
Because people struggle to remember even one PIN, especially if it's needed infrequently or in a stressful situation. I'm not being snarky here, it's happened to me. Could not remember my one, main PIN on one particularly stressful day. Went home, slept, and no problem the next day.

So remembering a PIN that most people will never need to use in a stressful situation? Unlikely to be useful for the majority of people.




I think this could be solved by having the duress code be as simple as entering your PIN backwards


Way easier, just have a set of 9 icons (flower, sun, etc) shown after every pin entry. Your "true" icon will proceed, all other icons will trigger duress and proceed.


Way easier, just have a set of 9 icons (flower, sun, etc) shown after every pin entry. Your "true" icon will proceed, all other icons will trigger duress and proceed.

This is familiar.

I had a bank that, when you set up your PIN, required you to also pick an icon. There was a flower, and a cat, and a dog, and some other generic pictures.

When you put your card in the ATM and entered your PIN, you also had to pick the right icon.

I wonder if this was the start of a duress system the bank was setting up. The bank ended up getting eaten by another bank and then another bank, and the icon selection system went away.


Did MSN/Microsoft maybe do this many years ago?

For some reason I don't associate it with a bank (they have a personal phrase they include in official messages), but do with one of the SSO accounts I had, and feel pretty confident it wasn't Google.

Maybe Yahoo?


The pictures are to prevent account compromise via keylogger. Even if they get your login and password, they can't get into the account.


This is brilliant. Can you offer any more insight or background to this? Is there a name for this technique?


No, it is an obvious solution to anyone who wants to solve the problem, and I have never seen this in the wild (probably because I live in a relatively safe country where you don't have to fear getting mugged at an ATM).

EDIT: This should be coupled with a "secret" icon that is shown (or a specific order of the 9 icons you have to choose from) to prevent MITM/phishing attacks. If you realize the icon/order is not the one you are used to, you are being phished.


Wouldn't people just wait till you step away from the ATM then?


This was patented over 35 years ago but not implemented, and only spread as a good hoax. https://en.wikipedia.org/wiki/ATM_SafetyPIN_software?wprov=s...


How would it know if you entered it backwards if it was 1221, for example?


Well the obvious solution if one was to use this scheme (which I'm not saying is good or bad) would be, at PIN creation time, to disable palindrome.


Which removes a lot of possible PINs, thus reducing the actual security of PINs.


Exactly 1% of 4-digit PINs are palindromes, so that is very acceptable.


Alternatively: same PIN/password as normal, but alter the last character. Better if it’s any incorrect last character. That allows you to stick close to your normal routine while in a stressful situation.


Remembering this seems hard. And doing it under pressure seems very hard. I’ve forgotten my own zip code at a gas station before.


That eliminates all palindrome numbers as possible pins, which is bad for security.


At 4 digits, with a 10-character alphabet, you are looking at a 1% reduction in PIN space. Contrast this with the 90% reduction in PIN space you get by not using a 5th digit.


Because it reduces the number of possible combinations? Good reason to keep moving from 4 digits to at least 6 digits.


Found the person with a palindrome pin


No, only the reverse of my PIN is a palindrome.


Still it could be very useful for those of us that can remember it and do care.


Implementations I’ve seen are a modification of your main PIN. Add 1 to each number, etc.
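The thread above proposes several duress-PIN transforms (the reversed PIN, "any wrong last digit", and "add 1 to each digit") and argues about the palindrome edge case and the 1% figure. The following is an added example, not code from any commenter or from a real ATM or bank system: a small verifier that classifies an entered PIN as normal, duress or rejected under each scheme, an enrolment check that refuses palindromes for the reverse scheme (since a palindrome's reverse is itself and therefore has no distinct duress form), an exact count of palindromes for any PIN length, and a brute-force count of how many of the 10^n possible entries open the account under each scheme. All function names and the `Outcome` enum are this example's own; the "any wrong last digit" rule is interpreted literally as stated in the thread.

```python
import hmac
from enum import Enum
from fractions import Fraction
from itertools import product


class Outcome(Enum):
    OK = "ok"          # correct PIN: proceed normally
    DURESS = "duress"  # proceed, but silently raise the alarm
    REJECT = "reject"  # wrong PIN


def _eq(a: str, b: str) -> bool:
    # Constant-time comparison so response timing does not reveal
    # whether the entry was the real PIN, the duress PIN, or neither.
    return hmac.compare_digest(a.encode(), b.encode())


def duress_reverse(pin: str) -> str:
    """Duress form under the 'enter it backwards' scheme."""
    return pin[::-1]


def duress_add_one(pin: str) -> str:
    """Duress form under the 'add 1 to each digit' scheme (9 wraps to 0)."""
    return "".join(str((int(d) + 1) % 10) for d in pin)


def is_palindrome(pin: str) -> bool:
    return pin == pin[::-1]


def enrol_ok_for_reverse(pin: str) -> bool:
    """Enrolment-time check for the reverse scheme: a palindrome has no
    duress form distinct from the normal PIN, so refuse it up front."""
    return pin.isdigit() and len(pin) >= 4 and not is_palindrome(pin)


def check_pin(entered: str, stored: str, scheme: str = "reverse") -> Outcome:
    """Classify an entry. Both PINs are digit strings of equal length."""
    if not entered.isdigit() or len(entered) != len(stored):
        return Outcome.REJECT
    if _eq(entered, stored):
        return Outcome.OK
    if scheme == "reverse":
        duress = _eq(entered, duress_reverse(stored))
    elif scheme == "add_one":
        duress = _eq(entered, duress_add_one(stored))
    elif scheme == "last_digit":
        # Same prefix, any incorrect final digit counts as duress.
        duress = _eq(entered[:-1], stored[:-1])
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return Outcome.DURESS if duress else Outcome.REJECT


def palindrome_fraction(n_digits: int) -> Fraction:
    """Exact share of n-digit PINs that are palindromes: the first
    ceil(n/2) digits are free, the rest are forced."""
    return Fraction(10 ** ((n_digits + 1) // 2), 10 ** n_digits)


def accepting_entries(stored: str, scheme: str) -> int:
    """Brute force every possible entry of the same length and count how
    many open the account (normal or duress). This is the attacker's
    success set; a larger set means more guesses 'work'."""
    n = len(stored)
    return sum(
        check_pin("".join(digits), stored, scheme) != Outcome.REJECT
        for digits in product("0123456789", repeat=n)
    )


if __name__ == "__main__":
    print(check_pin("4321", "1234"))                 # Outcome.DURESS
    print(enrol_ok_for_reverse("1221"))              # False: palindrome
    print(palindrome_fraction(4), palindrome_fraction(6))  # 1/100, 1/1000
    for s in ("reverse", "add_one", "last_digit"):
        print(s, accepting_entries("1234", s))
```

The brute-force count makes the trade-off in the thread concrete: the reverse and add-one schemes leave exactly two accepting entries out of 10,000 for a non-palindrome PIN (one normal, one duress), while "any wrong last digit" accepts ten, because nine different entries now reach the duress path. Excluding palindromes removes 100 of the 10,000 four-digit PINs (1%) and 1,000 of the 1,000,000 six-digit ones (0.1%), which is the figure the thread quotes.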



