Changing PINs of German bank card

Peter Lebbing peter at digitalbrains.com
Tue Jul 11 16:50:06 CEST 2017


On 11/07/17 12:32, Binarus wrote:
> I am not completely sure if I got you right. Wouldn't that mean that I
> have to lose my card, the bad person then makes two guesses, then I get
> back my card and enter my correct pin, then I lose my card again, and
> the same bad person finds it again and makes another two guesses, then I
> get my card back again and so on?

But you were discussing both card PINs as well as web passwords with low
entropy, right? You said earlier:

> - If somebody tries to brute force the pin (or online banking password),
> the access will be permanently denied if there are more than 3 failures
> (the exact number may vary).

I still don't think you could brute-force it with just two tries in
between your regular logins. However, this seems like a nice DoS if
someone dislikes you and is mean-spirited. They get a hold of your bank
account number, attempt to log in with the three password guesses "say",
"bye" and "now" and you need to phone up your bank, they need to send
you a new letter with a new password, etcetera. Or is there some other
secret or semi-secret, like a card number, that an attacker needs to
enter in order to decrement the failure counter?

This "three strikes and you're out" scheme is generally for two-factor
auth, not for regular web passwords. For a reason.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
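As an added example (not from this mail, and not any bank's real implementation), the following Python models the two lockout designs the thread is weighing against each other: a failure counter keyed on the account number alone, versus one that only advances when a second, semi-secret identifier (here a card number) is also presented. Account, card and password values, the three-strike threshold and the attacker's three guesses are constructed for illustration; the hash function is a stand-in for a proper password KDF.

```python
# Added example (not from the original mail): modelling the two lockout
# policies discussed in the thread. Names, thresholds and sample values are
# constructed for illustration.
import hashlib
import hmac
from dataclasses import dataclass

MAX_FAILURES = 3  # "three strikes"; the real number varies per bank


def hash_secret(secret: str) -> bytes:
    # Constructed stand-in; a real system would use a slow KDF such as Argon2.
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class Account:
    account_number: str   # public-ish: printed on invoices, known to anyone who pays you
    card_number: str      # semi-secret: printed on the card, not generally known
    password_hash: bytes
    failures: int = 0
    locked: bool = False


def login_account_only(acct: Account, password: str) -> str:
    """Policy A: the failure counter is keyed on the account number alone.
    Anyone who knows the account number can exhaust the attempts and lock
    the legitimate owner out (the denial of service Peter describes)."""
    if acct.locked:
        return "locked"
    if hmac.compare_digest(hash_secret(password), acct.password_hash):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True
        return "locked"
    return "wrong"


def login_with_card_number(acct: Account, card_number: str, password: str) -> str:
    """Policy B: the counter only advances when the semi-secret card number
    also matches. A wrong card number gets the same "wrong" answer, so the
    response leaks nothing, but the counter is left untouched."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(card_number.encode(), acct.card_number.encode()):
        return "wrong"  # counter untouched: no second identifier was shown
    return login_account_only(acct, password)


def new_account() -> Account:
    # Constructed sample account.
    return Account("DE00 1234 5678", "4111-0000-0000-1234", hash_secret("correct horse"))


ATTACKER_GUESSES = ["say", "bye", "now"]  # the three guesses from the mail


def simulate_account_only():
    """Someone who knows only the account number makes three wrong guesses,
    then the owner logs in. Returns (attacker results, owner result)."""
    acct = new_account()
    attacker = [login_account_only(acct, g) for g in ATTACKER_GUESSES]
    owner = login_account_only(acct, "correct horse")
    return attacker, owner
    # -> (['wrong', 'wrong', 'locked'], 'locked'): the owner is locked out


def simulate_with_card_number():
    """Same three guesses, but without the card number the counter never moves.
    Returns (attacker results, owner result, failure counter)."""
    acct = new_account()
    attacker = [login_with_card_number(acct, "0000-0000-0000-0000", g)
                for g in ATTACKER_GUESSES]
    owner = login_with_card_number(acct, acct.card_number, "correct horse")
    return attacker, owner, acct.failures
    # -> (['wrong', 'wrong', 'wrong'], 'ok', 0): the owner is unaffected


if __name__ == "__main__":
    print(simulate_account_only())
    print(simulate_with_card_number())
```

The second policy only raises the bar for someone who knows nothing but the account number; it does nothing against the lost-card case discussed earlier in the thread, where the finder holds the card number too, and there the counter on the card itself is what limits guessing. It also answers Peter's closing point: a hard "three strikes" lock keyed on a public identifier is a poor fit for an ordinary web password, which is why such systems usually prefer a temporary lock with increasing delay, or tie the counter to a second factor as modelled here.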
