back to article UK start-up tackles PIN fraud with patterns

We all know that the weakest link in almost any security system is the user. We puny humans are prone to errors, and so we tend to write down complicated passwords, or choose ones which are stupidly easy to guess. Same with PINs. How many of you (be honest now) use your birth year? A PIN also stays the same all the time. But …

COMMENTS

This topic is closed for new posts.
  1. Ross

    Better than PIN but...

    Ummm, surely their maths are out? If they have a 5x5 grid but only populate it with 10 digits (0-9) then there must be duplication digits, meaning that you could make a mistake in guessing the pattern and still get the right password. That reduces the strength of the protection.

    To avoid collisions you'd need to work in base 25. Certainly possible, but you'd need a lot more keys on your keypad.

    I like the idea but it'll not replace chip+PIN for one reason. Cost. Chip+PIN has already reduced card issuers losses where it has been deployed (at great cost) so why would they bother spending even more money when they can just say "sorry, you were lazy about securing your PIN, so the fraud was your fault - no refund" ?

  2. Tom Chiverton

    Um...

    "Each time you see the grid, the numbers are different, so even if you are shoulder surfed, it doesn't matter."

    But the pattern is always the same, so it's just as vunerable to shoulder surfing.

    Did you just repost their press release without thinking ?

  3. Anonymous Coward
    Anonymous Coward

    I do hope they aren't holding out for a patent...

    ...at least 10 years ago "Tomorrows World" showed an idea for replacing PIN numbers where you used photographs. Only the real card holder would know that their code was Aunt Mabel, their dog and their son aged 8 out of a selection of 10 offered pics.

    so it's not a new idea.

    Anyway, it's all immaterial, as the banks won't care - it's not as if fraud costs them anything anyway.

  4. Anonymous Coward
    Anonymous Coward

    Good idea

    I don't actually know all of my PINs, I just remember the pattern on the keyboard!

  5. Anonymous Coward
    Anonymous Coward

    Not suitable for everyone

    Great. Another technology which will actually restrict what I can do.

    I'm registered partially sighted, and find it hard enough to use cash machines at the moment (I have to get to within about 8 to 10 inches of the screen). If this is rolled out, I sure hope the banks have the intelligence to provide alternatives for folks with poor vision - like allowing us to keep using PINs.

  6. Anonymous Coward
    Anonymous Coward

    The Change

    I suspect this will change "shoulder surfers" into "head punchers", as they change from acquiring the PIN to simply grabbing the freshly withdrawn cash.

    Frankly the real solution is to ditch cash points altogether and move to a cashless society with physical token and biometric two-factor authentication.

  7. Jamie Kitson

    Ch-Ch-Ch-Changes

    PINs don't necessarily stay the same, you can change them, maybe banks should force changes on users sometimes. Maybe banks shouldn't allow users to chose their PIN at all.

  8. Anonymous Coward
    Anonymous Coward

    I already do this

    I'm crap at remembering numbers but never have a problem remembering the pattern on the keypad. A couple of times I've had to change the PIN because the pattern didn't 'work' but normally it's fine.

  9. Graham Marsden

    So what's new?

    Here's a post from a message board back in 2005:

    * * * * *

    I've just had a new cash card issued for my Danish account. They also sent me a PIN, and with it a mnemonic device that seems very clever to me.

    It's a slip of paper with 40 randomly coloured squares. It arrives blank; you choose a pattern of colours or a shape that you can remember and write your PIN there. You then fill in the rest of the squares so that the numbers from 0-9 occur 4 times each, in a random pattern. You write on top which card the paper belongs to, and they actually recommend that you carry it around with your card so you can tell your PIN at a glance.

    * * * * *

    I wonder if anyone's patented this...?!

  10. Vladimir Plouzhnikov

    @Tom Chiverton

    That was my first thought - someone looking over your shoulder will look at the numbers then match them to the pattern...

    However, then it ocurred to me that the idea is not so daft after all - it will take a lot of time for anyone to match the 4 numbers to the pattern on the screen because there will be a lot of numbers scattered around. And the shoulder surfers don't have that kind of time.

  11. Anonymous Coward
    Anonymous Coward

    To Tom Chiverton

    I suspect you have misunderstood the article. The system displays a grid with a (presumably random) digit in each square. The user looks at the grid and reads the digits which appear in the pattern that they have memorised - this generates a 'one use' pin which is then entered using a keyboard.

