Editing Personal identification number

{{Short description|PIN code}}
{{Redirect|PIN code|PIN code in Indian addresses|Postal Index Number}}
A '''personal identification number''' ('''PIN'''; sometimes [[RAS syndrome|redundantly]] a '''PIN code''' or '''PIN number''') is a numeric (sometimes alpha-numeric) [[passcode]] used in the process of authenticating a user accessing a system.

The PIN has been the key to facilitating the [[private data]] exchange between different data-processing centers in computer networks for financial institutions, governments, and enterprises.<ref name=":0">{{cite book |last=Higgs |first=Edward |date= 1998|title=History and Electronic Artefacts |publisher=Oxford University Press |isbn= 0198236336}}</ref> PINs may be used to authenticate banking systems with cardholders, governments with citizens, enterprises with employees, and computers with users, among other uses.

In common usage, PINs are used in ATM or PO transactions,<ref name=":1">{{cite book |last=Martin |first=Keith |date= 2012|title=Everyday Cryptography: Fundamental Principles and Applications |publisher=Oxford University Press |isbn= 9780199695591}}</ref> secure access control (e.g. computer access, door access, car access),<ref>{{cite book |last=Cale |first=Stephane |date= 2013|title=Mobile Access Safety: Beyond BYOD |publisher=Wiley Publishing |isbn= 978-1-84821-435-4}}</ref> internet transactions,<ref name="digitaltransactions1">{{cite news|url=http://www.digitaltransactions.net/news/story/4090|title=E-Commerce: A Tangled Web for PIN Debit|date=1 February 2013|work=Digital Transactions|via=Associated Press}}</ref> or to log into a restricted website.

==History==
The PIN originated with the introduction of the [[automated teller machine]] (ATM) in 1967, as an efficient way for banks to dispense cash to their customers. The first ATM system was that of  [[Barclays]] in London, in 1967; it accepted [[cheque]]s with machine-readable encoding, rather than cards, and matched the PIN to the cheque.<ref>Jarunee Wonglimpiyara, ''Strategies of Competition in the Bank Card Business'' (2005), p. 1-3.</ref><ref name=milligan/><ref name="latimes1">{{cite news|url=http://latimesblogs.latimes.com/afterword/2010/05/atm-inventor-john-shepherdbarron-dies-at-84.html|title=ATM inventor John Shepherd-Barron dies at 84|date=19 May 2010|work=Los Angeles Times|via=Associated Press}}</ref> In 1972, [[Lloyds Bank]] issued the first bank card to feature an information-encoding magnetic strip, using a PIN for security.<ref>Jarunee Wonglimpiyara, ''Strategies of Competition in the Bank Card Business'' (2005), p. 5.</ref> [[James Goodfellow]], the inventor who patented the first personal identification number, was awarded an [[Officer of the Most Excellent Order of the British Empire|OBE]] in the 2006 [[Queen's Birthday Honours]].<ref name="goodfellow">{{cite web  | url=http://news.bbc.co.uk/1/hi/scotland/glasgow_and_west/5087984.stm  | title=Royal honour for inventor of Pin  | publisher=BBC  | access-date=2007-11-05 | date=2006-06-16}}</ref><ref>{{Patent|GB|1197183|"Improvements in or relating to Customer-Operated Dispensing Systems" {{ndash}} Ivan Oliveira, Anthony Davies, James Goodfellow}}</ref>

