In message
, Andy
writes

I know that the PIN is held by the bank, otherwise it would be
very hard for a reminder to be sent.

I don't think that even the PIN is held directly by the bank. They will
have a record of the underlying security number of the card, which is
not revealed to the customer and can never be changed.

When a new PIN is selected, an offset generated by a complex hash is
recorded, and the bank will have a record of this offset. This allows
them to issue a PIN reminder without the necessity of storing a
vulnerable list of PIN numbers.
--
Paul Terry

On Sep 2, 6:46*pm, Paul Terry wrote:
In message
, Andy
writes

I know that the PIN is held by the bank, otherwise it would be
very hard for a reminder to be sent.

I don't think that even the PIN is held directly by the bank. They will
have a record of the underlying security number of the card, which is
not revealed to the customer and can never be changed.

When a new PIN is selected, an offset generated by a complex hash is
recorded, and the bank will have a record of this offset. This allows
them to issue a PIN reminder without the necessity of storing a
vulnerable list of PIN numbers.

Might be true, but the bank can still access the PINs, otherwise the
reminder that you sometimes get with a replacement card, or upon
request, would have to be a new number rather than the advice of the
existing one. So someone with the correct access can still get hold of
your PIN. Some banks (MBNA for the Virgin Credit card is one) even
allow you to get your PIN displayed online, which seems to me to be a
very bad idea.

In article ,
lid (Mark Bestley) wrote:

wrote:

On Wed, 2 Sep 2009 07:16:02 -0700 (PDT)
Andy wrote:
Oh and to reinforce the point, if you are undertaking a 'customer
present' transaction, the PIN number is validated directly against
the card and not sent to any server. The card holds the PIN, not the
bank.

If your card has a magnetic stripe on the back then your bank is
probably well aware of your PIN otherwise you'd never be able to use
it in non chip-and-pin cash machines in other countries.

When you get a new card the bank sends you the pin (and if a renewal
debit at least says it is the same as your current one)

My credit and debit card PINs have stayed the same through card changes,
including account number changes in the case of credit cards. The PIN
relates to the card.

--
Colin Rosenstiel

On Sep 2, 9:19*pm, Andy wrote:

On Sep 2, 6:46*pm, Paul Terry wrote:

In message
, Andy
writes

I know that the PIN is held by the bank, otherwise it would be
very hard for a reminder to be sent.

I don't think that even the PIN is held directly by the bank. They will
have a record of the underlying security number of the card, which is
not revealed to the customer and can never be changed.

When a new PIN is selected, an offset generated by a complex hash is
recorded, and the bank will have a record of this offset. This allows
them to issue a PIN reminder without the necessity of storing a
vulnerable list of PIN numbers.

Might be true, but the bank can still access the PINs, otherwise the
reminder that you sometimes get with a replacement card, or upon
request, would have to be a new number rather than the advice of the
existing one. So someone with the correct access can still get hold of
your PIN. Some banks (MBNA for the Virgin Credit card is one) even
allow you to get your PIN displayed online, which seems to me to be a
very bad idea.

Indeed, that sounds like a spectacularly bad idea!

I don't recall ever getting a reminder of my PIN when a replacement
card came through - the PIN simply remained the same. I think I
remember requesting a reminder from what credit card company or
another in years gone by, and them sending me a brand new PIN.

On 2 Sep, 21:59, Mizter T wrote:
On Sep 2, 9:19*pm, Andy wrote:





On Sep 2, 6:46*pm, Paul Terry wrote:

In message
, Andy
writes

I know that the PIN is held by the bank, otherwise it would be
very hard for a reminder to be sent.

I don't think that even the PIN is held directly by the bank. They will
have a record of the underlying security number of the card, which is
not revealed to the customer and can never be changed.

When a new PIN is selected, an offset generated by a complex hash is
recorded, and the bank will have a record of this offset. This allows
them to issue a PIN reminder without the necessity of storing a
vulnerable list of PIN numbers.