    A shoulder surfer can see the numbers being punched in but that does not help him - since each digit appears more than once on the grid, it is not possible to deduce the pattern from the sequence of numbers.

    Obviously, if the user was required to key their pattern on the grid the system would not offer enhanced security.

  12. Neil Smith

    Duplication of digits & the partially sighted

    Ross,

    the reason for multiple repititions of the digits is to stop a shoulder surfer being able to get the pattern. If a 4 digit PIP is still used, then there would still be a 1 in 10,000 chance of guessing the PIN, but not the PIP.

    Anonymous Vulture,

    The conversations have been had with the RNIB to get GrIDsure into formats capable for the partially sighted. Bloor have put out an article on just this subject.

    Graham,

    The card is a way of remembering your PIN, GrIDsure is a means of creating a new PIN each time, just like using a token, but no additional hardware. You don't have a PIN anymore, just a shape to remember.

  13. RMartin

    The meaning of PIN

    PINs are probably as far down the "secret code" route that card issues will ever want to go, as customers have been trained for decades to remember 4 digits. Numerous studies have shown conclusively that the longer the code, or the more abstract the coding system (e.g. choosing "patterns" rather than actual numbers) the more people have trouble remembering them. The claim of "over 90%" in the story sounds convincing until you remember that any system that falls short of 99.9% is likely to be unworkable on a large scale. One of the problems that pundits - particularly clever ones who read The Reg ;-) - have in understanding this is that they tend to see things from their point of view, e.g. "I understand this so it must be easy for everyone" - but when a system is scaled up to encompass tens of millions of people, many of whom could be charitably compared to Cletus the slack-jawed yokel of Simpsons fame, then that argument simply falls over. Any bank contemplating this system had better think about hiring several hundred more call centre staff to handle the forgotten passcode requests.

    The number of permutations in a system, whether it be 10k or 100k, is also something of a red herring. In a 4-digit PIN system, guessing the PIN is made difficult as 3 consecutive failures results in the card being disabled. That mitigates the guessing risk. As for shoulder surfing, there is no difference between using PINs or patterns, as both reveal the same visual information to an attacker.

    The fact that many people write down PINs is also interesting. Personally I doubt if many attacks are perpetrated in this way, and on balance it may even be preferable to write down your PIN as at least that way you don't forget it and your bank is probably secretly happy because they don't have to handle your calls to the helpdesk to get a new one when you do. But it does raise an interesting question as to how a customer would write down a gridsure pattern. I can't think of one - can anyone else?

    The real evolution away from PIN will probably be a biometric. The technology is nowhere near robust enough for banks yet, but it does have many potential benefits, not the least of which is that you may never have to remember a PIN or pattern or whatever again.

  14. Anonymous Coward
    Anonymous Coward

    Re: earlier comments

    "But the pattern is always the same, so it's just as vulnerable to shoulder surfing."

    You don't move anything but your eyes over the pattern! You read the numbers from the correct points on the pattern, then type them on a standard numeric keypad below.

    "To avoid collisions you'd need to work in base 25. Certainly possible, but you'd need a lot more keys on your keypad."

    Or...you could just get the user to type two digits for each location? In a similar fashion, it's possible to write numbers larger than 9 using something called the Hindu-Arabic numeral system. (Hint: you did so in your post.)

  15. Torben Mogensen

    Better use letters

    While many people have trouble remembering four-digit pins, most can remember a much longer sequence of letters -- if the sequence can be pronounced. So, replace number pads with keyboards and allow people to type in their POWs (Personal Identification Words).

    When banks issue POWs, they should be sure that the sequence can be pronounced, so it is easy to remember. Though this will decrease the number of possible sequences, the number of pronounceable five-letter sequences is still much higher than the number of distinct four-digit PINs.

    This doesn't solve the shoulder-surfing problem, though. That could, however, be solved by using a keyboard where each key shows three letters, but where the assignment changes with every use. This way, you need only 9 keys (less than a normal numeric keypad), and there are 3^5 = 243 words that fit any 5-key sequence. Granted, many of those won't be pronounceable, so a shoulder-surfer can eliminate a lot of them, but my guess is that there would still be enough viable words left that the three failed tries before the card is locked will be too few to get a good chance of guessing.

