Portable personal computing devices such as smart phones, Personal Digital Assistant, portable computers, tablet computers and audio devices such as digital music players have become ubiquitous in recent years. This opens up the possibility of many different mobile applications such as mobile banking, mobile payment, mobile commerce, and person-to-person money transfer, among others.
One of most important aspects of these applications is the authentication of the user and verification of the identity. In many systems, the authentication is done by using a 4 to 12 digits number called a Personal Identification Number (PIN). The PIN is a number known only to that person and not to anyone else. In multiple factor authentication systems, a combination of “something you know”, “something you have” and “something you are” is used. “Something you have” can be a digital token, a card. “Something you are” is some biometrics like facial characteristics, fingerprints, voice, iris or retina scan or even DNA. PIN, password and personal information such as date of birth fall into the category of “something you know”.
For payment cards, PIN is the most sensitive piece on information used for authentication. There are Payment Card Industry (PCI) regulations or other industrial standards that govern how the PIN should be handled by a terminal that accepts a PIN. In the past, PINs are entered by specially designed PIN-entry devices (PEDs). These PIN entry devices are tamper-resistant, and because of the stringent security requirements, are usually very expensive.
Accepting PIN entry by using software running on mobile devices and by using the keys or touch screens on the mobile devices are inherently insecure because of malwares, Trojan horses or hacked operating systems. It is possible that keyloggers and screen capturers can capture the user input and then send it to hackers. One of the challenges in the design of a mobile terminal is how to allow a mobile phone to accept a PIN securely. Therefore, there is a need for a system and a method for secure and yet convenient PIN entry.