How do these codes work anyway?
Posted Wednesday 19th November 2008 11:15 GMT
Is it some sort of one-time pad arrangement which you use your pin to decrypt, or something close to that? If not then what?
Posted Wednesday 19th November 2008 11:15 GMT
Nicked the card, examine the keypad on the back, the worn out pads reveal the PIN!
Couldn't be that easy could it?
Posted Wednesday 19th November 2008 12:13 GMT
They are already failing miserably!
There is no need for "advanced" technologies.
I go to a site with online payment and I perform the payment.
The payment states as "Verification successful", and, "Authorization pending".
The current system does the first and auto-approves the operation.
There is no "Authorization" implemented (I'm not referring to the authorization from the credit card issuer to make the payment, because that is an implied authorization that should better be called a verification).
Most card issuers have web sites with login/password that is fairly strong (with paper trail and paper/presence validation).
What I don't see in those sites is a list of my pending payments for MY approval!
And that would be an easy extra layer of security that is made with crop of the mill tech and ISN'T implemented YET!
;)
Posted Wednesday 19th November 2008 12:13 GMT
I've often wondered why SecurID technology hasn't been adopted by banks. The cards are replaced regularly anyway and I'm sure the technology could be fitted into a card at little extra cost (I'd be happy to pay for the privilege).
My only slight concern with this system would be that repeated use of the card might make it obvious after a while which 4 numbers are in the user's PIN as they could become worn with frequent use.
Posted Wednesday 19th November 2008 12:13 GMT
Does it lock the PIN on 3 failures or can a stolen card be used to attack the PIN with unlimited attempts?
Posted Wednesday 19th November 2008 12:13 GMT
Worn keys: if you, once you've finished a transaction, just press each of the numbers that isn't in your PIN (or even just each of the numbers, probably) wear will be similar across the whole pad.
So for just a few moments and a little application, this attack vector can be nullified.
Posted Wednesday 19th November 2008 12:13 GMT
I do this frequently for my office door, the code for which I can never remember. The best thing about most common mechanical door / pin entry systems you see is that they don't even care what order the numbers are entered.
I do not doubt for a moment that they could be that stupid. The one I got from NatWest works in exactly this way.
Posted Wednesday 19th November 2008 12:13 GMT
Assumed workings:
Take card number, PIN number and timestamp (or for devices lacking a RTC, like a credit card, something reproducible on both ends like a transaction counter), add some padding (for added complexity) and encrypt this using a predefined cypher to obtain a confirmation code.
The receiving party has a decrypt key and can extract the relevant information before they decide to OK the transaction.
A keypad on the card is more secure than a separate keypad (which could store both the card number and the PIN code), but more vulnerable to wear and tear.
I guess we won't be seeing any more Visa commercials of ladies pulling a credit card from their bathing suit to pay with.
Posted Wednesday 19th November 2008 12:13 GMT
This is less of a response to stolen credit cards (usually that's pretty obvious when that has happened) than to online frauds and cloned cards. Having had that happen to me twice, then I am strongly in favour of one-time password systems. The current PIN system and online checks are wide open to replay attacks - a one-time password system will eliminate those possibilities.
Posted Wednesday 19th November 2008 12:13 GMT
I have to say I think this sounds far more secure than the current VbyV scheme, so a step in the right direction.
I think a LOT will depend on how secure the one-use numbers will be. If, for example, it's solely time-based then anyone who works out the generation method and gets a few of your numbers could probably predict future ones with ever higher chances of success for each number captured.
I don't see that it can be a one-time pad idea when A) the card could run out of numbers to use (OK, this is avoidable with a Meg or so of memory for the lifetime of a card but that might hit the production cost) and B) if you generate a code but never use it, the card would be out of synch with the Visa database - and I wouldn't want it to be fuzzy on which code to expect.
It will be interesting to know what battery life is expected to be and how durable the cards will be. I suppose it might be possible to recharge cards whilst in a cashpoint through some form of induction?
Posted Wednesday 19th November 2008 12:13 GMT
Exactly what I was thinking. The only buttons that will ever be pressed will be your PIN, so they will wear out. This cuts it down from 1000 possibilities to 24.
Posted Wednesday 19th November 2008 15:49 GMT
Not sure what the exact number would be but, if you really think about this a little more then you might discover that the potential number of PINs would be more than 1000. Also not sure how you came to the conclusion that this would be narrowed to 24?
Posted Wednesday 19th November 2008 15:49 GMT
Seeing as the thing has a keypad already, I would think it a good idea to use a challenge-response type system, where the website gives you a transaction number, you enter it and get a response back, one that's unique to you and that transaction. This removes the time element, ties it to a specific transaction (so a man in the middle couldn't use it against a different one) and also gives more even wear to the keypad. But then again I guess they don't trust the average user to be able to type more than a 4 digit PIN accurately.
Posted Wednesday 19th November 2008 17:02 GMT
If pins are 4 digits long and 4 keys are worn the most, then the number of combinations for that 4 digit pin is 4 factorial:
4 * 3 * 2 * 1 = 24
Posted Thursday 20th November 2008 00:41 GMT
I think these people thinking of "one-time use" codes are a bit off the mark. In theory, it sounds good. In reality, not so much. Many remote transactions are one-time transactions, true. But many are not. For example, let's say you've decided to purchase three movies from amazon, and you use your new Visa with its one-time code. Amazon ships out two of the movies, but the third one is backordered. They receive shipment the following day, but when they try to authorize payment, your bank will reject it because the one-use code has already been used.
I (unfortunately) use a Citi (CitiGroup/Citibank) credit card, and they have a "Virtual Account Number" program which you can use to generate a new credit card number for each transaction. The benefit of this system over Visa's one-use system is that with Citi's VAN, you can use that generated number any number of times at the same store. So I can generate a new number, set it with a $500 limit, set it to expire in 6 months, and use it at Amazon. I can keep using it at Amazon until the limit is reached or the time expires (both the limit and expiration can be extended at any time before the expiration). Once an authorization is attempted, it will not accept authorizations from other stores (so I couldn't use it at both Amazon and Barnes & Noble). While this will not have the same level of security, it's most likely a good enough solution without causing massive inconvenience and expense (expense of vendors having to upgrade their systems, and expense of banks having to issue new cards). MBNA also had this same technology (even using the same downloadable app), though they used a different name for it, before they were bought out by Bank of America.
Posted Thursday 20th November 2008 00:41 GMT
...would be to include entry of either the transaction total, or an upper limit for the transaction, as well as the PIN, thereby getting more keys used and implementing something like the level of security that Cahoot had with its virtual cards.
This would prevent a dodgy site using the approval to charge higher amounts, as the resulting code would use the PIN, total and an algorithm to generate the result.
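Added example, not part of the thread and not Visa's actual scheme: a Python sketch of the ideas raised in the comments above, a counter-based code bound to a transaction number and amount, with an issuer-side look-ahead window for codes that were generated but never used. It uses an HMAC with HOTP-style truncation (RFC 4226) in place of the encryption one commenter assumed; the field layout, the names `card_code` and `Issuer`, the window size and the demo key are all assumptions, and the PIN is assumed to unlock the card locally and is not modelled.

```python
import hashlib
import hmac
import struct

DIGITS = 6        # length of the displayed code (assumed)
LOOK_AHEAD = 5    # unused counters the issuer will skip over (assumed)


def card_code(key: bytes, counter: int, txn_id: str, amount_pence: int) -> str:
    """Code the card would display for one transaction (hypothetical scheme)."""
    # Length-prefix the transaction id so field boundaries are unambiguous.
    tid = txn_id.encode()
    msg = struct.pack(">QH", counter, len(tid)) + tid + struct.pack(">Q", amount_pence)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    # Dynamic truncation as in HOTP (RFC 4226): 31 bits picked by the last nibble.
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Issuer:
    """Issuer-side state for one card: shared key and next expected counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_counter = 0

    def verify(self, code: str, txn_id: str, amount_pence: int) -> bool:
        # Accept a small window so codes generated but never submitted
        # do not leave the card permanently out of step with the issuer.
        for c in range(self.next_counter, self.next_counter + LOOK_AHEAD + 1):
            expected = card_code(self.key, c, txn_id, amount_pence)
            if hmac.compare_digest(expected, code):
                self.next_counter = c + 1   # burn this and all earlier counters
                return True
        return False


if __name__ == "__main__":
    key = bytes(range(32))                  # constructed demo key
    issuer = Issuer(key)
    card_code(key, 0, "T1001", 2500)        # generated on the card, never submitted
    code = card_code(key, 1, "T1001", 2500)
    print(issuer.verify(code, "T1001", 9900))  # False: amount was changed
    print(issuer.verify(code, "T1001", 2500))  # True: counter resynchronised
    print(issuer.verify(code, "T1001", 2500))  # False: replay of a used code
```

A larger look-ahead window tolerates more unused codes but gives a guesser more valid codes to hit at once, so it trades convenience against the guessing odds of a 6-digit code.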
Posted Thursday 20th November 2008 00:41 GMT
>"If pins are 4 digits long and 4 keys are worn the most, then the number of combinations for that 4 digit pin is 4 factorial:"
OK, but you are allowed to have repeated digits in your PIN, so the number of combinations is actually 4 to the power of 4, albeit that with some of those combinations only 1, 2 or 3 keys are "worn the most".
Posted Thursday 20th November 2008 00:41 GMT
Well, it's slightly better than that - it's O(4^4), ie 256, as each digit can (presumably) appear more than once, probably minus 10 or 20 "too easy" combinations (1234, 4444, 1111 etc)
Posted Thursday 20th November 2008 12:03 GMT
In principle using a password to protect online transactions is an OK idea. With a bit of education along the lines of 'don't use your pet's name, your children's names or your DOB' most of us can manage to generate a suitably complex word or phrase that is unlikely to be guessable by a third party.
The problem lies with websites which try to steer you in the right direction by laying down a list of preconditions as to what is and is not acceptable as a password, such as insisting on a certain number of letters, or requiring that [as a site I was on recently did] 'your password must be at least eight letters, must contain 3 numerals and must be in mixed lower and upper case'. It's in those circumstances - where people are being forced to change the password they originally had in mind in order to make it fit the requirements of a particular website - that they resort to writing it down, so they don't forget it themselves - which kind of defeats the purpose of having the supposedly more secure password in the first place!
Posted Thursday 20th November 2008 12:03 GMT
As previously pointed out, if a digit appears more than once then there will not be 4 "worn the most".
Not sure what the exact algorithm is to handle the repeated digits (1 "worn the most" should be obvious!)
It remains easier to identify flaws than provide solutions...............
Posted Thursday 20th November 2008 15:11 GMT
Most mobile phones allow you to lock them with a PIN between 4 and 8 digits long. How about banks also introducing the concept of variable length PINs?
OK, so replacing all the Chip'n'Pin pads might be a logistical challenge, but Tesco appear to have already replaced all theirs since introduction (used to be a black top-entry, now it's a grey bottom-entry).
Oh, and for a 4 digit pin that uses three numbers, that's 18 possible combinations (3^3).
2 numbers, each repeated twice = 6 (not terribly secure...)
2 numbers, 1 repeated thrice = 4 permutations (someone will have been daft enough...)
1 number, repeated 4 times = 1 permutation (wouldn't surprise me...)
Of course, one way to handle possible wear would be to replace cards, not on the basis of time, but on the basis of number of transactions. Someone who rarely uses their card online could have the standard 2 year timescale, whereas someone addicted to buying stuff online could have it replaced more often.
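Added example, not part of the thread: a Python sketch that works out how much keypad wear narrows a 4-digit PIN when digits may repeat, the case several comments above leave open. It counts PINs that use every worn key at least once, both by enumeration and by inclusion-exclusion, and gives the odds of a correct guess under the three-attempt lockout one commenter asks about; the function names and the sample worn keys are constructed for illustration.

```python
from fractions import Fraction
from itertools import product
from math import comb


def candidates(worn: str, length: int = 4) -> list[str]:
    """All PINs of the given length that press every worn key at least once."""
    keys = set(worn)
    return ["".join(p) for p in product(sorted(keys), repeat=length)
            if set(p) == keys]


def candidate_count(k: int, length: int = 4) -> int:
    """Same count without enumerating: surjections from `length` positions
    onto k worn keys, by inclusion-exclusion."""
    return sum((-1) ** i * comb(k, i) * (k - i) ** length for i in range(k + 1))


def search_space(length: int = 4) -> dict[int, int]:
    """Candidate PINs remaining once k distinct worn keys are visible."""
    return {k: candidate_count(k, length) for k in range(1, length + 1)}


def lockout_odds(k: int, tries: int = 3, length: int = 4) -> Fraction:
    """Chance that one of `tries` distinct guesses is right before lockout."""
    return min(Fraction(1), Fraction(tries, candidate_count(k, length)))


if __name__ == "__main__":
    print(search_space())               # {1: 1, 2: 14, 3: 36, 4: 24}
    print(len(candidates("159")))       # 36 (constructed set of worn keys)
    print(lockout_odds(4))              # 1/8
    print(Fraction(3, 10 ** 4))         # 3/10000 with no wear information
```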
Posted Friday 21st November 2008 19:29 GMT
Wouldn't it be cheaper and simpler to have our mug-shots on all credit cards?
(This wouldn't be like the proposed ID card because possession of credit cards is voluntary.)
Posted Saturday 22nd November 2008 19:32 GMT
"the problem lies with websites which try to steer you in the right direction by laying down a list of preconditions as to what is and is not acceptable as a password, such as insisting on a certain number of letters..."
Exactly. While I do remember a lot of passwords for my own system and for my clients' systems, I also find it extremely difficult to remember a completely random password. And a completely random password is not more secure than a correct password (in fact, I'd say they're less secure). Allow the user to select a suitably long password without any other restrictions, and it'll be far more secure (as long as the users actually use an easy-to-remember but hard-to-guess phrase).
For example, which is more secure -- "Abcd123!", "a7bF23jZ", "rustic-albino-black-moon", or "I can't think of a password today, so I guess this will have to suffice"? The more conditions you force upon the user, the shorter they will make the password so they don't spend all day typing it in and so that they can remember it more easily (for those times when they misplace the paper they wrote it on). Compare that with long strings which they can remember much more easily. Along with the typical conditions (requiring a certain number of numerals, requiring upper and lowercase, etc), the one thing that I personally think is the most self-defeating is when these idiotic sites have a maximum password length. Since these sites *should* be storing password hashes, not the actual passwords (there's literally no reason for anybody to see your password), a maximum length shouldn't be a problem. For people thinking about hash collisions, that should be avoidable by saving and comparing the hashes of multiple algorithms. I'd say it's extremely unlikely (if it's even possible) to create a string that will cause a collision in both MD5 and SHA1.
I've actually seen sites (which like to call themselves "high-security") that require at least two numerals, require upper and lowercase characters, require special characters (punctuation, etc), and have a minimum password length of 8 characters... and then have a maximum password length of 12 characters. Then again, these are also the same kinds of sites that think they're increasing security by having additional "security questions" whose (true) answers are easily discovered or are a matter of public record. For those, I'll just use completely random answers or satirical answers that won't be easily guessed (Q: "In what city were you born?", A: "Insecure insanityville").