Personal identification number

A personal identification number (PIN) is a number known only to one or a few persons, with which they can authenticate themselves to a machine. The redundant expression "PIN number" and the term "PIN code" are also frequently used. Originally a PIN consisted only of digits; today some banks require online-banking PINs made up of digits and letters.

For cards without a chip, the check is carried out entirely in a protected environment after the data has been read from the card; for cards with a chip, the chip provides additional protection through a secured connection to the reader.

Use

A common use of PINs is authentication at an ATM. There, a number of at least four digits must be entered in order to prevent, or at least impede, account access by unauthorized persons. In many shops one can also pay with the bank card together with its associated PIN.

Internet banking usually requires a PIN as well. With this PIN and the account data, the customer can view the account, its balance and recent transactions. With a TAN (transaction authentication number) he can then carry out transfer orders or other banking transactions.

PINs are also used to protect mobile phones against unauthorized use, and in many other areas of technology where a minimum level of security is required. SIM cards for mobile phones come with a PIN, PIN2, PUK and PUK2. All of these codes are stored on the SIM card. The PINs can be changed; the PUKs cannot. The PUKs are used to unblock blocked PINs. The PIN2 is used to change specific, often fee-based, services.

Technical design

The Federal Office for Information Security (BSI) oversaw the introduction of a new PIN method in 2001. Alongside the account number, bank code and other data, the PIN is stored on ec cards in encrypted form. A so-called crypto-processor is connected to the ATM keypad and decrypts the PIN for secure transmission. For the preceding encryption the banks use the Data Encryption Standard (DES). In simple DES, the information to be encrypted is split into blocks of 64 bits; within a block the bits are then repeatedly permuted and combined, and this data is further split and processed in 16 rounds. Even the old version could at that time only be cracked by professionals, but with the rapid development of computing technology it became feasible. Since 1997 banks therefore use Triple DES, a variant with a longer effective key, which is also regarded as secure by the courts. Ultimately, however, breaking a full Triple DES is not strictly necessary: insiders appear to have developed attack techniques against the procedure that obtain the PIN, for example, by compromising the terminals without attacking Triple DES at all.

Specifically, the following happens: the ATM reads the encrypted PIN from the card, decrypts it with the crypto-processor and the bank's key stored in the ATM, and finally compares the result with the entered sequence of digits. If they match, further transactions (e.g. a withdrawal) are enabled; otherwise they are not.

Card terminals and cash registers, as used in retail, catering and other industries, apply the same principle to authorize card payments with a PIN.

Security

It is therefore mathematically ruled out, even with the greatest financial effort, to determine the PIN without obtaining the bank's key, which has a width of 118 bits. A fraudster who has found or stolen a Maestro card (formerly EC card) may attempt to withdraw money at an ATM. Even if he does not know the PIN, he can try to guess it. With a four-digit Maestro card PIN consisting of numeric digits, the probability that the fraudster guesses the PIN in one attempt is 1/10,000 (for the digits 0 to 9 there are 10 options for each position; with 4 positions this gives 10^4 = 10,000). Since, however, generally up to three attempts are allowed, the fraudster has a probability of about

of guessing the correct PIN. In general, the guessing probability can be calculated with the following formula, which takes the number of possible PIN combinations into account and assumes that the fraudster does not repeat a wrong PIN in the second or third attempt:

If a five-digit PIN consisting only of digits is used for online banking, the result (neglecting restrictions on the combinations) is a guessing probability of about 1 in 33 thousand. If lower-case letters are also used, the probability drops, with ten digits and 26 letters, to approximately 1 in 20 million.

So that a PIN cannot be guessed by repeated trials (a so-called enumeration attack), a system protected by a PIN must not accept an unlimited number of incorrect entries. Especially with online forms, an attacker could otherwise simply try all PINs automatically.

Most systems therefore lock PIN access after a certain number of incorrect entries; it must then be unlocked by other means (usually by another PIN or by the vendor's customer service). With ATMs, online banking and mobile phones, the lock usually takes effect after three incorrect entries.
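The following Python example is added here to illustrate the two points above; it is not part of the original article. It computes the guessing probability for the PIN spaces discussed (four and five digits, and digits plus 26 lower-case letters) using the standard result that an attacker who tries k distinct PINs out of n possible ones succeeds with probability k/n, and it models a verifier that locks after three wrong entries so that an automated enumeration of all PINs is cut off after exactly those three tries. The PIN, PUK and alphabet values are constructed for the example; the lockout threshold of three follows the article.

```python
from fractions import Fraction
import hmac
import itertools


def pin_space(charset_size: int, length: int) -> int:
    """Number of possible PIN combinations for a given alphabet size and length."""
    return charset_size ** length


def guess_probability(charset_size: int, length: int, attempts: int) -> Fraction:
    """Probability that an attacker who tries `attempts` distinct PINs hits the right one.

    With n combinations and no repeated wrong guesses the chance is
    1/n + (n-1)/n * 1/(n-1) + (n-2)/n * 1/(n-2) + ... = attempts/n, returned exactly.
    """
    n = pin_space(charset_size, length)
    return Fraction(min(attempts, n), n)


def odds_one_in(p: Fraction) -> int:
    """Express a probability as '1 in X', with X rounded to the nearest integer."""
    return round(1 / p)


class PinVerifier:
    """Verifier that locks after MAX_WRONG consecutive wrong entries (assumed policy: 3,
    as for ATMs, online banking and phones in the article). A PUK unblocks it."""

    MAX_WRONG = 3

    def __init__(self, pin: str, puk: str) -> None:
        self._pin = pin            # constructed secret for the example
        self._puk = puk            # constructed unblocking code for the example
        self.wrong = 0
        self.locked = False

    def verify(self, candidate: str) -> str:
        if self.locked:
            return "locked"
        # constant-time comparison so the check does not leak partial matches
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self.wrong = 0
            return "ok"
        self.wrong += 1
        if self.wrong >= self.MAX_WRONG:
            self.locked = True
            return "locked"
        return "wrong"

    def unblock(self, puk: str, new_pin: str) -> bool:
        """Reset the lock and set a new PIN, but only with the correct PUK."""
        if not hmac.compare_digest(puk.encode(), self._puk.encode()):
            return False
        self._pin = new_pin
        self.wrong = 0
        self.locked = False
        return True


def enumeration_attack(verifier: PinVerifier, alphabet: str, length: int):
    """Simulate an automated try-every-PIN attack against a verifier.

    Returns (found, attempts_made). Against a locking verifier the attacker gets
    exactly MAX_WRONG tries, which is the `attempts` in guess_probability().
    """
    attempts = 0
    for combo in itertools.product(alphabet, repeat=length):
        attempts += 1
        result = verifier.verify("".join(combo))
        if result == "ok":
            return True, attempts
        if result == "locked":
            return False, attempts
    return False, attempts


if __name__ == "__main__":
    for size, length, label in [(10, 4, "4 digits"), (10, 5, "5 digits"), (36, 5, "5 chars, 0-9a-z")]:
        p = guess_probability(size, length, 3)
        print(f"{label}: 3 tries -> 1 in {odds_one_in(p)}")
    v = PinVerifier("4711", "12345678")
    print("enumeration:", enumeration_attack(v, "0123456789", 4))  # (False, 3)
```

The probability function reproduces the article's figures (1 in 3,333 for four digits, about 1 in 33 thousand for five digits, about 1 in 20 million for five characters from digits and lower-case letters), and the simulation shows why the lockout matters: without it, `enumeration_attack` would walk through all 10,000 four-digit PINs and succeed with certainty.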

Note: the PIN on the magnetic stripe permits only a unidirectional transmission for verification, or overwriting. Today bank cards usually carry, in addition to the magnetic stripe, a chip that allows a dynamic check of the PIN over a bidirectional link. This supports more complex protection.

Problems in payment transactions

Many internationally issued credit cards are now secured with PINs of up to six digits; in Europe this applies, for example, to a large part of Swiss credit cards. This frequently causes problems with international payment systems, since most merchants accept credit cards only when inserted with PIN entry. If the merchant's reader is hard-coded to four-digit PINs and offers no way to enter six digits, the card cannot be used for payment; this is the case, for example, with many Dutch ticket machines and a large part of POS systems.

This problem is strikingly concentrated in POS systems with line-based LCDs. Systems such as ATMs with large LC displays usually switch, when a credit card is inserted, into a mode that allows entry of PINs of any length.

For the consumer, the remedy is usually, where possible, to change the PIN to four digits in the country of issue.

Notes on PIN selection

The Federal Office for Information Security (BSI) generally recommends using only random sequences of characters from the permitted character set as a PIN; PINs such as "0000" or "1234" should be strictly avoided. The following table can serve as a guide to choosing a secure PIN:
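As an added example (not from the article or from the BSI), the following Python code applies the recommendation above: it draws a PIN uniformly at random from the permitted character set with the operating system's cryptographic random source, and it rejects the obvious patterns. The article names only "0000" and "1234"; treating every constant string and every straight ascending or descending run (such as "4321" or "abcd") as weak is this example's own generalisation of those two cases.

```python
import secrets
import string

DIGITS = string.digits
DIGITS_AND_LOWER = string.digits + string.ascii_lowercase


def is_weak_pin(pin: str) -> bool:
    """True for constant strings ("0000") and for stepwise runs ("1234", "4321").

    Only the two quoted examples come from the article; the generalisation to
    any constant string or run with a constant step of +1/-1 is assumed here.
    """
    if len(pin) < 2:
        return True
    if len(set(pin)) == 1:
        return True
    codes = [ord(c) for c in pin]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps == {1} or steps == {-1}


def generate_pin(length: int = 4, alphabet: str = DIGITS) -> str:
    """Draw a random PIN from `alphabet` using the CSPRNG in `secrets`.

    Re-draws on the rare occasions a weak pattern comes up, so the result is
    uniform over the non-weak PINs rather than over all strings.
    """
    while True:
        pin = "".join(secrets.choice(alphabet) for _ in range(length))
        if not is_weak_pin(pin):
            return pin


if __name__ == "__main__":
    for sample in ("0000", "1234", "4321", "4711"):
        print(sample, "weak" if is_weak_pin(sample) else "ok")
    print("random 4-digit PIN:", generate_pin())
    print("random 5-char PIN (0-9a-z):", generate_pin(5, DIGITS_AND_LOWER))
```

`secrets` is used rather than `random` because the latter is a non-cryptographic generator whose output can be predicted from earlier values, which defeats the purpose of a random PIN.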
