##banking++PINs

k_passwd


The scope of this bpost is PINs. I like this searchable, permanent keyword. PINs are increasingly popular among banks’ security architects, because smsOTP and (soft/hard) tokens generate PINs, and because a keypad is more convenient than a keyboard on smartphones (displacing computers).

Q: How about using birthdays, addresses (zip codes…), quasi-permanent phone numbers, permanent IDs (not passport#)?
A: combinations of them OK in less sensitive cases

— site: starhub: use a unique PIN because this PIN will be read out loud each time
— site: Singpass .. PIN is 1FA i.e. single layer of protection, but easier to change thanks to “nanny state”.

todo/sugg: use a unique 6-digit PIN like 694214 (CPFZLH), and change it periodically.

Singpass-2FA is required by some Singpass-client sites (like cpf) for high-stake transactions. Most fund transfers secured by Singpass are available after 55 only. See cpf: stop online theft

— site: CIMB
For login to mobank, you need only password _or_ fingerprint
For login to webank, you need mobank _or_ SMS OTP

For addPayee, you need mobank + PIN. As of Feb 2025, I use 57xxxx.

— site: ICBC.cn, PSBC.cn, Hsbc.cn .. all use PINs .. hard to reset. I maintain those PINs in those bposts (not 100% uptime)

— site: wcpay … can change to four_seven.

— site: HSBC logon PIN .. 1FA: login name can’t change. This login name is saved in the mobile app, so anyone having my phone needs only one additional thing (6-digit PIN) to log in as me. To address this relative weakness against hacking, I have enabled moneyLock.

Adding payee is highly sensitive but needs only the logon PIN 🙁

Luckily, HSBC app must be removed from old device before it can be set up on a new phone.

If not sure, do not experiment with some new PIN. If you don’t like it and need to change it, you would need to enter the old PIN many many times, reinforcing it!

SCB and HSBC are high-stake, and need special PINs

— site: SCB.. For most things, you need mobank — the primary authentication device. It has completely replaced hardware token and sms OTP.

Mobank comes with a PIN known as ScMobilePIN, usable only on the mobank. This PIN serves as a second layer of defense.

adding payee (or large payments)… needs handset + ScMobilePIN in addition to password i.e. three layers of security, better than “two” at HSBC.

In conclusion, the 6 digit PIN is almost the single layer of protection over my 300k fund.

Fortify: add some security to the entire phone, until we move the bulk of my money out of HSBC. SmartLock is too loose.
Fortify: check balance regularly on the move
Fortify: use a unique logon PIN. (I updated it easily using the mobile app.) Make sure it is different from phone PIN or ATM PIN
Fortify: change PIN periodically.
Fortify: send SMS alert when adding payee or increasing transfer limit
Consider moving large sums to SGD TD/tBill/SSB which are more locked down.

— other sites PINs

  • ATM card PINs
  • Phone banking PINs .. less “powerful” than ATM PINs
  • DBS/DBS webank login PIN .. slightly more secure than HSBC .. physical phone + SIM card + PIN + loginname to steal money
  • OC webank PIN .. small balance