undefined | Better HN

0 pointsjoshvm4y ago0 comments

Rate limiting can be practically strong for everyday use. Bank PINs are commonly 4 digits, though the chip+PIN system allows up to at least 6. Three attempts and the card is locked. Provided you stop users from picking obvious numbers like birthdays, it's pretty effective at preventing card fraud.

Weak passwords can be fine, provided rate limiting is extremely aggressive. You can adjust this based on access e.g. your admin account might be locked under stricter heuristics like a single attempted login outside your geographic region (Live mail does this to me sometimes). In this case the user might even have the correct password, but if something else doesn't add up then you can block.

0 comments

iudqnolq4y ago

But if you actually tried to use 6 digits you'll discover most layers never tested it, including some of the most common point-of-sale systems and many ATMs not operated by your bank. Plus, tellers at your bank won't believe you.

joshvmOP4y ago

My debit card in Switzerland came with a six digit pin - which was a surprise coming from the UK - and it works fine in other countries (Germany and Italy at least). But chip and pin is well known established in Europe so that's not too surprising.

iudqnolq4y ago

Interesting - I should have qualified all that as US specific, I (stupidly) forgot you have debit card pins as well.

j / k navigate · click thread line to collapse

0 comments

iudqnolq4y ago

joshvmOP4y ago

iudqnolq4y ago

Interesting - I should have qualified all that as US specific, I (stupidly) forgot you have debit card pins as well.

j / k navigate · click thread line to collapse