
The German bank credit report service "Schufa" uses a so-called "SuperPIN"


Question

The German bank credit report service "Schufa" uses a so-called "SuperPIN" to enable users to reset their password. This SuperPIN is a permutation of 30 lower-case and upper-case letters and digits and is snail-mailed to the user at registration.

To reset the password the system selects two positions and requests the characters at those positions.

I wonder how safe this system is against attacks on the server. The SuperPIN cannot be stored salted and hashed because the server needs access to every individual character. Hashing and salting the character at every position (or all the 870 pairwise combinations) would not resist a brute-force attack against the hash either.

From these facts I cannot derive an advantage over snail-mailing a reset code to the user. What did I miss?
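To make the brute-force point concrete, here is an added Python example (not code from the question, the answer, or Schufa; the storage scheme it models is a hypothetical one built from the question's own parameters). It stores a 30-character SuperPIN either as one salted hash per position or as one salted hash per ordered position pair, then plays the attacker who has read the database: because each stored value covers only one of 62 symbols, or one of 62 x 62 = 3844 symbol pairs, every fragment is recovered by exhaustive guessing in a bounded, tiny number of hash evaluations. The salts only prevent precomputation; they do not enlarge the guess space.

```python
import hashlib
import hmac
import os
import secrets
import string

# The question's parameters: 30 distinct characters drawn from upper-case and
# lower-case letters and digits (62 symbols), two positions queried per reset.
ALPHABET = string.ascii_letters + string.digits
PIN_LENGTH = 30


def generate_superpin():
    """Draw 30 distinct alphanumerics, i.e. a permutation as the question describes."""
    return "".join(secrets.SystemRandom().sample(ALPHABET, PIN_LENGTH))


def hash_fragment(salt, label, fragment):
    """Hypothetical storage primitive: salted SHA-256 over a fragment of the PIN.
    `label` binds the digest to a position (or position pair) so digests are not
    interchangeable. Swapping in a slow KDF changes the cost per guess only,
    never the number of guesses counted below."""
    return hashlib.sha256(salt + label.encode() + fragment.encode()).digest()


def store_per_position(pin):
    """Scheme 1 from the question: one salted hash per character position."""
    stored = []
    for position, char in enumerate(pin):
        salt = os.urandom(16)
        stored.append((salt, hash_fragment(salt, f"pos{position}", char)))
    return stored


def verify_position(stored, position, char):
    """What the server does at reset time: check one submitted character."""
    salt, digest = stored[position]
    return hmac.compare_digest(digest, hash_fragment(salt, f"pos{position}", char))


def recover_per_position(stored):
    """Attacker holding the database: at most 62 guesses per position, so the
    whole 30-character PIN falls within 30 * 62 = 1860 hash evaluations."""
    recovered, attempts = [], 0
    for position, (salt, digest) in enumerate(stored):
        for guess in ALPHABET:
            attempts += 1
            if hmac.compare_digest(digest, hash_fragment(salt, f"pos{position}", guess)):
                recovered.append(guess)
                break
    return "".join(recovered), attempts


def store_pair(pin, i, j):
    """Scheme 2 from the question: one salted hash per ordered position pair
    (the 30 * 29 = 870 pairs the question counts); this stores just one of them."""
    salt = os.urandom(16)
    return salt, hash_fragment(salt, f"pair{i},{j}", pin[i] + pin[j])


def recover_pair(stored_pair, i, j):
    """Attacker against one pair hash: 62 * 62 = 3844 candidates at most."""
    salt, digest = stored_pair
    attempts = 0
    for a in ALPHABET:
        for b in ALPHABET:
            attempts += 1
            if hmac.compare_digest(digest, hash_fragment(salt, f"pair{i},{j}", a + b)):
                return a + b, attempts
    return None, attempts


if __name__ == "__main__":
    pin = generate_superpin()
    per_position = store_per_position(pin)
    recovered, hashes = recover_per_position(per_position)
    print(f"per-position scheme: full PIN recovered? {recovered == pin}, hashes used: {hashes}")
    pair = store_pair(pin, 3, 17)
    chars, hashes = recover_pair(pair, 3, 17)
    print(f"pair scheme: positions 3,17 recovered? {chars == pin[3] + pin[17]}, hashes used: {hashes}")
```

Even if `hash_fragment` were replaced by a deliberately slow KDF costing 100 ms per evaluation, the 1860 evaluations of the per-position scheme would take about three minutes on one core, and each pair hash under 7 minutes. The limiting factor is the 62-symbol alphabet behind each stored value, not the strength of the hash, which is exactly why the question argues that hashing buys nothing once the database itself is in the attacker's hands.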

Explanation / Answer

We are talking about the database of a bank, and that's not your average database. It's a special kind of database, where every step is audited and every alteration is logged. So a database leak is very, very unlikely.

If someone can get access to the bank database, why bother with the PIN or password of any user? They can go directly to the money.

The reason to send snail mail to the user is that the bank can be almost sure that only the real owner of the account has the reset codes. If anyone else tries to reset the PIN using discovered information, it will fail because the fraudster doesn't have the reset codes.

And unless the fraudster can convince the owner of the account to disclose the codes, only the owner can reset the PIN.