    Example: My POW is "krolf". The keys show

    1:VIZ 2:UDB 3:LOX

    4:AQT 5:RSF 6:GMP

    7:JYC 8:EWH 9:KNE

    Note that to make all keys have three letters, E is repeated.

    So I type 95335. This could also have been "eslos", "efoof", "kroos", "erxor" and many other.

    The key assignment should spread vowels as much as possible, so most keys have one. With only AEIOUY (and E repeated), two keys will be without vowels. If we omit Q and X and repeat two other vowels (e.g., A and O), all keys will have vowels and we get rid of some troublesome letters. Note that repetitions will give several valid key sequences for some WOSs, but that shoud not be a major problem.

  16. Anonymous Coward
    Anonymous Coward

    Its easy to understand.

    What is it with some people. Whycant you actually read whats written.

    Example :

    Grid

    58467

    35984

    93457

    62486

    38459

    Pattern: (yes the "X")

    OOOOO

    XXXOOO

    OOXOO

    OOOOO

    OOOOO

    So the temp pin = 3594

    However there are

    3 x 3's

    4 x 5's

    3 x 9's

    5 x 4's

    Making it very difficult to recognise a pattern.

  17. system

    The maths

    The maths of it does seem completely wrong.

    I can't find any information on what actually sits in the squares (single or double digits), but for single digits the results will always be 10^x where x is the number of digits in the sequence.

    To get 25^4, they need double digits and may as well just go for a 10x10 square, giving them 100,000,000 possibilities. If it's a matter of ease of use (maybe people can't remember a 4 step pattern in a 10x10 block), even a 3x4 block offers double the security of 10^4. There is no reasoning given on their site for why it would be a 5x5 block.

    I'd go with it all just being wonky maths though. Here's from their site:

    "However add into the ‘mix’ the fact that up to a third of users write down and carry their PINs with them, and that many more use easy-to-remember numbers like their spouse’s birthday, overall security is reduced to say 5000:1 or even 2000:1."

    2000 possibilities for a spouses birthday?

    If day and month are both single digits (3rd april say) we can have d/m/yy, 0d/0m, 0m/yy as easily memorable dates (and lets face it, someone using a spouses b/day is not going for hard to remember). This is 1/3, nowhere near the 1/2000 or 1/5000.

    Even changing the zeroes to any other number, with those 3 date combinations there are 111 possibilites.

    Using a spouses birthday only becomes a liability when someone knows that date, for someone who doesn't know your spouses birthday they are right back at 1/10,000.

    If the pin is written down and you're assuming the thief has it, it's a 100% probability that they have your PIN. If you assume they don't have the PIN, then again it's back at 10,000 possibilities.

    Besides, a pattern can also be put down on paper and is harder to disguise as something innocent like a phone number.

    And Jonathan Craymer likes to call it "chip and spin" :-P

  18. system

    RE: Its easy to understand.

    The example you have given still uses single digit numbers.

    The fact is, using only 0-9 4 times, you cannot exceed 1/10,000 probability or 10^4.

    In fact, as your example neglects the use of 0 and 1, it has an 8^4 probability, or one in 4096, half the effectiveness of a regular PIN.

  19. Joe

    Not such a bad idea

    I like it! But the banks won't because it'll cost them.

    Personally, I'm pretty good at remembering major PINs, but for a credit card I very rarely use, I have a business card with three phone numbers on the back - all made up ones - so it looks pretty innocuous. I know which one is a PIN! (It's the last four digits of the middle phone number... ;) Use London phone numbers for lots of 4-digit groups!)

  20. Anonymous Coward
    Anonymous Coward

    Keyboard pattern

    "I don't actually know all of my PINs, I just remember the pattern on the keyboard!"

    Be careful when you're abroad. Egyption cashpoints (and probably others) have the 789 row at the top, whereas we have 123 at the top.

  21. Neil Smith

    The Maths

    Gentlemen, the mathamatical study was carried out by Prof. Richard Weber, the Director of Cambridge Universities Statistics Laboratory. The maths is sound.

    The numerics 0-9 are placed into a 5x5 grid, therefore 25 cells, 2.5 repititions of each digit. The PIP is selected by choosing 4+ cells, OR the same cell 4 times if you wanted.