[[Mohamed M. Atalla]] invented the first PIN-based [[hardware security module]] (HSM),<ref name="Stiennon">{{cite web |last1=Stiennon |first1=Richard |title=Key Management a Fast Growing Space |url=https://securitycurrent.com/key-management-a-fast-growing-space/ |website=SecurityCurrent |publisher=IT-Harvest |access-date=21 August 2019 |date=17 June 2014}}</ref> dubbed the "Atalla Box," a security system that encrypted PIN and [[Automated teller machine|ATM]] messages and protected offline devices with an un-guessable PIN-generating key.<ref name="Lazo">{{cite book |last1=Bátiz-Lazo |first1=Bernardo |title=Cash and Dash: How ATMs and Computers Changed Banking |date=2018 |publisher=[[Oxford University Press]] |isbn=9780191085574 |pages=284 & 311 |url=https://books.google.com/books?id=rWhiDwAAQBAJ&pg=PA284}}</ref> In 1972, Atalla filed {{US patent|3938091}} for his PIN verification system, which included an encoded [[card reader]] and described a system that utilized [[encryption]] techniques to assure telephone link security while entering personal ID information that was transmitted to a remote location for verification.<ref name="nist">{{cite web|last=|first=|date=October 2001|title=The Economic Impacts of NIST's Data Encryption Standard (DES) Program|url=https://www.nist.gov/sites/default/files/documents/2017/05/09/report01-2.pdf|url-status=dead|archive-url=https://web.archive.org/web/20170830020822/https://www.nist.gov/sites/default/files/documents/2017/05/09/report01-2.pdf|archive-date=30 August 2017|access-date=21 August 2019|website=[[National Institute of Standards and Technology]]|publisher=[[United States Department of Commerce]]}}</ref>

He founded [[Atalla Corporation]] (now [[Utimaco Atalla]]) in 1972,<ref name="Langford">{{cite web |last1=Langford |first1=Susan |title=ATM Cash-out Attacks |url=https://h41382.www4.hpe.com/gfs-shared/20140318153228.pdf |website=[[Hewlett Packard Enterprise]] |publisher=[[Hewlett-Packard]] |year=2013 |access-date=21 August 2019}}</ref> and commercially launched the "Atalla Box" in 1973.<ref name="Lazo"/> The product was released as the Identikey. It was a card reader and [[Identity verification service|customer identification system]], providing a terminal with [[plastic card]] and PIN capabilities. The system was designed to let [[bank]]s and [[thrift institutions]] switch to a plastic card environment from a [[passbook]] program. The Identikey system consisted of a card reader console, two customer [[PIN pad]]s, intelligent controller and built-in electronic interface package.<ref name="Computerworld1978">{{cite journal |title=ID System Designed as NCR 270 Upgrade |journal=[[Computerworld]] |date=13 February 1978 |volume=12 |issue=7 |page=49 |url=https://books.google.com/books?id=fB-Te8d5hO8C&pg=PA49 |publisher=IDG Enterprise}}</ref> The device consisted of two [[keypads]], one for the customer and one for the teller. It allowed the customer to type in a secret code, which is transformed by the device, using a [[microprocessor]], into another code for the teller.<ref name="Computerworld1976">{{cite journal |title=Four Products for On-Line Transactions Unveiled |journal=[[Computerworld]] |date=26 January 1976 |volume=10 |issue=4 |page=3 |url=https://books.google.com/books?id=3u9H-xL4sZAC&pg=PA3 |publisher=IDG Enterprise}}</ref> During a [[Financial transaction|transaction]], the customer's [[Bank card number|account number was read by the card reader]]. This process replaced manual entry and avoided possible key stroke errors. It allowed users to replace traditional customer verification methods such as signature verification and test questions with a secure PIN system.<ref name="Computerworld1978"/> In recognition of his work on the PIN system of [[information security management]], Atalla has been referred to as the "Father of the PIN".<ref name="purdue">{{cite web|title=Martin M. (John) Atalla|url=http://www.purdue.edu/uns/html3month/hondocs03/03.ATALLA.html|website=[[Purdue University]]|year=2003|access-date=2 October 2013}}</ref><ref name="bizjournals">{{cite news |title=Security guru tackles Net: Father of PIN 'unretires' to launch TriStrata |url=https://www.bizjournals.com/sanfrancisco/stories/1999/05/03/story3.html |access-date=23 July 2019 |work=[[The Business Journals]] |publisher=[[American City Business Journals]] |date=May 2, 1999}}</ref><ref>{{cite news |title=Purdue Schools of Engineering honor 10 distinguished alumni |url=https://www.newspapers.com/newspage/265046278/ |work=[[Journal & Courier]] |date=May 5, 2002 |page=33}}</ref>

