An article relating to this blog post on Finextra:

Letting customers choose PINs a gift to thieves - research

Banks that let customers pick their own PINs and fail to 'blacklist' the most common variations are putting them at risk, according to a paper from Cambridge University researchers.



Time to pull the PIN!

It’s time to call time on the static PIN. We forget them too easily, they are too simple to guess, and – most importantly – they don’t really provide the security that both banks and customers need.

First, on average people forget their PINs every three months (source: “A birthday present every eleven wallets? The security of customer-chosen banking PINs”, University of Cambridge, 2012) – and given that some people never forget, it must be much more frequent in some cases.

Secondly, many people use “obvious” PINs, for example 1234 or the year they were born. They also change their various PINs so they are all the same. That’s far from secure and once compromised, the customer has a nightmare on their hands.

So far, so bad. But this is going to become much more important once the mobile wallet really catches on, as I fully expect it to do. Do most customers want to rely on a static PIN to make significant money transfers from their mobile phone? And do banks want them to? It’s likely that “full” PINs will be requested on devices that could well contain Trojans such as Zitmo.

For me, the most exciting thing about the new technology in this field is that we just don’t need static PINs any more. We can make mobile payments faster and safer without relying on a four-digit code that lots of people have written on a post-it note in their wallet, purse or on their desk.

The best authentication takes multiple, non-correlated data points, and puts them together almost instantaneously to prove, for example, that it is you accessing your bank account. Where your phone is (or is not) at that moment; the fact that it is your mobile phone; a memorable word or phrase; and, most excitingly, your own voice – each element adds another layer of security, and taken together, they provide a far stronger method of real-time authentication than the humble PIN.

So yes, I look forward to a time when the PIN sounds as out of date as the cheque guarantee card.


Pat Carroll

Founder/Executive Chairman

ValidSoft


This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

