BofA mails your PIN to the same address as the card it unlocks (scrollinondubs.com)
12 points by scrollinondubs on Jan 25, 2011 | 26 comments


I thought this was normal? They'd have two separate mailings sent from two locations such that they would only meet at the destination's mailbox on separate days. Then, after receiving the card, it'd have to be activated by calling an 800 number and giving some information, at which point they might also force a PIN change.

Also, he worries about the PIN being stored somewhere in plain text. If one-way hashes were used, anyone obtaining the hash would only need to test it against 10k possible values to get the original.


They should at the very least generate a new PIN when it needs to be sent in the post though? Don't just send out the old one. I bet loads of people reuse them across cards. Just don't do it. Never send out credentials that aren't freshly generated.


That would be fine if activation required calling that number and providing a token that wasn't transmitted via the same channel as the card. One way to activate though is by simply using the ATM and entering your PIN... not good.


Hashing doesn't have much of a use when there are only 10k possible inputs.

Even using bcrypt set to take 1 second to verify a hash wouldn't be great -- it'd take about two hours and 45 minutes to break a PIN. And yes, while this is significantly better than not hashing at all (where it takes no time to get a PIN), it would be trivial to target specific people to get their PINs given the hashed database.

Sure, you could make it take 10 seconds to verify a hash, but now all you've done is make me take a day to break the PIN.


My BofA PIN is 6 digits, so you'd need to hash a million values.

Still a pretty small rainbow table, I guess.


Use HMAC and not plain hashes.


HMACs verify the integrity of a message; they don't have any use in this setting.


If the attacker doesn't have the key, he will have to brute-force the full hash and not just 9999 values. Or what is the different use here? The root post was referring to storing hashes and not passwords (better to store HMACs and not hashes).


There is a difference between an HMAC and encrypting a hash, or an HMAC and a salted hash.

HMAC means Hash-based Message Authentication Code.

http://en.wikipedia.org/wiki/HMAC


I thought HMAC was equivalent to an encrypted hash.


From that link:

HMAC(K,m) = H((K ⊕ opad) ∥ H((K ⊕ ipad) ∥ m)).


Why would HMAC be inappropriate in this case (of storing user credentials)? Is there a vulnerability?

HMAC(key, password) instead of hash(password) or hash(salt+password)


I don't know of any attack. However, my point is just that HMAC means using hashing for a message authentication code. Encrypting hashes makes more sense as to what's going on.
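
The two scenarios the thread argues about, as an added example that is not part of any comment above: a plain hash of a 4-digit PIN falls to an exhaustive test of all 10k candidates, while an HMAC under a server-held secret key cannot be enumerated by someone who only has the stored digests. The PIN value and the key are constructed here.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Every 4-digit PIN, the keyspace the thread is discussing.
PIN_SPACE = range(10_000)


def unsalted_hash(pin: str) -> str:
    """The 'hash(password)' scheme from the thread: plain SHA-256 of the PIN."""
    return hashlib.sha256(pin.encode()).hexdigest()


def recover_pin_from_hash(target: str) -> Optional[str]:
    """Test every candidate PIN against one stored digest; no key is needed."""
    for n in PIN_SPACE:
        cand = f"{n:04d}"
        if unsalted_hash(cand) == target:
            return cand
    return None


def keyed_hash(pin: str, key: bytes) -> str:
    """The 'HMAC(key, password)' scheme: HMAC-SHA256 under a server-held key."""
    return hmac.new(key, pin.encode(), hashlib.sha256).hexdigest()


def recover_pin_from_hmac(target: str, key_guess: bytes) -> Optional[str]:
    """The same exhaustive test, but it only works if key_guess is the real key."""
    for n in PIN_SPACE:
        cand = f"{n:04d}"
        if hmac.compare_digest(keyed_hash(cand, key_guess), target):
            return cand
    return None


def demo():
    pin = "4271"                       # constructed sample PIN
    key = secrets.token_bytes(32)      # constructed server-side secret

    found_plain = recover_pin_from_hash(unsalted_hash(pin))
    stored_mac = keyed_hash(pin, key)
    found_with_key = recover_pin_from_hmac(stored_mac, key)
    found_without_key = recover_pin_from_hmac(stored_mac, b"\x00" * 32)
    return found_plain, found_with_key, found_without_key


if __name__ == "__main__":
    print(demo())  # the plain digest and the real key both yield the PIN; a wrong key yields None
```

Note that with the key stolen along with the database the HMAC degrades to the plain-hash case, which is why the key has to live somewhere the digests do not.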


Where else would you like them to send it?


Yeah, good question. Guys, not everything that B of A does is evil, just sayin'.

Next hyperbolic headline: B OF A TRACKS YOUR ACCOUNT BALANCE AND RECORDS EVERY PURCHASE!


To take this joke and place it right back into reality:

Holy fuck, if a bank were to actually track every purchase I make, I'd freak out and switch banks. I always keep a bit of cash on hand so I have the freedom of buying something that isn't tracked by anyone. It's nice to be able to buy a beer without your bank knowing about it, you know?

I really really hope no bank ever tries to pull anything like that. Even those of you who use cards for everything must appreciate the idea that you're able to buy things without your bank knowing what you bought, or even that you bought anything at all?


I actually use cash as often as possible, but not out of paranoia or privacy concerns. You can't avoid being a drop in the sea of data collected nowadays, and it's awfully self-centered to think that a for-profit corporation gives a rat's ass that you bought a beer. Using that information to determine my insurance premium? Yeah, that would be a problem.

I tend to use cash simply because I'd rather have more of the money I spend go to the actual retailer (especially if it's a small business) than the bank. As a former retail business owner, I know how oppressive transaction fees are... yes, even debit card purchases.


As the article says: Nowhere? There was no need to send it anywhere.


His real problem seems to be they sent him his PIN when he didn't ask for it.

As for sending the PIN in the mail, sometimes people forget their PIN. He lists three forms of communication he claims are more secure: voice, fax & inbox on the https site. Banks can more easily verify the mailing address because it's easier. At least with that you've got a mailman checking that the name matches the address. I realize that's not foolproof, but what is? It's easier than trying to verify a phone or fax number actually belongs to the right person. And with https, not everyone owns a computer, but it's rare for a bank opening an account for someone without a fixed address. Even when account statements are sent to a P.O. Box, they generally ask for a physical address for their records.

All three can be secure if there's proper authentication, but again, if he didn't need or ask for it in the first place then that's the real problem.

Edit: another problem with voice is that the bank employee on the other end of the line has to be able to see the plaintext PIN to speak it. Banks I have worked at strictly limited the number of people with access to that info; you couldn't just walk up to a teller and have them look up your PIN, for example.


Re: Stored hashes - they can be stored encrypted while the company can still retain the ability to decrypt them. This is how you store credit card numbers.

They may have generated a new PIN and it just happened to be his old one? Could be.

Do they send it registered mail? What would happen if someone did get to your mail before you - could they use the card? What would the bank do when informed of it?

Whether or not it's bad for you, the consumer, depends on all these things.


Agreed that it's not the best solution, but it is what every bank (at least here in the UK, and from the sounds of it, in America too) does.

As to storing the PIN in plaintext, that's not even the bank's decision, a single bank can't decide to go against the entire chip+pin system.

Side question: AFAIK, chip+pin is far less common in America than in UK/Europe, with many people still using magnetic+signature. Am I out of date, or is this still the case?


I live in the US, and I don't think I've ever seen a chip+pin card.

Most stores will take ATM/debit cards (using PIN) as an alternative to credit cards (using signature), but the ATM/debit cards use magnetic stripe like the credit cards.


I initially rolled my eyes at the rant, but he does make some good points.

I've never thought about it before, but a bank really has no reason to send your PIN number to you in print, or store it in a form that they could access.

Or do they?


Every bank I've ever had has done this.


It's nice to see an example of real-life security holes instead of software security holes.


I don't know. It's basically software with a sneakernet last hop and mtr would take forever! If by "real life" security, you mean "physical" security, I don't see any physical security issue. Even in the military, this sort of stuff would be handled by crypto guys, not masters-at-arms. As far as physical security of the mail, FWIW, you can ship Top Secret through the US Mail. Just double-envelope it and send it registered.

