In-App Random Number Generator for PINs


(Max Schneid) #1

Hi All,

I hope you are well.

Suggestion
My suggestion is to improve the security of the Monzo service via the integration of a Random Number Generator (technically, you might be able to use a pseudo-random number generator) in the App to generate truly random PINs.

Background
Although I like the idea that you are able to change your PIN at an ATM, which I did, I am a bit sceptical with regards to the randomness of the PINs we users choose and whether there might be a systemic security flaw in this approach because card owners do not use the full spectrum of available PIN combinations (see below examples). For this reason, you might want to add a simple Random Number Generator that generates PINs for users to the app. This would allow everybody to create a truly random PIN for their cards and could help increase the security of the Monzo Banking solution.

Examples

  1. I am pretty sure a lot of “nerdier” cardholders selected “1337” as their PIN;

  2. Thinking along similar lines, I would suspect that many of us used meaningful dates, e.g., birth dates, as their PIN. This could mean that (i) the number combinations “01”-“31” (for days in a month) as the first two digits, and (ii) the number combinations “01”-“12” (JAN-DEC) as the third and fourth digit, statistically have a higher probability of being used in a given Monzo PIN.

  3. Probably you will also find some cards with a PIN set to “1234” or “1111” etc. (if this is allowed by the system).

  4. Users might use their Smart-Phone-Screenlock PIN as a PIN for the Monzo Card; i.e., hacking the smartphone lock screen key could hand a hacker your Card PIN.

That’s it; appreciate your feedback and comments.

Kind regards,
Max


#2

If someone wants to have a random PIN would it not be easier to just use the one provided when the card is activated?


(Max Schneid) #3

Hi Bob,

Thanks for your feedback.

Fundamentally, you are right, but the PIN you receive from Monzo via SMS can easily be obtained by others: Everybody who looks into your SMS will find it.

That’s also why the Monzo staff is advising you to change the PIN and delete the SMS with the initial one.

Hope this helps.

Thanks.


(Marta) #4

Interesting! How I perceive this:

  • Users who care about security will not choose a rubbish PIN, regardless of whether an in-app PIN generator is available or not.
  • Users who perceive PIN security as less of a threat will choose not to use the in-app PIN generator to generate their PIN. They might try, but seeing a less memorable PIN like 9527 might put them off and they will set their own (weak) PIN anyway.

So the trick is - how to get less caring users to use PIN generator? Simply having it there has a low chance to make any impact, right?

Now to give a bit of personal aspect. I use fairly secure PINs for all of my cards. The PINs to my cards are linked in a mysterious way so I can memorize them well, but without knowing the method even getting one PIN doesn’t endanger other cards (security through obscurity, in a good way I think!). Obviously, I keep this method hidden and it’s a bit more advanced than having PINs 1234, 2341, 3412. :slight_smile:
Even if there was a PIN generator in the app, I wouldn’t use it because obviously it wouldn’t generate a PIN that matches my PIN-pattern.


(Sam) #5

The security conscious aren’t going to trust a generated PIN, the ignorant are going to do whatever they normally do.
It’s “just” a PIN and only 4 digits anyway. Guessing <9999 times wouldn’t take very long if I didn’t have to worry about lockouts.

If someone guesses my PIN (“secure” or not) on their first attempt, I’m sorry but it’s not my problem… just an inconvenience until my bank refunds me (and comes up with a better solution/stronger default).


(Danny) #6

My PIN is my birthday 2703 :eyes:


#7

If your PIN is something like a birthday, that is a random number to everyone except people who know you.

You only get three guesses before the card will be blocked. So even if I’ve maybe gone through someone’s bin to find out all their details, I’ve only got three goes to get it right. What might they have picked? Their birth year? Their day and month? But in what order? Month first? What if their birthday is in the first 9 days of the first 9 months? Have they just put zeroes in front? Maybe I’ve found loads of gaming stuff in the rubbish so their PIN could be 1337? Maybe it’s just the last four digits of their card? You’d have to be pretty sure before you make those three attempts.

To everyone apart from people you know, your PIN is a random number. Fraudsters often get your PIN by watching you enter it, either with a person watching or a camera above a compromised ATM/terminal with a card skimmer attached too. Then in this case it’s irrelevant if your PIN is your dog’s birthday or a number a computer threw at you.

How much bank fraud is through the use of PINs compared to the likes of just doing an online transaction that doesn’t require a PIN or old fashioned signature transactions? And of the fraud that has used a PIN, how much of that came from the card being skimmed and a camera watching the person type the PIN and a new card made? In which case your PIN being random or not is irrelevant.