Each day in the United States alone over 100 million transactions aggregating $5 Billion are authorized and initiated by cardholders at over 400,000 Automated Teller Machines (ATMs) and seven million Point-of-Sale (POS) terminals. Securing the massive daily financial flow against fraud and loss relies upon protecting and verifying cardholder Personal Identification Numbers (PINs) using methods, structures, and cryptographic algorithms originating over twenty-five years ago.
Data security systems, such as financial systems, use security techniques and systems originating in the early 1980s that were based on technologies created in the late 1970s. Computational power, cryptanalytic knowledge, breadth of targets, and creative ingenuity accessible to potential attackers have grown dramatically since origination of the systems, while defensive technologies have scarcely evolved.
The Personal Identification Number (PIN) is a basic construct for establishing identity and authorization for consumer financial transactions.
Current PIN verification techniques are cryptographically weak, resulting in a data security vulnerability that even exceeds weaknesses in underlying keys and algorithms. These weaknesses can be attacked by an adversary, potentially resulting in a loss of data security.
Present-day financial and commercial transaction systems predominantly use cryptographic algorithms with known weaknesses. One difficulty is that conventional techniques involve sending the PIN through the network, enabling an adversary to access the PIN and potentially compromise or breach security offered by using the PIN. Because the PIN is communicated on the network, security is attempted in conventional systems by encrypting the PIN. However, advances in technology have substantially rendered common encryption methods, such as Data Encryption Standard (DES), vulnerable to attack.