The success of the "Atalla Box" led to the wide adoption of PIN-based hardware security modules.<ref>{{cite book |last1=Bátiz-Lazo |first1=Bernardo |title=Cash and Dash: How ATMs and Computers Changed Banking |date=2018 |publisher=[[Oxford University Press]] |isbn=9780191085574 |page=311 |url=https://books.google.com/books?id=rWhiDwAAQBAJ&pg=PA311}}</ref> Its PIN verification process was similar to the later [[IBM 3624]].<ref>{{cite journal |last1=Konheim |first1=Alan G. |title=Automated teller machines: their history and authentication protocols |journal=Journal of Cryptographic Engineering |date=1 April 2016 |volume=6 |issue=1 |pages=1–29 |doi=10.1007/s13389-015-0104-3 |s2cid=1706990 |url=https://slideheaven.com/automated-teller-machines-their-history-and-authentication-protocols.html |issn=2190-8516 |access-date=22 July 2019 |archive-url=https://web.archive.org/web/20190722030759/https://slideheaven.com/automated-teller-machines-their-history-and-authentication-protocols.html |archive-date=22 July 2019 |url-status=dead |url-access=subscription }}</ref> By 1998 an estimated 70% of all ATM transactions in the United States were routed through specialized Atalla hardware modules,<ref>{{cite book |last1=Grant |first1=Gail L. |title=Understanding Digital Signatures: Establishing Trust Over the Internet and Other Networks |date=1998 |publisher=[[McGraw-Hill]] |isbn=9780070125544 |page=163 |url=https://books.google.com/books?id=joY_AQAAIAAJ |quote=In fact, an estimated 70 percent of all banking ATM transactions in the USA are routed through specialized Atalla hardware security modules.}}</ref> and by 2003 the Atalla Box secured 80% of all ATM machines in the world,<ref name="purdue"/> increasing to 85% as of 2006.<ref>{{cite web |title=Portfolio Overview for Payment & GP HSMs |url=https://hsm.utimaco.com/wp-content/uploads/2018/12/20181206-Utimaco-webinar-Vision-for-Atalla-Portfolio-Overview-Payment-GP-HSMs.pdf |website=[[Utimaco]] |access-date=22 July 2019 |archive-date=21 July 2021 |archive-url=https://web.archive.org/web/20210721060737/https://hsm.utimaco.com/wp-content/uploads/2018/12/20181206-Utimaco-webinar-Vision-for-Atalla-Portfolio-Overview-Payment-GP-HSMs.pdf |url-status=dead }}</ref> Atalla's HSM products protect 250{{nbsp}}million [[Card Transaction Data|card transactions]] every day as of 2013,<ref name="Langford"/> and still secure the majority of the world's ATM transactions as of 2014.<ref name="Stiennon"/>

==Financial services==
=== PIN usage===
In the context of a financial transaction, usually both a private "PIN code" and public user identifier are required to authenticate a user to the system. In these situations, typically the user is required to provide a non-confidential user identifier or token (the ''user ID'') and a confidential PIN to gain access to the system. Upon receiving the user ID and PIN, the system looks up the PIN based upon the user ID and compares the looked-up PIN with the received PIN. The user is granted access only when the number entered matches the number stored in the system. Hence, despite the name, a PIN does not ''personally'' identify the user.<ref>[http://webb-site.com/articles/identity.asp Your ID number is not a password], Webb-site.com, 8 November 2010</ref> The PIN is not printed or embedded on the card but is manually entered by the cardholder during [[automated teller machine]] (ATM) and [[point of sale]] (PO) transactions (such as those that comply with [[EMV]]), and  in [[card not present]] transactions, such as over the Internet or for phone banking.

=== PIN length===
The international standard for financial services PIN management, [[ISO 9564]]-1, allows for PINs from four up to twelve digits, but recommends that for usability reasons the card issuer not assign a PIN longer than six digits.<ref>[http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=54083 ISO 9564-1:2011 ''Financial services &mdash; Personal Identification Number (PIN) management and security &mdash; Part 1: Basic principles and requirements for PINs in card-based systems''], clause 8.1 PIN length</ref> The inventor of the ATM, [[John Shepherd-Barron]], had at first envisioned a six-digit numeric code, but his wife could only remember four digits, and that has become the most commonly used length in many places,<ref name=milligan>
{{cite web
  | url=http://news.bbc.co.uk/2/hi/business/6230194.stm
  | title=The man who invented the cash machine
  | publisher=BBC
  | access-date = 2014-06-15 | date=2007-06-25}}
</ref> although banks in Switzerland and many other countries require a six-digit PIN.

