Devil's Advocate: The thing that could save chip-and-PIN

Thank you, Egg...

By Martin Brampton, 27 July 2004 09:05

COMMENT One downside to chip-and-PIN technology is having to remember a PIN number each time you make a purchase. What could help, says Martin Brampton, is if those all-important digits were available on the web.

Yesterday, I thought I had met my chip-and-PIN nemesis. After filling up my motorbike with petrol, I wandered into the shop and pulled out the credit card I use for fuel purchases. It was then that I noticed the array of PIN pads along the counter. Did I know the PIN for the card? Unlikely.

Fortunately, when the card was processed, it told the operator to take a signature, not a PIN. For the time being at least, I was spared my first confrontation with using a PIN for a purchase. Just as well, since despite a range of useful suggestions submitted by readers in response to my previous column on chip-and-PIN technology, I remain utterly unprepared for the new scheme.

One clever idea was to concoct the PIN out of the 16-digit card number. That sounds promising, as the digits look pretty random, especially towards the right-hand end. But then I worried that too simple a scheme would be insecure. For example, just taking the last block of four numbers, or using the first number from each block of four, would be easy to remember. Surely those would be too easy to guess, though?

Suppose I could remember just one four-digit master PIN whose digits were all between one and four, each digit picking a position within the corresponding block of the card number: master PIN 1111 gives the first digit of each block, 1234 the first digit of the first block, the second digit of the second block, and so on. It seems quite a secure scheme, provided I could remember the master PIN.
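The card-number scheme above, written out as an added example so that its strength can be measured. This is the editor's illustration, not code from the column or from Egg, and it assumes the reading of the scheme given in the text: a 16-digit card number split into four blocks of four, and a four-digit master PIN of digits 1 to 4, each digit choosing a position within the corresponding block. The card number is a constructed sample that passes the Luhn check, not a real account.

```python
"""Added example (editor's illustration, not code from the column or from Egg):
the "digits of the card number" PIN scheme, plus a measure of how much it
narrows a thief's guessing.

Assumed reading of the scheme: the 16-digit card number is split into four
blocks of four, and each digit of a four-digit master PIN (digits 1-4 only)
selects one position in the corresponding block. Master 1111 is the "first
digit of each block" variant mentioned in the text.
"""
from collections import Counter
from itertools import product

# Constructed sample number: passes the Luhn check but is not a real account.
SAMPLE_PAN = "4539 1488 0343 6467"

# Every master PIN the scheme allows: 4 choices per block, 4 blocks.
MASTER_PINS = ["".join(p) for p in product("1234", repeat=4)]  # 256 values


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: every genuine card number passes it, so the number a
    thief finds printed on the card is the one the scheme was applied to."""
    digits = [int(c) for c in pan.replace(" ", "")]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def derive_pin(pan: str, master: str) -> str:
    """Apply the master PIN to the card number and return the resulting PIN."""
    digits = pan.replace(" ", "")
    if len(digits) != 16 or not digits.isdigit():
        raise ValueError("expected a 16-digit card number")
    if len(master) != 4 or any(c not in "1234" for c in master):
        raise ValueError("master PIN must be four digits, each between 1 and 4")
    blocks = [digits[i:i + 4] for i in range(0, 16, 4)]
    return "".join(block[int(m) - 1] for block, m in zip(blocks, master))


def reachable_pins(pan: str) -> set:
    """Every PIN the card could have under this scheme. The card number is
    printed on the card, so a thief holding it can enumerate this set."""
    return {derive_pin(pan, m) for m in MASTER_PINS}


def guess_probability(pan: str, attempts: int = 3) -> float:
    """Chance that a thief who holds the card and knows the scheme, but not the
    master PIN, gets the PIN within `attempts` tries, assuming every master
    PIN is equally likely and the thief tries the most common derived PINs
    first. Three tries is the usual lock-out limit."""
    freq = Counter(derive_pin(pan, m) for m in MASTER_PINS)
    top = sorted(freq.values(), reverse=True)[:attempts]
    return sum(top) / len(MASTER_PINS)


if __name__ == "__main__":
    assert luhn_ok(SAMPLE_PAN)
    print("master 1111 ->", derive_pin(SAMPLE_PAN, "1111"))
    print("distinct PINs reachable:", len(reachable_pins(SAMPLE_PAN)), "of 10000")
    print("chance of success in 3 tries: %.3f (arbitrary PIN: %.4f)"
          % (guess_probability(SAMPLE_PAN), 3 / 10000))
```

What the numbers show: because the card number is printed on the card, the only secret is the master PIN, and only 256 of those exist. Repeated digits within a block collapse the space further; for the sample number only 108 distinct PINs are reachable, and the three most likely of them cover nearly a tenth of the master-PIN space, against 3 in 10,000 for a PIN unrelated to the card.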

Another suggestion that intrigued me was using the Pincard. Apparently it is a credit card-sized plastic gadget that provides a way to encode up to a dozen PINs. Developed in the Netherlands, it has been in use on the Continent for some years. It can be bought for a few pounds and has apparently been given away as a promotional item on several occasions.

I am most impressed, though, by a completely separate development - the online bank Egg delivering PINs via the internet. Egg has looked at the PIN problem as a way to differentiate its EggCard and at the same time make life easier for itself.

One problem for the banks is that issuing a PIN is a costly and cumbersome process. It also lacks immediacy since it relies on postal delivery. This in itself poses an additional security risk, since fraudsters have proved adept at intercepting financial information sent by post.

Egg started off in an exceptionally good position to use the net for PIN delivery, since it had built its customer base exclusively on online users. All the same, delivering a PIN was not a simple task, not least because Egg was using a third party for its credit card services and did not itself have direct access to a customer's PIN.

Before it could deliver a PIN to a customer, Egg had to work out how to build a secure tunnel to the service provider. There had to be a live connection between the Egg web server and the holder of the PIN, such that the information could be delivered to a customer while online. The solution is a mix of hardware and software technology that connects a mainframe back end through a symmetric encryption tunnel, then on to the customer's browser using PKI.

Unlike some banks, Egg is catholic in its support for web browsers and looked for mechanisms that would work with all modern browsers, not just Internet Explorer. With all this fine technology and a novel facility to try, this morning I dusted off my EggCard, which had been lying around unused for some time.

Amazingly, I could remember all the security information needed to log on to my Egg account. Then I looked around for the service that would tell me the PIN. As I had already identified myself, the only additional piece of information it required was the three-digit security number from the signature strip on the back of the card. Then up popped my PIN in a secure browser window.

It is a neat facility, and for once it seems that technology really has provided a competitive advantage, at least for a while. Now that I know the PIN can be recovered any time I have access to the internet, I am more likely to use the EggCard. Anything that avoids having to ring a call centre has to be a significant advance!

Comments

There are 23 comments.

  1. Allan Knowles

    For information: The Pincard can be bought from www.cardextras.com

    (I do have a vested interest as we sell the Pincard to cardextras and as a promotional item. I came across it in the Netherlands and use mine on a frequent basis!)

  2. Fred Perkins

    Keeping track of PINs - an easier solution.

    Here's an easy approach that allows you to carry around any number of PINs you want, in hard copy, but completely secure.

    First, think of a 4 letter word, with all its letters different. This is your keyword, known only to you, and never written down.

    Next, for any credit card whose PIN you want to record, construct a little grid, with all the letters of the alphabet in alphabetical order, and a space below each letter (so you have a 10x5 matrix, with the z on an extra row).

    Record the PIN by writing the digits of the PIN corresponding to each letter of your Keyword, under the corresponding letter on your grid. (So, if HELP is your keyword, and 1234 is the PIN, write 1 under H, 2 under E and so on).

    Then fill in all the other grid spaces with random numbers.

    Don't forget to write the identity of the card whose PIN this is, on the piece of paper.

    You then end up with a wallet full of little grids, each one of which looks meaningless to anyone who doesn't know what your Keyword is.

    Simple, doesn't require any devices, yet completely secure, as long as you keep your one keyword secret!
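Fred Perkins' keyword grid, as an added example that is not code from the comment's author, with the check a practitioner would want: how much a thief who steals the wallet and has watched one PIN being typed learns about the other cards in it. The grid is represented as a letter-to-digit mapping (the 5x5 layout on paper is only presentation); the two grids are constructed by hand for two cards, both recorded with the keyword HELP, so that the counts can be verified by eye, and the random fill in make_grid is the procedure the comment describes.

```python
"""Added example (editor's illustration, not code from the comment's author):
the keyword-grid PIN record described above, with a measure of what a thief
learns from it. Grids are represented as a letter-to-digit mapping; the 5x5
layout on paper is only presentation.

Constructed data: two hand-filled grids for two cards, both recorded with the
keyword HELP, so that the counts below can be checked by hand.
"""
import random
from itertools import product

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Digit written under a..z for each card (constructed, not a random fill).
GRID_CARD_A = "56782901567389041234567890"  # HELP reads 1234
GRID_CARD_B = "12340689123746853124123468"  # HELP reads 9075


def grid_from_string(s: str) -> dict:
    """Turn the 26 digits written under a..z into a letter->digit mapping."""
    if len(s) != 26 or not s.isdigit():
        raise ValueError("need exactly 26 digits")
    return dict(zip(ALPHABET, s))


def make_grid(keyword: str, pin: str, rng=None) -> dict:
    """Record `pin` under the letters of `keyword` and fill every other cell
    with a random digit, which is the procedure in the comment."""
    keyword = keyword.lower()
    if len(keyword) != 4 or len(set(keyword)) != 4 or not keyword.isalpha():
        raise ValueError("keyword must be four different letters")
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("PIN must be four digits")
    rng = rng or random.Random()
    grid = {letter: str(rng.randrange(10)) for letter in ALPHABET}
    for letter, digit in zip(keyword, pin):
        grid[letter] = digit
    return grid


def read_pin(grid: dict, keyword: str) -> str:
    """What the owner does at the till: read the digits under the keyword."""
    return "".join(grid[letter] for letter in keyword.lower())


def candidate_keywords(grid: dict, observed_pin: str) -> list:
    """What a thief does who has the grid and saw this card's PIN typed:
    every keyword of four distinct letters under which the grid reads that
    PIN. (A dictionary of real four-letter words would shrink this further.)"""
    choices = [[l for l in ALPHABET if grid[l] == d] for d in observed_pin]
    return ["".join(k) for k in product(*choices) if len(set(k)) == 4]


def narrow_other_card(grid: dict, candidates: list) -> set:
    """PINs the thief still has to try on another card from the same wallet,
    given the keyword candidates learned from the first card."""
    return {read_pin(grid, k) for k in candidates}


if __name__ == "__main__":
    card_a = grid_from_string(GRID_CARD_A)
    card_b = grid_from_string(GRID_CARD_B)
    seen = read_pin(card_a, "help")            # thief watched it being typed
    print("owner reads card A:", seen)
    keys = candidate_keywords(card_a, seen)
    print("keyword candidates after one observed PIN:", len(keys))
    left = narrow_other_card(card_b, keys)
    print("PINs left to try on card B:", len(left), "of 10000")
```

With a genuinely random fill each digit appears about 2.6 times among the 26 cells, so one observed PIN typically leaves a few dozen keyword candidates, and the PIN of every other card recorded under the same keyword is narrowed from 10,000 possibilities to a few dozen. The grids are exactly as secret as the keyword, and the keyword is exposed the moment one PIN is seen being typed, which is the attack several other commenters describe.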

  3. Chris Allen

    Hello, interested party here ;-) I guess what will help ensure the public's rapid take-up of C&P is how easy it will be to unify the PINs on all the cards someone holds (and, the corollary, how easy to revoke them once one PIN is perceived as compromised).

  4. anonymous

    I firmly believe that chip & pin will lead to more fraud not less. Criminals have recently had the audacity & ingenuity to set up dummy card readers that were observed by pinhole cameras on genuine ATMs at high street banks. It follows therefore that it won't take a New York minute for some enterprising criminal to set up a dummy shop along with the equipment to read cards & pin numbers.

  5. anonymous

    Egg has one of the best log-in procedures of any online bank that I have used BUT be careful if you use their savings bank! It is all too easy to get the transfer between your current account bank and the 'external' Egg savings account the wrong way round - resulting in unexpected bank charges!

    Why on earth Egg can't have a simple MONEY IN and MONEY OUT differentiation beats me!

  6. Gordon Wilkinson

    I find it incredulous that you are unable to remember a 4 digit PIN number but have no difficulty in remembering all the information needed to log onto your egg account via a website!

    Methinks you are trying to create the impression of a problem where none exists. After all, every provider allows you to change your PIN to a number that you can remember.

    Would you have problems remembering your vehicle registration if your car was to be stolen?

  7. Anonymous

    Goes to show what consultants are worth, eh?

    Martin is supposed to be a technology consultant of such value that he is employed to write articles for news sites. Yet he fails to remember a simple combination of 4 numbers that allow electronic transactions.

    I bet he has a computer degree as well!

  8. Chris Brackstone

    Mr Brampton should be ashamed of himself for continuing the technical tautology of writing PIN number, when he must know the acronym stands for Personal Identification Number. Sadly, this type of error is apparent all too often in journalism in general and in many technical publications in particular.

  9. anonymous

    I couldn't agree more - the big problem with chip and pin is going to be remembering the pin (also educating users that it is the same pin they use for a cash machine) - I don't believe I have seen that mentioned in any of the blurb, so I thought maybe it would be different.

    The Egg system is very good, and should be copied by all card suppliers.

    I also believe that any card supplier that cannot give on-line access to account details must have an ongoing problem - I have a number of cards, and prefer to use the ones where I can monitor spending on-line.

  10. Simon Collins

    Hey-hey! A gap in the market! I suggest that you send your card number & PIN to me - at my newly started e-business, www.daylightrobbery.com. For a small annual fee I'll hold your card details & PIN on my secure server. Should you find yourself standing in a queue completely lost for PIN then simply drop me a SMS and I'll text you back your PIN. Bingo. Problem solved. ;-)

    Alternatively, you could do what everyone else in the UK will and change all the PINs on all their cards (and probably the security pin on their mobile too) to be the same number, though I think that EMV (chip & pin) standards forbid certain easy-to-guess combinations like 1234.

  11. anonymous

    Some old ideas have been reintroduced!

    Some bloke, forget his name, invented a pin card which cunningly remembers all your numbers. You can buy one and try it from a website called cardextras.co.uk.

    Works a treat!

  12. Charles

    "Unlike some banks, Egg is catholic in its support for web browsers"

    Alas, not for the otherwise excellent Your Money feature by which you can access all your bank and card accounts. For that you must have IE 5.0 or above. I was disappointed when I discovered that, as a long-term Netscape user. (I haven't tried it with Opera or Mozilla yet - maybe, with a bit of luck.) Are you reading this, Egg?

  13. anonymous

    You can remember all your personal details to log on to a financial web site but can't remember a 4 digit PIN... says it all really.

  14. Conor O'Neill

    For promotional purposes we will brand the Pincard with your own promotional details. If you want further information contact us direct on 0845 1235524. Minimum order quantity for branded Pincards is 10K units.

  15. anonymous

    Anybody know about how these things work abroad? Chip and pin has been used for years in France. I got a new chip and pin card last week, took it to France and the tills wouldn't read it. How much sense does that make?

  16. anonymous

    It makes me laugh when people refer to a PIN number. PIN stands for Personal Identification Number. So when people say PIN Number they are in effect saying "Personal Identification Number Number"

    Same goes for LCD display etc.

    Pedantic I know, but makes me laugh.....

  17. Allan McBain

    "I firmly believe that chip & pin will lead to more fraud not less."

    Firstly I should say I work in a Bank and used to be a Branch Manager dealing with fraud from the affected customer's side, but I have no direct dealings with Chip and PIN.

    Can we inject a bit of realism here please?

    Will there be fraud using Chip and PIN - Yes.
    Will there be more - well consider that the PIN is replacing the bored and harassed shop assistant verifying your signature (and aren't cards difficult to sign?) against what you scribbled on a piece of paper - often held in a little machine that makes it almost impossible to get at properly. Anybody obtaining a card - even finding one dropped in the street - any one of you reading this could, with a bit of practice at a signature, probably get away with fraud right now. How many of us could muster up the resources to capture a card and its PIN? Fraud simply has to go down.

    Oh, and in dissing the system rather than helping to make it work, remember who pays for it - you do, through higher charges to offset the banks' losses.

  18. Alex

    Chip & Pin fraud = the customer pays

    The thing about a fraudulent transaction with the old system is that it was assumed the bank was at fault. If the signature didn't match it was their stupidity and their cost.

    With chip and PIN the customer will end up paying. The bank will never believe the customer hasn't released their PIN despite evidence to prove it can be obtained fraudulently.

    Chip & PIN is flawed despite it being available for over 15 years. The flaws are even more apparent now because of advances in consumer electronics (mini cameras and card readers).

    Electronic signature verification would be a welcome addition for high value purchases that too has been available for 15 years. This would prove beyond reasonable doubt the user was present at the till and the user experience would be similar to current signatures on slips.

    If banks were worried about fraud they could have eradicated it over a decade ago; one wonders why they didn't.

    As to remembering a pin number, get a PDA and something like securit, or take memory classes.

  19. anonymous

    From the Egg Web Site, Chip & PIN FAQs & A letter I received today.

    DO I HAVE TO HAVE A CHIP AND PIN CARD?
    Yes. All your credit and debit cards will gradually be replaced with Chip & PIN cards over the next two years. If you feel there are circumstances why you cannot use a Chip and PIN card and you'd like to be issued with a Chip and Signature Egg Card instead, please get in touch. We can review this on an individual basis.

    And in the letter:
    "You were issued with a Chip & Signature card as you stated to me that you had difficulty in remembering PIN numbers"

    Who can remember seldom used numbers? Who thinks it's sensible to change all your cards to operate with the same PIN, or write a PIN down thinly disguised?

    If you've no wish or need to use a credit card to withdraw cash at an ATM, or are concerned over the high incidence of ATM fraud, which is usually committed with a captured PIN, then you have an option.

    Do what I've done and opt for Chip & Signature Credit Cards. It's your choice. Some of the literature on Chip & PIN could be judged as misleading.

  20. Mike W

    Chip readers are more secure than ATMs, which only (in this country) read the mag stripe.

    It is not possible to 'clone' the secure data inside a chip/smart card without having all the required access codes that belong to the bank or card issuer.

    Hence even if you do know a card's PIN, you also need the actual card itself to be able to validate yourself to the chip & PIN system.

    That said, we have heard of the 'phantom withdrawals' from ATMs which must have been inside jobs, therefore security is only as good as its weakest link.

    PS. Glad Martin liked my scheme based on the card's own digits !

  21. Tim Davies

    On the three times I've been asked to use the PIN it's rejected the [correct because I've had it resent to me] number twice and once, even before anything was entered, told the shop the PIN entered was incorrect. Gives you faith.....

  22. anonymous

    It is probably not a bad idea to use biometric signatures. The customers will still continue to sign whatever they have to sign without having to use a PIN and the hassle of remembering it. Remembering may not be the worst hassle, but PINs can be easily captured and misused. Many stories to this effect have affected many banks already.

  23. Chip-and-PIN adversary

    Chip and SPIN, more like; a CON!

    OH, so now we learn that the CaP technology is so naff that we need another secondary 'intelligent' card to unlock our PIN or remind us of yet another arbitrary meaningless number without which our lives will be hell?

    CaP adds no extra security and opens up a whole minefield of other security leaks of personal information. Even anyone with less than 20:20 vision can easily see the numbers that anyone punches into the sales countertop PIN pad, it's so big and inadequately shielded.

    Also, my local bank's hole-in-the-wall money dispenser used to have a nice small discrete keypad - but now it's been replaced with a goddam 12inch colour screen that anybody standing within 100yards can see!

    I urge everyone to vote with their credit cards and refuse to shop anywhere that uses such naff technology as CaP.

    No, I'm not advocating going back to cash, Roman clay buttons, pretty shells or wampum as money, but let's offer IT solutions that help our lifestyle, not complicate it beyond the point of enjoyment!
