Easy-to-Remember PINs

The UK is switching to a "chip and pin" system for credit card transactions. It's been happening slowly, but by January (I'm not sure if it is the beginning of January or the end), every UK credit card will be a smart card.

This kind of system already exists in France and elsewhere. The cards have embedded chips. When you want to make a purchase, you stick your card in a slot and type your four-digit PIN on a keypad. (Presumably they will never turn off the magnetic stripe and signature system required for U.S. cards.)

One consumer fear over this process is about what happens if you forget your PIN. To allay fears, credit card companies have been placing newspaper advertisements suggesting that people change their PINs to an easy-to-remember number:

Keep forgetting your PIN? It's easy to change with chip and PIN. To something more memorable like a birthday or your lucky numbers.

Don't the credit card companies have anyone working on security?

The ad also goes on to say that you can change your PIN by phone, which has its own set of problems.

(I know that the cite I give doesn't quote a primary source, but I also received the information from at least two readers, and one of them said that the advertisement was printed in the London Times.)

Posted on January 3, 2005 at 10:36 AM • 42 Comments

Comments

rjw • January 3, 2005 11:50 AM

I think the worst problem is the ultra trojanability of these machines. Every little corner shop has an opportunity to intercept your PIN and your credit card number. I presume they can't easily duplicate the entire chip. (But I wouldn't be surprised.)
I really have no clue why this is even meant to be better than a signature. It just removes any possibility of audit in the future, it seems.

Are there *any* redeeming features of chip and pin?

Tim Green • January 3, 2005 12:15 PM

As Schneier says, they've been doing this in France for over 10 years, but what have the security experts learned from this experience?

As for PINs, they're not a new idea, so why the big fuss over memorable numbers? More worrying would be using the same PIN on all your cards.

As for card cloning, the rumour seems to be to get the PIN and account number from chip'n'pin and then encoding it into an old style magnetic stripe.

Ric Lawson • January 3, 2005 12:27 PM

Not quite true that all credit cards will have a chip; I've still got some in my wallet which are chip-less, and Amex haven't enabled PINs for any cards yet, although they do have chips.

But supposedly from the 1st January if you have a chip&pin card but the retailer allows you to sign instead, they will be liable for any fraud - not VISA/MC. However lots of shops are still allowing signatures, so they can't be too bothered.

Guan Yang • January 3, 2005 2:13 PM

We've had "stripe & pin" (or sign if the store doesn't have a pin reader) system here in Denmark for ages, and by 1 January 2005 all Danish cards will have a chip on them.

We're not allowed to change our PINs.

Armin • January 3, 2005 2:27 PM

Just to add to what Ric wrote, as far as I know retailers can refuse to accept your card if you don't use your PIN (provided it has the chip).

I also still have cards which don't have the chip yet as they won't expire for a few more months.

Davi Ottenheimer • January 3, 2005 2:53 PM

Newer fuel pumps in the US often require you to enter your billing address zip code after you swipe your card. This seems to be meant only as a deterrent against people randomly finding the card. Not a great system, but perhaps the card companies are responding to the most likely threats. After all, everyone you know would probably know your billing zip, and the only way to change this "pin" is to send your bill to another zip code. :)

Ryan • January 3, 2005 3:03 PM

Here in Holland everyone just gets a random 4 digit pin code. This is the same as the code you use in ATM machines.

Allowing people to choose their own pins isn't exactly a good idea. Can't wait till someone does a study on this and finds out how often 1234 is chosen...

Adam Dinwoodie • January 3, 2005 4:04 PM

The idea of the chip and pin is to stop card fraud, obviously. This works in two ways:

First, if someone steals a card, then they have to find out the PIN number, rather than just forge the signature. Forging a signature to a standard acceptable to a shop cashier is unfortunately very simple, but there is only one possible combination that a PIN reader will accept.

Second, and more importantly, if someone clones a card (and no one is claiming that the chips are not clone-able), they still have to find the PIN, rather than just putting their own signature on the back.

I have seen people and newspapers worrying about people using fake card machines, and getting the card details and PIN that way, but this is possible at the moment, and currently all that is required is a magnetic stripe reader, rather than a fake PIN unit and a comparatively complicated chip reader.

To be fair to the banks, whilst it is true that memorable PINs are easier to break, if an incorrect PIN is used three times, the card is locked, and the owner must contact the bank to have it unlocked. A simple thief would be unlikely to have any better idea even if memorable numbers are used, and even an accomplished fraudster would have to be lucky to get the correct number in three tries.
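To put numbers on the three-try argument in this comment, and on the birthday-PIN worry in the post itself, here is an added example (not code from the post or from any commenter). The date-to-PIN patterns and the 1920 to 1999 birth-year range are assumptions made for the example, not figures from the page.

```python
"""Odds of guessing a 4-digit PIN under the three-try lockout.

Illustration added for the discussion above (Bruce's objection to
birthday PINs and Adam's point about the lockout); it is not code from
the post or any commenter. The date-to-PIN patterns and the birth-year
range are assumptions made for this example.
"""
from datetime import date, timedelta

TRIES_BEFORE_LOCKOUT = 3   # retry limit cited in the thread
FULL_PIN_SPACE = 10_000    # every 4-digit string 0000..9999


def date_derived_pins(year: int, month: int, day: int) -> set[str]:
    """Obvious ways to turn a birthday into four digits (assumed patterns)."""
    yy = year % 100
    return {
        f"{day:02d}{month:02d}",    # DDMM
        f"{month:02d}{day:02d}",    # MMDD
        f"{year:04d}",              # YYYY
        f"{yy:02d}{month:02d}",     # YYMM
        f"{day:02d}{yy:02d}",       # DDYY
    }


def birthday_pin_space(first_year: int = 1920, last_year: int = 1999) -> set[str]:
    """Every PIN the patterns can yield for any birthday in the year range:
    the candidate list for an attacker who only knows the PIN is 'a birthday'."""
    space: set[str] = set()
    d = date(first_year, 1, 1)
    end = date(last_year, 12, 31)
    while d <= end:
        space |= date_derived_pins(d.year, d.month, d.day)
        d += timedelta(days=1)
    return space


def success_probability(space_size: int, tries: int = TRIES_BEFORE_LOCKOUT) -> float:
    """P(PIN found within `tries` distinct guesses) when the real PIN is
    uniformly distributed over a candidate space of `space_size`."""
    return min(tries, space_size) / space_size


def guess_until_lockout(true_pin: str, candidates, tries: int = TRIES_BEFORE_LOCKOUT):
    """Model the card's retry counter: try candidates in order and stop when
    the PIN matches or the counter is exhausted. Returns (found, attempts)."""
    attempts = 0
    for pin in candidates:
        if attempts >= tries:
            break               # counter exhausted: card is locked
        attempts += 1
        if pin == true_pin:
            return True, attempts
    return False, attempts


def compare(year: int, month: int, day: int) -> dict[str, float]:
    """Chance of success within the lockout limit for three attacker positions."""
    return {
        "random PIN, attacker knows nothing": success_probability(FULL_PIN_SPACE),
        "attacker knows PIN is 'a birthday'": success_probability(len(birthday_pin_space())),
        "attacker knows the birthday": success_probability(len(date_derived_pins(year, month, day))),
    }


if __name__ == "__main__":
    # Constructed sample cardholder; 25 Dec 1975 is not a real person's data.
    for label, p in compare(1975, 12, 25).items():
        print(f"{label:36s} {p:.4f}  (about 1 in {round(1 / p):,})")
```

The lockout does cap a stranger's odds at 3 in 10,000, but once the PIN is known to be a birthday the candidate list shrinks to a few thousand, and someone holding the wallet with the driving licence in it is down to a handful of guesses.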

Andy • January 3, 2005 4:37 PM

My parent's Visa card was cloned. The guy who did it managed to make many purchases before someone noticed that the number on the card didn't match the digits on the receipts. Given this, signature alone isn't really working. Chip and PIN will raise the bar, if we can improve a weak link - people choosing easily guessable PINs.

New Zealand has been using a similar system, EFTPOS, for ages, and it is fine for them.

What worries me more is that the keypads in NZ tended to have little covers around them so that others couldn't see the keys as easily when you entered your PIN - I have yet to see a single reader like that in the UK.

Martin Geddes • January 3, 2005 5:07 PM

Nice try, folks, but no banana. They're pulling similar tricks to the telecom industry and trying to reduce customer churn -- which is the real profit-killer. Before you only had to remember your ATM PIN. Now you'll have to remember one for each card you use, unless you go to the effort of changing them all to be the same. How much less likely are you to switch? Furthermore, you're more likely to stick with one card -- and less likely to switch for introductory offers, or trigger a paper bill with an occasional low-value transaction.

Fraud prevention is a red herring. You've got too much security on the brain.

nigel • January 3, 2005 5:29 PM

Andy is right, NZ has been using PIN-numbered debit or credit cards for years now (since at least 1987), it's totally ubiquitous now & it works a total treat, you feel like going back in time going to countries without it :).
Mind you we have the physical protection Andy described, as well as a lot of information on not using PIN numbers like b'days etc! & not giving them out/writing them down.

Fazal Majid • January 3, 2005 6:25 PM

I was still in France when chip cards were first introduced in 1989 (yes, 16 years ago, not 10) by the Post Office bank. Our PINs were assigned to us and not changeable.

The French Chip+PIN machines will accept magnetic stripes (so US tourists can still spend), but will refuse to use the magnetic stripe for cards that also have a chip (I guess the card number ranges for France are blacklisted). Thus, even if a rogue machine captured the card number and PIN, a reencoded card would be useless within France (but usable in the US, but you can't fault the French for the insecurity of the US credit card infrastructure).

The chip issues a certificate when the user types in his PIN code, and the certificate is stored in the unit's memory and later offloaded to the POS system. A favorable side-effect of this is that your card does not leave your sight, unlike in the US where the waiter at a restaurant takes your card and could easily use a skimmer to capture the number.

The system is not perfect, but it has reduced fraud to such a small level that I read a newspaper article according to which fraudsters and crooks there are deliberately targeting tourists, as domestic cards are too hard a nut to crack.

One last thing: credit card insecurity is not just a private matter for banks to trade off between the cost of fraud and the cost of countermeasures. It is a well-established fact that Al-Qaeda terrorists are given seed money but expected to support themselves through credit card fraud. Credit card insecurity through lax practices from issuers and banks has a direct impact on national security.

Rob • January 3, 2005 10:28 PM

The main difference is that in Chip and PIN, the PIN is only used between the PIN entry device and the chip (ICC) on the card. The card itself has a secure cryptographic relationship with the card issuer. Therefore the PIN is not exposed on the network. Issuers can indicate by means of the service code on the card, which method chip, or mag stripe is to be used for identification/ verification in different environments. Hybrid cards having both mag stripe and chip are a potential exposure and the Chip PIN and the mag stripe PIN should ideally be different. Otherwise an attacker can attack the PIN on one medium and use it on the other. Allowing users to change their PIN would favor the selection of the same PIN for different applications/cards and this increases the risks. However PIN selection algorithms should be able to eliminate undesirable choices where possible.

Dylan • January 4, 2005 12:05 AM

Australian eftpos has been in place for almost 20 years (strip and pin) with no headaches. When I was living in the UK a couple of years ago, I was amazed that they still used the antiquated system they were using in a supposedly 1st world country (I stopped getting amazed as time went by and I realised they are not 1st world any more.)

I never understood why pin numbers are a problem over signatures. At least a pin number is not (usually) written on the back of the card. But I guess I grew up with them.

J. Alex Urbanowicz • January 4, 2005 5:39 AM

The problem with using PINs to authorize transactions lies within the contracts customers sign when creating bank accounts. Usually (check the fine print) it says that the bank disclaims all responsibility for transactions authorized with PIN; this is constant to all banks I know.

Unlike this, transactions authorized with signature usually can be disputed to some extent depending on the type of the card (online vs. offline, Visa and VisaElectron vs MasterCard and Maestro). But non-disputability of PIN authorized transactions is constant in all cases I've seen. Check your bank and credit card contracts.

This was tolerable when PINs were only input into supposedly secure bank hardware (yes, I know about ATM fraud). But when I am supposed to punch my number into a possibly hacked POS terminal, with lots of people looking around, think crowded hypermarket line, it is not the same situation.

I guess the motivation of this is to shift more risk to customers; chip-pin authorization makes it difficult to clone the card, but it makes finger phishing then pickpocketing the card easier - but it is not the bank who will be responsible for those risks. It will be shifted to the customer.

davee • January 4, 2005 6:31 AM

Someone said "The main difference is that in Chip and PIN, the PIN is only used between the PIN entry device and the chip (ICC) on the card. The card itself has a secure cryptographic relationship with the card issuer. Therefore the PIN is not exposed on the network."

You still have to trust the card reading device, though.

Nigel Sedgwick • January 4, 2005 7:33 AM

Somewhat off topic, the sight of site spelt cite is rarer than the sight of cite spelt site.

Nigel Sedgwick • January 4, 2005 7:45 AM

Above, Adam Dinwoodie wrote: "Second, and more importantly, if someone clones a card, (and no one is claiming that the chips are not clone-able), they still have to find the PIN, rather than just putting their own signature on the back."

My understanding is that the UK chip-and-pin uses on-card matching of the PIN. In that case, if the card contents can be read, it is possible to discover the PIN. This is even if it is encrypted, as the encryption algorithm used must be on the chip and exhaustive search over a 4-digit PIN is not cryptographically hard.

Thus the additional security provided by such chip-and-pin does depend on the difficulty in reading the card memory.

Ashok Argent-Katwala • January 4, 2005 9:34 AM

Another concern with the way things have changed here in the UK is that you use the same PIN for the cash machine as you do in shops.

Previously you used separate authorisation for retailers and cash machines. I'd rather have shop staff checking cards properly (digits on till matching those on card; signature matching) than have them blindly using a tool which checks those things for you.

I'm guessing that if you pick the right cash machine you can still use the mag-stripe/pin combo even for a card that has a chip. I've seen a bunch of retailers swipe my chipped card first and wait for the till to beep and tell them to use the chip reader, so cloning the mag stripe just got a tad easier too.

artesea • January 4, 2005 5:15 PM

As the person who Bruce linked to, I'll give my 2 cents. First, the advert was cut out of Metro (a free morning newspaper, 15 Dec 2004).
I prefer Chip and PIN as a whole, because the number of Petrol Stations which never looked at my card was rather worrying, as too was the fact that waiters just walked off with my card (most now have wireless handheld machines).

I think the main problem is the one I originally posted about, and that's MC and Visa telling people to pick birthdays.

jam • January 4, 2005 5:35 PM

MC and Visa tell people to pick birthdays because, as someone pointed out above, neither MC, Visa or the issuing bank are responsible for any losses. Their prime motive here is to get chip and PIN accepted.

Douglas • January 4, 2005 5:40 PM

I'm in Holland, and have been using PIN for years. The systems must be more different in different European countries than I thought. Here, you can load money onto the chip at your bank using a machine similar to the one you get normal cash out of, and then you can use the chip to make purchases without entering a PIN number in the shops.

You can also just use the magnetic strip: swipe the card, enter your PIN, click OK. The chip interface never makes contact with the card reader.

Douglas

Roberto Nerici • January 5, 2005 6:41 AM

Bruce wrote:

> Don't the credit card companies have anyone working on security?

Bruce knows more about security than I do so I better be careful, but what's the main "attack" we're worried about here?

I would think the most likely attack is someone stealing your wallet and getting your cards. With a signature system, all you need to use a card is... the card. The signature is on it for you to see (and most shops hardly check). With the Chip and PIN system, you still need the PIN, so you can't just walk into a shop and buy things.

If people set their PIN to something related to them, someone who knows about the person will be able to try and guess their code. But the random thief won't. Maybe that's the main threat dealt with and therefore a major improvement in overall security.

As Bruce himself might have said, when someone can't use their own card because they've forgotten their PIN, that's a security failure :-)

> The ad also goes on to say that you can change your PIN by phone, which has its own set of problems.

This I do think might be a problem. There is also the whole business about how secure the cards themselves are, for which there appear to be different opinions. Still they can't fail to be harder to copy than the previous (US-style?) cards.

Roberto/.

Bryan Feeney • January 5, 2005 7:31 AM

For a while in Switzerland, so I'm told, companies used to embed a photograph of the owner into the card when printing it. However they subsequently gave it up (cost, I suppose).

In this age of "biometrics" I'm amazed no-one ever considers sticking photos in things, it's a lot harder to copy a face than a pin number.

Armin • January 5, 2005 12:41 PM

Citibank in Germany had a photograph of the card owner on the card as well about 5 years ago. Don't know if they still do, I moved back to the UK 4 years ago.

I can't remember how long I had this card, I think maybe 1.5 years. As far as I can remember only once someone noticed the photo and compared it with my face...

Stephen Walker • January 6, 2005 6:42 AM

It seems to me that the security of chip and pin is compromised in the short term by the needs of the transitional system.

Currently, the chip and pin cards also have the magnetic strip. A cloned ATM card could be made if a rogue terminal and operator capture the magnetic strip and pin. Removing the magnetic strip and switching entirely to the chip should make the cards much harder to clone.

In my experience, retailers seem to be using their till systems linked to the Chip and Pin terminal, rather than reading the chip in the terminal itself. This means handing over the card, with the cashier doing a swipe motion through a unit that reads magnetic strip cards and chip and pin cards. Not one retailer has asked me to insert my card into the terminal myself, as the demo shows on the chip and pin site.

Surely this means that in the short term, the chip and pin system provides an opening for increased ATM fraud?

Alan • January 6, 2005 8:45 AM

Many comments posted state that the PIN raises the difficulty of the attack vs. the use of a signature. But the posts miss a point Bruce was making, the ability to audit the charges has been reduced. If you physically sign for something, you can prove that the signature is not yours. Hence a consumer who wishes to fight a charge may have evidence on his/her side. With a PIN, you have little evidence on your side.

John • January 6, 2005 11:05 AM

This has been in force for just 6 days, and already I have seen two people (in the queue ahead of me in shops) who obviously had their PIN written on a piece of paper.
The banks have changed their terms-and-conditions to make the customer liable for any money taken from their account using the PIN. Previously the bank was liable for money taken using a forged signature.
So if I had been a pick-pocket, those two people would now have lost the whole contents of their bank account, or the whole amount of their credit limit, and their banks would have refused to reimburse them, or to classify this as fraud. No wonder the banks say that fraud will be reduced by this system.

John McBride • January 7, 2005 4:46 AM

My wife used her chip and pin card in Malaysia and was not sure of the PIN, the retailer asked her to repeatedly enter the PIN until the card appeared to be locked out. When I inquired the bank said they had no record of a lockout and re-issued the same PIN code by POST. Security Failure!
I agree the photograph on the card is probably better to deter most fraud.

chris • January 7, 2005 8:07 AM

I remember reading a couple of years ago about a US bank that experimented with pictures on credit cards. They replaced some of them with pictures of animals etc. and most shop keepers didn't notice.

This doesn't surprise me in the least; if there is no financial liability on the shop (and hence possibly the teller), then they don't even bother looking. Same goes with signatures.

Here's a question though, what's worse - an easily guessable signature or one written on a piece of paper in the wallet as John mentions. I'll go with the easily guessable one every time, at least you would have to know me to guess it, rather than just pick my pocket.

piglet • January 7, 2005 10:45 AM

PIN numbers have been used for many years with debit cards, they are widely used and accepted. So it's hard to argue against PINs for credit cards without at the same time arguing against debit cards. There are of course some differences: credit cards must be acceptable world wide so even British PIN credit cards will still have to work with the standard system used everywhere else. And credit cards will continue to be used for internet and telephone transactions which are authenticated neither by PIN nor by signature. It has always been a mystery to me how this can work but without those features, credit cards would be significantly less useful. I guess that in this case security and usefulness cannot be reconciled.

It is difficult to judge whether PIN is really more secure than signature. The problem with this discussion, and by the way with most security discussions on this web site, is the lack of hard data.
I have found a statistic about credit and debit card fraud in Germany (http://www.signplus.com/de/press/releases/2003-05-26_Kriminalstatistik2002.php)
which seems to suggest that both types of fraud are about equally common (about 50000 cases per year are reported), but it is likely to be an underestimation.

Michael • January 12, 2005 7:17 AM

I was a little surprised to see the print ad suggesting people change their PIN to a birthday because the TV ads specifically make the point that easy-to-guess numbers are to be avoided. There's obviously no link for this, but at least one of them is all about choosing unlikely numbers which are individual to you. The official website (http://www.chipandpin.co.uk/consumer/using/remembering.html) also makes the point pretty clearly.

As for changing your PIN by calling a phone number, AFAIK most banks don't accept this and you have to go to an ATM to change. I presume the mention of calling in the change is for banks that don't have an ATM network.

Curt Sampson • January 19, 2005 9:57 PM

Japan is still very much a "cash society," and accordingly the daily withdrawal limits from ATMs are quite high (in the several thousands of dollars range). It's well known here that people tend to use their birthdays as PIN numbers, so thieves steal the entire purse and use the bank card at the ATM with the date from the driving license. My Japanese teacher lost about $5000 this way when her purse was stolen.

Another common tactic is to mug someone for his ATM card, demand his PIN, and then have confederates wait with the victim whilst one guy goes to the ATM and withdraws money. If the PIN is wrong, the guy comes back and the muggers make their displeasure known.

jaff • January 21, 2005 8:19 AM

My wife used her chip and pin card in Malaysia and was not sure of the PIN, the retailer asked her to repeatedly enter the PIN until the card appeared to be locked out. When I inquired the bank said they had no record of a lockout and re-issued the same PIN code by POST. Security Failure!
I agree the photograph on the card is probably better to deter most fraud.

spiggy • January 22, 2005 3:28 AM

If the 4 cypher card code is not checked by phone to a database system, but is embedded on the card itself, all you need is a computer hooked to a reading machine (every restaurant will get one I guess) and test 10000 possibilities to "guess" the code. Doesn't seem very reliable.

Frank Smith • February 18, 2006 12:59 PM

I haven't seen any comment yet regarding liability for fraudulent use of a lost card.
How can you prove that it wasn't you using the card if someone is using the correct pin? I always thought there was an onus on the retailer to authenticate the transaction signature against the one on the card, but a number is a number.
So what happens if you don't realise you've lost your card for a few days and someone locally makes a few substantial purchases using the correct pin.
How can you convince the card provider that it wasn't you?

David P • April 16, 2006 7:18 AM

Chip & PIN is more secure because:
-Most shop staff don't check the signature
-Many card holders give me a funny look for checking the signature
-On many cards the signature has worn off. Typical response from a card holder is: "No I will not get a new one" and "I will never shop here again"

However it does have its problems:
-Customers don't care if someone else sees them putting in the PIN
-"You must use your PIN to be sure of using your Chip and PIN card" is read by many customers and some shop staff as you must use a PIN on any card. When it says "...on your Chip and PIN card" if you have a chip & sign or a non-chip card you can use it.
-The Disability Discrimination Act requires that if a card holder is unable to leave their vehicle when they have purchased fuel I must let them sign even if they have a chip & PIN card. The bank supplied card machine dials up for authorisation and in most cases refuses it as the PIN has not been used. You either break your agreement with the bank or break the law - you cannot win.
-One customer came in and still had all the PIN advice letters from the bank in her handbag. A huge queue grew while she went through each one. I hope the person behind was a good guy!
-With our bank owned terminal you insert a chip AMEX card and it displays "Card Application Mismatch"; you then have to follow a set way which lets you then swipe the card. I am sorry to say I did not accept the first chip AMEX card, because we have received no information whatsoever from AMEX or the bank about accepting these. After one go I figured it out. I am sure many shops with the same machine will reject all chip AMEX cards.

jhon • January 2, 2007 4:06 PM

If somebody has a credit card with a chip and somebody clones that card, e.g. in France where the credit cards have chips, if a man clones a card he can't take money out from the ATM, but if he goes to another country where the banks don't have chips on credit cards he can take money out and he doesn't have any problems! I'm from India, I have a credit card in France and somebody cloned my card in September 2006 and took money in Italy from a bank where chips don't exist on the credit cards!

Robert • March 26, 2007 2:25 PM

These chip-installed credit and debit cards are becoming a big hassle for me because all of my cards were issued in the USA and I need to withdraw money in Malaysia using my USA debit and credit cards, which don't have any chips, and Malaysian ATMs don't accept these foreign chipless cards. What should I do? Don't Malaysians need tourists? Why can't they just simply make those ATMs accept both stripe and chip cards?
Any kind of suggestion will be appreciated in this regard. I'm in big trouble now.
Robert
Any suggestion: please email me at robertusa@gmail.com

Rich • May 12, 2007 6:53 AM

I am in "Holland" and for my on-line banking I have one of these tokens (calculator shaped) which requires my PIN first, then expects a challenge number from the bank's site, and a response from me in return(generated by the token after entering the bank's number); this is not unique, I have learned that at least two banks here use this kind of system, or some form of it.
