Attempted PIN theft

Generally, the way that these content based alerting features work is the firewall or anti-spyware tool scans all outgoing packets for any data pattern that you tell it you want to keep secure. If it sees that pattern of data (like a PIN, social security or credit card number, for example), then it usually blocks the connection and pops up an alert. The problem is that there is a simple flaw in the design of these monitors. If the data you have it monitor is too small, (like such a sequence of numbers), or likely to occur naturally in a connection with a website, then you'll get a lot of mistaken alerts (i.e. false positives).

I don't know the specific feature in NIS, but if it is anything like Zone Alarm's, then this thread at DSLR might help explain it a little more...

http://www.dslreports.com/forum/remark,8581299

Most PINs are a fairly short series of numbers. Since many series of numbers are sent in the data stream when communicating to websites, it is very likely that you'll receive alerts that are merely coincidences. A four digit PIN of say 2736 would be very likely to be seen in packets sent to websites, so alerting on something that short would be prone to bogus alerts. When this feature was first added to Zone Alarm, we had a large number of people getting such alerts even on social security and credit card numbers, which are a longer set of numbers, still it happened often enough to have many topics on the subject. (Also, to make the problem worse, some of these tools monitor on just pieces of the data, not always the whole thing. So, in some cases if it even sees the last 4 digits of say a social security number, it may alert.)