Personal identification number

From Wikipedia, the free encyclopedia

(Redirected from Pin number)

A personal identification number (PIN; pronounced "pin") is a secret numeric password shared between a user and a system that can be used to authenticate the user to the system. Typically, the user is required to provide a non-confidential user identifier or token and a confidential PIN to gain access to the system. Upon receiving the User ID and PIN, the system looks up the PIN based upon the User ID and compares the looked-up PIN with the received PIN. The user is granted access only when the number entered matches with the number stored in the system.

PINs are most often used for automated teller machines (ATMs) but are increasingly used at the point of sale, for debit cards and credit cards. Throughout Europe the traditional in-store credit card signing process is being replaced with a system where the customer is asked to enter their PIN instead of signing. In the UK and Ireland this goes under the term 'Chip and PIN', since PINs were introduced at the same time as EMV chips on the cards. In other parts of the world, PINs have been used before the introduction of EMV. Apart from financial uses, GSM mobile phones usually allow the user to enter PIN between 4 and 8 digits length. The PIN is recorded in the SIM card.

In 2006, James Goodfellow, the inventor of the personal identification number, was awarded an OBE in the Queen's Birthday Honours List.^[1]

[edit] PIN length

The concept of a PIN originates with the inventor of the ATM, John Shepherd-Barron. One day in 1967, while thinking about more efficient ways banks could disburse cash to their customers, it occurred to him that the vending machine model was a proven fit. For authentication Shepherd-Barron at first envisioned a six-digit numeric code, given what he could reliably remember. His wife however preferred four digits, which became the most commonly used length.^[2] ISO 9564-1 allows for PINs from 4 up to 12 digits, but also notes that "For usability reasons, an assigned numeric PIN should not exceed six digits in length".^[3]

[edit] PIN generation

[edit] Natural PINs

The Natural PIN of a card is generated by encrypting the Primary Account Number (PAN), with a PIN Generation Key (PGK) using Triple DES. The resulting encrypted text is then decimalised, rendering a PIN. The Natural PIN of a card does not change. The user can not change this type of PIN.

[edit] Offset PINs

By adding an offset value to the natural PIN, a selectable PIN can be generated. For example, if the natural PIN of a card is 1111 and the required value is 5555, a value of 4444 can be stored as an offset. Subtracting the offset from the supplied PIN will result in the natural PIN, whose value can be verified.

[edit] PIN Security

Financial PINs are often 4-digit numbers in the range 0000-9999, resulting in 10,000 possible numbers. However, some banks do not give out numbers where all digits are identical (such as 1111, 2222, ...) or consecutive (1234, 2345, ...) or numbers that start with one or more zeroes. Many PIN verification systems allow three attempts, thereby giving a card thief a 0.06% probability of guessing the correct PIN before the card is blocked. This holds only if all PINs are equally likely and the attacker has no further information available, which has not been the case with some of the many PIN generation and verification algorithms that banks and ATM manufacturers have used in the past.^[4]

In 2002 two PhD students at Cambridge University, Piotr Zieliński and Mike Bond, discovered a security flaw in the PIN generation system of the IBM 3624, which was duplicated in most later hardware. Known as the decimalization table attack, the flaw would allow someone who has access to a bank's computer system to determine the PIN for an ATM card in an average of 15 guesses.^[5]^[6]

If a mobile phone PIN is entered incorrectly three times, the SIM card is blocked until a Personal Unblocking Code (PUC), provided by the service operator, is entered. If the PUC is entered incorrectly ten times, the SIM card is permanently blocked, requiring a new SIM card.

Safety practices for PIN:^[7]

Limit PIN usage.
Use the link key instead of the PIN.
Use in secure environments.

[edit] English language usage

The term "PIN number" (hence "personal identification number number") is commonly used, which is an example of RAS syndrome (Redundant Acronym Syndrome syndrome).

[edit] Reverse PIN hoax

Main article: ATM SafetyPIN software

Rumours have been in e-mail circulation claiming that in the event of entering a PIN into an ATM backwards, police will be instantly alerted as well as money being ordinarily issued as if the PIN had been entered correctly.^[8] The intention of this scheme would be to protect victims of muggings; however, despite the system being proposed for use in some American states, there are no ATMs currently in existence that employ this software.^{[citation needed]}

[edit] Related pages

[edit] References

^ "Royal honour for inventor of Pin". BBC. 2006. http://news.bbc.co.uk/1/hi/scotland/glasgow_and_west/5087984.stm. Retrieved 2007-11-05.
^ "The Man Who Invented The CASH Machine". BBC. 2007. http://news.bbc.co.uk/2/hi/business/6230194.stm. Retrieved 2007-03-02.
^ ISO 9564-1:2002 Banking -- Personal Identification Number (PIN) management and security -- Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
^ Kuhn, Markus (July 1997) (PDF). Probability theory for pickpockets — ec-PIN guessing. http://www.cl.cam.ac.uk/~mgk25/ec-pin-prob.pdf. Retrieved 2006-11-24.
^ Zieliński, P & Bond, M (February 2003) (PDF). Decimalisation table attacks for PIN cracking. University of Cambridge Computer Laboratory. http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf. Retrieved 2006-11-24.
^ "Media coverage". University of Cambridge Computer Laboratory. http://www.cl.cam.ac.uk/~mkb23/media-coverage.html. Retrieved 2006-11-24.
^ MySecureCyberSpace
^ "Reverse PIN Panic Code". http://www.snopes.com/business/bank/pinalert.asp. Retrieved 2007-03-02.

[goodfellow-0] "Royal honour for inventor of Pin". BBC. 2006. http://news.bbc.co.uk/1/hi/scotland/glasgow_and_west/5087984.stm. Retrieved 2007-11-05.

[1] "The Man Who Invented The CASH Machine". BBC. 2007. http://news.bbc.co.uk/2/hi/business/6230194.stm. Retrieved 2007-03-02.

[2] ISO 9564-1:2002 Banking -- Personal Identification Number (PIN) management and security -- Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems

[kuhn-3] Kuhn, Markus (July 1997) (PDF). Probability theory for pickpockets — ec-PIN guessing. http://www.cl.cam.ac.uk/~mgk25/ec-pin-prob.pdf. Retrieved 2006-11-24.

[decimalization-4] Zieliński, P & Bond, M (February 2003) (PDF). Decimalisation table attacks for PIN cracking. University of Cambridge Computer Laboratory. http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf. Retrieved 2006-11-24.

[decimalization-media-5] "Media coverage". University of Cambridge Computer Laboratory. http://www.cl.cam.ac.uk/~mkb23/media-coverage.html. Retrieved 2006-11-24.

[6] MySecureCyberSpace

[PIN-Hoax-7] "Reverse PIN Panic Code". http://www.snopes.com/business/bank/pinalert.asp. Retrieved 2007-03-02.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

Personal identification number

From Wikipedia, the free encyclopedia

Contents

[edit] PIN length

[edit] PIN generation

[edit] Natural PINs

[edit] Offset PINs

[edit] PIN Security

[edit] English language usage

[edit] Reverse PIN hoax

[edit] Related pages

[edit] References

Views

Personal tools

Navigation

Search

Interaction

Toolbox

Languages