← Back to context

Comment by extraduder_ire

1 year ago

Does that not cause problems on some card machines? I've come across a few that definitely don't let you put in more than four digits.

16 comments

extraduder_ire

Reply
sltkr  1 year ago

Surprisingly, no, or at least it's not common.

I'm from a country that has 6-digit PINs on most cards, and I've traveled to e.g. the United States where people are surprised that credit card PINs can be more than 4 digits, but in my experience, terminals accept them just fine. It seems like they are designed to suggest a PIN is only 4 digits but they will happily accept more. So while you're entering your PIN, the display looks something like:

    [....]
    
    [*...]
    
    [**..]
    
    [***.]
    
    [****]
    
    [*****]
    
    [******]

And then you hit OK and the PIN is accepted.

hakfoo  1 year ago

For some reason, a lot of credit card processing APIs are still oriented around physical card machines, so they have a lot of fields devoted to self-declaration of the available features.

Some of the APIs allow the machine to say "I can accept a PIN up to 12 digits".

However, I don't know if anyone 1) actually delivered on it and 2) how you'd know in advance just poking random devices in stores.

jiggawatts  1 year ago

That provides very valuable information: DO NOT TRUST this machine to be secure!

Similarly, any web site or app that can’t correctly handle a space character at the end of the password should never be trusted with anything of consequence.

  • lxgr  1 year ago

    Why? PINs are limited to 4 digits in many markets, so it's not exactly extreme for a developer to not consider the (to them) edge case of 6 digit PINs on foreign cards.

    Conversely, it seems very possible to support 6 digit PINs and yet still make a ton of horrible implementation mistakes, security and otherwise.

  • lobsterthief  1 year ago

    Why is the space thing inherently insecure? I’m thinking bad form validation could trip it up and be considered “not handled” vs concerns suggesting plaintext storage

  • quietbritishjim  1 year ago

    Are you really worried that a card machine is going to leak your PIN? That doesn't seem to be a common attack vector compared to a third-party skimmer being attached or someone just mugging you and demanding your PIN under threat of physical violence.

    To answer the actual question: I don't know because I left my PIN at 4 digits, despite knowing I could use more, precisely because I didn't think it would really make my life any more secure.

    • jiggawatts  1 year ago

      I'm not worried specifically about the PIN leaking.

      The concern is that a 4-digit max PIN length is certainly implemented by someone who couldn't be bothered to read the spec for secure credit card transaction handling.

      It's the equivalent of the "No brown M&Ms" clause or "Canary in the coal mine" test.

      Nobody actually cares about the M&M color or some dumb bird.

      8 replies →