The current Chip and PIN ads in the newspapers are giving us this piece of advice:
Keep forgetting your PIN?
It’s easy to change with chip and PIN.
To something more memorable like a birthday or your lucky numbers. You can change your PIN at the cash machine. Easily. Or by simply contacting your card issuer.
Right, so when the thief steals my wallet, the first PIN combination they are going to try is DDMM or MMYY of my birthday, which is on my driving license, and they are now also telling us that we can change our PIN by phone!
Why do you keep your drivers license with you? Are you American or something?
Not just Americans keep their drivers license with them in this world. It’s a convenient place to keep it and provide when requested by law enforcement. You may keep it in your car but what happens if you drive more than one car?
I believe that marketing people have become involved here without consultation of security professionals. PINs have very strict requirements surrounding their entry into approved devices and marketing don’t realise this.
In the UK there is no requirement to produce your driving license on demand to the police, but rather you can request to produce it at a nominated police station within 5 days. In fact, when stopped in your car, even if you have ID on you, you are better off taking the police station option.
The matter of whether you have the license or not is irrelevant. The issue is “make it easy” marketers determining a security procedure. Not their job, but I’m sure the top bosses are imagining the piles of euros they’ll reap from being user-friendly.
As Schneier says, “Who makes the decision, and what is their agenda?”
It says “a” birthday anyway not your birthday.
And I don’t carry a drivers licence because I’m not from the US, so therefore don’t have a drivers licence.
Missing the point slightly about driving licences – your date of birth is easily available knowledge, and could be obtained by a wide variety of social engineering hacks – how many agencies record your DOB? Does your credit/store card have that information? That’s in your wallet….. American or otherwise!
Yeah it does say “a birthday” not “your” birthday. It could be the birthday of a famous person, family member or friend. You can’t change your PIN by phone either, only at a cash machine by selecting the PIN Services option. It tells you to contact your card issuer so that they can provide the details on how you can change your PIN. 😉
Hard to remember all your PIN numbers???
I had the same trouble until:
http://www.pinpal.com.au
Chip and PIN’s own website has a PDF guide on remembering PINs, and says:
“* To remember a new PIN, you could use an anniversary or friend’s birthday. Use a combination of day and month, or month and year, whichever is easiest to remember – but don’t use numbers that are easily associated with you, like your own date of birth”.
So: your birthday — bad. Someone else’s — good.
This is a good tip:
“Rather than learn a PIN digit by digit, learn the pattern that you need to trace on the keypad with your fingers”
One of the worst things about Chip and PINs is that the machines are so rubbish. Many times I’ve seen people type PINs into a machine held over a pub bar by the barstaff. I think I should just go up to them and tell them their number out loud.
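
The guide quoted above suggests day-and-month or month-and-year PINs while ruling out the cardholder's own date of birth. As an added example (not from the post, its comments or any card issuer's system), the Python below applies that rule as an issuer-side check at PIN-change time and counts how much of the 10,000-PIN space date-shaped choices occupy; the function names, the reject/warn policy and the sample date are assumptions.

```python
from datetime import date

DAYS_IN_MONTH = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]  # Feb counted as 29

def date_shaped_pins():
    """Return the set of 4-digit PINs readable as DDMM or MMYY."""
    ddmm = {f"{d:02d}{m:02d}"
            for m, n in enumerate(DAYS_IN_MONTH, start=1)
            for d in range(1, n + 1)}
    mmyy = {f"{m:02d}{y:02d}" for m in range(1, 13) for y in range(100)}
    return ddmm | mmyy

def pins_from_date(d):
    """PINs a given date yields under the two formats the guide suggests."""
    return {f"{d.day:02d}{d.month:02d}", f"{d.month:02d}{d.year % 100:02d}"}

def review_pin(pin, cardholder_dob):
    """Hypothetical issuer-side check run when a customer picks a new PIN.

    Returns 'reject' if the PIN is derived from the cardholder's own date
    of birth, 'warn' if it merely looks like a date, 'ok' otherwise.
    """
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        raise ValueError("PIN must be exactly four digits")
    if pin in pins_from_date(cardholder_dob):
        return "reject"
    if pin in date_shaped_pins():
        return "warn"
    return "ok"

def keyspace_report():
    """Size of the date-shaped subset against all 10,000 four-digit PINs."""
    shaped = len(date_shaped_pins())
    return shaped, shaped / 10_000

if __name__ == "__main__":
    dob = date(1975, 3, 14)  # constructed sample cardholder, not real data
    for pin in ("1403", "0375", "2512", "7391"):
        print(pin, review_pin(pin, dob))
    print("date-shaped PINs: %d (%.1f%% of keyspace)"
          % (keyspace_report()[0], keyspace_report()[1] * 100))
```

Even with the cardholder's own birthday excluded, a PIN chosen as "a birthday" comes from roughly a seventh of the available four-digit space.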