=== PIN validation ===
There are several main methods of validating PINs. The operations discussed below are usually performed within a [[hardware security module]] (HSM).

==== IBM 3624 method====
One of the earliest ATM models was the [[IBM 3624]], which used the IBM method to generate what is termed a ''natural PIN''.  The natural PIN is generated by encrypting the primary account number (PAN), using an encryption key generated specifically for the purpose.<ref>{{cite web
  | url=http://publib.boulder.ibm.com/infocenter/zos/v1r9/index.jsp?topic=/com.ibm.zos.r9.csfb400/csfb4z80539.htm
  | title=3624 PIN Generation Algorithm
  | publisher=IBM
  }}</ref> This key is sometimes referred to as the PIN generation key (PGK).  This PIN is directly related to the primary account number.  To validate the PIN, the issuing bank regenerates the PIN using the above method, and compares this with the entered PIN.

Natural PINs cannot be user selectable because they are derived from the PAN.  If the card is reissued with a new PAN, a new PIN must be generated.

Natural PINs allow banks to issue PIN reminder letters as the PIN can be generated.

==== IBM 3624 + offset method====
To allow user-selectable PINs it is possible to store a PIN offset value.  The offset is found by subtracting the natural PIN from the customer selected PIN using [[modular arithmetic|modulo]] 10.<ref>{{cite web
  | url=http://publib.boulder.ibm.com/infocenter/zos/v1r9/index.jsp?topic=/com.ibm.zos.r9.csfb400/csfb4z80541.htm
  | title=PIN Offset Generation Algorithm
  | publisher=IBM}}</ref> For example, if the natural PIN is 1234, and the user wishes to have a PIN of 2345, the offset is 1111.

The offset can be stored either on the card track data,<ref>{{cite web
    | url=http://www.gae.ucm.es/~padilla/extrawork/tracks.html
    | title=Track format of magnetic stripe cards
    | publisher=Gae.ucm.es
    | access-date=2010-04-25
    | archive-date=2014-09-28
    | archive-url=https://web.archive.org/web/20140928190852/http://www.gae.ucm.es/~padilla/extrawork/tracks.html
    | url-status=dead
    }}</ref> or in a database at the card issuer.

To validate the PIN, the issuing bank calculates the natural PIN as in the above method, then adds the offset and compares this value to the entered PIN.

==== VISA method ====
[[File:VeriFone credit card terminal Servebase.jpg|thumb|When using this credit card terminal, a VISA cardholder swipes or inserts their credit card, and enters their PIN on the keypad.]]

The VISA method is used by many card schemes and is not VISA-specific.  The VISA method generates a PIN verification value (PVV).  Similar to the offset value, it can be stored on the card's track data, or in a database at the card issuer. This is called the reference PVV.

The VISA method takes the rightmost eleven digits of the PAN excluding the checksum value, a PIN validation key index (PVKI, chosen from one to six, a PVKI of 0 indicates that the PIN cannot be verified through PVS<ref>{{Cite web|title=Sun Crypto Accelerator 6000 Board User's Guide for Version 1.0|url=https://docs.oracle.com/cd/E19321-01/819-5536-12/4_FS.html|access-date=2021-06-22|website=docs.oracle.com|language=en-US}}</ref>) and the required PIN value to make a 64-bit number, the PVKI selects a validation key (PVK, of 128 bits) to encrypt this number.  From this encrypted value, the PVV is found.<ref>{{cite web|title=PVV Generation Algorithm|url=https://www.ibm.com/docs/en/linux-on-systems?topic=linuxonibm/com.ibm.linux.z.wskc.doc/wskc_c_appdpvvgenalg.html|publisher=IBM}}</ref>

To validate the PIN, the issuing bank calculates a PVV value from the entered PIN and PAN and compares this value to the reference PVV. If the reference PVV and the calculated PVV match, the correct PIN was entered.

