End-user security of automatic teller machine (ATM) and debit cards depends primarily on the user keeping the card physically safe and keeping the user's personal identification number (PIN) secret. Cards are now usable in more environments, including online purchasing, and users are exposed to attacks from many venues, such as “phishing” attacks on the account PIN itself. The static nature of the magstripe data on the ATM card and the use of a static account PIN aggravate the problem. During the life of the ATM or debit card, typically up to three years, neither the magstripe data nor the PIN changes: both are static. The same static PIN is used to authorize each and every transaction conducted with the ATM card on the user's account. If an attacker obtains the card and the PIN, he can easily compromise the account, and this may go undetected until the user reviews an account statement or an event such as an overdraft notifies the user that the account has been compromised.
The security of PIN-authorized transactions, such as ATM transactions, is vulnerable to a number of attack methods. The debit or ATM card magstripe may be read by a skimmer or similar device attached to an ATM terminal, point-of-sale (POS) terminal or other form of magnetic card reader, and the card can then be “cloned” from the magstripe information the skimmer obtained. The user's static PIN can be obtained by visual observation of the PIN being entered into an ATM or POS terminal, which may be facilitated, for example, by a surveillance camera or other recording device. The user's static PIN can also be obtained by other means, for example during an online transaction where the PIN, which is not protected cryptographically before it is entered into the online interface, and other account data may be recorded by a “Trojan” type virus or other malicious program and retrieved for use in subsequent attacks on the user's account.
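The replay problem the two paragraphs above describe, as an added illustration that is not part of the original text: an issuer-side model in which a static (magstripe, PIN) pair authorizes every transaction, so a cloned card with an observed PIN is accepted indefinitely, beside a hypothetical counter-based per-transaction code (HMAC over a transaction counter) in which a captured value is accepted once and rejected on replay. All track data, PINs and keys are constructed sample values, and the counter scheme is an assumption used for contrast, not something the page describes.

```python
import hmac
import hashlib

# Constructed sample values (not real account data): the card's static
# track data and PIN as the issuer stores them, plus a per-card secret
# key used only by the dynamic variant below.
TRACK_DATA = "4000123456789010=2512"          # constructed
STATIC_PIN = "4821"                           # constructed
CARD_KEY = b"constructed-per-card-secret-key-0001"  # constructed


def authorize_static(track, pin, count=3):
    """Static model from the text: the same (track, PIN) pair is checked
    for every transaction, so a copied pair is accepted each time."""
    return [track == TRACK_DATA and pin == STATIC_PIN for _ in range(count)]


class DynamicIssuer:
    """Hypothetical mitigation: each transaction carries an HMAC over a
    counter the issuer tracks. A code is consumed when accepted, so the
    same captured code no longer matches on a second presentation."""

    def __init__(self, key):
        self.key = key
        self.expected_counter = 0

    @staticmethod
    def code_for(key, counter):
        mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        return mac[:4].hex()  # truncated 32-bit tag, 8 hex characters

    def authorize(self, track, code):
        if track != TRACK_DATA:
            return False
        expected = self.code_for(self.key, self.expected_counter)
        if not hmac.compare_digest(expected, code):
            return False
        self.expected_counter += 1  # consume this counter value
        return True


def replay_dynamic():
    """One legitimate transaction, then a replay of the value an observer
    could have captured from it. Returns [first_result, replay_result]."""
    issuer = DynamicIssuer(CARD_KEY)
    captured = DynamicIssuer.code_for(CARD_KEY, 0)
    first = issuer.authorize(TRACK_DATA, captured)
    replay = issuer.authorize(TRACK_DATA, captured)
    return [first, replay]
```

A deployed counter scheme would also need a tolerance window for transactions lost in transit; that detail is omitted here to keep the contrast with the static case clear.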