76

My new girocard did not reach me. I wanted to call the bank to block the old and get a new one. So I checked my online banking and found a phone number ("Block card: girocard or visa card lost? Call 04106-...). I called said number, and I talked to a real person. So far, so good. The person wanted my Online-Banking PIN, through the phone, before doing anything.

Is this normal and safe operation, or was I correct to politely end the conversation?

What happens if my card is misused after tomorrow? I called their hotline to get it blocked, but they didn't want to do anything without my online banking PIN.

FooBar
  • Imagine the potential for malicious reporting, if the bank cut off credit cards without verifying the caller. – Criggie Jan 15 '18 at 21:22
  • @Criggie And, utilizing the same PIN used to access funds is NOT the proper way to validate a caller - ever. – maplemale Jan 15 '18 at 21:27
  • @maplemale agreed - multiple questions of "what was the last transaction on the card" or "what is your credit limit?" or similar. Many T&C will have a line like "do not disclose your PIN to anyone" and that's pretty clear. – Criggie Jan 15 '18 at 21:30
  • GiroCards are usually Visa or Mastercard, aren't they? Couldn't you call Visa / Mastercard instead and report it lost or stolen that way? – maplemale Jan 15 '18 at 21:32
  • Some banks do have a legitimate way for this: a computer answers and offers login using the PIN, then connects you to customer service. However, you should not give out your PIN if a person asks or you don't have docs for the phone login system. – Sampo Sarrala - codidact.org Jan 15 '18 at 21:36
  • @SampoSarrala True... but there are specific rules put in place by the various processors (such as Visa/Master) which banks have to abide by. Validation of PII/PCI data are part of those rules aren't they? When I worked in this industry, I specifically remember the PIN validation being one of those rules and a very adamant statement of - "Memorize these rules, or the little Visa sign on our cards could disappear some day." – maplemale Jan 15 '18 at 21:43
  • Is the "Online Banking PIN" distinct from the PIN on the card? I would never give my card PIN over the phone, but if my bank had some other PIN-style verification code that they used for my online account, that is a different question. – Baracus Jan 15 '18 at 21:44
  • @Baracus it should be. You should never ever give your card PIN to anyone except a verified ATM or electronic card reader payment system; these should also be checked for validity. – Sampo Sarrala - codidact.org Jan 15 '18 at 21:51
  • Note that this is distinct from your bank's automated phone system asking for your PIN (which you dial in), which is how some banks in Canada work. – Schism Jan 15 '18 at 22:44
  • It would help to know your bank, e.g. Deutsche Bank in Germany has a separate phone banking PIN, they wouldn't ask for your online banking PIN. – Joni Jan 15 '18 at 23:01
  • Did they want you to **tell** the code or **type** it into the phone? If the latter, it is possible that the system verifies the PIN and only displays the result of verification to the operator: **Verified** / **Not verified**. – VL-80 Jan 16 '18 at 01:16
  • Similar to what Baracus has indicated, my bank has a PIN which is solely used for authenticating myself to other humans. It's not my online password, and related to my bank account, not the card. This kind of PIN is a pretty good idea IMO. – Nathan Merrill Jan 16 '18 at 04:53
  • Banks in Germany typically have a dedicated phone banking PIN, but for blocking (without reissuance), no PIN is required. – pmf Jan 16 '18 at 08:21
  • @maplemale "*And, utilizing the same PIN used to access funds is NOT the proper way to validate a caller*" - which is not what happened, so calm down. – FooBar Jan 17 '18 at 08:16
  • Posting here because I don't have enough rep to post in answer form. In Spain it is routine to authenticate oneself by *typing* one's PIN code into the phone's keyboard, to a system that (presumably) only returns *Verified / Not verified* to the operator you were talking to. Other systems require you to type your ID Document Number and then your PIN; afterwards, you're handed off to an operator who already has your credentials. For further authorization of transactions we have a code card, with typically 100 4-digit codes. Each op will require 1 randomly chosen code. – Nubarke Jan 17 '18 at 12:58
  • Every answer and comment here shows that no one understands how ATM cards + PIN work. People are confusing the PIN with a password, which it is not. Passwords do not get stored (traditionally) in databases because it is the result of the algorithm that is stored: you enter the same PW, the algorithm matches the stored result, PW = good. For ATM cards it is the card's code + PIN + private key found in the ATM machine that allows it to proceed. So the PIN is 4 characters of a 1000-character password, if you want to see it that way. That being said, humans need to be comforted that a PIN is to remain secret. – Frank Cedeno Jan 17 '18 at 13:25
  • The bank is probably [comdirect](https://www.comdirect.de/). The support Q&A doesn't really mention a dedicated phone banking PIN but an online banking PIN (which isn't related to the card PIN). – klanomath Jan 17 '18 at 14:50
  • Did you call the phone number that was on your bank paperwork? Or did you call some number you found on a Google search? Because gaming search engine algos to present wrong results for #1 is not that hard. – Harper - Reinstate Monica Jan 18 '18 at 22:59
  • As per [c343810](https://security.stackexchange.com/questions/177654/bank-wants-my-online-banking-pin-through-the-telephone#comment343810_177675), it's not clear what you're referring to by the "online-banking PIN". Could you elaborate? Is it the only PIN? Is it digits or letters? What does the agreement with the bank say about its purpose? Without this info, it's impossible to give a definitive answer. – ivan_pozdeev Jan 19 '18 at 22:56
  • It's bad enough when a bank phones a customer and asks them security questions. They called me, and I know who I am. – Jon Hanna Jan 19 '18 at 23:09
  • I thought the standard procedure was to ask for three randomly selected digits/letters from a PIN/password, so that the full value is never disclosed. Nobody asks for the whole thing these days. – William Robertson Jan 21 '18 at 10:52

10 Answers

90

It is becoming quite commonplace in the US. Many banks and other financial institutions require the caller to provide an identification number that has been set up beforehand to verify they are indeed talking to an authorized user of the account.

They used to ask for personal information - social security number, old addresses, security questions, etc. Those have begun to fall out of favor.

The 'telephone PIN', or user PIN, is not the same PIN as your debit or credit card PIN, nor is it your online account password. It can also be used as a secondary verification method when logging in online or when retrieving or resetting the online password.

So, no, it is not a sign of phishing necessarily and it is good that you found it suspicious and ended the conversation instead of blindly giving someone your PIN.

Tracy Cramer
  • Shouldn't the TPIN be entered into an IVRS of some sort and not verbally told to a human? – muru Jan 16 '18 at 07:13
  • I once forgot my online banking password and wanted it reset, but didn't know my latest balance to identify myself. I called again five minutes later and just asked for my balance. That only required my birth date and address as verification. And then I called again to reset the password. A reset password (where the new one is sent by post) is not too bad, but I was a bit shocked how easy that was. So a telephone PIN definitely seems like a good idea. – lucidbrot Jan 16 '18 at 09:57
  • @lucidbrot Wouldn't it be easy for phishing to just list their own number and request the PIN and "transfer" you and possibly disconnect you? I would personally rather be locked out than risk losing funds through phishing. But a one-time PIN authenticator app could solve this issue. – Nightwolf Jan 16 '18 at 12:15
  • @Nightwolf yes, but it's better than just asking for some other verification which can also be captured by the phishers but is easier to get. – lucidbrot Jan 16 '18 at 12:58
  • @TracyCramer The OP clearly stated that the agent at the end of the line asked for his/her "Online-Banking PIN". – Tom K. Jan 16 '18 at 12:59
  • At least here in Russia, a password for telephone requests is not called a "PIN" but rather a "codeword". So, it's not clear what the OP is referring to. – ivan_pozdeev Jan 19 '18 at 22:52
81

In my opinion, you did the right thing. There is no situation in which you should ever be required to give up a PIN either over the phone or in person, with the exception of typing it into the bank's (HTTPS) website to log in to your account or into a physical banking terminal such as an ATM.

The entire purpose of a personal-identification-number (PIN) is to be a unique number that you and only you know, allowing you to authenticate yourself.

I would recommend finding a physical banking location where you can go in person and talk to someone about your experience and the issue you were having that led to you making that phone call.

It is entirely possible the phone number was for the real banking institution and the phone operator was new or inexperienced and made a massive mistake, but there is no good reason for a person to give up a PIN to another person.

Hope it helps!

dFrancisco
  • Downvoted: Today most banking customers have several PINs. One for withdrawing money from an ATM, another for online banking and sometimes a third for phone banking. OP is clearly not talking about the PIN that is connected to his card, but about his "Online-Banking PIN", which are two different things. A PIN for online banking is used for authentication for - you guessed it - online and in some cases telephone banking. So it is *intended* to be typed into your phone (and sometimes even given to a person, but this isn't good practice). – Tom K. Jan 16 '18 at 10:31
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/71906/discussion-on-answer-by-dfrancisco-bank-wants-my-online-banking-pin-through-the). – Rory Alsop Jan 19 '18 at 07:32
  • @tom It might be country-dependent. Here in Italy many banks and credit card issuers mail their clients about best practices to avoid phishing and tell them explicitly NOT to reveal any password or PIN numbers by phone or mail because their true employees will never ask for them. I know of at least one online banking system which requires both a password and a 10 char alphanumeric PIN to access the site, and the PIN is never typed in its entirety: only 2 out of 10 chars, in specified random positions, are requested at each access. So asking for the online PIN might actually be suspicious. – Lorenzo Donati support Ukraine Jan 22 '18 at 06:34
  • Upvoted, an "Online Banking" PIN should never be known to bank staff that have access to logon IDs. They will sell it. This does happen. That PIN should not be the same as the one used for phone banking, and the password for call centre contact should be different again. Typing into an IVR/VRU system is reasonably safe, but the tones can be recorded and decoded (if using a hotel PABX, say). Most banks have extra protections on IVR/VRU activity nowadays, such as low transfer limits between accounts. – mckenzm Dec 26 '18 at 19:42
28

As there has been some confusion here, I wanted to add another (and hopefully last) answer to consolidate all the information that is flying around.


First of all, what kind of PINs are there in today's banking world?

Cardholder PINs:

This is the PIN that belongs to your debit or credit card. Unsurprisingly, there's also an ISO norm on how to manage PINs like this, so this will be pretty routine for nearly all banks. There are a lot of instances where you will have to give your cardholder PIN to a machine, that is, when you are paying for something or withdrawing money.
No serious bank will ever ask you for that number; if somebody does, it's probably a scam.

PINs for phone banking:

Most banks (that I came across at least) have a separate PIN for phone banking. This is a PIN that you can authenticate yourself with over the phone towards an agent or an automated system (see similar questions here, here and especially here). Take a look at these, they will answer most of the surrounding questions you might have.

PINs for online banking:

This is the PIN that you use for all your online banking needs. To be frank, your PIN for online banking is pretty much a password for logging into your online banking account. Some banks do wonky stuff with your online banking PIN, but most banks don't. What they will do is pretty routine and exactly what you would expect from normal behavior around managing sensitive passwords. Most banks use this PIN only for online banking. BUT some banks do use this PIN for phone banking as well (it was news to me at first too).

What's the big difference here?

A cardholder PIN is used to directly access your funds (while in possession of your card). That makes it much more valuable than the other two. Why? Because with PINs for online and phone banking, you access a system to manage your funds. If these systems are well designed, you will need a second factor to authorize any changes that are made. Be it transferring money, establishing a banker's order or changing your address. So theoretically an adversary has taken a big step towards gaining control of your bank account, when he/she steals one of the latter PINs, but can't really do much, without also having control over whatever supplies your second factor.


So now what?

Different PINs typically authenticate you against different systems. If a bank uses the same PIN for two different systems, that might not be the best way to do it, but it is a way to do things. If you are uncomfortable with this, ask for another form of authentication. Find out what the bank's typical form of authentication over the phone is. If there is no information on the interwebz, just call again, wait for another agent and see what kind of credentials he/she wants. If you don't trust a human agent, ask for authentication against an automated system. Someone could be listening, though.

Conclusion:

This is not the worst thing in the world. It is not best practice (from my experience). It is not very reassuring. But this does not mean, that all your funds are gone tomorrow.

If this does not fit your threat model, you can always threaten to leave the bank for another company, if they don't change their policy. Tell them why, maybe they'll do something about it. Leave if they don't. This is especially true if they don't have any form of 2FA within their systems.

Phone banking is always a tad insecure, because other humans are involved. And humans tend to make mistakes and in some case can be criminals.
There is a simple solution for that: stop using phone banking.

Important: Most of the solutions that were mentioned in the comments do not solve this problem. Automated systems can be hacked or be exploited, security questions can be recorded etc. If an agent working in a call center that handles phone banking wants to scam you, he/she probably can - if there are no security controls in place.
The good thing is, most banks do not let that happen, because a lot of smart people work there who rack their brains about these things.

You know why? We're not the first guys and girls that worry about getting scammed.

Tom K.
13

I'm not sure about your specific situation. But my bank (in the Czech Republic) has provided me with a special 10-digit code. This code is called a Telebanking PIN and is used as a means of verification.

When I call the telebanking hotline the operator will request up to 6 positions of this secret code. The idea is that only the rightful owner of the account would have this access code.

This is NOT a PIN for my card, it is a special code applicable only for telebanking.

jnovacho
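How a positional check like this one (and the "2 out of 10 chars in random positions" scheme in Lorenzo's comment above) can be implemented on the bank's side, and why the agent only ever sees Verified / Not verified, as an added example that is not part of this answer, the question, or any bank's real system. The parameters are assumptions taken from this answer: a 10-digit telebanking PIN, 6 positions challenged per call, an in-memory record per customer and a three-strike lockout.

```python
"""Positional telebanking-PIN check as run by an IVR.

Added example written for this page; it is not code from the original
question, answers, or any bank named there. Assumed parameters: a
10-digit telebanking PIN with 6 positions challenged per call (the
numbers in the answer above), an in-memory record per customer and a
lockout after three consecutive failures.
"""
import hashlib
import hmac
import secrets

PIN_LENGTH = 10
CHALLENGE_SIZE = 6
MAX_FAILURES = 3


class PositionalPinVerifier:
    """Bank-side record for one customer's telebanking PIN.

    Because only a few positions are ever asked for, the server cannot
    keep one hash of the whole PIN; it keeps a salted HMAC per position.
    That is the trade-off of positional checks: each per-digit value has
    only ten candidate preimages, so the record must be treated as a
    recoverable secret (HSM, narrow access), not as a password hash.
    """

    def __init__(self, pin):
        if len(pin) != PIN_LENGTH or not pin.isdigit():
            raise ValueError("PIN must be %d digits" % PIN_LENGTH)
        self._salt = secrets.token_bytes(16)
        self._digests = [self._digest(i, d) for i, d in enumerate(pin)]
        self._pending = None   # positions asked for in the open challenge
        self.failures = 0
        self.locked = False

    def _digest(self, index, digit):
        msg = b"%d:%s" % (index, digit.encode())
        return hmac.new(self._salt, msg, hashlib.sha256).digest()

    def challenge(self):
        """Server chooses the positions (1-based, as read out to the caller).
        The caller never gets to pick them, or a phished partial PIN would do."""
        if self.locked:
            return None
        picked = secrets.SystemRandom().sample(range(PIN_LENGTH), CHALLENGE_SIZE)
        self._pending = sorted(p + 1 for p in picked)
        return list(self._pending)

    def verify(self, digits):
        """Check the digits keyed in (DTMF) for the open challenge.

        Returns only True/False: that is all an agent's screen should
        show; the digits themselves stay inside the IVR.
        """
        if self.locked:
            return False
        positions, self._pending = self._pending, None   # one answer per challenge
        if positions is None or len(digits) != CHALLENGE_SIZE:
            return self._fail()
        ok = True
        for pos, d in zip(positions, digits):
            # compare every position so timing does not reveal the first mismatch
            if not hmac.compare_digest(self._digests[pos - 1], self._digest(pos - 1, d)):
                ok = False
        if not ok:
            return self._fail()
        self.failures = 0
        return True

    def _fail(self):
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False
```

The caller keys the digits into the IVR rather than speaking them, so a human agent never handles the secret; what the agent's desktop receives is the boolean from `verify`. The lockout is what keeps the per-position storage tolerable: without it, six guesses of a single position would recover that digit.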
5

I think a lot of people got to the heart of the issue here but I'll chime in. A lot of banks these days do ask for some sort of secondary authentication when doing business over the phone. This may be a phone PIN (separate from your debit card pin) or a word or phrase - such as the make and model of your first car (if you've shared this information with them).

The experience you had does not strike me as strange but I think it was smart of you to end the conversation if you were uncomfortable/unsure. What I would recommend is just reaching out to your bank's customer service line and asking their methods for validating identity over the phone. If asking for a phone PIN is a part of it (or if not) that should answer your question right there.

I've also run into instances where I've setup a phone PIN or phrase and promptly forgot it so if you are unsure you can always ask if there is another way to validate your identity - it usually involves answering more questions but at least you wouldn't be giving your PIN up.

To drive one point home, if your bank does use a phone PIN, YOU need to make sure it's different from your debit card PIN. If you chose to re-use your PIN you're heightening the risk of compromise.

  • I don't want to split hairs, but I would assume that - if possible - the bank would check if the PINs are the same. Even if it's not possible to check, the probability for this (let's say your two PINs are numbers between 0000 and 1000) is pretty low. To prevent this from happening altogether one PIN could only consist of numbers, another only of letters and a third of a combination of both. – Tom K. Jan 16 '18 at 17:45
4

If they had called me, I would have adamantly refused to give up my PIN and broken off my relationship with the bank.

Let's look at what a PIN is (no, not a "PIN number"). It's a Personal Identification Number. That's so you and only you can use it for certain personal transactions. There's no reason for the bank to want it.

I would have wanted to talk to a supervisor on the phone. Maybe they wanted to establish your identity so they didn't get someone calling in a spurious card cancellation. If that's the case, however, there's a lot of other info available on your account that can be used. Either way, there's no reason to get your PIN.

What happens if the card is misused? It sounds like you're not in the US, so US laws would not apply. I'd suggest looking up your local laws about this - some jurisdictions make you less responsible for fraud than others.

baldPrussian
  • The purpose of a PIN is to identify you (the person) to the bank as an authorized user of the card or account. Whether using an ATM, or a website, it is still the bank that receives your PIN and verifies that it is you. Sharing it over the phone is less secure because you cannot easily identify the other party, or guarantee that others aren't listening in. But using a third-party ATM is less secure, because now two banks have to handle your PIN (and you assume they are being really careful with it.) – jpaugh Jan 15 '18 at 23:12
  • This answer also does not take into account what a phone [banking PIN](https://security.stackexchange.com/questions/177654/bank-wants-my-pin-through-the-telephone#comment343082_177656) is. Also the proposed reaction seems a bit exaggerated. – Tom K. Jan 16 '18 at 10:32
  • If they call you, the best thing to do is to call them back. It might not have even been them calling in the first place. Would be a shame to do all the work of moving your accounts because you got a phone call from a phisherman. – J... Jan 16 '18 at 12:38
  • There is no reason for a bank to want you to tell them your "online banking PIN"? By its name alone, it would appear to be necessary to give to my bank. And the OP called the bank, not the other way around. – schroeder Jan 17 '18 at 20:30
2

This is indeed a normal procedure for many banks.

However it is to be noted that:

  • You should NOT disclose the PIN to an operator
  • Instead you dial the PIN on your phone keypad, NOT orally, usually BEFORE talking to an operator.
  • This is your banking login PIN and not your credit/debit card PIN
Antzi
  • What guarantee is there that typing it into a phone is non-accessible to humans? This is basically no different from just telling a person on the phone. You need to distinguish that the PIN requested is not the same PIN you use on your card. – Octopus Jan 17 '18 at 18:47
  • Without knowing the implementation you don't. I'm just saying that this is a standard practice, not that it's a good one. – Antzi Jan 17 '18 at 23:35
2

It's very bank-specific, but for example in Finland that would be unheard of! The banks actually specifically warn that they will under NO CONDITIONS ask for your PIN code, and you should never hand it out or store it together with your card.

Verification happens via one-time-use numbers either from challenge number list you receive from the bank, or more commonly via a bank-provided mobile app with the same principle. And that app is tied to your phone number which you specifically personally authorize in your bank (online, or in person). Equally, you can revoke the number, which immediately prevents the app from being used, even if you know the app PIN code and stole the physical phone.

Juha Untinen
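The challenge-number-list variant described in this answer (and the "code card with typically 100 4-digit codes, each op requires 1 randomly chosen code" in Nubarke's comment under the question), as an added example that is not code from any bank or from the posts above. The card size, code length, lockout threshold and in-memory storage are assumptions; the one property the example is built around is that the server, not the caller, picks which slot is asked for, and each slot is burned after a single successful use.

```python
"""Indexed one-time code card ("100 4-digit codes, one chosen at random per
operation"), bank side.

Added example written for this page; not code from any bank or from the
posts above. Assumes a 100-slot card of 4-digit codes, an in-memory
server record, a three-strike lockout, and that the server, never the
caller, picks the slot to be answered.
"""
import hashlib
import hmac
import secrets

CARD_SIZE = 100
CODE_LENGTH = 4
MAX_FAILURES = 3


class CodeCardServer:
    """Bank-side record for one customer's code card.

    Stores a salted HMAC per slot plus a used flag, never the codes
    themselves. A leaked record still has only 10^4 preimages per slot,
    so the rate limit below matters as much as the hashing does.
    """

    def __init__(self, codes):
        self._salt = secrets.token_bytes(16)
        self._digests = [self._digest(i, c) for i, c in enumerate(codes)]
        self._used = [False] * len(codes)
        self._pending = None      # slot index of the open challenge
        self.failures = 0
        self.locked = False

    def _digest(self, index, code):
        return hmac.new(self._salt, b"%d:%s" % (index, code.encode()),
                        hashlib.sha256).digest()

    def remaining(self):
        return self._used.count(False)

    def challenge(self):
        """Pick an unused slot at random; returns its 1-based number to read to the caller."""
        if self.locked:
            return None
        unused = [i for i, used in enumerate(self._used) if not used]
        if not unused:
            return None          # card exhausted, a new one must be issued
        self._pending = secrets.choice(unused)
        return self._pending + 1

    def redeem(self, index, code):
        """Accept a code only for the slot that was challenged, then burn that slot.

        A caller who has phished one code cannot name its slot here: the
        index must equal the slot the server chose, and every challenge
        can be answered exactly once, so a replay needs a fresh challenge.
        """
        if self.locked:
            return False
        slot, self._pending = self._pending, None    # one answer per challenge
        if slot is None or index - 1 != slot or self._used[slot]:
            return self._fail()
        if not hmac.compare_digest(self._digests[slot], self._digest(slot, code)):
            return self._fail()
        self._used[slot] = True
        self.failures = 0
        return True

    def _fail(self):
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False


def issue_card():
    """Generate a card. Returns (codes to print for the customer, server record)."""
    codes = ["%0*d" % (CODE_LENGTH, secrets.randbelow(10 ** CODE_LENGTH))
             for _ in range(CARD_SIZE)]
    return codes, CodeCardServer(codes)
```

In practice the printed list is the customer's copy and `CodeCardServer` is what the bank keeps; a TAN-generator app described in this answer plays the same role as the printed list, with the device binding replacing the paper.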
0

It sounds strange if you have to provide your PIN to a person, but it is of course possible they just wanted to identify you. Where I live (Finland), for phone banking I have to type my user code (8 numbers) and one-time code (4 numbers) or alternatively instead of the one-time code use my authentication app on my mobile phone. This is commonplace in Finland, and you don't tell the user code and the one-time code to anybody, you type them over the phone to an automatic computer system.

If you feel insecure in providing the PIN, you could of course visit the bank physically instead of using the services over the phone.

They also ask for my social security number very often over the phone. This I don't type, I tell it to the other person on the phone.

It is very unlikely that your phone conversation will be covertly listened to. In theory, somebody could block the 3G frequencies with a jammer, forcing the phone to use 2G, and use an IMSI catcher and crack the encryption keys (which should be doable for the poor GSM ciphers in a reasonable amount of time). The chances of this happening are so low that I wouldn't worry about it.

juhist
  • "This call may be monitored for training and quality purposes." Not "covert", but who knows how long (or how far) those recordings go. – schroeder Jan 17 '18 at 20:21
-4

Your online banking PIN is not the same PIN you use with your card in a machine nor is it the passcode you use to access your funds and do transfers. It is simply a code that identifies you as the authorized caller. There seems to be much confusion about this matter.

Your online banking PIN is used merely as a means to identify you, it cannot ever be used to access your account's funds or perform transfers.

If you just happen to be using the same PIN for both then you need to change it!

Octopus