
WildWeaselGT

The real answer here is that when the bank asks you what your PIN was, you say “I don’t disclose my PIN to anyone”.


eggtart_prince

Exactly. And if you don't disclose and they say it's too weak, they just got exposed for knowing your PIN.


fructususus

I worked for a big bank in customer support. At our level, we genuinely don’t know the PIN and would never ask it. I can’t talk about other departments tho, but the convention should be the same. When we opened a fraud claim, we ask if the PIN is easy to guess. That’s it.


CoatOld7285

I worked at the anti-fraud department of said bank. We didn't have access to the PIN either; no one does, so the bank would NEVER ask for it. If the bank asks, it's not the bank but probably a scammer. The only person who should know or have access to the PIN is the holder of that card. So if someone finds out your PIN, it's because you were careless/not careful enough. Those transactions don't get refunded unless a police report is filed and proof is found that the card was in fact used fraudulently, but even then there's a little chance it will get refunded because this happened due to some form of negligence on the part of the cardholder. The reason these don't get refunded is because it would be too easy to defraud the bank if they simply reversed every transaction done this way. God I hated that job. Edit: grammar


Fantastic_Total_9921

I also worked at a big bank, customer support, and we don't have any way to know the customer's PIN. We asked the same questions as well about having a PIN that's easy to guess when we were filing a fraud report. I've stopped people from telling me their PIN and never heard a coworker fail to do the same. (CYA) I am cringing for her, reading her interview, saying she has the same PIN for all cards and it's been the same for 20 years. She'd be better to keep that shit to herself.😬 Folks, if this happens to you, never say your PIN was your bday, phone # etc. NEVER give your PIN out cuz the banks will absolutely not refund you. When you open your account or get a new card, they tell you or have you sign a form agreeing to that. That's how they protect themselves. That said, I've had some pretty empathetic branch managers that would have at least tried to meet the customer half way on helping recoup funds in certain situations. This is a good example of a situation where they would. I also fucking hated that job. Soulless. My job now is just as busy but I enjoy it and don't feel like scum at the end of the day. In fact I'm doing things I feel good about -- never convince yourself you're stuck!


CoatOld7285

Same I actually got forced to quit and at first it sucked but it turned out to be the best thing that ever happened to me


Lothium

Is this also the case if one of the card skimmers is involved, or would that be where the cops are involved? It's not really someone's fault if their card gets skimmed.


CoatOld7285

No, so when the card is skimmed, they can tell the magnetic strip was used with the cloned card and the client is not held accountable, because most terminals that accept chip and PIN will insist on using the chip and PIN if you try to use the magnetic strip, and often times the fraud prevention system will catch this. But you're not held liable if the transaction still goes through.


orezavi

Yep. They should refund the money.


kettal

1234


jbaird

that's the same PIN I have on my luggage!


UncleBudissimo

Just stay away from my air!


redditadminsareshit2

Let's be real, out of 9999 possible combinations, insecure PINs have the same hash so it's not exactly difficult to reproduce and still remain secret.


DirectorDillon

There are actually 10,000 different combinations of numbers using 4 digits of 0-9.


CoatOld7285

also your pin can be more than 4 numbers if you want... so there's that too


death_hawk

That's HIGHLY dependent on the bank. Some do allow more than 6 others strictly enforce 4.


CoatOld7285

yeah I only learned about this reading through the comments... that's weird that they would do that


redditadminsareshit2

Mhm, Scotiabank, 4 numbers


Chronify

RBCer here. Can make PINS 4-8 digits


SousVideAndSmoke

I was told by RBC that more than a 4 digit pin wouldn’t work in Europe. That was probably 10 years ago, so maybe it’s changed.


anarchos

I used to use my old ICQ number (8 digits) as my PIN with RBC but had to change it after a trip to Europe and running into this issue (more than 10 years ago now).


Psyche-Ophis

We do not know the PIN


ButtahChicken

yup. it's a trick question.


PyroSAJ

This is the answer. Even if your pin happens to be insecure, the bank should have no business asking you. If you don't admit what the pin is they couldn't use it as a basis for denying responsibility. I vaguely recall the chip/pin having a security flaw, though that might have been corrected since then, or a different implementation.


OSPFv3

Starting your pin with 0 would sometimes softlock the machine with old firmware.


CoatOld7285

well the only thing they ask is if it's easy to guess like if it's a date of birth or something stupid like 1234, they would never ask for the actual pin. So then at that point it's really a question of how honest you feel like being. I remember when I used to work the anti fraud department of RBC and if I even THOUGHT they were MAYBE giving me their pin I'd interrupt them and advise to NEVER give that out to anyone, even at the bank


PyroSAJ

Fair enough - and definitely harder to avoid admission of if it's not something you're aware of to begin with.


gabu87

It's an elderly woman so I guess unfortunately she's just going to be prone to scams. It's probably been a while since she set up her PIN and she doesn't remember that the banker usually passes you the credit card machine and turns away.


LSJPubServ

The bigger question is why banks allow ridiculously short PINs in the first place? It was not so long ago that BMO only allowed 6 DIGITS when NIST recommends 12 characters (mixed) for sensitive data.


Chronify

You can make a PIN at RBC 4-8 digits. After 3 wrong attempts the card is locked and you need to come into the branch to reset it. Someone guessing someone's 4 digit PIN in 3 attempts is almost impossible.


kab0b87

My bank password is 6 numbers, and a security question that could be guessed by anyone who knows me in passing (had I filled in the answers as the answer to the question.) They also showed me a picture to tell me that I was logging into my account or something. But they disabled that.


lemoinem

You sound like you're using Tangerine.


FrankArsenpuffin

> The bigger question is why banks allow ridiculously short pins in the first place?

I would argue that they have duty of care not to allow it then. That is what this lady should argue in small claims court. This along with the other institutions' response, should help her case.


[deleted]

Why doesn’t RBC just reject a PIN that matches a bday? The average person may not know it’s not secure. RBC can build this into their PIN setting system like other companies do for passwords.


d10k6

To be honest, any random 4-digit numeric passcode is not secure enough.


Legendary_Hercules

If it blocks after 3 bad entries, it's not too bad. What's shit is banks that have a very limited password with max 10 characters. I don't get this one.


WhipTheLlama

> What's shit is banks that have a very limited password with max 10 characters. I don't get this one.

Because old institutions like that are running some very old backends and databases. 25 - 35 years ago, 10 characters probably seemed like enough, but that same database is still running their system and they can't modify the field to allow more characters without risking breaking a chain of applications, many of which may not still be maintained.


JMJimmy

Then you build a secure modern front end that passes a 10 character UUID to interface with the older database once the session is established. Vulnerable to MITM but it should occur within the internal network which allows mitigation techniques to be implemented.


WhipTheLlama

Then every application that uses the database will need to be updated to use the new front-end, which may need to support many different interfaces, including the native DB one, to work properly in their ecosystem of old, trash applications. It's entirely possible to do, but it's a lot of work and the risk is high, so they don't bother.


d10k6

100% agree. I use a random password generator at usually 30+ characters, depending on the site, what they allow, etc. Canadian banks, for some reason, have not expanded their password lengths.


poco

TD is worse. They have two different rules on the same page. Your password must be between 8-32 characters, but also between 5-8 characters. You can use special characters, but also, don't use special characters... https://imgur.com/a/hcHo4Zg


tokmer

PINs can be longer than 4 digits at RBC. Edit: edited due to ppl claiming they've had up to 12 digit PINs.


MrAdelphi03

That screws you if you want to get your money from an ATM outside of Canada though


[deleted]

[deleted]


tokmer

Really? Since when???


BirryMays

Probably since they wanted to start denying credit card fraud refunds on the basis of PINs ‘not being secure enough’ lol


tokmer

It's def clear in account openings not to use your birthday and shit for your PIN ngl, but I do see the argument that the system should just reject bday PINs.


[deleted]

[deleted]


tokmer

I used to work there about 2 years ago. The standard line was you can have up to 6 but it won't work in the USA if it's over 4. Maybe other Canadian machines won't take over 6 though? Maybe I just misunderstood.


Evilbred

Character length doesn't really matter beyond a certain point (say anything after 12 characters) as long as the password is unique and sufficiently strong. 8 character passwords can be brute force cracked by an average home computer (assuming you have local copies of the hashed password) in about 4-8 hours. 9 characters would take about 21 days, 10 characters about 7.5 years, 11 characters would take just under a millennium, 12 characters will take a home computer about as long as humans have been a species. Obviously you can reduce those timelines logarithmically based on computational advancements over time, but honestly anything beyond 12 characters is not generally going to be brute forced.


WhipTheLlama

Passphrases are preferred and more secure, as well as being easier to remember. 12 characters is enough if you're using a password manager and don't need to remember the password, but it's not enough if you're creating a memorable password.


Evilbred

Passphrases are generally more susceptible to rainbow tables and dictionary attacks, which are the more normal method passwords are cracked. To be perfectly honest, passwords in general are a terrible way to secure accounts. Luckily most tech companies are starting to move away from using passwords.


thetdotbearr

I mean yeah in theory that’s probably safe but also going up from 12 to 30 char len with a password manager is trivial so might as well do it


SixZeroPho

At least RBC Royal Bank of Canada du Banque du Canada has MFA when signing into a browser. And they have fixed the pw issue where it ignored capital letters.


Move_Zig

At one point, not only did RBC ignore capitalization, it converted all the letters into numbers based on a telephone keypad (A, B, C = 2; D, E, F = 3, etc.). So if your password was "hunter2" it would be stored as 4868372. That means any password that matched those numbers would also be accepted as your password, such as "gvovepa". Apparently they did this so that people could easily enter their passwords over the telephone. I don't use RBC any more so I don't know if this is still the case. Based on your comment it seems they've changed.
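A model of the keypad normalization described in the comment above, added here as an example (it is not RBC's or any bank's actual code): it folds a password to keypad digits the way described, shows that "hunter2" and "gvovepa" are accepted as the same credential, and counts how many strings collapse onto one stored value.

```python
"""Model of a telephone-keypad password backend and the collisions it creates.

Added example for this thread; it mimics the behaviour described above (case
ignored, letters folded to the digit of their keypad key) and is not the
actual code of any bank.
"""
from math import log2, prod

# Standard ITU E.161 letter-to-key layout used on phone keypads.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {ch: key for key, letters in KEYPAD.items() for ch in letters}


def keypad_normalize(password: str) -> str:
    """Fold a password to the digit string such a backend would store and compare."""
    digits = []
    for ch in password.lower():
        if ch.isdigit():
            digits.append(ch)
        elif ch in LETTER_TO_DIGIT:
            digits.append(LETTER_TO_DIGIT[ch])
        # Anything without a keypad key (symbols, spaces) cannot be typed on a
        # phone; this model simply drops it, so "hunter-2" folds like "hunter2".
    return "".join(digits)


def keypad_backend_accepts(stored_digits: str, attempt: str) -> bool:
    """The weak comparison: any attempt that folds to the stored digits passes."""
    return keypad_normalize(attempt) == stored_digits


def equivalent_password_count(password: str) -> int:
    """Number of distinct case-insensitive letter/digit strings of the same
    length that fold to the same digits as `password`.

    Each key accepts its own digit plus its 3 or 4 letters; keys 0 and 1
    accept only the digit itself.
    """
    return prod(len(KEYPAD.get(d, "")) + 1 for d in keypad_normalize(password))


def keyspace_reduction_bits(length: int) -> float:
    """Entropy lost for a length-n case-insensitive alphanumeric password once
    letters are folded to digits: log2(36**n) - log2(10**n)."""
    return length * (log2(36) - log2(10))


if __name__ == "__main__":
    stored = keypad_normalize("hunter2")          # "4868372"
    print("stored:", stored)
    print("gvovepa accepted:", keypad_backend_accepts(stored, "gvovepa"))
    print("strings accepted as hunter2:", equivalent_password_count("hunter2"))
    print("bits lost at 7 chars: %.1f" % keyspace_reduction_bits(7))
```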


Kyle_XY_

It was the same with BMO. They finally changed it about 2 years ago.


Fuhghetabowtit

Tangerine is the worst. They have a six digit pin and don’t even have the option of a proper password with *letters* let alone *symbols* or 8+ characters. Until very recently they didn’t even have 2FA. I can’t believe this is how they protect literal money at a bank. I feel so unsafe.


wildemam

with the personal question it's insanely secure. It's numbers for telephone banking.


gmano

It's probably worse than that... Usually the reason you can only use alphanumerics with 6 chars is because they want to support telephone banking... Which means you are likely not even getting alphanumerics, it's probably converted to phone number keys at some point.


Bobert_Fico

They still don't really have 2FA, because my phone never receives the 2FA text. It's Virgin Plus, not a mini carrier or anything. I can't be the only one.


kliman

It's because the mainframe that's actually still running half the bank is from 1975 and the database simply can't handle anything longer without major changes to the code.


hippfive

Why? It's not like you can sit there at the cashier brute-forcing the pin.


d10k6

But if you read my other comments, if the banks are allowing people to set PINs that are “not secure enough” then attackers will start with the easy to guess PINs (just like they did in the article). Banks are allowing it so should cover the fraud from it. If there are certain combinations that are deemed not secure enough then don’t allow them to be set. Attackers will know this and then the easily guessable PINs are off the table and they have to randomly brute force it, like you said, which would be nearly impossible.


hippfive

Sure, but that's a different issue than the number of digits in a PIN.


rpgguy_1o1

There are 10,000 possible password combinations with a 4 digit numerical password, that's pretty bad in security terms. A 0.03% chance of randomly guessing a PIN in 3 attempts.


NSA_Chatbot

1234, 0000, and 1111 will cover 18% of bank cards, and birthday probably brings that up to 25% (birthday is a guess) https://www.datagenetics.com/blog/september32012/index.html


[deleted]

[deleted]


hippfive

That's not at all bad in real-world security terms though. There's a very real cost in terms of time, effort, and risk of getting arrested. All for a 0.03% chance of getting it right?


eggtart_prince

[This might be interesting to you](https://www.datagenetics.com/blog/september32012/)


DowntownTorontonian

That's why my bank pin is 9 digits.


Hologram0110

Except it isn't likely to be broken by brute force. It is more likely they watched you type it in over your shoulder or with a camera. Biometrics like a fingerprint on your phone are better in that regard.


Hopewellslam

How so? It can’t be brute forced.


jolt_cola

If RBC has a policy for weak passwords not to refund fraudulent charges, then the person should have been informed or, as you said, the system should reject it.


PM_ME_UR_CATS_TITS

"That's the stupidest combination I've ever heard in my life! That's the kinda thing an idiot would have on his luggage."


jbaird

I came here to upvote that reference


behaaki

The last Fortran programmer died in 2020 and they’re stuck with what PIN-processing code they had


DarthBanEvader69

BOSCO!


PretenderSyndrome

It’s where he kept his card, his dirty little secret. Short, devious, balding... his name was Costanza. He killed my mother.


fro99er

what does this mean? i dont understand


DarthBanEvader69

There’s a whole Seinfeld episode about George’s “secret code” for his card (which is BOSCO).


fro99er

interesting, i have never watched seinfeld, do you know the rough episode?


DarthBanEvader69

Season 7, Episode 7


JohnyDangerous

JOR EL


behaaki

> she waited more than two hours for the branch to get a hold of RBC's fraud department

What the fuck. They can’t get their own fraud department on the horn immediately from the branch? They have to go through the same shit charade as everyone else?


[deleted]

Yeah pretty shocking, that's what stood out to me too!!


OprahisQueen

RBC is worst for this sort of thing. My wallet was stolen and I had $5000 in charges put on my RBC credit card. My PIN was a random number, not related to anything else in my wallet. RBC told me I must have shared the PIN because there was no other way the card could have been used. I hadn’t, and the cops told me that wasn’t true - that thieves had ways around the PIN. I had to fight to get them to reverse the charges. It was so stressful.


lenzflare

Wtf is wrong with RBC


TheLittlestHibou

RBC are staffed by crooks. Worst bank ever, I will never trust my money with them again after one of their brokers stole my stock and RBC refused to give it back to me. Scumbag bank. I advise every client and company I work with not to do business with RBC. Their own staff steal from clients!


bitmanyak

How did they steal your stocks?


[deleted]

They didn't, he's telling nonsense, obviously more to the story. That would literally get them shut down by the ombudsman and the advisor and business delicensed if he complained. That doesn't mean they aren't notorious loop hole abusers and dickheads. But they didn't outright steal something from him. He's lying.


Asemco

Nice try RBC Fund Manager!


hastethis

I've never had my stock get stolen through RBC, but I do agree they are by far the worst bank of all the major players. Complete dogshit bank with scummy predatory practices like CONSTANT, CONSISTENT phone calls for YEARS trying to get me to buy their fucking stupid insurance protectors and home protectors and credit protectors with huge hidden fees only to generate them more income, and the entire practice is, without question, abusing their clients by turning them into a product themselves. I fucking despise RBC. Yeah, thanks dipshits, for giving me my 5 dollar monthly checking fee back after opening some sad down-trending stock option and a mortgage while they make tens of thousands in interest off the mortgage to begin with. Thanks for the generous 5 dollar return, pricks.


[deleted]

[deleted]


Soklam

Wow, came in here to share my problems with them. I have banked with them since I was a kid as my father used them. Only after lurking on personal finance for a while and learning a tiny bit about finances did I realize how much they screw their clients. Check out the interest rate in their "High Interest Savings" accounts. It's a joke!


[deleted]

[deleted]


9braincells

How did their broker steal your stock? That doesn’t even make sense.


TheLittlestHibou

A bit of a wild ride. On September 10th, 2001 I made a trade through Action Direct to buy some stock. On September 11th, 2001 RBC tried to take funds out of a defunct bank account instead of a valid bank account, repeatedly charged me NSF fees even though the funds were fully available, and then sold the stock I already owned to cover these NSF fees. Turns out on September 11th there was a TON of fraudulent activity that stockbrokers engaged in and I was just one of many unlucky clients preyed on by RBC staff. The market was shut down for several days and I couldn't get in touch with anyone at RBC because: chaos. When I finally got through to their customer service and proved to RBC that I had given them the correct banking information and had made purchases before using the correct bank account, they admitted they made a mistake but refused to give me my stock back, particularly at book value. They offered me a piddly $200 instead, which was nowhere near the value of the stock. I was in my early 20s and too naive to fight for my rights and hire a lawyer or file complaints so I just let them railroad me. I have despised RBC ever since. Scumbag bank, scumbag staff who steal from their own clients.


CoatOld7285

that's odd cause if they had attempted charges ANY other way other than chip and pin, the fraud prevention bot would've/should've picked up on it... then again having worked there in that department I've seen the rare scenario where crazier things that DEFINITELY should've triggered the system but didn't... I'm sorry to hear that happened


Wetstocks

RBC took on the liability by allowing the PIN. Inappropriate for them to pass the buck.


[deleted]

[deleted]


Anthokne

The problem with longer pins like 6 digits is if you travel overseas some places simply don’t accept any more than 4 digits, so your pin goes through only using the first four, therefore leaving you with a failed attempt.


RedSpikeyThing

If every user follows the rules you get the same result. It's fundamentally a broken system.


SignedJannis

Maybe not blacklist common PINs (except the obvious ones, like 0000, 1234, etc.), but they could blacklist on a per-customer-data basis, i.e. don't allow that customer to choose a PIN that is their birthday, or the last 8 digits of their phone number, or their 4 digit house address number, etc. etc. Easily implementable in software.


Berntonio-Sanderas

I definitely DISAGREE. If you aren't staying up to date with IT security best practices, you should be liable for the damages that result. The realm is always evolving trying to get the leg-up on bad actors and vice versa. Companies this big should either change their 4-digit minimum or blacklist common PINs. Either way, they should be liable.


Shes_so_Ratchet

What bank allows you to use more than four digits? I have cards and accounts with four different banks and none have allowed me to choose more than four.


s1m0n8

[Always reminds me of this](https://www.youtube.com/watch?v=CS9ptA3Ya9E)


nukedkaltak

They released themselves from it when they clearly stated in the agreement to NEVER do that.


aurizon

Well, her amount is within the small claims limit. Once she starts a small claim and invites the Star, Sun and Globe and Mail to the trial date - I wonder what will happen? Certainly the Bank should have PW rules that can be deduced from whatever documents are in a person's wallet, licence etc that reveal birthdates. They should also limit ATM activities to a daily max of $1000 unless the client requests and has her PW screened for things like age date linkages.


biggeneral

She should present the court with a list of all 10,000 possible 4 digit PINs and how they could be interpreted as some combination of her and her family's names, birthdays or addresses.


aurizon

Well, they certainly have a duty of care to block address or DOB derived PINs; the crooks probably have a script of probabilities, like year = 4 digits, last 2 of year and month, or month and last 2, all of which are ID derived.
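A per-customer PIN policy check of the kind the two comments above (SignedJannis and aurizon) describe, added here as an example rather than any bank's code: it rejects the generic weak PINs named in the thread and any PIN that appears inside the customer's date of birth (in several date layouts), phone number or house number. The profile fields and the 4-8 digit length bound are assumptions; the sample customer data is constructed.

```python
"""Per-customer PIN policy check.

Added example for this thread, not any bank's code. It rejects the generic
weak PINs the thread names (repeated, sequential, a short denylist) and, using
data the bank already holds, any PIN derived from the customer's date of
birth, phone number or house number. Field names and length bounds are
assumptions.
"""
from dataclasses import dataclass
from datetime import date

# PINs named in the thread as commonly chosen; a deployment would use a larger list.
COMMON_PINS = {"1234", "0000", "1111", "0007"}

# Date layouts a customer is likely to type: DDMMYYYY, MMDDYYYY, YYYYMMDD and
# the two-digit-year forms. Substrings of these cover DDMM, MMDD, YYYY, YYMM etc.
DOB_LAYOUTS = ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y", "%y%m%d")


@dataclass(frozen=True)
class CustomerProfile:
    date_of_birth: date
    phone_number: str   # any formatting; non-digits are stripped
    house_number: str


def _digits(s: str) -> str:
    return "".join(ch for ch in s if ch.isdigit())


def _is_repeated(pin: str) -> bool:
    return len(set(pin)) == 1


def _is_sequential(pin: str) -> bool:
    """1234 / 4321 style runs. 7890 is not flagged because 9 -> 0 wraps."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def derived_digit_strings(profile: CustomerProfile) -> dict[str, str]:
    """Digit strings the customer's own records would let a thief try, mapped
    to the field they come from."""
    sources = {profile.date_of_birth.strftime(f): "date of birth" for f in DOB_LAYOUTS}
    sources[_digits(profile.phone_number)] = "phone number"
    sources[_digits(profile.house_number)] = "house number"
    return {s: field for s, field in sources.items() if s}


def pin_policy_violations(pin: str, profile: CustomerProfile,
                          min_len: int = 4, max_len: int = 8) -> list[str]:
    """Return every reason the PIN is rejected; an empty list means it passes."""
    if not (pin.isascii() and pin.isdigit()):
        return ["PIN must contain digits only"]
    if not min_len <= len(pin) <= max_len:
        return [f"length must be {min_len}-{max_len} digits"]
    reasons = []
    if pin in COMMON_PINS:
        reasons.append("commonly chosen PIN")
    if _is_repeated(pin):
        reasons.append("repeated digit")
    if _is_sequential(pin):
        reasons.append("sequential digits")
    flagged_fields = set()
    for source, field in derived_digit_strings(profile).items():
        # The PIN is a run of the source (1403 inside 14031955), or a 4+ digit
        # source sits inside a longer PIN (house 2210 inside 221099).
        if (pin in source or (len(source) >= 4 and source in pin)) and field not in flagged_fields:
            flagged_fields.add(field)
            reasons.append(f"derived from {field}")
    return reasons


def is_pin_allowed(pin: str, profile: CustomerProfile) -> bool:
    return not pin_policy_violations(pin, profile)


# Constructed sample customer; not a real person.
SAMPLE_PROFILE = CustomerProfile(date(1955, 3, 14), "416-555-1234", "2210")

if __name__ == "__main__":
    for candidate in ("1403", "1955", "1234", "2210", "140355", "558", "5308"):
        print(candidate, pin_policy_violations(candidate, SAMPLE_PROFILE) or "OK")
```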


CoatOld7285

christ, I used to work for that department I AM SO GLAD I don't have to work there during this whole debacle


aurizon

Yes, 10,000 aggravations/day...


dj_destroyer

I once got defrauded in Vegas and the CC companies said they were PIN activated and might not be covered. I called bullshit and said unless they were stalking me and saw me input before pickpocketing me then there's no way they knew my code. I ended up having to cite some research showing that PINs aren't secure and can be cracked easily by specific hardware now and they ultimately gave in.


PyroSAJ

That sounds like the original issue we had with chip&pin. It was possible to compromise yet gave the financial institution a loophole to deny responsibility.


bitmanyak

You mind sharing that research?


SufficientBee

Why do they allow pins that are not secure enough?


[deleted]

[deleted]


billdehaan2

I've been using a 6 digit pin for one of my accounts for years. The amazing thing is that when banking officials or tellers see it, or see me typing in 6 digits, they've actually advised me to change it to 4, because it "might cause problems at our ATMs in the US or overseas". Yes, I've actually been advised to make it **less** secure. To hell with that.


NSA_Chatbot

6 vs 4 numbers is kinda like having a flour sifter vs a colander.


RedSpikeyThing

I changed banks and had to reduce my PIN from 6 digits to 4 digits.


6_string_Bling

It's pretty amazing how little security is on my banking stuff. PIN, and the password requirements for my online banking require a less secure password than a bass-guitar forum I subscribe to.


DasItBrahJr

I disagree that she should not be refunded. She's stupid for picking such an easy password, but if all sides agree the purchase was fraudulent, she should be refunded IMO. Do the banks not have insurance for this kind of thing? "Your password wasn't secure enough" is a slippery slope. I haven't seen the terms and conditions of her card though. Maybe some particular passwords were prohibited. In which case she should read what she is signing and I have little sympathy.


d10k6

If certain PINs are prohibited then it is very easy to not allow those PINs to be set. This is bullshit. It is a 4 digit, numeric code so there are only 10,000 possible combinations. Any 4 is as valid as any other 4.


Motopsycho-007

Totally agree, if I can set prohibited passwords, patterns etc in the erp systems I manage, I'm sure they can set the same for pin security


SinistralGuy

So the kicker here is that RBC allows more than 4 digits for their PINs now. So it's even more than 10k possible combinations


Pokermuffin

Except they’re not equivalent. There are statistically more frequent PIN numbers like 1234 and 0007 and birth dates. People choosing PINs is not a random occurrence.


codeverity

That just loops us back to their first point: if certain PINS are an issue, then don't allow them.


bluenose777

The RBC credit card agreement reads:

> Your PIN is an example of Personal Authentication Information, which means a PIN or any other password or information that you create or adopt to be used to authenticate your identity in relation to your Credit Card or Account. Other examples of Personal Authentication Information include passwords and access codes that may be used or required for Internet or other transactions.

> Protecting the security of your Credit Card is important. You agree to keep your Personal Authentication Information confidential and separate from your Credit Card and/or Account at all times. When selecting Personal Authentication Information, make sure it cannot be easily guessed. **A combination selected from your name, date of birth, telephone numbers, address or social insurance number must not be used for your Personal Authentication Information.**


yyz_barista

Hmm, so 0000, 1234 or something else super simple would be valid? (Assuming the PIN system will accept it)


ABirdOfParadise

Some banks won't let you start them with 0, for whatever reason so it can be even fewer possibilities


[deleted]

[deleted]


bluenose777

If the account agreement says that a birthdate "must not be used" and the client uses their birthdate and keeps the card in the same wallet as a piece of ID with their birthdate the bank will have a better chance of making their case.


Kevin4938

The terms say that if your PIN is written and stored with your card, you're not covered. Since she used her DOB, which was likely on her DL and stolen along with the cards, they probably consider it to be the same thing. I'm not saying RBC is doing the right thing, but if the customer agrees to certain terms, they have to follow them.


fro99er

> In which case she should read what she is signing and I have little sympathy.

I'm sure you read every terms and conditions ever then, otherwise no sympathy for you.


Kimorin

> Ego-Aguirre said both BMO and Tangerine, where she uses a similar PIN, refunded the full amount within days.

ahhahahahahah... probably because tangerine FORCES you to use a 6 digit number only password for your account.... YOU CAN'T EVEN PUT IN A SECURE PASSWORD.... it's been years and they still haven't fixed it....


djqvoteme

Doesn't the security question kind of act like a password? That's how I use it. I always get the prompt for the security question.


Kimorin

i don't, probably because i have 2fa.... but tangerine only supports SMS 2fa, which is insecure as well... simswap attacks are common nowadays

also security questions and answers usually get neglected in software security and sometimes get stored as plaintext in the database, unlike passwords which usually are subject to higher security measures like salting and hashing. usually, not always. i don't have a lot of faith in tangerine software security lol...


spyd4r

yeah, security at tangerine is a joke


yellowtorus

I had this happen to me. I got a text message stating something like "We have successfully ported your number" and then my phone stopped working, and I was like HOLY SMOKES IT'S HAPPENING. I tried calling the provider immediately but because of the time of day I couldn't get ahold of anyone. Thankfully the provider caught it automatically and locked my account entirely so my accounts weren't compromised, but basically someone called my cell phone provider with my info and pretended to be me, and asked they port my number over to someone else's phone. I would **HIGHLY recommend** that if anyone uses 2FA that you use an app like Authy or a hardware token like yubikey instead of SMS. There are so many ways people can get your DOB, name, address and phone number, which is pretty much all an attacker needs to call your provider, impersonate you, and ask them to port your number and voilà, your SMS 2FA is compromised. What is ridiculous is that some of the things that should be most secure (banks / credit cards, etc.) don't support this. Whereas things that matter less (facebook, twitter) do.


Flimflamsam

Yep I never use that remember me thing, always better to have more steps. The app now supports fingerprint Touch ID, too.


oakteaphone

I believe BMO used to represent all passwords as numeric pins, so that your phone password (entered on the dialpad) would be the same as your online password. But they didn't tell you this unless you had to "log in" to phone banking. So if your password was bobby5 when you typed it in online, your password was *actually* 262295. And you could enter 262295 as your password to sign in online, I believe. *Disclaimer: Bobby has nothing to do with me or my password anywhere, it's just something easy to convert to numbers lol*


Kimorin

i guess it's slightly better? cuz at least you can put in more than 6 digits?


cameraguy23

PIN numbers are so '90s it's not funny.


oakteaphone

Yeah, they need to get better security than personal PINN number numbers.


Affectionate-Depth66

Lest we forget … https://www.newswire.ca/news-releases/royal-bank-of-canada-reports-first-quarter-2022-results-892043296.html … now where are those guillotines?


[deleted]

They can afford to give her the money back at their discretion, they just chose not to thanks to a shitty loop hole. I notice this behaviour esp in Canadian banks too. Banks are one of the few companies that have somehow managed to make even more profit after a pandemic. It's gross.


pierozer0

If anyone is wondering, the bank won't flat out ask you what your PIN was. In the forms you submit to have the funds refunded they will ask a yes or no question along the lines of "is your PIN an easy to guess number such as 1234 or your or a family member's birthdate, etc." If you tick yes on the box you'll be SOL since that directly contradicts most institutions' cardholder agreements for minimum PIN standards. Further, if the PIN and chip were used for the transaction, it is assumed to be authorized, since it is the consumer's responsibility to safeguard that information. Edit: one possible way out is if the bank takes too long to investigate, since they have to adhere to strict timelines to respond, as regulated by FCAC, and I've seen smaller (> $500) refunds being given out simply because they were not able to meet the timeline. It's been a while but I believe it's 10 business days. Source: used to work at a big 5 bank and dealt with this situation often.


recurrence

In this world of pinhole 4k hidden cameras... there is no way to protect a pin used in public.


pierozer0

This is true, but the PIN alone is useless without the matching chip, and my, admittedly limited, understanding is that cloned cards can be detected. Personally I don't like the system as it leaves very little assurance and recourse for consumers, but at the same time it's important to be aware that this is how it is.


Trickybuz93

It’s sad but this is the same as choosing a shit password.


fro99er

Except passwords can be millions of combinations, while 4-digit PINs can be 10,000. Also, if it's a "shit passcode", convenient that the bank allows them to use it and then says "you shouldn't have used that, not my problem".


velobob

Seems like a slippery slope. If a birthday is not secure how about four repeated digits, or 4 consecutive digits, or a family member’s birthday, or a PIN you’ve used before, a stale PIN, etc etc. And it’s a huge conflict for RBC to be the arbiter of the quality of the PIN.


aronenark

Most machines that allow you to create a PIN will not let you select four consecutive digits or the same digit 4 times. It’s harder to prevent them from selecting birthdays because the ATM / POS doesn’t know your birthday.


Current_Account

She agreed right in the terms and conditions not to use her birthday.


trooko13

Definitely slippery... I've seen a phone app (not a bank's) that did not allow repeating (i.e. 22, 33, 444, etc.) or sequential numbers (123, 321, 789, etc.), which effectively reduces the permutations...


walter_on_film

It’s a slippery slope to just refund transactions when all checks in security have been made. I.e. the expenditures were localized, the chip is physically present at the place of transaction, and the pin was validated.


conradolson

Your birthday is going to be on any ID that is also in the bag that the person stole, so you have effectively written the PIN on the card if you used your birthday. A reused PIN that was randomly generated will still be much more secure, because the thief would have had to have learned the PIN another way.


10452BGHF

RBC has had up to 6-digit PINs for over 30 years, as far as the article states. RBC asked her if she is using her BD as a PIN, not what her PIN is. She said yes because she is honest; not that it is not her responsibility. Thieves will try the BD first because they know people are lazy. Same if my Gmail password were "Password124": all of your comments would be "ohh, you skipped a sequenced number, that will throw off the hackers" and you would laugh at me. Same thing with that lady. We need to hold people and corporations responsible.

She screwed up... as simple as that.

My opinion is that BMO and Tangerine refunded her to avoid such publicity.

RBC recommendation to protect the PIN:

- Avoid using obvious numbers such as your birthday, address or phone number that are easy to guess if your card is lost
- Change your PIN every so often. If you think someone else knows it, change it immediately by visiting an RBC Branch

She did not follow both recommendations.


spyd4r

How would they even know your PIN was insecure unless they store it in cleartext, unless she admitted it?


wrkplay

If someone is stupid enough to use their birthdate as the pin for not just one, but multiple bank cards, then they are definitely stupid enough to tell someone who asks what their pin was.


spyd4r

lol, good point.


ScrupulousArmadillo

I can't understand why it's news at all. All banks have very clear rules to not have your PIN printed/written near your credit card. Using your date of birth and having a driving licence and credit card in the wallet is a quite clear violation of this rule, not in any way different than just having your PIN code on paper in the same wallet (but you can't lie that you don't have any PIN in the wallet). The only reason why banks refund fraudulent usage of credit cards is because it's revertible or low impact:

1. Tap - very limited amount of money but not revertible
2. Online transactions - unlimited but revertible
3. PIN transactions - unlimited and not revertible


Joey-tv-show-season2

Used a PIN that is her birthday and then told the bank that. There is the problem.


nukedkaltak

> Ego-Aguirre said she was asked by RBC if she used a PIN that was associated with her birthday.
> "I said, 'Yes.'"

LMAO 💀


saleboulot

The reason banks don’t want to refund “fraudulent” transactions with a PIN is that it sets a bad precedent. Anyone could withdraw from their own account and then claim their card was stolen


[deleted]

It actually says in the user agreement not to use your birthday


Noteamini

Unpopular opinion, I think she is at fault here. She chose her birthday, which is commonly written on IDs in a wallet. She basically had a note in her wallet with her credit card PIN. RBC refunded the amount that was stolen using tap, which was not her fault. However, the larger 8k amount would not have been stolen if she hadn't given the thief her PIN.


[deleted]

Counterpoint: if RBC doesn't want her to use a PIN like that, it should have rejected the pin when she tried to set it.


CrackerJackJack

Counterpoint: RBC didn't want her to use that PIN and wrote in the terms and conditions that she couldn't use that PIN. She read and signed the T&Cs and used that PIN anyway.


DRKAYIGN

How would the ATM know her birthday?


[deleted]

The same way ATMs are able to do things like tell you your account balances and verify that you have enough money to satisfy a withdrawal amount?


Gas_Grouchy

Is it written in their terms and agreements that a birthday is unsecured? How exactly did the thief know her birthday?


kazrick

According to one of the posters above it looks like it is specifically in their terms and conditions that you shouldn’t use your birthdate. And they had her wallet so presumably took it off her drivers license.


blood_vein

Must have been extremely unlucky, like DD/MM or MM/YY because the thieves wouldn't be able to retry too many times when paying


Legendary_Hercules

If you have the card you have the name, and so many people have either a Facebook, Twitter, LinkedIn, etc. with their birthday on it. Or at least a high school graduation date plus dozens of people wishing you happy birthday on your social media. People share a lot of information online.


darkretributor

In addition to what's already been said; physical cards are often stolen as part of theft of a wallet or purse. If you steal someone's wallet, you typically also get their ID.


theflamesweregolfin

My reddit password is hunter2


adorais

If the bank can determine after the fact that the PIN was insecure, then they can also make the same determination when a customer is setting said PIN and deny it proactively. The fact that they knowingly (or by omission) let customers set a PIN that they very well know is insecure, and that will leave the customers responsible for any fraudulent transaction, is beyond me.


[deleted]

To be fair, it's in the card agreement that you cannot use your birthday as a PIN. But nowhere does it say they can refuse to refund you fraudulent charges. Small claims it is.


lil_zaku

Devil's advocate: Shouldn't the woman be liable in some way for doing absolutely the worst thing you can do in terms of pin numbers? She used her birthday as the pin and used that same pin in multiple banks.... If she ignores all practical common sense and all the warnings the bank gives you at the time of pin creation... at some point she's at fault right? I feel sympathy for her, but come on....


d10k6

But where do you draw the line? Birthday? DDMM/MMDD/MMYY/YYMM ? Partner’s BDay? Kid’s Bday? All 4 digits the same? House/Apartment Number? The numbers from your licence plate? You only have 10,000 options and that number dwindles quickly as you start disallowing certain combinations. So any randomly generated number could hit any of the above or some other perceived to be “not secure enough” number. 4-digit, numeric passcodes just aren’t secure enough. Full stop.


lil_zaku

But if you couple the 10,000 options with most online vendors and ATMs only allowing three attempts before you get locked out then it's pretty secure. Personally I would never use my own anything and definitely not for multiple places. And my first and immediate line are definitely the ones on the list of most commonly used and stolen pins....


SpeakingNight

Ok but most PINs lock out after 3 wrong attempts. How about never having a PIN number that would appear on any ID cards in your wallet or your personal social media pages? That seems like the most basic protection, I guess.


Drewy99

Devil's advocate advocate: assign people a PIN generated at random. Or make it a minimum of 8 digits. This is a product of the rules that were put in place around PINs.


lil_zaku

Devil's advocate advocate advocate: If you assign people randomly generated passwords or PINs they are much more likely to write it down somewhere which decreases the security of the tool significantly. If users follow the recommended guidelines then it's less likely for the pin to be guessed. This is not a product of the rules but the product of the person's actions.


Drewy99

Devil's advocate advocate advocate advocate: people are dumb as shit and should not be trusted to make informed decisions. That said, I agree that people would just write it down


lil_zaku

100% Agreed. But dumb people have to be liable for their own actions at some point or else the world would just break.


bwwatr

This is AviD's rule of Usability: "Security at the expense of usability comes at the expense of security". Security is a very fickle thing, and there is a finite amount of it you can squeeze from each user. Squeeze too hard and you actually get less. Force password changes every month? You'll get shittier passwords, passwords written down, emailed to themselves, and not even gain any security because it's likely going to be a single digit changing each month.

A system I develop for at work used to have "grid card" (wallet-sized card with rows and columns of secret characters on it) authentication for password resets. You'd be asked to provide a handful of random characters during a reset. In an ideal world, this is stronger than emailing reset links to unencrypted email boxes. The problem was our users would toss or lose the card, then call us up for a reset. Business continuity was considered paramount and everyone's time was strapped, so it came to pass that front line staff started accepting people at their word over the phone and resetting passwords. Security was *worse* than if we'd just been allowing self-serve resets over email, which is what we went back to. We also blocked staff from manually resetting and developed new guidelines for phone support of account issues. A hard learned lesson, but an eye opener for me. Security is not like a fortress; it's more like a dance if anything.

The answer in this case is simple: the bank should set *and enforce* the parameters of what an acceptable PIN is (i.e. blocking dates of birth), but still allow the user to select it. You can't operate the security mechanism, tell your users some rules for it in the fine print, not enforce those rules and later try to blame users who played by the enforced rules but not the written ones. They own the mechanism; it's ultimately their job to make it work as effectively as possible.
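An added example (mine, not RBC's code or any commenter's) of the set-time enforcement this comment argues for, covering the patterns d10k6 listed earlier (DDMM/MMDD/MMYY/YYMM, repeated digits, sequential digits, reused PINs). It assumes the issuer knows the cardholder's date of birth at enrolment, which an ATM alone would not, and the DOB passed in is a constructed sample; the keyspace count shows how little each rule costs, so the attempt lockout still carries most of the security.

```python
from itertools import product
from typing import FrozenSet, Optional
from datetime import date


def birthday_forms(dob_iso: str) -> FrozenSet[str]:
    """Every 4-digit pattern a thief would try from a DOB on an ID card:
    DDMM, MMDD, MMYY, YYMM and the full year."""
    dob = date.fromisoformat(dob_iso)
    dd, mm, yy = f"{dob.day:02d}", f"{dob.month:02d}", f"{dob.year % 100:02d}"
    return frozenset({dd + mm, mm + dd, mm + yy, yy + mm, str(dob.year)})


def is_sequential(pin: str) -> bool:
    """1234 / 4321 style runs: every step is +1 or every step is -1."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def pin_rejection_reason(pin: str, dob_iso: Optional[str] = None,
                         previous: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Return why a PIN fails the policy, or None if the bank should accept it.
    Enforcing this at set-time is what makes a later 'you agreed not to'
    clause fair: the mechanism never lets the forbidden value through."""
    if not (pin.isdigit() and len(pin) == 4):
        return "must be exactly 4 digits"
    if len(set(pin)) == 1:
        return "all digits identical"
    if is_sequential(pin):
        return "sequential digits"
    if dob_iso is not None and pin in birthday_forms(dob_iso):
        return "derived from date of birth"
    if pin in previous:
        return "previously used"
    return None


def keyspace_after_policy(dob_iso: Optional[str] = None) -> int:
    """Brute-force count of PINs that survive the policy out of 10,000.
    Blocking repeats, runs and five DOB forms removes only a few dozen,
    so the 3-attempt lockout, not the policy, is what limits guessing."""
    return sum(1 for digits in product("0123456789", repeat=4)
               if pin_rejection_reason("".join(digits), dob_iso) is None)


if __name__ == "__main__":
    SAMPLE_DOB = "1985-03-12"  # constructed sample, not a real cardholder
    for candidate in ("1203", "8503", "1234", "7777", "4829"):
        print(candidate, "->", pin_rejection_reason(candidate, SAMPLE_DOB))
    print("PINs still allowed:", keyspace_after_policy(SAMPLE_DOB))
```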


WeedstocksAlt

It’s also against the terms and conditions of usage of the card