Unlike the IBM method, the VISA method does not derive a PIN. The PVV value is used to confirm the PIN entered at the terminal, was also used to generate the reference PVV. The PIN used to generate a PVV can be randomly generated, user-selected or even derived using the IBM method.

==PIN security==
Financial PINs are often four-digit numbers in the range 0000&ndash;9999, resulting in 10,000 possible combinations. Switzerland issues six-digit PINs by default.<ref>{{Cite book|last1=Wang|first1=Ding|last2=Gu|first2=Qianchen|last3=Huang|first3=Xinyi|last4=Wang|first4=Ping|title=Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security |chapter=Understanding Human-Chosen PINs |date=2017-04-02|chapter-url=https://dl.acm.org/doi/10.1145/3052973.3053031|series=Asia CCS '17|language=en|location=Abu Dhabi United Arab Emirates|publisher=ACM|pages=372–385|doi=10.1145/3052973.3053031|isbn=978-1-4503-4944-4|s2cid=14259782}}</ref>

Some systems set up default PINs and most allow the customer to set up a PIN or to change the default one, and on some a change of PIN on first access is mandatory. Customers are usually advised not to set up a PIN-based on their or their spouse's birthdays, on driver license numbers, consecutive or repetitive numbers, or some other schemes. Some financial institutions do not give out or permit PINs where all digits are identical (such as 1111, 2222, ...), consecutive (1234, 2345, ...), numbers that start with one or more zeroes, or the last four digits of the cardholder's [[social security number]] or birth date.{{citation needed|date=August 2014}}

Many PIN verification systems allow three attempts, thereby giving a card thief a putative 0.03% [[probability]] of guessing the correct PIN before the card is blocked. This holds only if all PINs are equally likely and the attacker has no further information available, which has not been the case with some of the many PIN generation and verification algorithms that financial institutions and ATM manufacturers have used in the past.<ref name="kuhn">{{cite journal
  | author=Kuhn, Markus
  | date=July 1997
  | title=Probability theory for pickpockets — ec-PIN guessing
  | url=http://www.cl.cam.ac.uk/~mgk25/ec-pin-prob.pdf 
  | access-date = 2006-11-24}}
</ref>

Research has been done on commonly used PINs.<ref>
{{cite web
  | url=https://www.theguardian.com/money/blog/2012/sep/28/debit-cards-currentaccounts
  | title=The most common PINs: is your bank account vulnerable?
  | author = Nick Berry
  | date = 28 September 2012 <!-- 12.28 BST --> 
  | publisher = Guardian newspaper website
  | access-date = 2013-02-25}}</ref> The result is that without forethought, a sizable portion of users may find their PIN vulnerable. "Armed with only four possibilities, hackers can crack 20% of all PINs. Allow them no more than fifteen numbers, and they can tap the accounts of more than a quarter of card-holders."<ref name="SS1">{{cite web |last=Lundin|first=Leigh| title=PINs and Passwords, Part 1| url=http://www.sleuthsayers.org/2013/08/pins-and-passwords-part-1.html |work=Passwords| publisher=SleuthSayers| location=[[Orlando, Florida|Orlando]]| date=2013-08-04| quote=Armed with only four possibilities, hackers can crack 20% of all PINs.}}</ref>

Breakable PINs can worsen with length, to wit:
{{Blockquote| The problem with guessable PINs surprisingly worsens when customers are forced to use additional digits, moving from about a 25% probability with fifteen numbers to more than 30% (not counting 7-digits with all those phone numbers). In fact, about half of all 9-digit PINs can be reduced to two dozen possibilities, largely because more than 35% of all people use the all too tempting 123456789. As for the remaining 64%, there's a good chance they're using their [[Social Security Number]], which makes them vulnerable. (Social Security Numbers contain their own well-known patterns.)<ref name="SS1" />}}

