Personal identification number

Communication of a PIN that was previously protected against inspection by a cover

A personal identification number (PIN) or secret number is a sequence of digits known only to one or a few people, with which they can authenticate themselves to a machine. The redundant expression PIN number or the designation PIN code is also often used. In a narrower sense, PINs are numeric passwords.

In the case of a card without a chip, the PIN is processed, after the data has been read from the card, exclusively in a protected environment; in the case of a card with a chip, the chip itself also contributes to this processing, protected by its connection to the reader.

Use

A common use for PINs is authentication at an ATM. A sequence of at least four digits must be entered in order to prevent, or at least hinder, unauthorized access to the account. In many shops you can also pay cashlessly with the bank card and the associated PIN.

A PIN is also usually required for internet banking. With this PIN and the account details you can view your account, the account balance and the most recent transactions. With a TAN you can then make a transfer or carry out other banking transactions.

PINs are also used to protect mobile phones from unauthorized use, and in many other areas of technology where a minimum level of security is required. SIM cards for mobile phones are supplied with a PIN, PIN2, PUK and PUK2. All of these codes are stored on the SIM card. PINs can be changed, PUKs cannot. The PUKs are used to unblock blocked PINs. The PIN2 is used to change special, often chargeable, services.

Technical design

The Federal Office for Information Security (BSI) supported a newly introduced PIN procedure in 2001. In addition to the account number, the bank code and other data, the PIN is stored on the EC card in a specially encrypted form. A so-called crypto-processor, attached to the keypad of the ATM, decrypts the PIN for secure transmission. The credit institutions used the Data Encryption Standard (DES) for the earlier encryption. In the simple version of DES, the information to be encrypted is split into blocks of 64 bits each. The characters within a block are then permuted and combined several times, and for security this data is split and encrypted again over 16 rounds. Even the old version could only be cracked by professionals at the time, but it became possible due to the rapid development of computer technology. Since 1997 the banks have used Triple DES, a variant with even longer encryption chains, which the courts consider secure. Ultimately, however, it is not strictly necessary to break Triple DES in full: insiders appear to have developed attack techniques against the procedure, for example by compromising the terminals, that obtain the PIN without breaking Triple DES.

Specifically, the following happens: the ATM reads the encrypted PIN from the card, decrypts it with the help of the crypto-processor and the institute key stored in the ATM, and finally compares the result with the entered sequence of digits. If they match, further transactions (e.g. a withdrawal) are released; otherwise they are not.

Card terminals and cash registers, such as those found in retail, hospitality and other industries, use the same principle to authorize card payments with a PIN.

Security

It is therefore mathematically impossible, even with the greatest possible financial outlay, to determine a PIN with a width of 118 bits without first obtaining the institute key. A fraudster who has found or stolen a Maestro card (formerly an EC card) will try to withdraw money from an ATM. Even if he does not know the PIN, he can try to guess it. With the four-digit Maestro card PIN made up of numeric digits, the probability that the fraudster guesses the PIN in a single attempt is 1/10000 (the digits 0-9 give 10 possibilities for each position; with 4 positions this means $10^4 = 10,000$). However, since up to three attempts are generally allowed, the fraudster has a probability of about

$P \approx \frac{3}{10000} \approx \frac{1}{3333}$

of guessing the correct PIN. In general, the guess probability can be calculated with the following formula, where $a$ is the number of possible PIN combinations and the fraudster, over his two or three attempts, never retries a PIN that has already been rejected:

$P = \frac{1}{a} + \left(1 - \frac{1}{a}\right) \cdot \left(\frac{1}{a-1} + \left(1 - \frac{1}{a-1}\right) \cdot \frac{1}{a-2}\right) = \frac{3}{a}$.

If a five-digit PIN consisting exclusively of digits is used in online banking, the result (neglecting the restriction on combinations) is approximately 1 in 33 thousand (because $a = 10^5$). If lowercase letters are also permitted, the probability drops to about 1 in 20 million with ten digits and 26 letters.
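The three-attempt formula above, carried out in exact arithmetic as an added example (not part of the article). The loop adds one nesting level per attempt, so it generalizes the article's three-attempt case to any number of attempts without repetition; the function names and the sample character sets are constructed for this illustration.

```python
from fractions import Fraction

def pin_space(charset_size: int, length: int) -> int:
    """Number of possible PIN combinations a for a given alphabet and length."""
    return charset_size ** length

def guess_probability(a: int, attempts: int) -> Fraction:
    """Probability of hitting one fixed PIN among a equally likely combinations
    within the given number of attempts, never repeating a rejected PIN.
    Each loop iteration adds one nesting level of the article's formula:
    P = 1/a + (1 - 1/a) * (1/(a-1) + (1 - 1/(a-1)) * 1/(a-2) ...)
    which collapses to attempts/a."""
    attempts = min(attempts, a)
    p_hit = Fraction(0)      # probability of success so far
    p_open = Fraction(1)     # probability that no attempt has succeeded yet
    remaining = a            # candidates not yet ruled out
    for _ in range(attempts):
        p_hit += p_open * Fraction(1, remaining)
        p_open *= Fraction(remaining - 1, remaining)
        remaining -= 1
    return p_hit

def one_in(charset_size: int, length: int, attempts: int = 3) -> Fraction:
    """Express the guess probability as 'one in N' odds (exact fraction)."""
    return 1 / guess_probability(pin_space(charset_size, length), attempts)

if __name__ == "__main__":
    # The article's cases: 4 digits, 5 digits, 5 characters from 0-9 and a-z
    cases = (("4 digits", 10, 4), ("5 digits", 10, 5), ("5 chars 0-9a-z", 36, 5))
    for label, size, length in cases:
        print(f"{label:16s} one in {float(one_in(size, length)):,.0f}")
```

Running the block prints one in 3,333, one in 33,333 and one in 20,155,392, matching the three figures given in the text.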

So that a PIN cannot be guessed by repeated attempts (a so-called enumeration attack), a system protected by a PIN must not accept an unlimited number of incorrect PIN entries. In the case of online forms in particular, an attacker could otherwise simply try out all possible PINs automatically.

Most systems therefore block access after a certain number of incorrect PIN entries; access then has to be unblocked by other means (usually with an additional PIN or through the provider's customer service). At ATMs, in online banking and on mobile phones, the block usually occurs after three incorrect entries.
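As an added illustration (not from the article), a simplified Python model of the lockout rule described above: the check blocks after three incorrect entries, a blocked PIN is no longer evaluated at all, and only the PUK reopens it. The class and its names, the sample PIN and PUK values, and the detail that the PUK unblock sets a new PIN (as on a SIM card) are assumptions made for this example.

```python
import hmac

MAX_PIN_ATTEMPTS = 3   # the article: block after three incorrect entries

class PinVerifier:
    """Simplified SIM/ATM style PIN check with lockout and PUK unblock."""

    def __init__(self, pin: str, puk: str):
        self._pin = pin
        self._puk = puk        # the PUK itself cannot be changed
        self.failed = 0        # consecutive incorrect entries
        self.blocked = False

    def verify(self, entered: str) -> str:
        if self.blocked:
            return "blocked"   # further guesses are neither counted nor evaluated
        # constant-time comparison so the response time does not depend on
        # how many leading digits of the guess were correct
        if hmac.compare_digest(entered.encode(), self._pin.encode()):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= MAX_PIN_ATTEMPTS:
            self.blocked = True
            return "blocked"
        return "wrong"

    def unblock(self, puk: str, new_pin: str) -> bool:
        """Reopen a blocked PIN with the PUK and set a new PIN (assumed behaviour)."""
        if not hmac.compare_digest(puk.encode(), self._puk.encode()):
            return False
        self._pin = new_pin
        self.failed = 0
        self.blocked = False
        return True

def demo():
    # constructed sample values; three wrong guesses block the PIN, the fourth
    # guess is the correct one but is no longer evaluated
    v = PinVerifier("4821", "12345678")
    results = [v.verify(p) for p in ("0000", "1234", "1111", "4821")]
    reopened = v.unblock("12345678", "7305")
    return results, reopened, v.verify("7305")

if __name__ == "__main__":
    print(demo())
```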

Note: The PIN on the magnetic stripe only allows transmission for a unidirectional check or for rewriting. Today, bank cards usually have a chip in addition to the magnetic stripe, which allows the PIN to be checked dynamically over a bidirectional connection and thus supports more complex protection.

When entered, PINs are exposed to skimming, a form of fraud.

Problems in payment transactions

Many internationally issued credit cards are now secured with PINs of up to six digits; in Europe, for example, this affects a large number of Swiss credit cards. Problems often arise in international payment transactions, because most retailers only accept credit card payments with a PIN code. If the merchant's reader is permanently programmed for four-digit PINs and does not offer the option of entering 6 digits, the card cannot be used to pay; this is the case, for example, with many Dutch ticket machines and most POS systems.

This problem is noticeably concentrated in POS systems with line-based LC displays. When a credit card is inserted, systems with large LC displays, such as ATMs, usually switch to a mode that allows PINs of any length to be entered.

The usual remedy for the consumer is, where possible, to change the PIN to four digits in the country of origin.

Notes on selecting a PIN

The Federal Office for Information Security (BSI) generally recommends using only random sequences of characters from the permitted character set as a PIN; PINs such as "0000" or "1234" should be strictly avoided. The following table can serve as a guide for secure PIN selection:

Character set used          Maximum PIN length   Minimum PIN length
0-9                         19 characters        12 characters
0-9, A-Z                    12 characters        8 characters
0-9, A-Z, a-z               11 characters        7 characters
Printable ASCII characters  10 characters        6 characters