Idiot millennials are saving credit card PINs on their mobile phones

More than one in five 18-24 year olds (21 per cent) store PINs for credit or debit cards on their smartphones, tablets or laptops, according to research conducted by Equifax in conjunction with Gorkana. In the same survey of 500 people across all ages, more than a third of young adults (38 per cent) said they also use their …

  1. Slartybardfast

    Encryption?

    No mention however if these were stored in the clear or encrypted using something like KeePass. I keep mine on my phone using KeePass. Getting my .kdbx file won't be of much use to you without my key.txt file (on USB stick) and long, complicated but memorable password. BTW I'm 54.

    1. Eugene Crosser

      Re: Encryption?

      Indeed.

      I keep all my passwords (couple hundred I think) and pins (a dozen) on the phone, encrypted under master password in OISafe. 55.

      Millennials, you are saying...

      1. Jeffrey Nonken

        Re: Encryption?

        KeePass here, long passcode easy for me to remember but hard to guess. 59.

      2. e^iπ+1=0

        Re: Encryption?

        "I keep all my passwords (couple hundred I think) and pins (a dozen) on the phone, encrypted under master password"

        I keep them under the mattress. Obfuscated.
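
The thread above turns on one point: a stolen vault file is only as good as the secrets needed to derive its key. The block below is an added illustration (not KeePass's code and not any commenter's), showing the idea behind a KeePass-style composite key: the vault key is built from both the master password and a separate key file, so whoever lifts the .kdbx without the key file has nothing to guess against. The iteration count, the check-value construction and the vault layout are assumptions made for this demo.

```python
"""Composite-key vault demo: password AND key file are both required.

Added illustration, not KeePass's code. Names, the iteration count and the
vault layout are assumptions made here for the example.
"""
import hashlib
import hmac
import os
from typing import Optional

KDF_ITERATIONS = 200_000  # assumption: PBKDF2-HMAC-SHA256 work factor for the demo


def composite_key(password: str, key_file: Optional[bytes]) -> bytes:
    """Hash each secret separately, then hash the concatenation.

    An attacker holding the vault file but not the key file cannot build this
    value, however fast they can guess passwords.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def derive_vault_key(composite: bytes, salt: bytes) -> bytes:
    """Slow KDF: this is the work an offline attacker must repeat per guess."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, KDF_ITERATIONS, dklen=32)


def check_value(vault_key: bytes) -> bytes:
    """Keyed check so a wrong key is rejected before any payload is touched."""
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def create_vault(password: str, key_file: Optional[bytes]) -> dict:
    """Return the public header a vault file would carry: salt plus check value."""
    salt = os.urandom(16)
    vault_key = derive_vault_key(composite_key(password, key_file), salt)
    return {"salt": salt, "check": check_value(vault_key)}


def unlock(vault: dict, password: str, key_file: Optional[bytes]) -> bool:
    """True only when the supplied password and key file reproduce the vault key."""
    vault_key = derive_vault_key(composite_key(password, key_file), vault["salt"])
    return hmac.compare_digest(check_value(vault_key), vault["check"])


if __name__ == "__main__":
    key_txt = os.urandom(64)  # stands in for key.txt kept on the USB stick
    pw = "long complicated but memorable"
    vault = create_vault(pw, key_txt)
    print("both factors  :", unlock(vault, pw, key_txt))
    print("password only :", unlock(vault, pw, None))
    print("key file only :", unlock(vault, "", key_txt))
    print("wrong key file:", unlock(vault, pw, os.urandom(64)))
```

The check value stands in for the header authentication a real vault format performs; the point is that each of the four attempts above costs the attacker one full KDF run, and the three without the genuine key file can never succeed no matter how many runs they afford.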

  2. Joe Werner Silver badge

    I guess a scammer...

    ...might not be able to get my card out of my wallet if the arsehole sits one continent away. Writing it on your card, as some people apparently do (why else would one warn explicitly against it) is much worse.

  3. Thomas Chippendale

    Best option

    It's the only practical option. It is impractical for most users to remember all the details required. One bank I use requires all of: A user ID number; an online password; an online PIN; a telephone banking PIN; a password for using the debit card online; and finally a debit card PIN. This is separate from the sort code and account number, or the debit card number, all of which I must already remember.

    Each of these six additional security items must be either remembered, or documented. Like many consumers, I have several bank accounts with multiple cards, and each of these has a similarly long list of details required. I have seven accounts with banks or credit cards. If each require at least four security values that is already twenty-eight separate items, on top of the card numbers and account numbers which many users will already remember as a matter of course.

    And it is not just banking: even transactions which did not previously involve any self-service access or any password now generally do. Examples include electricity or gas accounts, car or home insurance, airlines, railways or TfL, Uber, or any number of things.

    I do work hard to remember things and set proper passwords, but a few years ago the volume of passwords and ID numbers required made it no longer possible for me to do so without writing them down. There may be people who are able to remember the fifty or a hundred passwords needed regularly without writing them down, but I think most people are simply not able to remember a very large number of separate passwords.

    The realistic options are either:

    - to use the same password and PIN everywhere.

    - to write the passwords and PINs on a piece of paper.

    - to store them on a mobile device or computer.

    The third option is not perfect but it is much better than the two alternatives. It is, at least, encrypted. An end user must take some responsibility for security of a system and this is by far the best option of the three.

    I wonder what the article's author suggests as a better option?

    There is always the option of writing security details down in lemon juice invisible ink and then revealing the writing later by holding it near a candle. But you may not always have a candle (or lemon) to hand when out and about.

    1. Doctor Syntax Silver badge

      Re: Best option

      "There is always the option of writing security details down in lemon juice invisible ink and then revealing the writing later by holding it near a candle. "

      Anthracene solution and a UV lamp?

  4. jjk
    Facepalm

    Not as stupid

    ...as tweeting a picture of your shiny new credit/debit card (soon to be canceled for fraud).

  5. Anonymous Coward

    Feminists - More of you need to store passwords in phones!!!!!!

    "Almost twice as many males than females are likely to store passwords and PIN numbers on their devices "

    Do it in the name of female equality!!!!

    Anon 'cos I'm married and I like my testicles

  6. Ol'Peculier

    Not just millennials?

    I have the PIN number for my company card in my wallet, but in a way nobody would think it was a PIN simply because I only use it in a proper shop when I need something in a hurry. And I (unfortunately) was born a wee bit before the 80s

  7. Efros

    Hmmm.

    "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."

    Usually attributed to Albert E. but probably not one of his.

  8. Buzzword

    Bank account number/sort codes

    Back in the old paper days, your bank account number and sort code was printed in the corner of every cheque. The cheque system itself was ridiculously insecure: a piece of paper granting easy access to any sum of money in your bank account at any time. People stored cheques at home in ridiculously insecure conditions (e.g. in an unlocked drawer).

    Keeping your PIN safe is common sense; but it's hard to do any damage with your bank account and sort code. Jeremy Clarkson proved this in 2008 by publishing his bank details. The worst that happened was someone signed him up for a direct debit to a charity, which he was able to cancel immediately under the Direct Debit Guarantee.

  9. Martin0641

    Fails the Smell Test

    Who bothers to store a 4 digit pin?

    BTW I do one worse, I store my passwords in my Google drive and synch it to all my devices.

    Good luck guessing your way through the AES 256 encryption by the way.

    1. Jeffrey Nonken

      Re: Fails the Smell Test

      "Who bothers to store a 4 digit pin?"

      Anybody who has to remember too many of them.

      Anybody with an account they don't access via PIN regularly.

      Anybody who doesn't have a perfect memory.

      Anybody who is mortal and might want to leave their account details to whomever might have to take them over. Especially if they become disabled but not dead. Like, you know, growing old.

      1. e^iπ+1=0

        Re: Fails the Smell Test

        "become disabled but not dead"

        Lasting power of attorney (or whatever it's called) might suit your needs better.

        We set this up on behalf of a relative last year; haven't had cause to use it yet.

        More reliable than knowing a password which might change, and has the advantage of being legal!

        1. Doctor Syntax Silver badge

          Enduring power of attorney

          "More reliable than knowing a password which might change, and has the advantage of being legal!"

          But reportedly beyond the comprehension of many bank staff.

          1. BongoJoe

            Re: Enduring power of attorney

            But reportedly beyond the comprehension of many bank staff.

            Reminds me of the nice people in Yorkshire Bank, Sheffield. We had PoA over my father in law and there was a problem which needed me to ring them up.

            "Could your father-in-law pop into the branch?"

            "No, he's in a nursing home in Gwynedd and won't be able to hear you and if he could he won't understand you which is why I have this PoA arrangement."

            "Could you get him onto a bus to come to Fargate?"

            "From North Wales? "

            "Why? Is that far?"

            sigh.

  10. Norman Nescio Silver badge

    Offline device

    What would be useful is a device with guaranteed no network connectivity and a secure O/S designed specifically to store such stuff, much like a PDA. People use phones because they are convenient.

    If you had something like a PSION Revo, or other PDA with removable storage (like an SD card) on which was stored an encrypted database, then you could take a copy of the database for backup - just plug it into a new device if the old one breaks or is lost, and by only needing to remember one password for the device itself, have secure storage for all your PINs, passwords, and other items.

    Ideally, it would be open hardware, with no binary blobs/drivers etc. banks should really sponsor the development of something like this in addition to the PIN validation cards (CAP readers).

    1. Charles 9

      Re: Offline device

      Wouldn't you need online access to sync things between devices? Otherwise, what happens when you add or change an entry, forget about it then change another entry on another device, creating a mess of out-of-sync copies? Then you find you need the updated code from device A but all you have is device C and it's five minutes to close before a three-day weekend and the bills are due (and yes, I have actually, personally seen someone that damn desperate)?

      1. Doctor Syntax Silver badge

        Re: Offline device

        "what happens when you add or change an entry, forget about it then change another entry on another device"

        I think I can see where your problem lies.

        1. Charles 9

          Re: Offline device

          You'd be surprised just how many people today have poor recall. A lot of it is due to information overload. How is a person expected to be able to quickly recall hundreds of bits of random information, at random, every day. No amount of mnemonics can help in this kind of situation as the human brain wasn't built for stuff like that. Eventually, even the best among us mixes up "correcthorsebatterystaple" with "paperclipdonkeyreactorwrong".

    2. Steve K

      Re: Offline device

      Maybe I've misunderstood, but aren't you advocating carrying another device in addition to your phone in order to manage passwords?

      Pretty secure as you have outlined it, but prone to failure (in the sense that there are now more devices - and not just passwords - to forget/lose etc....)

  11. Hans Neeson-Bumpsadese Silver badge

    Obfuscation

    Provided the number is suitably obfuscated, I don't see any undue risk in storing a PIN in a device (or anywhere else).

    For example, the contacts section of my old Filofax used to include a phone number for "C Barclay", which looked like a regular phone number but the last 4 digits were my PIN (with some jiggery-pokery, like the digits were in reverse order).

    1. e^iπ+1=0

      Re: Obfuscation

      "C Barclay"

      That might be hard to spot for the average criminal, but if your bank had a more obvious name, "O NatWest" might give it away too easily.

      1. Doctor Syntax Silver badge

        Re: Obfuscation

        'but if your bank had a more obvious name, "O NatWest" might give it away too easily.'

        Nathaniel North?

  12. JLV
    Trollface

    Forgetting for a sec if it's millennials or pre-millennials, how clever are you, exactly, if the supreme effort of remembering a 4 digit PIN overwhelms the ol' noggin?

    Let's not stray into the complexities of passwords to X accounts and Y banks. Stick to just your main CC and debit cards. Can you really not be bothered to remember 2-3 somethings you use daily? And which protect your $? Apologies in advance to people with actual mental disabilities, it's not you I am making fun of.

    Idiocracy FTW.

  13. D@v3

    males vs females

    Do you think this might have anything to do with males, knowing (the concept of) good security, having different passwords / PINs for everything, and therefore needing to have a note of some of the less frequently used ones, whereas females, not caring so much because being hacked is something that happens to other people, only have one password and one PIN that they use for everything, and therefore have no need to write them down?

    I only say this because I was having a similar conversation with a female friend of mine recently, and she was quite adamant that her one password was fine, and didn't want any advice on creating easy(ish) to remember, but much more secure passwords. Whereas I (being of the male persuasion) have a variety of (what I consider to be) fairly secure passwords, but like many others have mentioned here, have some of the less frequently used ones stored in various (reasonably) secure ways.

    1. Anonymous Coward

      Re: males vs females

      misogynist?

  14. Anonymous Coward

    Mine's easy to remember; I use it for my luggage as well: 1234.

    It leads to a philosophical question as to if someone stores a 4 digit pin on a device that has a 4 digit lock screen. How would they ever unlock it?

    1. hplasm
      Happy

      Re: How would they ever unlock it?

      They keep the phone PIN on the nearest ATM...

  15. gollux
    Mushroom

    Welcome to the new millennium...

    It's time to join PETE...

    People eating tasty Eloi

  16. CanuckinOz

    Lastpass

    Who's to say they aren't all storing it in LastPass?

  17. Anonymous Coward

    Psychology

    I attempt to fool would-be thieves by enclosing a small slip of paper inside my wallet marked "PIN" with a number alongside that is *not* my PIN. The hope is that the ne'er-do-well would block the card after 3 failed attempts.

    1. Anonymous Coward

      Re: Psychology

      One for every card, and make them guess "is that a 1 or a 7? 3 or 8? 5 or 6?"

    2. Nigel 11

      Re: Psychology

      Even better, write "2 4 6 papa" (or something like that) on the paper. That makes the thief think that he has a 3/10 chance when it's really 0/10.

  18. cantankerous swineherd

    steal phone

    open browser

    go to banking site

    watch browser fill in user/pass

    1. Jeffrey Nonken

      Not gonna happen on my phone, nor any browser I use.

  19. Anonymous Coward

    MY PIN

    1784

    Sorted, I just need to remember this link now.

  20. Keven E

    Stats

    Don't you need a sample of 1500 to get a +-3% standard deviation of accuracy?

    This could be a lot worse and we could care a lot less.

    1. John H Woods Silver badge

      Re: Stats

      "Don't you need a sample of 1500 to get a +-3% standard deviation of accuracy?"

      Do you mean confidence interval? And it would depend on confidence level. For instance, with a population of 10,000,000, you would need a sample of (from memory) just over 1,000 to get a 95% confidence level of a 3 point confidence interval. But I think you need nearly twice that to get a 99% confidence level on the same interval.
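
The exchange above is the standard sample-size calculation for a proportion. The block below is an added example (not from the page or either commenter) that carries it through: it assumes the worst-case proportion p = 0.5, applies the finite population correction when a population size is given, and also turns the question round to ask what margin the article's 500-person sample actually gives. The z-scores are the usual two-sided standard normal quantiles.

```python
"""Sample size and margin of error for a surveyed proportion.

Added illustration, not from the page. Assumes worst-case p = 0.5 unless told
otherwise and applies the finite population correction when N is supplied.
"""
import math
from typing import Optional

# Two-sided z-scores for common confidence levels (standard normal quantiles).
Z_SCORE = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def sample_size(margin: float, confidence: float = 0.95,
                population: Optional[int] = None, p: float = 0.5) -> int:
    """Respondents needed so the half-width of the confidence interval is
    `margin`, given as a fraction (0.03 for +/-3 points)."""
    z = Z_SCORE[confidence]
    n = z * z * p * (1 - p) / (margin * margin)
    if population is not None:                 # finite population correction
        n = n / (1 + (n - 1) / population)
    return math.ceil(n)


def margin_of_error(n: int, confidence: float = 0.95, p: float = 0.5) -> float:
    """Half-width of the confidence interval for a sample of n respondents."""
    z = Z_SCORE[confidence]
    return z * math.sqrt(p * (1 - p) / n)


if __name__ == "__main__":
    pop = 10_000_000
    for conf in (0.95, 0.99):
        n = sample_size(0.03, conf, pop)
        print(f"{int(conf * 100)}% confidence, +/-3 points, N={pop:,}: n = {n}")
    # The survey in the article polled 500 people in total.
    print(f"500 respondents at 95%: +/-{100 * margin_of_error(500):.1f} points")
    # The 21% figure covers 18-24 year olds only, a subgroup of that 500;
    # 100 is an assumed subgroup size to show how quickly the margin widens.
    print(f"100 respondents at 95%: +/-{100 * margin_of_error(100):.1f} points")
```

Running it gives roughly 1,067 respondents for 95% and 1,843 for 99% at a 3-point margin, which is the "just over 1,000" and "nearly twice that" from the reply; the whole-survey sample of 500 comes out at about +/-4.4 points, and any age subgroup of it is wider still.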

  21. Kevin McMurtrie Silver badge

    In other news

    Millennials are getting mugged for not realizing that when a survey asks if your PIN is on your phone, you should always say "No."

    1. Nigel 11

      Re: In other news

      Coming soon: three-fingered millennials who thought unlocking a phone with their fingerprint was a good idea.

  22. Captain Badmouth
    Holmes

    Millennials?

    WTF happened to generation X?

    1. Huw D
      Coat

      Re: Millennials?

      Generation X?

      Billy Idol went solo and Tony James formed Sigue Sigue Sputnik...

  23. Anonymous C0ward

    What I do is

    change all my payment card PINs to the same, and keep that one in my head

    keep my passwords in LastPass, yes it's on my phone but encrypted and the app is protected by a different PIN

    phone itself, and SIM, locked with another PIN, plus full device encryption with a password

    2FA where possible

    1. Anonymous C0ward

      Re: What I do is

      Also I'm not a millennial, I'm Generation Y dammit.

  24. rtb61

    The problem is not the millennials; the problem is widespread passwords. What is needed is password-generating software: a password application that you install locally, with one password for you to access it, and it generates the passwords used to access other services. So when a password is requested, you use the app to generate and enter that password, inputting your own password to activate it.

    When it comes to accessing that site again, the request is sent to your password-generating app, which asks for your password, and once it is entered the site password is sent (you do not even need to know those passwords).

    You need to be able to install the app on multiple devices, so as to connect to the stored services and be able to harmonise those passwords, although it would be better if the services in question would accept more than one password per person, so your multiple devices supply different passwords; you just need to access that permission via your originating password app.
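
The comment above describes what is usually called a stateless or deterministic password manager. The block below is an added example (not from the page and not any product's code) of the core of one: nothing is stored, and each site password is re-derived from the master password, a user identifier and the site name. A counter is included so a single site's password can be rotated without touching the master password, which is the part such schemes most often get wrong. All names, the alphabet and the iteration count are assumptions for the demo.

```python
"""Stateless per-site password derivation.

Added illustration, not from the page. Assumptions: PBKDF2 for the slow
master-key step, HMAC-SHA256 for the cheap per-site step, a 75-symbol alphabet.
"""
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"   # 75 symbols
ACCEPT_BELOW = (256 // len(ALPHABET)) * len(ALPHABET)               # 225: rejection bound
KDF_ITERATIONS = 300_000   # assumption: slow step, run once per unlock


def master_key(master_password: str, user_id: str) -> bytes:
    """Expensive step, run once per session. The user id acts as a per-person
    salt so two people sharing a master password get different site passwords."""
    salt = b"pwgen-v1:" + user_id.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, KDF_ITERATIONS, dklen=32)


def site_password(mkey: bytes, site: str, counter: int = 1, length: int = 20) -> str:
    """Cheap, deterministic per-site step: HMAC(master key, site || counter),
    expanded block by block. Rejection sampling keeps every alphabet symbol
    equally likely (no modulo bias from mapping 256 byte values onto 75)."""
    if length <= 0:
        raise ValueError("length must be positive")
    label = f"{site}\x00{counter}".encode("utf-8")
    out = []
    block = 0
    while len(out) < length:
        stream = hmac.new(mkey, label + block.to_bytes(4, "big"), "sha256").digest()
        for b in stream:
            if b < ACCEPT_BELOW:
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
        block += 1
    return "".join(out)


if __name__ == "__main__":
    mk = master_key("correct horse battery staple", "alice@example.com")
    print("bank.example  c=1:", site_password(mk, "bank.example"))
    print("bank.example  c=2:", site_password(mk, "bank.example", counter=2))
    print("power.example c=1:", site_password(mk, "power.example"))
```

The trade-offs are the ones the comment brushes against: the counter has to be remembered (or recorded) for any site whose password was rotated, sites that reject a symbol in the alphabet need per-site rules that also have to be recorded, and changing the master password changes every site password at once, so "harmonising" across devices in practice means syncing that small amount of per-site metadata rather than the passwords themselves.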

  25. Anonymous Coward

    It's a jump to the left...

    Just add "1" and stick to that.

    Store your pin numbers on your phone, but add "1" to every digit.

    4542 becomes: 5653

    0712 becomes: 1823

    9073 becomes: 0184

    Jump by "3" if you prefer....

    1. Triggerfish

      Re: It's a jump to the left...

      I store all my passwords, by hiding the numbers in order in four individual places on the route to work. For some reason it doesn't work on the return journey.

  26. Seajay#

    Seems fine

    Turns out that the FBI can't get in to recent iPhones and even older ones require significant effort. Therefore this seems to be a perfect place to store your PINs.

    Also, the article says "The habit leaves young adults more exposed to online scams in cases where their devices are stolen or hacked.

    Once a device is breached, fraudsters can use data stored on it to access accounts, and also use a combination of data found to try to steal an individual’s identity."

    Your PIN is only of use if the attacker physically has your card so it's of no use if the device is hacked remotely. It's also of no use in the case of identity theft, your bank staff don't know your PIN so an attacker knowing it doesn't give them any advantage in stealing your identity.

    Now the other data on your phone is obviously hugely useful in stealing your identity, mostly your email account which is invariably the key to everything else. But what should we do differently? Not have email access or any other personal information on our smartphones? That kind of defeats the point of them.

    Now I think about it, it would be very useful to have one email address for password recovery (which you don't leave logged in) and another one for correspondence (which you have to leave logged in to get notifications). Most accounts don't support that though.
