again, if he
didn't need or ask for it in the first place then that's the real problem.

Edit: another problem with voice is that the bank employee on the other end of
the line has to be able to see the plaintext PIN to speak it. Banks I have
worked at strictly limited the number of people with access to that info, you
couldn't just walk up to a teller and have them look up your PIN, for example.

------
dedward
Re: Stored hashes - they can be stored encrypted while the company can still
retain the ability to decrypt them. This is how you store credit card numbers.

They may have generated a new PIN and it just happened to be his old one?
Could be.

Do they send it registered mail? What would happen if someone did get to your
mail before you - could they use the card? What would the bank do when
informed of it?

Whether or not it's bad for you, the consumer, depends on all these things.

------
corin_
Agreed that it's not the best solution, but it is what every bank (at least
here in the UK, and from the sounds of it, in America too) does.

As to storing the PIN in plaintext, that's not even the bank's decision, a
single bank can't decide to go against the entire chip+pin system.

Side question: AFAIK, chip+pin is far less common in America than in
UK/Europe, with many people still using magnetic+signature. Am I out of date,
or is this still the case?

~~~
Zaak
I live in the US, and I don't think I've ever seen a chip+pin card.

Most stores will take ATM/debit cards (using PIN) as an alternative to credit
cards (using signature), but the ATM/debit cards use magnetic stripe like the
credit cards.

------
trustfundbaby
I initially rolled my eyes at the rant, but he does make some good points.

I've never thought about it before, but a bank really has no reason to send
your PIN number to you in print, or store it in a form that they could access.

Or do they?

------
drgath
Every bank I've ever had has done this.

------
Khao
It's nice to see an example of real life security holes instead of software
security holes

~~~
niels_olson
I don't know. It's basically software with a sneakernet last hop and mtr would
take _forever_! If by "real life" security, you mean "physical" security, I
don't see any physical security issue. Even in the military, this sort of
stuff would be handled by crypto guys, not masters-at-arms. As far as physical
security of the mail, FWIW, you can ship Top Secret through the US Mail. Just
double-envelope it and send it registered.

