Personal identification number

From Wikipedia, the free encyclopedia
Jump to: navigation, search
Personal identification number shown in a PIN mailer

A personal identification number (PIN, pronounced "pin"; often redundantly PIN number) is a numeric password shared between a user and a system that can be used to authenticate the user to the system. Typically, the user is required to provide a non-confidential user identifier or token (the user ID) and a confidential PIN to gain access to the system. Upon receiving the user ID and PIN, the system looks up the PIN based upon the user ID and compares the looked-up PIN with the received PIN. The user is granted access only when the number entered matches with the number stored in the system. Hence, despite the name, a PIN does not personally identify the user.[1]

PINs are used for automated teller machines (ATMs) and at the point of sale, for debit cards and credit cards. Throughout Europe and Canada the traditional in-store credit card signing process is increasingly being replaced with a system in which the customer enters their PIN instead of signing. In the UK and Ireland this goes under the term "Chip and PIN", because the use of a PIN to authenticate the customer was introduced at the same time as EMV chips on the cards.[2] In other parts of the world, PINs have been used before the introduction of EMV.

In 2006, James Goodfellow, the inventor of the personal identification number, was awarded an OBE in the Queen's Birthday Honours.[3]

PIN length[edit]

The concept of a PIN originates with the inventor of the ATM, John Shepherd-Barron. One day in 1967, while thinking about more efficient ways banks could dispense cash to their customers, it occurred to him that the vending machine model was a proven fit. For authentication Shepherd-Barron at first envisioned a six-digit numeric code, given what he could reliably remember. His wife however preferred four digits, which became the most commonly used length.[4] ISO 9564-1, the international standard for PIN management and security, allows for PINs from four up to twelve digits, but also notes that "For usability reasons, an assigned numeric PIN should not exceed six digits in length."[5]

Apart from financial uses, GSM mobile phones specify a PIN of between four and eight digits.[6] The PIN is recorded in the SIM card.

PIN validation[edit]

There are several main methods of validating PINs. The operations discussed below are usually performed within a hardware security module (HSM).

IBM 3624[edit]

The IBM method is used to generate what is termed a natural PIN. The natural PIN is generated by encrypting the primary account number (PAN), using an encryption key generated specifically for the purpose.[7] This key is sometimes referred to as the PIN generation key (PGK). This PIN is directly related to the primary account number. To validate the PIN, the issuing bank regenerates the PIN using the above method, and compares this with the entered PIN.

Natural PINs can not be user selectable because they are derived from the PAN. If the card is reissued with a new PAN, a new PIN must be generated.

Natural PINs allow banks to issue PIN reminder letters as the PIN can be generated.

IBM 3624 + offset[edit]

To allow user selectable PINs it is possible to store a PIN offset value. The offset is found by subtracting natural PIN from the customer selected PIN using modulo 10.[8] For example, if the natural PIN is 1234, and the user wishes to have a PIN of 2345, the offset is 1111.

The offset can be stored either on the card track data,[9] or in a database at the card issuer.

To validate the PIN, the issuing bank calculates the natural PIN as in the above method, then adds the offset and compares this value to the entered PIN.

VISA method[edit]

Disbursing Clerk 1st Class Gene Tecson holds a keypad for a customer to enter his Navy Cash Card personal identification number aboard the amphibious assault ship USS Peleliu (LHA 5). The system eliminates cash and coins from the entire ship and instead requires sailors to add money from their personal bank accounts to one of two systems held on the cash card.

The VISA method is used by many card schemes and is not VISA-specific. The VISA method generates a PIN verification value (PVV). Similar to the offset value, it can be stored on the card's track data, or in a database at the card issuer. This is called the reference PVV.

The VISA method takes the rightmost eleven digits of the PAN excluding the checksum value, a PIN validation key index (PVKI, chosen from one to six) and the required PIN value to make a 64 bit number, the PVKI selects a validation key (PVK, of 128 bits) to encrypt this number. From this encrypted value, the PVV is found.[10]

To validate the PIN, the issuing bank calculates a PVV value from the entered PIN and PAN and compares this value to the reference PVV. If the reference PVV and the calculated PVV match, the correct PIN was entered.

Unlike the IBM method, the VISA method doesn't derive a PIN. The PVV value is used to confirm the PIN entered at the terminal, was also used to generate the reference PVV. The PIN used to generate a PVV can be randomly generated or user selected or even derived using the IBM method.

PIN security[edit]

Financial PINs are often four-digit numbers in the range 0000-9999, resulting in 10,000 possible numbers. Switzerland is a notable exception with six digit pins being given by default. However, some banks do not give out numbers where all digits are identical (such as 1111, 2222, ...), consecutive (1234, 2345, …), numbers that start with one or more zeroes, or the last four digits of your social security number.

