Talk:Personal identification number

From Wikipedia, the free encyclopedia

PIN Hack

In 2002 two PhD students at Cambridge University, Piotr Zielinski and Mike Bond, discovered a security flaw in the PIN generation system of the IBM 3624, which was duplicated in most later hardware. This has meant most ATMs are vulnerable to an attack known as the decimalization table attack, which means that someone who can access ATM hardware can guess a PIN in an average of 15 guesses.

I've removed the above from the article, because it is somewhat misleading. For one thing, the proportion of the article taken up with it lends it undue weight, when it is actually of very little interest to anyone other than a bank manager. The exploit described is not in fact in ATM hardware, but in internal bank computing systems - a bank employee would probably have to have passed security screenings before they could access the systems on which the attack is possible. Nonetheless, it may bear insertion somewhere, and for reference, here's the research paper as a PDF [1] - IMSoP 05:27, 9 Mar 2004 (UTC)

Rereading it, I agree that the location of the exploit should be more clearly stated, but I think you're underestimating how important it is. See also: Ross Anderson believes some of Bond's attacks have been used in practice. --Imran 14:03, 9 Mar 2004 (UTC)

Pricks? (talk) 15:31, 20 December 2015 (UTC)

Request: Pronunciation of PIN

It would be nice to add whether PIN should be pronounced P-I-N or PIN as in sPINning for foreign readers such as me :) Thanks, Swalot 11:19, 2 November 2006 (UTC)


How are PINs better than passwords? They are only 4 numbers and have fewer combinations than alphanumeric passwords. This has been removed from the article. 20:05, 16 November 2006 (UTC)

hoax tag?

Is the hoax tag because the page mentions the PIN security hoax (the belief that if you enter your PIN wrongly you can send a request for help if you're mugged in the ATM cubicle)? The article does label that section 'hoax'. Perhaps a little explanation of why such a system would be impossible and a stronger denial of its existence would clarify the section? Rimi talk 06:01, 8 February 2007 (UTC)

There's no reason for the hoax tag that I can see. Talking about a hoax doesn't make the article a hoax. The existence of the software isn't a hoax - I've added an additional link to the article about it, just to clarify, although there were two already. CiaranG 08:27, 8 February 2007 (UTC)

PIN CODE

2019 —Preceding unsigned comment added by (talk) 10:37, 25 September 2008 (UTC)

Probability question

How do we get a 0.06% chance of guessing a 4-digit random PIN after three attempts? I calculate the probability as 1 - ((9,999 / 10,000) * (9,998 / 9,999) * (9,997 / 9,998)) = 0.0003. —Preceding unsigned comment added by (talk) 18:05, 8 June 2009 (UTC)

The preceding sentence ("some banks do not give out numbers where all digits are identical ... or consecutive ... or numbers that start with one or more zeroes") implies that the calculations are based on fewer than 10^4 possible PINs. (Note: I haven't actually done the calculations.) However the next sentence says "if all PINs are equally likely", implying (to me at least) "all PINs including all digits identical etc". I suggest that the paragraph (especially "all PINs are equally likely") needs rewording to clarify. Mitch Ames (talk) 13:56, 9 June 2009 (UTC)
The mathematical formula is sound in the first comment; not to mention, if you drop the possibility of all-repeating-digit PINs (i.e. 8888) there are 10 fewer numbers to choose from, AND if you continue on to eliminate the possibility of PINs that start with 0 then you have reduced the TOTAL number of possible PINs by 1009; if you take away PINs that are consecutive in addition to the previous math it takes away another 6 potential PINs, thus vastly increasing your chances of guessing correctly in 3 tries. I calculate the probability as 1 - ((8,984 / 8,985) * (8,983 / 8,984) * (8,982 / 8,983)) which, though I don't have a calculator in front of me, I can tell you is a heck of a lot different than the odds presented in the article. WesUGAdawg (talk) 03:44, 16 December 2009 (UTC)
I have put Citation needed tag on the 0.06% claim. This page quotes the same number but I suspect they got it from this article. FrankSier (talk) 15:33, 25 February 2013 (UTC)
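The two calculations in this thread, worked as an added example (not part of the talk page): the block enumerates the 4-digit PIN space under the exclusion rules the comments mention (all digits identical, leading zero, ascending consecutive digits), which are assumed here to be the bank's rules, and computes the three-attempt guess probability for both the full and the reduced space.

```python
"""Guess probability for 4-digit PINs under the exclusion rules debated above.

Added example, not from the talk page. Which exclusion rules a given bank
applies is an assumption; the three below are the ones the thread names.
"""
from itertools import product


def is_all_identical(pin: str) -> bool:
    # e.g. 8888
    return len(set(pin)) == 1


def has_leading_zero(pin: str) -> bool:
    # e.g. 0123 or 0000
    return pin[0] == "0"


def is_ascending_consecutive(pin: str) -> bool:
    # e.g. 1234 ... 6789: each digit is the previous digit plus one
    return all(int(b) - int(a) == 1 for a, b in zip(pin, pin[1:]))


def allowed_pins(length: int = 4, rules=()) -> list:
    """Every PIN of the given length that passes all exclusion rules."""
    pins = ("".join(d) for d in product("0123456789", repeat=length))
    return [p for p in pins if not any(rule(p) for rule in rules)]


def guess_probability(space_size: int, attempts: int = 3) -> float:
    """Chance of hitting one uniformly random PIN within `attempts` distinct
    guesses, written in the product form used in the thread; it collapses
    to attempts / space_size (3/10000 = 0.03%, not the 0.06% in the article)."""
    p_all_miss = 1.0
    for i in range(attempts):
        p_all_miss *= (space_size - 1 - i) / (space_size - i)
    return 1.0 - p_all_miss


if __name__ == "__main__":
    full = allowed_pins()
    reduced = allowed_pins(
        rules=(is_all_identical, has_leading_zero, is_ascending_consecutive))
    print(len(full), f"{guess_probability(len(full)):.4%}")        # 10000 0.0300%
    print(len(reduced), f"{guess_probability(len(reduced)):.4%}")  # 8985 0.0334%
```

The reduced count 8985 matches the 10 + 999 + 6 exclusions WesUGAdawg describes, and the three-attempt chance rises only from 0.0300% to 0.0334%.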


hi —Preceding unsigned comment added by (talk) 04:42, 20 April 2011 (UTC)

PINs are not necessarily numeric anymore

Many services and websites started off using PIN as "Personal Identification Number". However, over time they have evolved the usage to extend to non-numeric values as well. So PIN is not necessarily an anachronism anymore. One example that comes to mind that I use every day is my RSA token. I have a "PIN" assigned to that, but the "PIN" is not numeric. — Preceding unsigned comment added by Docbillnet (talk · contribs) 14:58, 7 October 2011 (UTC)

Can you provide some references for this use of "PIN" for non-numeric password? If so, we can update the article to mention the semantic change of the "word". Mitch Ames (talk) 15:11, 7 October 2011 (UTC)

outdated info?

The article says the following: "Throughout Europe and Canada the traditional in-store credit card signing process is increasingly being replaced with a system in which the customer is asked to enter their PIN instead of signing". I've had a debit card since 1998 and have never not used my PIN. I do remember (as a child) my mother signing something in the 80's, but here (Denmark) the replacement is long over, and I'm wondering if it's the same case anywhere else. (talk) 14:47, 8 December 2011 (UTC)


We now have several US suppliers demanding the "ATM PIN", ie the card PIN, for internet transactions. Presumably, this enables them to avoid the Card-Not-Present transaction fees. I haven't seen any documentation about this.

The Web is full of old documentation saying that the PIN will not be required for Card-Not-Present transactions, and our (AUS) banks don't know anything about it either.

Any further information would be welcome. — Preceding unsigned comment added by (talk) 03:22, 3 May 2012 (UTC)

"PIN number" erroneous?

At present the lead states that the usage "PIN number" is erroneous. The link given for 'erroneously' goes to the article RAS syndrome, and that article itself gives reasons, I think, for not considering the usage to be erroneous.

The usage is very common (examples: The most common pin numbers: is your bank account vulnerable?, Have only one PIN number? It's YOUR fault if your cash is stolen, ATM PIN Number Reversal hoax email) and could probably be counted as the standard usage, or at least a standard usage. FrankSier (talk) 14:54, 25 February 2013 (UTC)

Yeah. Unlike others like "ATM machine" which are clearly redundant, "PIN number" is not completely redundant. There are other types of pins. (talk) 22:47, 27 March 2013 (UTC)
There are many other types of ATM as well - not all of them machines. Mitch Ames (talk) 09:29, 29 March 2013 (UTC)

Update to Intro

I just changed a sentence in the introduction because I thought it was possible to misinterpret as suggesting that PINs have not been used in the UK or Ireland at all prior to the Chip and PIN campaign.

The previous text was "In the UK and Ireland this goes under the term 'Chip and PIN', since PINs were introduced at the same time as EMV chips on the cards."

I also added a reference. Stardarks (talk) 16:03, 3 December 2013 (UTC)

PINs that are not PINs

I've simplified the 3rd paragraph of the lead, which describes PINs in non-ATM/EFTPOS environments. If it's not described as a PIN, not subject to the formatting requirements of a PIN (4-12 numeric characters), is it really a PIN?

Note that this previous edit:

may are not be subject to the formatting limitation ...

is not valid. A web site may limit PINs to those that meet ISO 9564. E.g., Qantas frequent flyer PINs are limited to four digits. Mitch Ames (talk) 03:51, 27 April 2014 (UTC)

Support for and truncation of PINs longer than 4 digits

Personal identification number#PIN length says that:

Not all networks support entry of PINs longer than six digits, and many networks truncate the PIN to four digits.

I suspect that the use of the word "network" is misleading or incorrect. Typically if the PIN is being transmitted over a network (i.e. not verified locally by the ATM or EFTPOS terminal) the PIN entry device will encrypt the PIN then send the encrypted PIN block to the card issuer and/or bank, which will decrypt and verify it. It is not possible to truncate the PIN while it is encrypted, so it must either be truncated by the PIN entry device (before encryption) or by the bank verifying it (after decryption). I suspect that truncation would happen at the entry device, but don't have a reference to support that. (A few years ago an Australian bank, which supported PINs longer than 4 digits, advised me to change my 6-digit PIN to 4 digits before going overseas, because some overseas ATMs would not accept more than 4 digits.) If someone could dig up a reference for the truncation, we could fix that sentence in the article to be more accurate. Mitch Ames (talk) 12:05, 13 June 2014 (UTC)

I have had a similar experience, but I also do not have a reference (it was a verbal advice), and I'm also not sure what the network mechanism is. Enthusiast (talk) 03:49, 14 June 2014 (UTC)
This updated version of the article said:

Not all networks support entry of PINs longer than six digits, and many networks can only accept four digit PINs.

This wording has the same problem - the network typically transmits an encrypted PIN block, containing a PIN whose length is unknown to the network. The PIN entry device is what limits the "entry of PINs longer than six digits".
So I've updated the article accordingly - but we still need a reference. Mitch Ames (talk) 08:57, 14 June 2014 (UTC)
I think this edit is too much irrelevant detail. While it is probably true that the limit is imposed by software rather than hardware, that distinction is not relevant in this context; most readers of the article and/or users of an ATM are not going to care about the difference. (The distinction might be relevant in the automated teller machine or PIN pad articles, but not here.) Also "most" (vs "not all") and "software" are more specific statements that we have no references for. (The earlier version is also unreferenced, but - being more general - ought to be easier to find a reference for.)
I propose reverting to the earlier, simpler description. If you really think it matters we could use the more verbose "Not all ATM and EFTPOS terminals support entry of PINs longer than six digits ...", but I really don't think we should make the distinction between hardware and software. Mitch Ames (talk) 03:45, 15 June 2014 (UTC)
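To illustrate why the PIN length is not visible in transit, an added example that is not from the talk page or any bank's software: it builds and parses the ISO 9564-1 format 0 PIN block (a layout the thread does not spell out; it is taken from the standard, with a constructed sample PAN) and shows that the length nibble sits inside the block, so truncation can only happen before encoding at the entry device or after decoding at the issuer. Encryption of the clear block under a PIN encryption key is not shown.

```python
"""ISO 9564-1 format 0 PIN block: where the PIN length lives.

Added example, not from the talk page. Layout per ISO 9564-1 format 0:
control nibble 0, PIN-length nibble, PIN digits, F padding to 16 nibbles,
XORed with the PAN block. Sample PAN and PIN are constructed.
"""


def pan_block(pan: str) -> bytes:
    """0000 followed by the 12 rightmost PAN digits, check digit excluded."""
    return bytes.fromhex("0000" + pan[-13:-1])


def encode_format0(pin: str, pan: str) -> bytes:
    """Build the clear-text PIN block; the 2nd nibble carries the PIN length."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, pan_block(pan)))


def decode_format0(block: bytes, pan: str) -> str:
    """Recover the PIN; only a holder of the clear block can read its length."""
    pin_field = bytes(a ^ b for a, b in zip(block, pan_block(pan))).hex().upper()
    if pin_field[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(pin_field[1], 16)
    pin = pin_field[2:2 + length]
    if not pin.isdigit() or pin_field[2 + length:] != "F" * (14 - length):
        raise ValueError("malformed PIN field")
    return pin


def truncate_at_entry_device(pin: str, pan: str, max_digits: int = 4) -> bytes:
    """Truncate before encoding (hence before encryption) at the PIN pad."""
    return encode_format0(pin[:max_digits], pan)


def truncate_at_issuer(block: bytes, pan: str, max_digits: int = 4) -> str:
    """Truncate only after the issuer has recovered the clear PIN."""
    return decode_format0(block, pan)[:max_digits]


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed sample PAN (Luhn-valid test number)
    block = encode_format0("123456", pan)
    print(block.hex().upper())                           # 06122547EEEEEEEE
    print(decode_format0(block, pan))                    # 123456
    print(truncate_at_issuer(block, pan))                # 1234
    print(decode_format0(truncate_at_entry_device("123456", pan), pan))  # 1234
```

Both truncation paths yield the same four digits; neither can be applied to the block once it has been encrypted, which is the point the thread makes about the word "network".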

Card not present, 2014-06

This edit says that PINs are used in card not present transactions, but that is definitely not the case in Australia, where there are as many as four independent authentication codes:

The last two typically allow account enquiries and transfers between the customer's own bank accounts and BPAY bill payment, possibly payments to other people's bank accounts, but not general purchases. The Australian banks make a point of using different terms for each, and not using "PIN" to refer to anything other than the ATM/EFTPOS PIN.

Perhaps in other countries, the ATM/EFTPOS PIN is used for internet/phone transactions/banking, but if that is the case:

  • The article needs to explicitly mention that different countries have different rules
  • References should be provided.

(This matter was raised a couple of years ago in #card-not-present, but there was no follow-up.) Mitch Ames (talk) 02:53, 15 June 2014 (UTC)