Did you know that your ATM PIN is not stored ANYWHERE? That is, assuming you don't have it written down on a sticky note stuck to the back of your card. You're probably thinking, "It has to be stored somewhere. How else would they know if you entered it correctly?" Well, there's an interesting story behind that.
Most people think that when you enter your PIN in an ATM, a call is made to some back-end database that compares the PIN you entered to the one they have on file; if they match, access is granted. This is close, but not quite accurate.
The problem with having a massive database of account numbers and PINs is that it's just too risky. No matter what steps you take to secure this list, there's always the risk that someone could get hold of it, and the effects would be devastating to a bank. So banks have a clever system to help mitigate this risk.
Remember when you first got your ATM card and you were assigned a default PIN and told to change it? This PIN wasn't just some random number the bank assigned you; it's the "natural PIN," and it holds significant value.
This natural PIN is generated by a mathematical formula. In short, it involves encrypting your card number using a set of encryption keys that your bank keeps extremely secure. Usually these keys exist only on the one system that generates the natural PIN, and on paper in the bank vault. Once the account number is encrypted, the result is converted to decimal format, and selected digits are taken from that decimalized version; those digits become the natural PIN for that card.
You are then required to use that ATM card in one of the bank's own ATMs and change your PIN before it can be used anywhere else. When you do this, the PIN you enter isn't stored at your bank; rather, an offset is. For example, say the natural PIN assigned to your account was 0112 and you chose the PIN 1234: the offset would be 1234-0112, which is 1121, and that is what's stored with your bank.
If the bank's database of these PIN offsets was ever compromised, all that would be gained is your PIN offset of 1121, which would be worthless to the person who obtained it unless they also had the encryption keys and formula the bank uses to generate the natural PINs.
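The natural-PIN generation, the offset calculation and the verification step described in the preceding paragraphs, as an added example that is not code from the original post. Everything here is an assumption made for illustration: the bank's keyed encryption of the card number is stood in for by HMAC-SHA256 under a constructed key (the post names no cipher; production schemes use a block cipher under a dedicated PIN-generation key inside a hardware security module), the decimalization table and the sample card number are constructed, and the offset is taken digit by digit mod 10 with no borrow, which is the convention that keeps every digit in 0-9. Run with the post's own values, natural PIN 0112 and chosen PIN 1234, that digit-wise subtraction yields 1122 (the post writes 1121), so the block also serves as a check on the arithmetic.

```python
"""Natural PIN, PIN offset and verification (added example, stdlib only).

Assumptions not stated on the original page:
- HMAC-SHA256 stands in for the bank's keyed encryption of the card number.
- The decimalization table, key and card number are constructed samples.
- Offsets are computed digit-wise mod 10 (no borrow).
"""
import hashlib
import hmac

PIN_LENGTH = 4

# Constructed key standing in for the bank's closely held PIN-generation key.
# In a real deployment this never leaves the HSM that runs verify_pin().
PIN_GENERATION_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")

# Constructed decimalization table: hex digits 0-9 map to themselves, a-f to 0-5.
DECIMALIZATION_TABLE = str.maketrans("0123456789abcdef", "0123456789012345")


def _check_digits(value: str, name: str) -> None:
    """Reject anything that is not exactly PIN_LENGTH decimal digits."""
    if len(value) != PIN_LENGTH or not value.isdigit():
        raise ValueError(f"{name} must be {PIN_LENGTH} decimal digits")


def natural_pin(card_number: str, key: bytes = PIN_GENERATION_KEY) -> str:
    """Encrypt the card number under the key, decimalize the hex output and
    keep the first PIN_LENGTH digits. Nothing about this value is stored."""
    digest = hmac.new(key, card_number.encode("ascii"), hashlib.sha256).hexdigest()
    return digest.translate(DECIMALIZATION_TABLE)[:PIN_LENGTH]


def pin_offset(chosen_pin: str, natural: str) -> str:
    """Digit-wise (chosen - natural) mod 10: the only value the bank stores."""
    _check_digits(chosen_pin, "chosen_pin")
    _check_digits(natural, "natural")
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen_pin, natural))


def change_pin(card_number: str, new_pin: str, key: bytes = PIN_GENERATION_KEY) -> str:
    """What the bank's own ATM does when you change your PIN: recompute the
    natural PIN and return the new offset to be stored against the account."""
    return pin_offset(new_pin, natural_pin(card_number, key))


def verify_pin(card_number: str, entered_pin: str, stored_offset: str,
               key: bytes = PIN_GENERATION_KEY) -> bool:
    """Rebuild the expected PIN from natural PIN + offset (digit-wise mod 10)
    and compare in constant time. Without the key this cannot be evaluated."""
    _check_digits(entered_pin, "entered_pin")
    _check_digits(stored_offset, "stored_offset")
    natural = natural_pin(card_number, key)
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, stored_offset))
    return hmac.compare_digest(expected, entered_pin)


if __name__ == "__main__":
    card = "4111111111111111"          # constructed sample card number
    print("offset for the post's example:", pin_offset("1234", "0112"))
    stored = change_pin(card, "1234")  # customer picks 1234 at the bank's ATM
    print("stored offset:", stored)
    print("correct PIN accepted:", verify_pin(card, "1234", stored))
    print("wrong PIN accepted:", verify_pin(card, "1235", stored))
```

The database row holds only `stored`; recovering the customer's PIN from it requires `PIN_GENERATION_KEY`, which is exactly the separation the post describes. Note that the same verification routine is what runs inside the bank's HSM, so the natural PIN is recomputed on every transaction and never written down.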