Many PIN verification systems allow three attempts, thereby giving a card thief a putative 0.03% probability of guessing the correct PIN before the card is blocked. This holds only if all PINs are equally likely and the attacker has no further information available, which has not been the case with some of the many PIN generation and verification algorithms that banks and ATM manufacturers have used in the past.[11]

Research has been done on commonly used PINs.[12] The result is that without forethought, a sizable portion of users may find their PIN vulnerable. "Armed with only four possibilities, hackers can crack 20% of all PINs. Allow them no more than fifteen numbers, and they can tap the accounts of more than a quarter of card-holders."[13]

Breakable PINs can worsen with length, to wit:

The problem with guessable PINs surprisingly worsens when customers are forced to use additional digits, moving from about a 25% probability with fifteen numbers to more than 30% (not counting 7-digits with all those phone numbers). In fact, about half of all 9-digit PINs can be reduced to two dozen possibilities, largely because more than 35% of all people use the all too tempting 123456789. As for the remaining 64%, there's a good chance they're using their Social Security Number, which makes them vulnerable. (Social Security Numbers contain their own well-known patterns.)[13]

Cell phone SIM card[edit]

If a mobile phone PIN is entered incorrectly three times, the SIM card is blocked until a Personal Unblocking Code (PUC or PUK), provided by the service operator, is entered. If the PUC is entered incorrectly ten times, the SIM card is permanently blocked, requiring a new SIM card.[citation needed]

Implementation flaws[edit]

In 2002 two PhD students at Cambridge University, Piotr Zieliński and Mike Bond, discovered a security flaw in the PIN generation system of the IBM 3624, which was duplicated in most later hardware. Known as the decimalization table attack, the flaw would allow someone who has access to a bank's computer system to determine the PIN for an ATM card in an average of 15 guesses.[14][15]

Reverse PIN hoax[edit]

Rumours have been in e-mail circulation claiming that in the event of entering a PIN into an ATM backwards, police will be instantly alerted as well as money being ordinarily issued as if the PIN had been entered correctly.[16] The intention of this scheme would be to protect victims of muggings; however, despite the system being proposed for use in some US states,[17][18] there are no ATMs currently[when?] in existence that employ this software.[citation needed]

See also[edit]

References[edit]

  1. ^ Your ID number is not a password, Webb-site.com, 8 November 2010
  2. ^ "Q&A: Chip and pin". BBC News. 14 February 2006. Retrieved 3 December 2013. 
  3. ^ "Royal honour for inventor of Pin". BBC. 2006-06-16. Retrieved 2007-11-05. 
  4. ^ "The Man Who Invented The CASH Machine". BBC. 2007-06-25. Retrieved 2007-03-02. 
  5. ^ ISO 9564-1:2002 Banking -- Personal Identification Number (PIN) management and security -- Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems, clause 7.1
  6. ^ GSM 02.17 Subscriber Identity Modules, Functional Characteristics, version 3.2.0, February 1992, clause 3.1.3
  7. ^ "3624 PIN Generation Algorithm". IBM. 
  8. ^ "PIN Offset Generation Algorithm". IBM. 
  9. ^ "Track format of magnetic stripe cards". Gae.ucm.es. 
  10. ^ "PVV Generation Algorithm". IBM. 
  11. ^ Kuhn, Markus (July 1997). Probability theory for pickpockets — ec-PIN guessing (PDF). Retrieved 2006-11-24. 
  12. ^ Nick Berry (28 September 2012). "The most common pin numbers: is your bank account vulnerable?". Guardian newspaper website. Retrieved 2013-02-25. 
  13. ^ a b Lundin, Leigh (2013-08-04). "PINs and Passwords, Part 1". Passwords. Orlando: SleuthSayers. "Armed with only four possibilities, hackers can crack 20% of all PINs." 
  14. ^ Zieliński, P & Bond, M (February 2003). Decimalisation table attacks for PIN cracking (PDF). University of Cambridge Computer Laboratory. Retrieved 2006-11-24. 
  15. ^ "Media coverage". University of Cambridge Computer Laboratory. Retrieved 2006-11-24. 
  16. ^ "Reverse PIN Panic Code". Retrieved 2007-03-02. 
  17. ^ Full Text of SB0562 Illinois General Assembly, accessed 2011-07-20
  18. ^ sb379_SB_379_PF_2.html Senate Bill 379 Georgia General Assembly, published 2006, accessed 2011-07-20