Dictionary attack against 4-digit PIN


#1

Hi RW folks,

Thanks for implementing a PIN to help prevent unauthorized porting out / account hijacking. I noticed that the PIN must be exactly 4 digits, which gives a hacker a 1 in 10,000 chance of guessing it. Can you please confirm that Republic Wireless does something to prevent a hacker from quickly trying all combinations until he guesses the PIN? (E.g. block porting for some time after several failed guesses; contact the customer to alert them to the problem, etc.)

Also, could you please consider allowing longer PINs to make guessing more difficult?

Sorry for my paranoia. An increasing number of financial institutions rely on text messaging as a step in proving identity. This is problematic for various reasons, one of them being how easy it might be for hackers to port a number. With the Equifax hack making the news today, I’m feeling extra paranoid…

Thanks!
Jason


#2

PINs are PINs and not passwords. PINs are four digits.


#3

Yes, that is true. What I am asking for is reassurance from the RW team that they have implemented something that prevents someone from cycling through all 10,000 combinations of those four digits until they discover the PIN. Kind of like a bank does for ATM cards: if you input the wrong PIN too many times, the bank will block the card until you contact them, prove your identity, and ask them to unblock it.

Further, I am asking RW to consider increasing the number of digits. This is to prevent a lucky hacker from guessing the PIN on the first few tries and take over your phone number. The chances of this might be only several in 10,000 but when your phone number is used to prove your identity to financial institutions (via text messaging, for example) then you might want the odds to be lower than that. Having a longer PIN would lower the odds.


#4

Hi @Jason,

Thank you for your feedback and concern.

I did hear an interesting conversation in the office the other day about the decision to use 4-digit PINs. It seems if you ask for a 5-digit PIN, people tend to use their zip code, which we’d rather avoid. Six and up, people tend to forget… (I know…)

As we are still in the initial stages of rolling out some account updates, I don’t know that we’re ready to spell out what precautions may be in place, as doing so sometimes helps the attackers as much as it assures the users. I will, however, ask the team responsible for communication about this implementation to consider including some discussion of security measures as they continue to update our members on this topic.


#5

@southpaw thank you for bringing this to the team. I am concerned about porting attacks such as those described in this article https://mobile.nytimes.com/2017/08/21/business/dealbook/phone-hack-bitcoin-virtual-currency.html. In the anecdotes there, it sounds like hackers had less success trying to guess a four digit PIN than calling the phone company back repeatedly until they got an agent who agreed to proceed without the PIN. That gives some confidence that the four digit PIN approach might be ok.

But consider this from another perspective: nobody would use a four digit numeric password on important accounts such as email, a retirement account, etc. It just seems “too risky” that someone could guess that number and take over the account. Phone numbers can be pretty important. Securing the ability to port a phone number with a four digit PIN seems similarly risky, IMHO. Thanks again for your consideration.


#6

Most people would gladly use a four digit PIN to access their important account but are prevented from doing so by the security experts…


#7

That’s ironic and true. After 26 years using the same 4 letter password for my Juno account, I finally changed it to a longer password. I have to change the password on my GMail and Yahoo accounts just about every year.


#8

Out of curiosity, how long is the PIN on your ATM card? Mine is 4 digits, and that’s all that the bank allows.

In any case, while Republic may have some protections, which they rightfully won’t detail, also remember that each port attempt has to be submitted by a gaining carrier. I can’t imagine there are many carriers that would submit the request 10,000 times, each with a different PIN.


#9

Just in the last couple of weeks, I’ve come across 2 people whose cell phones have been hijacked and the bad guy started withdrawing their funds from financial institutions.

Will RW be putting in a more secure manner for cell phone # porting?


#10

Hi @elizabethb.tr7aqx,

At this time we are still supporting only the 4-digit PIN. I will make sure to bring your concerns to the right team, though.


#11

Are you saying that these people had PINs with their carriers and the bad guy was able to submit the thousands of port attempts that would be required to dictionary attack a 4 digit PIN?


#12

Louisdi:
I would like the answer to that one too! Hopefully after about 5 attempts to port, they would lock down our account!


#13

Republic sends an email notification every time a port is attempted with an incorrect PIN. Simply responding to that email would be the prudent course of action. No need to wait for more than one attempt.
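Added illustration, not code from this thread or from Republic Wireless: the lockout-after-several-failures policy asked for in #3 together with the notify-on-every-wrong-PIN behaviour described in #13, plus the odds calculation behind the 4-digit versus 6-digit argument. The account names, PIN values, five-failure threshold and 24-hour lockout are assumed sample values.

```python
import hmac
import time

MAX_FAILURES = 5              # assumed policy: wrong guesses before port-out is blocked
LOCKOUT_SECONDS = 24 * 3600   # assumed policy: how long porting stays blocked


def guess_success_probability(digits: int, attempts: int) -> float:
    """Chance an attacker hits a uniformly random PIN within `attempts` tries.
    4 digits / 5 tries = 0.0005; 6 digits / 5 tries = 0.000005."""
    space = 10 ** digits
    return min(attempts, space) / space


class PortOutPinGuard:
    """Per-account failure counter with lockout and customer notification.
    Constructed example; a carrier would persist this state server-side."""

    def __init__(self, pins, notify, clock=time.time):
        self._pins = pins            # account -> PIN (store only a hash in production)
        self._notify = notify        # callback(account, message), e.g. sends the email
        self._clock = clock          # injectable for testing
        self._failures = {}          # account -> consecutive wrong attempts
        self._locked_until = {}      # account -> unix time the lockout expires

    def is_locked(self, account: str) -> bool:
        return self._clock() < self._locked_until.get(account, 0)

    def verify(self, account: str, pin_attempt: str) -> bool:
        """Return True only if the PIN matches and porting is not blocked."""
        if self.is_locked(account):
            # Even a correct PIN is refused while locked; the owner is told either way.
            self._notify(account, "port-out attempt while account is locked")
            return False
        expected = self._pins.get(account, "")
        if hmac.compare_digest(expected, pin_attempt):   # constant-time comparison
            self._failures[account] = 0
            return True
        self._failures[account] = self._failures.get(account, 0) + 1
        self._notify(account, "port-out attempt with incorrect PIN")   # as in #13
        if self._failures[account] >= MAX_FAILURES:                     # as asked in #3
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            self._notify(account, "port-out blocked after repeated wrong PINs")
        return False
```

With the lockout in place an attacker gets at most MAX_FAILURES guesses per lockout window, so the 1-in-10,000 figure from #1 becomes the per-window odds shown by guess_success_probability rather than a certainty after 10,000 submissions.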