New Card, old PIN?

(Adam) #1

Are there any plans to be able to send a new card without having to get a new PIN with the CA?
I know the new PIN is sent quickly via SMS, it's just annoying having to go to an ATM to change it ‘back’.

Understand in some circumstances where the card is already produced and it's a ‘fast swap’ such as an event where Monzo are there it's not possible, but for routine card changes (expiring card) the PIN should remain the same.

Just an idea :bulb:

(Rika Raybould) #2

There are a couple of ideas around PINs at the moment, including possibly allowing you to set your own PIN before the card is sent out to avoid having to go to an ATM. :atm:

For reference, the reason we can’t do this with the Beta cards and the nameless debit cards is because the PIN needs to be set on the card chip and right now, that happens before we even get the cards to send out. :postbox:

With the second generation debit cards that have your name on them, we gain the technical ability to set the PIN when the card is personalised. While we probably won’t offer it immediately and it’s not on the roadmap yet, it’s something we’re looking at!

(Stephen Early) #3

Would it be possible to implement PIN change through the Monzo app on phones that have appropriate NFC hardware? (Presumably using some protocol private to Monzo and its cards, not plain EMV?) Or does the magstripe have to be updated to set the PIN as well?

(Adam) #4

PIN data is stored on the chip rather than the magstripe… As ‘all’ Monzo transactions are online, there is nothing to stop the PIN being changed in app then updating the card on the first online transaction (first PIN entry will fail, but subsequent attempts should work)

(Terry) #5

I love this idea :slight_smile: It would be great to be able to set the PIN when a new card is ordered :slight_smile:

(Rika Raybould) #6

Offline transactions would also fail until the card went online to receive the PIN change script or you knew to use the old PIN. It’s a little bit of a confusing process to the end user and it becomes less reliable as you go abroad.

(Adam) #7

My point about the PIN update was on the premise that

I guess it could be confusing for some users :see_no_evil:

(Jolin) #8

Does Monzo ‘know’ what our PIN is? When I was new to banking, I naively assumed that the PIN was my secret (the bank only holding a one-way encrypted version). But when banks send out replacement cards, they have my old PIN. This is convenient, but that clearly means the bank ‘knows’ my PIN so they can program the card. Is this true for Monzo as well? I don’t mind either way, just curious.

(Caspar Aremi) #9

Presumably, as you can change it at an ATM and then it displays in the app.

I remember legacy banks always saying not to tell anyone your PIN, not even bank staff, I assumed it was just something encrypted on the card, but I guess not.

(Adam) #10

Banks do know what the PINs are and can see them

(Marta) #11

@walderston Hmm, are you sure? I thought that HSMs are used for storing PINs. When a bank person ‘does’ something to reveal your PIN, they don’t actually see it, they just enter a command that triggers a message to be sent, or a machine thing to read it out loud on a phone call (without the employee listening in).

So a human has ‘rights’ (password) to order the HSM to reveal data, but it would be an unnecessary risk to allow a bank employee to learn the PIN, and without any benefits.

I might be totally wrong here, but I’d love to know how it actually works. :smiley:
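Added illustration of the two mechanisms discussed in this thread (the HSM-held verification value in #11, and the PIN change script that only reaches the chip at the next online contact in #6). This is a constructed toy model, not Monzo's or any bank's real system: the HSM, PVV derivation (HMAC-SHA256 here instead of a real 3DES PVV), card numbers, PINs and class names are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed model, not any bank's real system. It shows (1) an issuer verifying
# PINs against a one-way PIN verification value (PVV) so the database does not
# hold clear PINs, and (2) why an in-app PIN change only reaches the chip via an
# issuer script on the next online contact, so offline (chip-verified) PIN entry
# keeps using the old PIN until then.


class Hsm:
    """Stand-in for the HSM: owns the PIN verification key (PVK) and exposes only
    derive/verify. Real PVV schemes use 3DES and 4 decimal digits; HMAC-SHA256
    truncated to 8 hex characters is used here purely for illustration."""

    def __init__(self, pvk: bytes) -> None:
        self._pvk = pvk  # never exported from the "HSM"

    def derive_pvv(self, pan: str, pin: str) -> str:
        mac = hmac.new(self._pvk, f"{pan}|{pin}".encode(), hashlib.sha256).digest()
        return mac.hex()[:8]

    def verify_pin(self, pan: str, pin: str, stored_pvv: str) -> bool:
        return hmac.compare_digest(self.derive_pvv(pan, pin), stored_pvv)


@dataclass
class Chip:
    """The card's secure element. The reference PIN lives only inside it."""
    _reference_pin: str
    try_counter: int = 3

    def verify_offline(self, entered: str) -> bool:
        if self.try_counter == 0:
            return False  # PIN blocked after too many wrong tries
        if hmac.compare_digest(self._reference_pin, entered):
            self.try_counter = 3
            return True
        self.try_counter -= 1
        return False

    def apply_pin_change_script(self, new_pin: str) -> None:
        # In EMV this arrives as an issuer script protected under card keys;
        # the model just hands over the new value.
        self._reference_pin = new_pin
        self.try_counter = 3


class Issuer:
    def __init__(self, hsm: Hsm) -> None:
        self.hsm = hsm
        self.pvv_by_pan: dict[str, str] = {}       # only PIN-related data kept
        self.pending_scripts: dict[str, str] = {}  # queued PIN-change scripts

    def issue_card(self, pan: str, pin: str) -> Chip:
        self.pvv_by_pan[pan] = self.hsm.derive_pvv(pan, pin)
        return Chip(pin)  # the PIN is written to the chip at personalisation

    def change_pin_in_app(self, pan: str, new_pin: str) -> None:
        self.pvv_by_pan[pan] = self.hsm.derive_pvv(pan, new_pin)
        # Transient queue until the card is next online (modelled in clear here).
        self.pending_scripts[pan] = new_pin

    def online_pin_transaction(self, pan: str, chip: Chip, entered: str) -> bool:
        """Online PIN (e.g. ATM): the issuer's HSM verifies. Any online contact
        also delivers the queued script to the card."""
        ok = self.hsm.verify_pin(pan, entered, self.pvv_by_pan[pan])
        script = self.pending_scripts.pop(pan, None)
        if script is not None:
            chip.apply_pin_change_script(script)
        return ok

    @staticmethod
    def offline_pin_transaction(chip: Chip, entered: str) -> bool:
        """Offline PIN (typical POS): the chip verifies, no issuer contact."""
        return chip.verify_offline(entered)


def demo() -> dict[str, bool]:
    """Walk through an in-app PIN change and report what each entry does."""
    issuer = Issuer(Hsm(secrets.token_bytes(32)))
    pan, old_pin, new_pin = "5555000000001234", "1234", "9876"  # constructed
    chip = issuer.issue_card(pan, old_pin)
    issuer.change_pin_in_app(pan, new_pin)
    return {
        "db_holds_clear_pin": new_pin in issuer.pvv_by_pan.values(),
        "offline_new_pin_before_sync": issuer.offline_pin_transaction(chip, new_pin),
        "offline_old_pin_before_sync": issuer.offline_pin_transaction(chip, old_pin),
        "online_new_pin": issuer.online_pin_transaction(pan, chip, new_pin),
        "offline_new_pin_after_sync": issuer.offline_pin_transaction(chip, new_pin),
        "offline_old_pin_after_sync": issuer.offline_pin_transaction(chip, old_pin),
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The `demo()` walk-through reproduces the confusion described in #6: straight after the app change, an offline POS entry of the new PIN fails and the old PIN still works, until one online transaction delivers the script and the chip flips over.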

(Adam) #12

I used to work with an RBS/NatWest credit card system and was able to find any PIN I wanted. It wasn’t on the ‘normal’ account pages, but if you knew where to go it was easy to find. Different users had different access levels so not everyone would be able to see it.

The idea of that system was to allow for changes of the PIN, however that rarely happened on consumer accounts unless for a VIP

(Marta) #13

Thaaanks, now I’m kinda scared! :smiley: A bank employee can easily access my address, steal my card AND get the PIN.

(Adam) #14

They’d either have to change your address (leaving a trail) or stand outside it and wait for the postman to deliver it. :snail::email: - very unlikely to happen

It would be easier for them to steal your card, change the PIN on the system and visit an ATM, the card would update the PIN on the first online transaction (ATMs always online) - less of an audit trail than actually viewing the PIN. Not sure how Monzo do it but it’s very unlikely to happen

(Sy) #15

…and perhaps see your National Insurance number or PAYE Tax Code from any benefits or salary, and your car registration from any DVLA car tax direct debit…

(Andre Borie) #16

This would be awesome.

(Hugh) #17

On this track, I do wonder about the COPs (with all due respect) having access to my records in their own home. I know this might sound horrible but say they left the terminal unattended to open the door or boil the kettle, and someone else took a sneak peek at all my details. What procedures are in place to limit this? (bearing in mind the “always lock your computer when unattended” edict has failed in every corporate setting I’ve ever visited)

(Andre Borie) #18

What’s the kind of damage you’re worried about? If someone were to get access to an employee’s laptop they’d just see your account among everyone else - they don’t even know nor care about you…

(George) #19

Hey Hugh!

My name is George and I work overnight customer support for Monzo :+1:

I absolutely understand your concern. I live in a shared house with 3 of my pals so this could of course be an issue. For me, I have enabled hot corners so a quick swipe to the bottom left of my screen does the job. If any of the boys want to come into the office room for a chat, again, hot corners are the way forward as not only am I protecting sensitive material, I find it rude to be handling important queries whilst nattering at the same time.

Let me know if you have any more questions surrounding this as this can be a worrying subject!

Monzo Nightman :crescent_moon:

(Hugh) #20

That’s not a helpful or sensible approach to infosec. That’s the approach that lands companies with huge fines from the ICO…

Thanks @GeorgeNightman for the great response :+1: