Personal identification number

Last updated

A personal identification number (PIN; sometimes redundantly a PIN code or PIN number) is a numeric (sometimes alpha-numeric) passcode used in the process of authenticating a user accessing a system.

Contents

The PIN has been the key to facilitating the private data exchange between different data-processing centers in computer networks for financial institutions, governments, and enterprises. [1] PINs may be used to authenticate banking systems with cardholders, governments with citizens, enterprises with employees, and computers with users, among other uses.

In common usage, PINs are used in ATM or POS transactions, [2] secure access control (e.g. computer access, door access, car access), [3] internet transactions, [4] or to log into a restricted website.

History

The PIN originated with the introduction of the automated teller machine (ATM) in 1967, as an efficient way for banks to dispense cash to their customers. The first ATM system was that of Barclays in London, in 1967; it accepted cheques with machine-readable encoding, rather than cards, and matched the PIN to the cheque. [5] [6] [7] 1972, Lloyds Bank issued the first bank card to feature an information-encoding magnetic strip, using a PIN for security. [8] James Goodfellow, the inventor who patented the first personal identification number, was awarded an OBE in the 2006 Queen's Birthday Honours. [9] [10]

Mohamed M. Atalla invented the first PIN-based hardware security module (HSM), [11] dubbed the "Atalla Box," a security system that encrypted PIN and ATM messages and protected offline devices with an un-guessable PIN-generating key. [12] In 1972, Atalla filed U.S. patent 3,938,091 for his PIN verification system, which included an encoded card reader and described a system that utilized encryption techniques to assure telephone link security while entering personal ID information that was transmitted to a remote location for verification. [13]

He founded Atalla Corporation (now Utimaco Atalla) in 1972, [14] and commercially launched the "Atalla Box" in 1973. [12] The product was released as the Identikey. It was a card reader and customer identification system, providing a terminal with plastic card and PIN capabilities. The system was designed to let banks and thrift institutions switch to a plastic card environment from a passbook program. The Identikey system consisted of a card reader console, two customer PIN pads, intelligent controller and built-in electronic interface package. [15] The device consisted of two keypads, one for the customer and one for the teller. It allowed the customer to type in a secret code, which is transformed by the device, using a microprocessor, into another code for the teller. [16] During a transaction, the customer's account number was read by the card reader. This process replaced manual entry and avoided possible key stroke errors. It allowed users to replace traditional customer verification methods such as signature verification and test questions with a secure PIN system. [15] In recognition of his work on the PIN system of information security management, Atalla has been referred to as the "Father of the PIN". [17] [18] [19]

The success of the "Atalla Box" led to the wide adoption of PIN-based hardware security modules. [20] Its PIN verification process was similar to the later IBM 3624. [21] By 1998 an estimated 70% of all ATM transactions in the United States were routed through specialized Atalla hardware modules, [22] and by 2003 the Atalla Box secured 80% of all ATM machines in the world, [17] increasing to 85% as of 2006. [23] Atalla's HSM products protect 250 million card transactions every day as of 2013, [14] and still secure the majority of the world's ATM transactions as of 2014. [11]

Financial services

PIN usage

In the context of a financial transaction, usually both a private "PIN code" and public user identifier are required to authenticate a user to the system. In these situations, typically the user is required to provide a non-confidential user identifier or token (the user ID) and a confidential PIN to gain access to the system. Upon receiving the user ID and PIN, the system looks up the PIN based upon the user ID and compares the looked-up PIN with the received PIN. The user is granted access only when the number entered matches the number stored in the system. Hence, despite the name, a PIN does not personally identify the user. [24] The PIN is not printed or embedded on the card but is manually entered by the cardholder during automated teller machine (ATM) and point of sale (POS) transactions (such as those that comply with EMV), and in card not present transactions, such as over the Internet or for phone banking.

PIN length

The international standard for financial services PIN management, ISO 9564-1, allows for PINs from four up to twelve digits, but recommends that for usability reasons the card issuer not assign a PIN longer than six digits. [25] The inventor of the ATM, John Shepherd-Barron, had at first envisioned a six-digit numeric code, but his wife could only remember four digits, and that has become the most commonly used length in many places, [6] although banks in Switzerland and many other countries require a six-digit PIN.

PIN validation

There are several main methods of validating PINs. The operations discussed below are usually performed within a hardware security module (HSM).

IBM 3624 method

One of the earliest ATM models was the IBM 3624, which used the IBM method to generate what is termed a natural PIN. The natural PIN is generated by encrypting the primary account number (PAN), using an encryption key generated specifically for the purpose. [26] This key is sometimes referred to as the PIN generation key (PGK). This PIN is directly related to the primary account number. To validate the PIN, the issuing bank regenerates the PIN using the above method, and compares this with the entered PIN.

Natural PINs cannot be user selectable because they are derived from the PAN. If the card is reissued with a new PAN, a new PIN must be generated.

Natural PINs allow banks to issue PIN reminder letters as the PIN can be generated.

IBM 3624 + offset method

To allow user-selectable PINs it is possible to store a PIN offset value. The offset is found by subtracting the natural PIN from the customer selected PIN using modulo 10. [27] For example, if the natural PIN is 1234, and the user wishes to have a PIN of 2345, the offset is 1111.

The offset can be stored either on the card track data, [28] or in a database at the card issuer.

To validate the PIN, the issuing bank calculates the natural PIN as in the above method, then adds the offset and compares this value to the entered PIN.

VISA method

When using this credit card terminal, a VISA cardholder swipes or inserts their credit card, and enters their PIN on the keypad. VeriFone credit card terminal Servebase.jpg
When using this credit card terminal, a VISA cardholder swipes or inserts their credit card, and enters their PIN on the keypad.

The VISA method is used by many card schemes and is not VISA-specific. The VISA method generates a PIN verification value (PVV). Similar to the offset value, it can be stored on the card's track data, or in a database at the card issuer. This is called the reference PVV.

The VISA method takes the rightmost eleven digits of the PAN excluding the checksum value, a PIN validation key index (PVKI, chosen from one to six, a PVKI of 0 indicates that the PIN cannot be verified through PVS [29] ) and the required PIN value to make a 64-bit number, the PVKI selects a validation key (PVK, of 128 bits) to encrypt this number. From this encrypted value, the PVV is found. [30]

To validate the PIN, the issuing bank calculates a PVV value from the entered PIN and PAN and compares this value to the reference PVV. If the reference PVV and the calculated PVV match, the correct PIN was entered.

Unlike the IBM method, the VISA method does not derive a PIN. The PVV value is used to confirm the PIN entered at the terminal, was also used to generate the reference PVV. The PIN used to generate a PVV can be randomly generated, user-selected or even derived using the IBM method.

PIN security

Financial PINs are often four-digit numbers in the range 00009999, resulting in 10,000 possible combinations. Switzerland issues six-digit PINs by default. [31]

Some systems set up default PINs and most allow the customer to set up a PIN or to change the default one, and on some a change of PIN on first access is mandatory. Customers are usually advised not to set up a PIN-based on their or their spouse's birthdays, on driver license numbers, consecutive or repetitive numbers, or some other schemes. Some financial institutions do not give out or permit PINs where all digits are identical (such as 1111, 2222, ...), consecutive (1234, 2345, ...), numbers that start with one or more zeroes, or the last four digits of the cardholder's social security number or birth date.[ citation needed ]

Many PIN verification systems allow three attempts, thereby giving a card thief a putative 0.03% probability of guessing the correct PIN before the card is blocked. This holds only if all PINs are equally likely and the attacker has no further information available, which has not been the case with some of the many PIN generation and verification algorithms that financial institutions and ATM manufacturers have used in the past. [32]

Research has been done on commonly used PINs. [33] The result is that without forethought, a sizable portion of users may find their PIN vulnerable. "Armed with only four possibilities, hackers can crack 20% of all PINs. Allow them no more than fifteen numbers, and they can tap the accounts of more than a quarter of card-holders." [34]

Breakable PINs can worsen with length, to wit:

The problem with guessable PINs surprisingly worsens when customers are forced to use additional digits, moving from about a 25% probability with fifteen numbers to more than 30% (not counting 7-digits with all those phone numbers). In fact, about half of all 9-digit PINs can be reduced to two dozen possibilities, largely because more than 35% of all people use the all too tempting 123456789. As for the remaining 64%, there's a good chance they're using their Social Security Number, which makes them vulnerable. (Social Security Numbers contain their own well-known patterns.) [34]

Implementation flaws

In 2002, two PhD students at Cambridge University, Piotr Zieliński and Mike Bond, discovered a security flaw in the PIN generation system of the IBM 3624, which was duplicated in most later hardware. Known as the decimalization table attack, the flaw would allow someone who has access to a bank's computer system to determine the PIN for an ATM card in an average of 15 guesses. [35] [36]

Reverse PIN hoax

Rumours have been in e-mail and Internet circulation claiming that in the event of entering a PIN into an ATM backwards, law enforcement will be instantly alerted as well as money being ordinarily issued as if the PIN had been entered correctly. [37] The intention of this scheme would be to protect victims of muggings; however, despite the system being proposed for use in some US states, [38] [39] there are no ATMs currently in existence that employ this software. [40]

Mobile phone passcodes

A mobile phone may be PIN protected. If enabled, the PIN (also called a passcode) for GSM mobile phones can be between four and eight digits [41] and is recorded in the SIM card. If such a PIN is entered incorrectly three times, the SIM card is blocked until a personal unblocking code (PUC or PUK), provided by the service operator, is entered. [42] If the PUC is entered incorrectly ten times, the SIM card is permanently blocked, requiring a new SIM card from the mobile carrier service.

Note that this should not be confused with software-based passcodes that are often used on smartphones with lock screens: these are not related to the device's cellular SIM card, PIN and PUC.

See also

Related Research Articles

<span class="mw-page-title-main">EFTPOS</span> Type of Electronic Funds Transfer system

Electronic Funds Transfer at Point Of Sale, abbreviated as EFTPOS, is the technical term referring to a type of payment transaction where electronic funds transfers (EFT) are processed at a point of sale (POS) system or payment terminal usually via payment methods such as payment cards. EFTPOS technology was developed during the 1980s.

<span class="mw-page-title-main">Telephone card</span> Card used to pay for telephone services

A telephone card, calling card or phone card for short, is a credit card-size plastic or paper card used to pay for telephone services. It is not necessary to have the physical card except with a stored-value system; knowledge of the access telephone number to dial and the PIN is sufficient. Standard cards which can be purchased and used without any sort of account facility give a fixed amount of credit and are discarded when used up; rechargeable cards can be topped up, or collect payment in arrears. The system for payment and the way in which the card is used to place a telephone call vary from card to card.

<span class="mw-page-title-main">ATM</span> Electronic telecommunications device to perform financial transactions

An automated teller machine (ATM) is an electronic telecommunications device that enables customers of financial institutions to perform financial transactions, such as cash withdrawals, deposits, funds transfers, balance inquiries or account information inquiries, at any time and without the need for direct interaction with bank staff.

<span class="mw-page-title-main">Secure cryptoprocessor</span> Device used for encryption

A secure cryptoprocessor is a dedicated computer-on-a-chip or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance. Unlike cryptographic processors that output decrypted data onto a bus in a secure environment, a secure cryptoprocessor does not output decrypted data or decrypted program instructions in an environment where security cannot always be maintained.

<span class="mw-page-title-main">EMV</span> Smart payment card standard

EMV is a payment method based on a technical standard for smart payment cards and for payment terminals and automated teller machines which can accept them. EMV stands for "Europay, Mastercard, and Visa", the three companies that created the standard.

<span class="mw-page-title-main">One-time password</span> Password that can only be used once

A one-time password (OTP), also known as a one-time PIN, one-time passcode, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

<span class="mw-page-title-main">IBM 3624</span> Early automatic teller machine

The IBM 3624 was released in 1978 as a second-generation automatic teller machine (ATM), a successor to the IBM 3614. Designed at the IBM Los Gatos lab, the IBM 3624, along with the later IBM 4732 model, was manufactured at IBM facilities in Charlotte, North Carolina and Havant, England until all operations were sold to Diebold, tied to the formation of the InterBold partnership between IBM and Diebold. Comparable ATM units marketed by other companies at the time were the Diebold TABS 9000 and NCR 5xxx.

<span class="mw-page-title-main">Hardware security module</span> Physical computing device

A hardware security module (HSM) is a physical computing device that safeguards and manages secrets, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. A hardware security module contains one or more secure cryptoprocessor chips.

<span class="mw-page-title-main">Payment card</span> Card issued by a financial institution that can be used to make a payment

Payment cards are part of a payment system issued by financial institutions, such as a bank, to a customer that enables its owner to access the funds in the customer's designated bank accounts, or through a credit account and make payments by electronic transfer with a payment terminal and access automated teller machines (ATMs). Such cards are known by a variety of names, including bank cards, ATM cards, client cards, key cards or cash cards.

A card reader is a data input device that reads data from a card-shaped storage medium and provides the data to a computer. Card readers can acquire data from a card via a number of methods, including: optical scanning of printed text or barcodes or holes on punched cards, electrical signals from connections made or interrupted by a card's punched holes or embedded circuitry, or electronic devices that can read plastic cards embedded with either a magnetic strip, computer chip, RFID chip, or another storage medium.

<span class="mw-page-title-main">Chip Authentication Program</span> Aspect of banking security

The Chip Authentication Program(CAP) is a MasterCard initiative and technical specification for using EMV banking smartcards for authenticating users and transactions in online and telephone banking. It was also adopted by Visa as Dynamic Passcode Authentication (DPA). The CAP specification defines a handheld device (CAP reader) with a smartcard slot, a numeric keypad, and a display capable of displaying at least 12 characters (e.g., a starburst display). Banking customers who have been issued a CAP reader by their bank can insert their Chip and PIN (EMV) card into the CAP reader in order to participate in one of several supported authentication protocols. CAP is a form of two-factor authentication as both a smartcard and a valid PIN must be present for a transaction to succeed. Banks hope that the system will reduce the risk of unsuspecting customers entering their details into fraudulent websites after reading so-called phishing emails.

<span class="mw-page-title-main">Credit card fraud</span> Financial crime

Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.

<span class="mw-page-title-main">Security of automated teller machines</span>

Automated teller machines (ATMs) are targets for fraud, robberies and other security breaches. In the past, the main purpose of ATMs was to deliver cash in the form of banknotes, and to debit a corresponding bank account. However, ATMs are becoming more complicated and they now serve numerous functions, thus becoming a high priority target for robbers and hackers.

An ATM controller (ATMC) is a system used in financial institutions to route financial transactions between ATMs, core banking systems and other banks. An ATMC is sometimes referred to as an "EFTPOS Switch". An ATM controller is key infrastructure in an interbank network.

<span class="mw-page-title-main">Multi-factor authentication</span> Method of computer access control

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

ISO 9564 is an international standard for personal identification number (PIN) management and security in financial services.

<span class="mw-page-title-main">Card security code</span> Security feature on payment cards

A card security code is a series of numbers that, in addition to the bank card number, is printed on a credit or debit card. The CSC is used as a security feature for card not present transactions, where a personal identification number (PIN) cannot be manually entered by the cardholder. It was instituted to reduce the incidence of credit card fraud. Unlike the card number, the CSC is deliberately not embossed, so that it is not read when using a mechanical credit card imprinter which will only pick up embossed numbers.

<span class="mw-page-title-main">Mohamed M. Atalla</span> Egyptian engineer, physicist, cryptographer, inventor and entrepreneur (1924 - 2009)

Mohamed M. Atalla was an Egyptian-American engineer, physicist, cryptographer, inventor and entrepreneur. He was a semiconductor pioneer who made important contributions to modern electronics. He is best known for inventing, along with his colleague Dawon Kahng, the MOSFET in 1959, which along with Atalla's earlier surface passivation processes, had a significant impact on the development of the electronics industry. He is also known as the founder of the data security company Atalla Corporation, founded in 1972. He received the Stuart Ballantine Medal and was inducted into the National Inventors Hall of Fame for his important contributions to semiconductor technology as well as data security.

Utimaco Atalla, founded as Atalla Technovation and formerly known as Atalla Corporation or HP Atalla, is a security vendor, active in the market segments of data security and cryptography. Atalla provides government-grade end-to-end products in network security, and hardware security modules (HSMs) used in automated teller machines (ATMs) and Internet security. The company was founded by Egyptian engineer Mohamed M. Atalla in 1972. Atalla HSMs are the payment card industry's de facto standard, protecting 250 million card transactions daily as of 2013, and securing the majority of the world's ATM transactions as of 2014.

The term digital card can refer to a physical item, such as a memory card on a camera, or, increasingly since 2017, to the digital content hosted as a virtual card or cloud card, as a digital virtual representation of a physical card. They share a common purpose: identity management, credit card, debit card or driver's license. A non-physical digital card, unlike a magnetic stripe card, can emulate (imitate) any kind of card.

References

  1. Higgs, Edward (1998). History and Electronic Artefacts. Oxford University Press. ISBN   0198236336.
  2. Martin, Keith (2012). Everyday Cryptography: Fundamental Principles and Applications. Oxford University Press. ISBN   9780199695591.
  3. Cale, Stephane (2013). Mobile Access Safety: Beyond BYOD. Wiley Publishing. ISBN   978-1-84821-435-4.
  4. "E-Commerce: A Tangled Web for PIN Debit". Digital Transactions. 1 February 2013 via Associated Press.
  5. Jarunee Wonglimpiyara, Strategies of Competition in the Bank Card Business (2005), p. 1-3.
  6. 1 2 "The man who invented the cash machine". BBC. 2007-06-25. Retrieved 2014-06-15.
  7. "ATM inventor John Shepherd-Barron dies at 84". Los Angeles Times. 19 May 2010 via Associated Press.
  8. Jarunee Wonglimpiyara, Strategies of Competition in the Bank Card Business (2005), p. 5.
  9. "Royal honour for inventor of Pin". BBC. 2006-06-16. Retrieved 2007-11-05.
  10. GB 1197183 "Improvements in or relating to Customer-Operated Dispensing Systems" – Ivan Oliveira, Anthony Davies, James Goodfellow
  11. 1 2 Stiennon, Richard (17 June 2014). "Key Management a Fast Growing Space". SecurityCurrent. IT-Harvest. Retrieved 21 August 2019.
  12. 1 2 Bátiz-Lazo, Bernardo (2018). Cash and Dash: How ATMs and Computers Changed Banking. Oxford University Press. pp. 284 & 311. ISBN   9780191085574.
  13. "The Economic Impacts of NIST's Data Encryption Standard (DES) Program" (PDF). National Institute of Standards and Technology . United States Department of Commerce. October 2001. Archived from the original (PDF) on 30 August 2017. Retrieved 21 August 2019.
  14. 1 2 Langford, Susan (2013). "ATM Cash-out Attacks" (PDF). Hewlett Packard Enterprise . Hewlett-Packard . Retrieved 21 August 2019.
  15. 1 2 "ID System Designed as NCR 270 Upgrade". Computerworld . 12 (7). IDG Enterprise: 49. 13 February 1978.
  16. "Four Products for On-Line Transactions Unveiled". Computerworld . 10 (4). IDG Enterprise: 3. 26 January 1976.
  17. 1 2 "Martin M. (John) Atalla". Purdue University . 2003. Retrieved 2 October 2013.
  18. "Security guru tackles Net: Father of PIN 'unretires' to launch TriStrata". The Business Journals . American City Business Journals. May 2, 1999. Retrieved 23 July 2019.
  19. "Purdue Schools of Engineering honor 10 distinguished alumni". Journal & Courier . May 5, 2002. p. 33.
  20. Bátiz-Lazo, Bernardo (2018). Cash and Dash: How ATMs and Computers Changed Banking. Oxford University Press. p. 311. ISBN   9780191085574.
  21. Konheim, Alan G. (1 April 2016). "Automated teller machines: their history and authentication protocols". Journal of Cryptographic Engineering. 6 (1): 1–29. doi:10.1007/s13389-015-0104-3. ISSN   2190-8516. S2CID   1706990. Archived from the original on 22 July 2019. Retrieved 22 July 2019.
  22. Grant, Gail L. (1998). Understanding Digital Signatures: Establishing Trust Over the Internet and Other Networks. McGraw-Hill. p. 163. ISBN   9780070125544. In fact, an estimated 70 percent of all banking ATM transactions in the USA are routed through specialized Atalla hardware security modules.
  23. "Portfolio Overview for Payment & GP HSMs" (PDF). Utimaco . Archived from the original (PDF) on 21 July 2021. Retrieved 22 July 2019.
  24. Your ID number is not a password, Webb-site.com, 8 November 2010
  25. ISO 9564-1:2011 Financial services Personal Identification Number (PIN) management and security Part 1: Basic principles and requirements for PINs in card-based systems, clause 8.1 PIN length
  26. "3624 PIN Generation Algorithm". IBM.
  27. "PIN Offset Generation Algorithm". IBM.
  28. "Track format of magnetic stripe cards". Gae.ucm.es. Archived from the original on 2014-09-28. Retrieved 2010-04-25.
  29. "Sun Crypto Accelerator 6000 Board User's Guide for Version 1.0". docs.oracle.com. Retrieved 2021-06-22.
  30. "PVV Generation Algorithm". IBM.
  31. Wang, Ding; Gu, Qianchen; Huang, Xinyi; Wang, Ping (2017-04-02). "Understanding Human-Chosen PINs". Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. Asia CCS '17. Abu Dhabi United Arab Emirates: ACM. pp. 372–385. doi:10.1145/3052973.3053031. ISBN   978-1-4503-4944-4. S2CID   14259782.
  32. Kuhn, Markus (July 1997). "Probability theory for pickpockets — ec-PIN guessing" (PDF). Retrieved 2006-11-24.{{cite journal}}: Cite journal requires |journal= (help)
  33. Nick Berry (28 September 2012). "The most common PINs: is your bank account vulnerable?". Guardian newspaper website. Retrieved 2013-02-25.
  34. 1 2 Lundin, Leigh (2013-08-04). "PINs and Passwords, Part 1". Passwords. Orlando: SleuthSayers. Armed with only four possibilities, hackers can crack 20% of all PINs.
  35. Zieliński, P & Bond, M (February 2003). "Decimalisation table attacks for PIN cracking" (PDF). 02453. University of Cambridge Computer Laboratory. Retrieved 2006-11-24.{{cite journal}}: Cite journal requires |journal= (help)
  36. "Media coverage". University of Cambridge Computer Laboratory. Archived from the original on 2018-10-20. Retrieved 2006-11-24.
  37. "Reverse PIN Panic Code". 7 October 2006. Retrieved 2007-03-02.
  38. Full Text of SB0562 Illinois General Assembly, accessed 2011-07-20
  39. sb379_SB_379_PF_2.html Senate Bill 379 Archived 2012-03-23 at the Wayback Machine Georgia General Assembly, published 2006, accessed 2011-07-20
  40. "Will Entering Your ATM Pin Backwards Trigger the Police?". Rare. 2020-12-15. Retrieved 2021-02-27.
  41. 082251615790 GSM 02.17 Subscriber Identity Modules, Functional Characteristics, version 3.2.0, February 1992, clause 3.1.3
  42. "What is a PUK code?". support.bell.ca. Retrieved 2024-07-15.