    Each time a challenge grid is shown to the user, he has a new sequence of numbers, which corespond to his PIP, the constant pattern.

    There is always a chance of guessing the PIN of 1 in 10,000, if 4 digits are used. But it will be useless next time.

  22. Paul Buxton

    I maybe wrong but...

    It looks to me that the number of digits in a cell is irrelevant. All that matters is the number of pattern combinations.

    So for the example cited

    "For a five by five grid, and a four cell pattern, you have 254 possible patterns. That's 390,625 possible arrangements, compared to the 10,000 possible combinations of four digits in a traditional PIN,"

    You actually have 25x24x23x22= 303600 possible patterns.

  23. Anonymous Coward
    Anonymous Coward

    Billy Idiot finger print?

    Am I being stupid, but getting a really basic fingerprint reader that picks up on a slight pattern in a finger and gererates a 4 digit "pin" from that (the relative postion of two swirls from a third?) is that really that difficult and still beyond our grasp?

  24. Anonymous Coward
    Anonymous Coward

    Just to complete the conversations!

    Thought I would just add the following. . .

    1. When challenged with the authentication you enter the numbers on the grid which correspond to your pattern (you don't actually enter the pattern itself) and because the digits are repeated on the grid anyone 'shouldersurfing' you would find it extremely difficult to identify your pattern from the numbers you enter. Compare this to someone shouldersurfing a standard PIN, once it is observed once, the PIN is compromised. With GrIDsure this is not the case as the PIN is one-time.

    2. As for people choosing common patterns, our trials have shown that there is a wide diversity of patterns that people choose. Indeed the view of a Cambridge mathematics professor who we have been working with is that the number of 'common' patterns runs into the tens of thousands (the total number of possible patterns is over 390,000 patterns)

    Compare that to a standard PIN where a random guess at a PIN gives only a 10,000:1 chance and as you rightly say people do not randomly choose a PIN.

    To further allay your concerns, we have serious ongoing discussions with a number of banks, card issuers, card schemes and large software companies around the world who have all considered these same questions and we hope to be making further significant announcements very shortly.

  25. Martin Edmondson

    Pin Pals

    Having just discovered the finite number of possible four digit pin codes, I think it would be rather cool if I met my pin pal, and we exchanged details.. or rather I just get his details.

    So, please post your pin number here, and I will contact you if we're pin pals :-)

  26. theregister@mariegriffiths.co.uk

    THIS IS MY INVENTION

    I came up with this in 1988.

    See you in court.

  27. Paul Buxton

    Just noticed that you can use the same cell twice.

    Which is where you get 25^4.

  28. Andy S

    needs to appear more complicated than it actually is

    you need to apply a bit of thougt to it, make pins longer but give people a means of remembering them/writing them down cryptically

    ie, shamelessly pinched from an episode of jonathan creek, if you dont read it aloud, it could be anything

    Oh when I know to free hate, to sever no one

    01902382701

    an alternative, which i actually thought was good, call me a faschist, is a demolition man style chip implanted into the hand. if you have a completely shielded box that you have to insert your hand into to buy something, then not only would someone have to read and decrypt your id, but implant it into their own hand to use it. Or cut off your hand, but i'm assuming most shops would notice a person carrying a severed hand around.

  29. Anonymous Coward
    Anonymous Coward

    Remembering patterns

    When I recently asked for an *additional* bank card, my bank *replaced* my current card without warning. Anyway I got burdened with a new PIN. Using my computer numeric keypad I figured out its corresponding "shape", and memorised it. Three days later when I went to use the card I was about to enter the PIN when I realised than cash-machine numeric keyboards are like phone keyboards - starting 1-2-3 at the *top*. So I have to mentally invert the shape before entering. Grrrrrr.....

  30. Anonymous Coward
    Anonymous Coward

    title

    personally i prefer the "pick a 4 letter word and use a mobile phone keypad to convert it to numbers" approach... e.g. bank = 2265 so no need to write anything down or remember fancy patterns... this is helped even more as a growing number of cash points have the letters on the keypad already

    now all we need to the banks to get their act together and let us have different pins for the atm and chip and pin...

