Many consumer transactions today are conducted between the consumer and a mechanized representative of the other party, without human involvement on behalf of the non-consumer party. Examples of such transactions include banking transactions performed through automated teller machines (ATMs) and telephone calls placed at public telephones using telephone credit cards. In both of these examples, the identity of the consumer is verified for security purposes through the use of a PIN. In the case of an ATM, the banking customer first inserts an access card, and must then correctly enter a multidigit code, which the ATM system associates with the individual access card.
To use a telephone credit card, a caller must enter a valid telephone credit card number when prompted, usually by an automated operator. The number often consists of a multidigit code, such as the caller's home telephone number. The caller must then typically enter a four-digit PIN.
In both of the above-described scenarios, the PINs are entered by the consumer through the use of a numeric keypad with an unchanging, standardized configuration. Because the location of the keys on the keypad is a constant, an adverse observer can deduce a PIN by simply observing the identity and order of the keys pressed by the consumer. An adversary can also gain information about the PIN by posing as the user and making deductions based on the system's prompts or responses. The adversary can then use the fraudulently procured PIN in a later transaction, in which the identical keystrokes will again provide access to the system.
In the case where authorization of the consumer is based solely on the correct input of a code, such as a telephone credit card number plus a PIN, the successful adverse observer can make immediate fraudulent use of the newly obtained number simply by placing a call using the stolen number. In the case where authentication depends on the possession of an access card such as an ATM card, in addition to knowledge of a PIN, the successful adverse observer must also procure the consumer's card or manufacture a copy. While the second step requires additional sophistication or determination, such crimes occur with increasing regularity.
Several solutions have been proposed to the problem of adverse observation of PIN entry. A simple proposal is the use of mechanical sight barriers to block observation of the keypad during PIN input. Such barriers, however, are expensive and must necessarily compromise their effectiveness for the convenience of the user, who must himself see the keypad during PIN input, and must also access the keypad with his fingers.
Several systems have been proposed in which special equipment is used to deter adverse observers. U.S. Pat. No. 3,587,051 to Hovey discloses a lock with a series of randomly illuminated lights selected by the user on the basis of a known combination. U.S. Pat. No. 4,032,931 to Haker uses a four-by-three key matrix with eleven moveable keys and one vacant space, so that the keys can be scrambled by the user before typing the PIN. U.S. Pat. Nos. 4,333,090 to Hirsch, 4,502,048 to Rehm and 4,962,530 to Cairns disclose systems in which the numeric designation of keys in fixed positions on the keypad can be changed from transaction to transaction. In U.S. Pat. No. 5,276,314 to Martino et al., an array of symbols is manipulated by buttons that rotate the symbols in columns or rows within the array.
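The following added example (not taken from this document or from any of the cited patents) models why a fixed keypad lets observed key positions be reused in a later transaction, and why changing the numeric designation of fixed key positions between transactions defeats that reuse. It assumes the observer sees only which key positions are pressed and in what order, not the labels; all function names, the layout model and the sample PIN are constructed for illustration.

```python
import secrets

# Label shown at each of the ten physical key positions on a standard keypad
# (constructed model: position 0 shows "1", ..., position 9 shows "0").
FIXED_LAYOUT = list("1234567890")

def scrambled_layout(rng=None):
    """Return a fresh assignment of digit labels to the fixed key positions."""
    if rng is None:
        rng = secrets.SystemRandom()  # OS-backed randomness for a real terminal
    labels = list("0123456789")
    rng.shuffle(labels)
    return labels

def press(pin, layout):
    """Key positions the user presses to enter `pin` on this layout."""
    return [layout.index(digit) for digit in pin]

def decode(positions, layout):
    """Digits the terminal receives when these positions are pressed."""
    return "".join(layout[p] for p in positions)

def replay_succeeds(pin, observed_layout, later_layout):
    """True if positions observed in one transaction reproduce the PIN later."""
    observed = press(pin, observed_layout)  # all the observer learns
    return decode(observed, later_layout) == pin

def replay_rate(pin, trials, rng=None):
    """Fraction of later transactions in which observed positions still work
    when the layout is re-scrambled for every transaction."""
    first = scrambled_layout(rng)
    hits = sum(replay_succeeds(pin, first, scrambled_layout(rng))
               for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    pin = "4071"  # constructed sample PIN
    print("fixed keypad, replay works:",
          replay_succeeds(pin, FIXED_LAYOUT, FIXED_LAYOUT))
    print("scrambled keypad, replay rate:", replay_rate(pin, 5000))
```

The model covers only position-based observation; an observer who can also read the labels during entry learns the PIN regardless of layout.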
Other systems use existing terminal equipment. In U.S. Pat. No. 5,239,583 to Parrillo, the PIN is changed after each transaction in a predetermined sequence known to the user. U.S. Pat. No. 5,311,594 to Penzias describes a system wherein the user is prompted to input pieces of information already known to the user, such as a street address.