This article is rated C-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:
In 2002 two PhD students at Cambridge University, Piotr Zielinski and Mike Bond, discovered a security flaw in the PIN generation system of the IBM 3624, which was duplicated in most later hardware. This has meant most ATMs are vulnerable to an attack known as the decimalization table attack which means that someone who can access ATM hardware can guess a PIN in an average of 15 guesses.
I've removed the above from the article, because it is somewhat misleading. For one thing, the proportion of the article taken up with it lends it undue weight, when it is actually of very little interest to anyone other than a bank manager. The exploit described is not in fact in ATM hardware, but in internal bank computing systems - a bank employee would probably have to have passed security screenings before they could access the systems on which the attack is possible. Nonetheless, it may bear insertion somewhere, and for reference, here's the research paper as a PDF [1] - IMSoP 05:27, 9 Mar 2004 (UTC)
Pricks? 2.97.117.189 ( talk) 15:31, 20 December 2015 (UTC)
It would be nice to add whether PIN should be pronounced P-I-N or PIN as in sPINning for foreign readers such as me :) Thanks, Swalot 11:19, 2 November 2006 (UTC)
How are PINs better than passwords? They are only 4 numbers and have fewer combinations than alphanumeric passwords. This has been removed from the article. 165.230.46.153 20:05, 16 November 2006 (UTC)
Is the hoax tag because the page mentions the PIN security hoax (the belief that if you enter your PIN wrongly you can send a request for help if you're mugged in the ATM cubicle)? The article does label that section 'hoax'. Perhaps a little explanation of why such a system would be impossible and a stronger denial of its existence would clarify the section? Rimi talk 06:01, 8 February 2007 (UTC)
2019 —Preceding unsigned comment added by 12.207.88.169 ( talk) 10:37, 25 September 2008 (UTC)
How do we get 0.06% chance of guessing a 4-digit random PIN after three attempts? I calculate the probability as 1 - ((9,999 / 10 000) * (9,998 / 9,999) * (9,997 / 9,998)) = 0.0003. —Preceding unsigned comment added by 76.21.155.25 ( talk) 18:05, 8 June 2009 (UTC)
hi —Preceding unsigned comment added by 124.253.122.115 ( talk) 04:42, 20 April 2011 (UTC)
Many services and websites started off using PIN as "Personal Identification Number". However, over time they have evolved the usage to extend to non-numeric values as well. So PIN is not necessarily an anachronism anymore. One example that comes to mind that I use every day is my RSA token. I have a "PIN" assigned to that, but the "PIN" is not numeric. — Preceding unsigned comment added by Docbillnet ( talk • contribs) 14:58, 7 October 2011 (UTC)
The article says the following: "Throughout Europe and Canada the traditional in-store credit card signing process is increasingly being replaced with a system in which the customer is asked to enter their PIN instead of signing" I've had a debit card since 1998 and have never not used my PIN. I do remember (as a child) my mother signing something in the 80's but here (Denmark) the replacement is long over, and I'm wondering if it's the same case anywhere else. 94.145.236.194 ( talk) 14:47, 8 December 2011 (UTC)
We now have several US suppliers demanding the "ATM PIN", ie the card PIN, for internet transactions. Presumably, this enables them to avoid the Card-Not-Present transaction fees. I haven't seen any documentation about this.
The Web is full of old documentation saying that the PIN will not be required for Card-Not-Present transactions, and our (AUS) banks don't know anything about it either.
Any further information would be welcome. — Preceding unsigned comment added by 203.206.162.148 ( talk) 03:22, 3 May 2012 (UTC)
At present the lead states that the usage "PIN number" is erroneous. The link given for 'erroneously' goes to the article RAS syndrome, and that article itself gives reasons, I think, for not considering the usage to be erroneous.
The usage is very common (examples: The most common pin numbers: is your bank account vulnerable?, Have only one PIN number? It's YOUR fault if your cash is stolen, ATM PIN Number Reversal hoax email) and could probably be counted as the standard usage, or at least a standard usage. FrankSier ( talk) 14:54, 25 February 2013 (UTC)
I just changed a sentence in the introduction because I thought it was possible to misinterpret as suggesting that PINs have not been used in the UK or Ireland at all prior to the Chip and PIN campaign.
The previous text was "In the UK and Ireland this goes under the term 'Chip and PIN', since PINs were introduced at the same time as EMV chips on the cards."
I also added a reference. Stardarks ( talk) 16:03, 3 December 2013 (UTC)
I've simplified the 3rd paragraph of the lead, which describes PINs in non-ATM/EFTPOS environments. If it's not described as a PIN, not subject to the formatting requirements of a PIN (4-12 numeric characters), is it really a PIN?
Note that this previous edit:
mayare not be subject to the formatting limitation ...
is not valid. A web site may limit PINs to those that meet ISO 9564. Eg, Qantas frequent flyer PINs are limited to four digits. Mitch Ames ( talk) 03:51, 27 April 2014 (UTC)
Personal identification number#PIN length says that:
Not all networks support entry of PINs longer than six digits, and many networks truncate the PIN to four digits.
I suspect that the use of the word "network" is misleading or incorrect. Typically if the PIN is being transmitted over a network (ie not verified locally by the ATM or EFTPOS terminal) the PIN entry device will encrypt the PIN then send the encrypted PIN block to the card issuer and/or bank, which will decrypt and verify it. It is not possible to truncate the PIN while it is encrypted, so it must either be truncated by the PIN entry device (before encryption) or by the bank verifying it (after encryption). I suspect that truncation would happen at the entry device, but don't have a reference to support that. (A few years ago an Australian bank, which supported PINs longer than 4 digits, advised me to change my 6-digit PIN to 4 digits before going overseas, because some overseas ATMs would not accept more than 4 digits.) If someone could dig up a reference for the truncation, we could fix that sentence in the article to be more accurate. Mitch Ames ( talk) 12:05, 13 June 2014 (UTC)
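An added illustration of the point above (not part of the original discussion or the article): the ISO 9564-1 format 0 clear PIN block that a PIN entry device builds before encryption. The PAN and PINs are constructed test values, the function names are hypothetical, and the encryption step itself is not shown.

```python
# ISO 9564-1 format 0 clear PIN block, as assembled before encryption.
# SAMPLE_PAN and the PINs used here are constructed test values.
SAMPLE_PAN = "4000001234567899"

def _pan_field(pan: str) -> bytes:
    # "0000" followed by the 12 rightmost PAN digits, excluding the check digit
    digits = pan[:-1][-12:].rjust(12, "0")
    return bytes.fromhex("0000" + digits)

def build_pin_block(pin: str, pan: str) -> str:
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4-12 decimal digits")
    # format nibble 0, PIN length nibble, PIN digits, 'F' fill to 16 nibbles
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    block = bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))
    return block.hex().upper()

def parse_pin_block(block_hex: str, pan: str) -> str:
    # Undo the PAN XOR, then check format, length and fill before trusting it
    raw = bytes(a ^ b for a, b in zip(bytes.fromhex(block_hex), _pan_field(pan)))
    field = raw.hex().upper()
    if field[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(field[1], 16)
    pin, fill = field[2:2 + length], field[2 + length:]
    if not (4 <= length <= 12 and pin.isdigit() and set(fill) <= {"F"}):
        raise ValueError("malformed PIN block")
    return pin

def differing_nibbles(a: str, b: str) -> list:
    # Positions at which two blocks of equal length differ
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    six = build_pin_block("123456", SAMPLE_PAN)
    four = build_pin_block("1234", SAMPLE_PAN)  # truncated at the entry device
    print(six, four, differing_nibbles(six, four))
    try:
        # Rewriting only the length nibble of the clear block leaves stray
        # PIN digits where the fill should be, so the block is rejected.
        parse_pin_block("04" + six[2:], SAMPLE_PAN)
    except ValueError as exc:
        print("rejected:", exc)
```

The PIN length and fill sit inside the 64-bit block that is then encrypted as a single unit, so a six-digit PIN and its four-digit truncation produce different blocks, and any shortening has to be applied to the clear PIN.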
Not all networks support entry of PINs longer than six digits, and many networks can only accept four digit PINs.
This edit says that PINs are used in card not present transactions, but that is definitely not the case in Australia, where there are as many as four independent authentication codes:
The last two typically allow account enquiries and transfers between customer's own bank accounts and BPAY bill payment, possibly payments to other people's bank accounts, but not general purchases. The Australian banks make a point of using different terms for each, and not using "PIN" to refer to anything other than the ATM/EFTPOS PIN.
Perhaps in other countries, the ATM/EFTPOS PIN is used for internet/phone transactions/banking, but if that is the case:
(This matter was raised a couple of years ago in #card-not-present, but there was no follow-up.) Mitch Ames ( talk) 02:53, 15 June 2014 (UTC)
Plz help me revondaprice22@gmail.com 165.166.100.78 ( talk) 19:00, 23 June 2022 (UTC)
I forgot my password 64.127.156.125 ( talk) 11:14, 9 August 2023 (UTC)
I forgot my password 64.127.156.125 ( talk) 11:15, 9 August 2023 (UTC)