Stop reusing PINs (unlike passwords) is an unrealistic idea. PINs should only be used for local authentication, and they should be allowed to be reused. It's the banks that use them on the web that are at fault.

On the news on the 4th of this month, the Metropolitan Police Department announced that the telephone numbers and PINs of contract holders resold by the president of a SoftBank agency were used in the Docomo Account Incident. Some people said, "See, it wasn't reverse brute force, was it?" However, there were two cases, and this is the older one that became a hot topic later...https://t.co/hZl7ima7J5

— Hiromitsu Takagi (@HiromitsuTakagi) March 18, 2021

…The older case involved a Japanese person as the main perpetrator, but the newer case that was initially the subject of discussion involved Chinese students being arrested as thieves and using a Chinese app as a means of communication with the person in charge. The method used in this case was suspected to be reverse brute force from the beginning. Today’s…https://t.co/uaSUfkZ8Al

— Hiromitsu Takagi (@HiromitsuTakagi) March 18, 2021

...Today's National Police Agency announcement distinguishes between these, and they are being reported separately.https://t.co/TfCs9b3AmI
"In addition, the damage from another case of fraudulent withdrawals from Docomo accounts uncovered by the Metropolitan Police Department and others was,"https://t.co/4SGay9rPGj
"Apart from this, in 2019, a group of Japanese people were arrested for using Docomo Accounts and PayPay..."

— Hiromitsu Takagi (@HiromitsuTakagi) March 18, 2021

The fact that 600 other people's email accounts were used to open Docomo accounts is not the essence of the method used in this case. Any address could have been used, but the skilled criminal simply used a hijacked account he already had.

So, is today's announcement from Japan Post Bank unrelated to this case?https://t.co/ijZphDZhAq

— Hiromitsu Takagi (@HiromitsuTakagi) March 18, 2021

The National Police Agency says this, but stopping the reuse of PIN numbers (unlike passwords) is unrealistic. PIN numbers should only be used for local authentication, and they should be allowed to be reused. It's the banks that use them on the web that are at fault.https://t.co/TfCs9b3AmI
The National Police Agency urges people not to reuse PIN numbers, which pose a high risk of infection.

— Hiromitsu Takagi (@HiromitsuTakagi) March 18, 2021

The PIN number is essentially a Sender Constrained Token (it is also required at ATMs and cash cards where the PIN is used, making it a so-called HoK) which is a prerequisite for security, so if you remove this and use it as a Bearer Token, then of course that's no good.

— Nat Sakimura (@_nat) March 18, 2021