  31. Jon Tocker

    25x25x25x25

    Some have missed it:

    There is very little penalty in having a "pattern" of pressing the same key 4 times as the repetitions in the grid will befuddle things:

    It is a simple matter with a 5x5 grid (25 positions) to use all 10 digits at least twice, three times for some:

    ABCDE

    1 14562

    2 40823

    3 03978

    4 61957

    5 14729

    Assume your pattern is 4x the D1 key - on this iteration of the grid: "6"

    You hit 6 4 times. How is the shoulder surfer to know if your 4 6's correspond to D1 or A4 (the other "6" in the grid)?

    If you are seen to hit "2" 4 times, this could mean E1, D2 or D5 - assuming the shoulder surfer has memorised all instances of "2" on the grid during the short time it is displayed.

  32. the Jim bloke

    Implanted chips were causing cancer

    .. last I heard, any further news on that?

    I dont want to join the "phone towers radiate death rays" loonies, but there is still scope for further research on the implanted IDs.

    the problem with this grid->number->keyboard system that I can see, is that it will slow down transactions. Users will have to look at the grid, work out the numbers which make up their pattern, then key those numbers in. Instead of ..keying their number in.. Sure it will be more secure, but how much more time will be consumed waiting in ATM queus behind geriatrics and slow readers?

  33. Anonymous Coward
    Anonymous Coward

    Shoulder surfing + mobile phone...

    So all that will happen is that the shoulder surfers will pretend to be on their phones and in fact be recording what you enter and the image of the grid. They can then analyse the footage later and work out the possibilities of the patterns, and narrow it down to likely patterns (ie adjacent boxes)... It may not be 100% but I can't see that it's any worse than trying to remember a 4 digit code that they've only seen once.

    It will not fix the problem, it'll just mean that the crooks have to come up with another method to find out our secrets.

    Oh yeah, the other thing they do is to put false fronts on cash points - which currently have a camera in to record the pin as it's entered... all they need to do is adjust it to see the grid as well. With a fixed position camera, it would be trivial to run the video through a computer program to identify the possible patterns.

    Sometimes I worry that my mind works in this way, but I'm sure that mine isn't the only one that does... Better to know the risks than be ignorant.

  34. Anonymous Coward
    Anonymous Coward

    Shoulder surfing & mobile phones

    There would not be a problem using GrIDsure running on a time sync alogrithm as a super token on a mobile phone, for example. That would stop the false front problem. It would also mean that the phone itself being stolen would not give away the PIP, as it would not be stored there - only in the head of the user.

    Of course the Banks & public would not switch over to such a system, even if it does offer increased security because it seem like too much work. Therefore GrIDsure simply raises the bar for criminals to carry out fraud. It's not a silver bullet, but a step in the right direction and should be hailed as a way of getting the initiaive back.

  35. Chris

    Mobile phone + Text message

    Like some payment systems in Europe you simply send a text message to your payment provider with the shop's unique id code and the amount to pay them.

    Everyone has a mobile these days, they could use some system like above to authorise the cash machine withdrawals.

    E.g. You put your card in the machine, your bank sees this and sends a text to your mobile with a unique pin code in it (and maybe the cash machine's location), you enter this code and your normal pin code to continue.

    Although, I suppose the theif could watch you enter you PIN, steel your bank card and also your phone. But there's gonna be a problem with any system and this one above sounds good to me - and not too expensive to employ because it doesn't require buying new cash machines, just linking into the mobile network.

  36. Neil Smith

    Mobile Phone & Text Message

    Chris,

    There are two ways that GrIDsure could be used for these auth's, including a mobile device. The first would be simply a time-sync with host and an applet on the mobile, so you open the app & a grid is on the mobile screen, then key in the digits into the ATM or PoS device. That would be like using a secure OTP Token, but even better, as even if the phone is stolen, the grid shown gives nothing to the thief.

    The second would be to use transaction details sent to the mobile, which would wake the app, then be asked if the transaction is one you would like to carry out - are you really trying to buy this item from this vendor for this much? - If you say Yes, the transaction details can be used to seed the algorithm to generate the grid numbers. Then you take the numbers and key them into the browser.

    That creates a reactive, transaction specific, out-of-band authentication. It also means that both the phone and the PC can have spyware and the system still has an amount of security.

    What do you think?

  37. Anonymous Coward
    Anonymous Coward

    simple solution

    I find that typing my PIN with one finger, and covering the keypad with both hands and position of my body works a treat. And it's much simpler.

This topic is closed for new posts.