Might be true, but the bank can still access the PINs, otherwise the
reminder that you sometimes get with a replacement card, or upon
request, would have to be a new number rather than the advice of the
existing one. So someone with the correct access can still get hold of
your PIN. Some banks (MBNA for the Virgin Credit card is one) even
allow you to get your PIN displayed online, which seems to me to be a
very bad idea.

Indeed, that sounds like a spectacularly bad idea!

I don't recall ever getting a reminder of my PIN when a replacement
card came through - the PIN simply remained the same. I think I
remember requesting a reminder from what credit card company or
another in years gone by, and them sending me a brand new PIN.- Hide quoted text -

- Show quoted text -

My bank uses a PIN-like four-digit code* plus some security questions,
and I bet that a lot of people will set it to be the same as their PIN
so it's easier to remember. So anyone intercepting the communications
would effectively get a lot of PINs.


*and annoyingly forces you to select them from drop-downs, so that
anyone looking at the screen can see what number you are scrolling to,
although it becomes a * once selected.

On Thu, 3 Sep 2009 08:54:21 +0100
Ian Jelf wrote:
The problem I'm starting to find now is that a lot of shops simply don't
have the range of things I want. For some reason, I've particularly
noticed that with books where I think the wind of Amazon really is
starting to blow.

Next time you're down in London visit Foyles in Charing Cross Road. It really
is the most superb (and large) bookshop and unless what you're after is
really obscure they're pretty likely to have it. Failing that the Waterstones
off piccadilly is apparently the largest bookshop in britain though there
does seem to be a lot of wasted space there so I'm not sure if the actual
number of books they have is as much as Foyles which tends to pack things
in pretty tight.

B2003

On Wed, 2 Sep 2009 18:46:39 +0100
Paul Terry wrote:
When a new PIN is selected, an offset generated by a complex hash is
recorded, and the bank will have a record of this offset. This allows
them to issue a PIN reminder without the necessity of storing a
vulnerable list of PIN numbers.

If the PIN can easily be recreated just using a formula then its just as
vulnerable as if they stored it directly.

B2003

On Thu, 3 Sep 2009 08:54:21 +0100
Ian Jelf wrote:
Post Office stuff isn't too much of a problem for us, as the Delivery
Office is quite nearby and I can usually arrange to get things due to my
varied working hours.

The post delivery office is a bit more convenient for me but even then their
hours are unhelpful. Also most companies seem to be obsessed with using
next day delivery courier companies which only seem to delivery when people
are at work. You'd think there'd be a market for companies that would
deliver in the evening or weekends.

B2003

On 3 Sep 2009 09:15:57 GMT
Huge wrote:
On 2009-09-03, Ian Jelf wrote:
In message , writes
On Thu, 3 Sep 2009 08:54:21 +0100
Ian Jelf wrote:
The problem I'm starting to find now is that a lot of shops simply don't
have the range of things I want. For some reason, I've particularly
noticed that with books where I think the wind of Amazon really is
starting to blow.

Next time you're down in London visit Foyles in Charing Cross Road.

Oh I've certainly done that! Indeed, I recently had quite a spending
spree in there, ostensibly buying a couple of books for SWMBO's birthday
but ended up buying a bit of stuff for myself, too!

It really
is the most superb (and large) bookshop

Foyles? Superb? Have they stopped indexing the books by publisher, got some
helpful assistants and refurbished the place, then?

Yes, about 10 years ago.

B2003

In message , writes

If the PIN can easily be recreated just using a formula then its just as
vulnerable as if they stored it directly.

No, there is no simple formula involved. The data is strongly encrypted
using three independent keys and the PIN can only be regenerated by a
specialist machine that decrypts both the original security number and
the offset used by the customer. It then outputs the PIN to a security
envelope. The only way for a member of the bank staff to see the PIN is
to open the envelope before it is posted, which is why customers are
always warned to check that the envelope has not been tampered with
before using their PIN.

--
Paul Terry