MBNA Compromises Your PIN Number(s)

SlyOne_2

youknowwho wrote: »

yes, i understand that, it was his "secret PIN" that noone knows. The question is, how would he like to receive it? As it said in thefirst quote, he wasnt happy with it coming thru standard royal mail.

That's precisely the point. He doesn't want to receive it by any means whatsoever since this is his "personalised" secret PIN, to which he always changes his cards to. I don't think the OP would have a problem had it been a reset PIN or a new one that they send with any new card.

johnmoney05

Well, MBNA should have resetted the pin and sent it out, of course given some warning as well.
I received a pin reminder as well, but that was Conran card with MBNA, which they already told me that they were going to change it. Then I received a new card after a few days.
I have changed all card pins now, not a big issue, after all, I do want to change the pin after a while.
But I would rather they told me my pin would be the same I have been using.

PropertyGuru

there's nothing bad about MBNA on the http://www.factlocker.com

youknowwho

Yes, i understand that its his secret pin, and he never wanted it sent out in the first place. But the same could be sent for the statemnet or the card itself coming thru the post, someone could intercept that, and then they would have the card number, and even the CVV2 number. If someone intercepts the PIN, then its absolutley useless without the card! So, know do we have to tell the card companies to not send us statemnts or new cards because it could be intercepted?I just feel that it was a complete over reaction on his/her part, i understand that he never asked for it, but its probably a marketing tool, just to get u using the card if you weren't already. And they shoudn't have the same PIN number for all the cards.

Meatballs

youknowwho wrote: »

yes, i understand that, it was his "secret PIN" that noone knows. The question is, how would he like to receive it? As it said in thefirst quote, he wasnt happy with it coming thru standard royal mail.

Banks through to webpages shouldn't post out people's chosen passwords EVER. The original password/pin should be encrypted and thus completely unavailable to everyone (including any automated computer that print out PIN letters) unless they know the password - ie only the customer.

If the customer forgets. a new random password should be generated, which the customer should change when they receive it.

That way if the mail gets intercepted it can only be used on that one individual card as people do use the same PINs/Passwords for other services (they theoretically shouldn't but I cant remember 50 different passwords!).

Banks shouldn't send out unsolicited PIN reminders unless people request them to reduce the chance of interception. You dont need someone to send you your PIN when you recieve a replacement card, they could just send a letter saying your PIN will remain the same! :mad:

Meatballs

youknowwho wrote: »

But the same could be sent for the statemnet or the card itself coming thru the post, someone could intercept that, and then they would have the card number, and even the CVV2 number. If someone intercepts the PIN, then its absolutley useless without the card!

If they intercept your statement they don't have your CV2 or your expiry date. So they shouldn't be able to do card not present transactions (phone/internet shopping).

If they intercept your card, they will have your CV2 and expiry date. But to authorise the card they have to give your registered address. Invoices should then be sent to your home address so you should recieve invoices for any fradulent activity on your card. They would also have to send it on to you to activate it - unless they knew your DOB or security questions. Their delivery address/phone/internet would help to lead a paper trail.

If they intercept your PIN, they do need your card (or to clone it). But then they can take out cash at an ATM, and go straight into a shop and buy something then disappear without a trace.

It's all about minimising the risks - and sending someone's original PIN through the post is completely unnecessary.

jonesMUFCforever

Meatballs wrote: »

It's all about minimising the risks - and sending someone's original PIN through the post is completely unnecessary.

How does one get a PIN if they do not use the internet?

Karl.H_2

I am no expert, but my card PIN (not credit card) came by post; however, the PIN was covered by paper which – once remove – tore so that you knew it was tampered with. If you feel it's a problem simply change the PIN.

keithy1

The WHOLE point of having a pin in the first place is that it is secret. It is not supposed to be posted, via any insecure medium whatsoever.

When I run a web-site, any website no matter how trivial it may be, users entrust me with their passwords. It is good practice never to store those passwords in a non-encrypted form. In fact it is considered best practice to use a method where no-one else except for the person with the account can read the password. I am only able to reset it, I cant read the unencrypted password.

If I EVER emailed password reminders, which I cant (see above) I would expect a barrage of emails from people complaining that I had compromised their security. Since emails can be snooped by anyone else on the network, or on any segment of the network between you and the sender.

If a utility company leaves its web servers open to be hacked and makes everyone's credit card numbers visible this makes national headlines.

What MBNA is doing is sending pin numbers through the post, and since they informed me that they do not reset them, or randomly generate new pin numbers on old accounts this means that every MBNA customer who does not use their card for a period, will at some point have their PIN number sent through the post!

Since I am surely not the only MBNA customer (or hopefully ex-customer) Anyone in shared accomodation, students, lodgers, etc, knowing this can simply wait patiently and KNOW that a WORKING pin number is on its way, and the card is likely to follow shortly. If the Landlord is away, or has let the decorators in for a spell, the lodger/decorator can use these cards, or perhaps any others that they may "stumble upon" undetected.

Yes I am scaremongering: this happened to a friend of mine.

So, now that MBNA is known to be sending out working, already in use pin numbers, all of a sudden it becomes very worthwhile for every petty-criminal/gambling addict to rifle as many mail boxes as possible, just in case they get lucky.

best regards

Keith

Karl.H_2

keithy1 wrote: »

If I EVER emailed password reminders, which I cant (see above) I would expect a barrage of emails from people complaining that I had compromised their security. Since emails can be snooped by anyone else on the network, or on any segment of the network between you and the sender.

I agree, when I receive e-mails clearly showing my passwords I get annoyed; if I requested it, however, that's okay because I simply delete it afterwards.

keithy1 wrote: »

If the Landlord is away, or has let the decorators in for a spell, the lodger/decorator can use these cards, or perhaps any others that they may "stumble upon" undetected.

Obviously that wouldn't be an issue for home owners. Lets say a PIN reminder is posted to you and someone steals it, what can they do without your card, unless your card number is posted on the letter.

With any financial information you want it to be secure, so if moving company will make you feel secure surely it's a good thing.

Will you be moving?