===Implementation flaws===
In 2002, two PhD students at [[University of Cambridge|Cambridge University]], Piotr Zieliński and Mike Bond, discovered a security flaw in the PIN generation system of the [[IBM 3624]], which was duplicated in most later hardware. Known as the [[decimalization table attack]], the flaw would allow someone who has access to a bank's computer system to determine the PIN for an ATM card in an average of 15 guesses.<ref name="decimalization">
{{cite journal
  |author1=Zieliński, P  |author2=Bond, M
   |name-list-style=amp | title = Decimalisation table attacks for PIN cracking
  | version =02453
  | publisher = University of Cambridge Computer Laboratory
  | date = February 2003
  | url = http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
  | access-date = 2006-11-24}}</ref><ref name="decimalization-media">{{cite web
  | url=http://www.cl.cam.ac.uk/~mkb23/media-coverage.html
  | title=Media coverage
  | publisher=University of Cambridge Computer Laboratory
  | access-date=2006-11-24
  | archive-date=2018-10-20
  | archive-url=https://web.archive.org/web/20181020060141/https://www.cl.cam.ac.uk/~mkb23/media-coverage.html
  | url-status=dead
  }}</ref>

==Reverse PIN hoax==
{{Main|ATM SafetyPIN software}}

Rumours have been in e-mail and Internet circulation claiming that in the event of entering a PIN into an ATM backwards,  law enforcement will be instantly alerted as well as money being ordinarily issued as if the PIN had been entered correctly.<ref name="PIN-Hoax">
{{cite web
  | url=http://www.snopes.com/business/bank/pinalert.asp
  | title=Reverse PIN Panic Code
  | date=7 October 2006
 | access-date = 2007-03-02}}</ref> The intention of this scheme would be to protect victims of muggings; however, despite the [[ATM Safety PIN Software|system]] being proposed for use in some US states,<ref>[http://www.ilga.gov/legislation/fulltext.asp?DocName=&SessionId=3&GA=93&DocTypeId=SB&DocNum=562&GAID=3&LegID=3193 Full Text of SB0562] Illinois General Assembly, accessed 2011-07-20</ref><ref>[http://www1.legis.ga.gov/legis/2005_06/versions/sb379_SB_379_PF_2.htm sb379_SB_379_PF_2.html Senate Bill 379] {{webarchive|url=https://web.archive.org/web/20120323052605/http://www1.legis.ga.gov/legis/2005_06/versions/sb379_SB_379_PF_2.htm |date=2012-03-23 }} Georgia General Assembly, published 2006, accessed 2011-07-20</ref> there are no ATMs currently in existence that employ this software.<ref>{{Cite web|date=2020-12-15|title=Will Entering Your ATM Pin Backwards Trigger the Police?|url=https://rare.us/rare-life/money-rare-life/will-entering-your-atm-pin-backwards-trigger-the-police/|access-date=2021-02-27|website=Rare|language=en-US|archive-date=2022-03-19|archive-url=https://web.archive.org/web/20220319082737/https://rare.us/rare-life/money-rare-life/will-entering-your-atm-pin-backwards-trigger-the-police/|url-status=dead}}</ref>

==Mobile phone passcodes==
A mobile phone may be PIN protected. If enabled, the PIN (also called a passcode) for [[GSM]] mobile phones can be between four and eight digits<ref>082251615790 [http://www.etsi.org/deliver/etsi_gts/02/0217/03.02.00_60/gsmts_0217sv030200p.pdf GSM 02.17 Subscriber Identity Modules, Functional Characteristics, version 3.2.0, February 1992], clause 3.1.3</ref> and is recorded in the [[SIM card]]. If such a PIN is entered incorrectly three times, the SIM card is blocked until a [[personal unblocking code]] (PUC or PUK), provided by the service operator, is entered.<ref>{{Cite web |title=What is a PUK code? |url=https://support.bell.ca/mobility/smartphones_and_mobile_internet/what_is_a_puk_code |access-date=2024-07-15 |website=support.bell.ca}}</ref> If the PUC is entered incorrectly ten times, the SIM card is permanently blocked, requiring a new SIM card from the mobile carrier service.

Note that this should not be confused with software-based passcodes that are often used on smartphones with [[Lock screen|lock screens]]: these are not related to the device's cellular SIM card, PIN and PUC.

== See also ==
*[[ATM SafetyPIN software]]
* [[Campus card]]
*[[Transaction authentication number]]

==References==
{{Reflist}}

{{Authority control}}

{{DEFAULTSORT:Personal Identification Number}}
[[Category:Banking terms]]
[[Category:Identity documents]]
[[Category:Password authentication]]