Wednesday, 7 March 2007

"I forgot the PIN of my card" and what results from that

I forgot the PIN of my card recently. I dug into the "safe place where the PIN is written" and found that ... (let's say) I don't have it there anymore.

I went to the bank determined to reset my PIN and go on with my life. Here is a short version of the dialog:

- Hello. Your ATM has blocked my card. I would like it back.
- Ok, here you have it, but first, please tell me the secret word you wrote on the form when you made the card.
- Of course... [blabla]
- Ok. The card is unblocked, you will be able to use it in about 15 min.
- Well, yes. I would like to reset my PIN number since I forgot it.
- What kind of card do you have?
- Maestro
- I am sorry, for this type of card, we can't reset the PIN number. We will have to make another card.
- I am sorry, I think there is a misunderstanding here. Are you telling me that I have to make another card just because I want to reset my PIN?
- Yes, for this type of card it is not possible to reset the PIN. We have to make another one. We don't have the list of PIN numbers for this kind of card, so we can't reset the PIN.

[That sounds like "for other types of cards, we have the PIN numbers for every card out there listed on a tally sheet, but we don't for the type of card you have", put in another form. Spooky, huh?]

... If you had the PIN you could change it at the ATM, but we can't do that since we don't have the PIN number.

- Didn't you think that resetting the PIN is a feature useful enough to have?
- [here the broken recorder model enters the scene] For your type of card we can't reset the PIN, we will have to....

[more questions from my side, trying to understand why it is not possible to just ignore the old PIN and overwrite the information on the card, were, of course, fruitless]

[after some time, I gave up]
- OK, how long will it take for the new card to be created?
- Two weeks.
- What? Anyway... how much will that cost?
- 7 RON (approx. 2€ or 2.5$)
- OK. Can I withdraw money from my account now?
- Yes
- OK, good, at least that. I would like 500RON. Also, I would like to start the card change procedure.
- Of course.
[The guy gives me the money and starts to look into the system to start the "new card" procedure. Before he gave me the money, I asked if he needed my ID or something, but I am not sure if he would have asked me by himself if I hadn't...]
- There is a small problem...
- Oh, really? Let me guess, it is not possible to start the procedure from this sales point and I will have to go to another one...
- Yes. This card was created at the sales point in Calea Dorobanţilor, through a corporate contract and I don't have access to that contract from here... Actually, if I think of it... your employer made that card for you, didn't they?
- Yes.
- In that case you will have to go to your employer and ask for a new card...


On the positive side, at least I can withdraw money from my account... OTOH, I didn't ask if having the card with me would be necessary to withdraw money, so I am not sure if, in the case I will have to give the card to my employer, I will be able to get any cash from the bank...


Ben Hutchings said...

ATM card PINs are not supposed to be stored anywhere. When a PIN is generated it is printed, sealed, and prepared for mailing without human intervention. The same machine will combine your card details with a secret key to produce a second number, and the difference between this and your PIN is an "offset" that can be stored in a database at the bank. It does not reveal your PIN but can be used by that machine to check or reissue your PIN. The system is unfortunately compromised by the use of the same PINs for debit cards at diverse locations and some weaknesses in the encryption used by ATMs. But these restrictions do provide some protection against corrupt bank employees.
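
The offset scheme described in the comment above, sketched as an added example (not part of the original post or comments, and not any bank's actual code). It assumes HMAC-SHA256 as the keyed function, which the comment does not name, and a 4-digit PIN; the key, card number and PINs are constructed.

```python
import hashlib
import hmac

PIN_LEN = 4
KEY = b"constructed-demo-key"   # constructed; would never leave the bank's secure machine
CARD = "6759000000000018"       # constructed card number

def natural_pin(bank_key: bytes, card_number: str) -> str:
    """The keyed 'second number' derived from the card details."""
    # Assumption: HMAC-SHA256 stands in for the bank's keyed function.
    mac = hmac.new(bank_key, card_number.encode(), hashlib.sha256).digest()
    # Decimalise: one digit per byte (slightly biased, acceptable for a demo).
    return "".join(str(b % 10) for b in mac[:PIN_LEN])

def _check(digits: str) -> str:
    if len(digits) != PIN_LEN or not (digits.isascii() and digits.isdigit()):
        raise ValueError(f"expected {PIN_LEN} decimal digits")
    return digits

def make_offset(bank_key: bytes, card_number: str, pin: str) -> str:
    """Offset = PIN minus natural PIN, digit by digit modulo 10; this is what gets stored."""
    nat = natural_pin(bank_key, card_number)
    return "".join(str((int(p) - int(n)) % 10) for p, n in zip(_check(pin), nat))

def pin_from_offset(bank_key: bytes, card_number: str, offset: str) -> str:
    """Only a holder of bank_key can turn a stored offset back into the PIN."""
    nat = natural_pin(bank_key, card_number)
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, _check(offset)))

def verify_pin(bank_key: bytes, card_number: str, offset: str, candidate: str) -> bool:
    expected = pin_from_offset(bank_key, card_number, offset)
    return candidate.isascii() and hmac.compare_digest(expected, candidate)

if __name__ == "__main__":
    offset = make_offset(KEY, CARD, "4921")
    print("stored offset:", offset)
    print("correct PIN accepted:", verify_pin(KEY, CARD, offset, "4921"))
    # The same database row read with a different key yields an unrelated number.
    print("offset read with another key:", pin_from_offset(b"not-the-bank-key", CARD, offset))
    # Issuing a new PIN needs the key but not the old PIN: only the offset changes.
    new_offset = make_offset(KEY, CARD, "1357")
    print("old PIN after reissue:", verify_pin(KEY, CARD, new_offset, "4921"))
```
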

Aigarius said...

It is a good thing that they do not store the PIN. The card is after all a chip card - you cannot just overwrite the info because the software on the chip will not let you. Also the information that ties the card to your account is stored on that card in the encrypted form - encrypted by that PIN. So it simply is not possible to change a PIN on an existing card without knowing the old PIN.
Which should not be stored anywhere anyway as Ben explained.

So, reissuing the card is the best course of action security-wise. Be happy. It is much worse when any bank-teller can look up and change your PIN in a couple of clicks.

ptifeth said...

Lately I received a new Visa card replacing one that -I feared- had been stolen (actually lost for 48h).

The bank did send the visa card to me but sent the pin code to a former address of mine...

As a consequence they had VISA RE-issue a NEW (another !) pin code for me (and bill me 8€, which I should be refunded as soon as I ask for it...).

So I guess that there are several recoverable pin codes for each card (say there are a dozen, that gives you an average of ~1/333 chance to find a code if you try thrice)