A pass code represents a string of symbols or characters for providing controlled access to a resource. A pass code is known to an individual or group of individuals authorised to access the resource. A copy of the pass code is stored in a security system that protects the resource. When an individual desires to use the resource, he or she enters the pass code into the security system, which checks that the entered pass code matches the stored pass code. Assuming that there is a match, the security system grants the user access to the resource.
FIGS. 1A, 1B, 1C, and 1D represent a variety of situations in which pass codes are used. In FIG. 1A, a user 101 enters a pass code into a terminal 110. Typically terminal 110 is provided with a keypad for this purpose, with the pass code comprising a short string of digits. Such terminals are frequently used to control access to buildings, car parks, and so on. Note that in many cases there is a single pass code that is shared by all users. This pass code is stored in the terminal, and the terminal compares the input from user 101 with the stored pass code in order to validate the user.
FIG. 1B illustrates a variation on FIG. 1A, where this time user 101 has a card 102 (and will therefore be referred to as card holder 101B). Card 102 may comprise a smart card with an embedded chip typically incorporating a processor and non-volatile storage. This non-volatile storage is used to hold a pass code in the form of a personal identification number (PIN) for card holder 101B.
In order to use terminal 110, card holder 101B typically engages card 102 into terminal 110, and then enters the PIN for the card. The terminal 110 forwards the user-entered PIN to the card 102, where it is compared to the PIN stored on the card. If there is a match, the card holder 101B is assumed to be properly authorised, and so the transaction is allowed to proceed.
Card 102 may be used in the configuration of FIG. 1B as a form of purse for payment purposes. One type of terminal 110 can be used to load the purse, by feeding cash into the terminal 110, with the cash then being loaded onto the card. Another form of terminal 110 allows purchases using card 102, where the terminal deducts money for a purchase from the balance on card 102.
FIG. 1C illustrates a configuration where terminal 110 is indicated as being a client system 110C connected by a network 120 to a server 130C. In one example, client system 110C may comprise a desktop personal computer. Network 120 can be any form of wired and/or wireless communications network, such as the Internet, a local area network (LAN), a wide area network (WAN), a mobile phone network, and so on.
The configuration of FIG. 1C might correspond to providing on-line access to an account held on server 130C, such as for email, home banking, Internet betting, and so on. Typically the account is accessed by user 101 providing a user ID to specify the particular account in question, and a pass code, which controls access to the specified account. The pass code is normally in the form of a password comprising an alphanumeric string. The user enters the password into client 110C. The password is then transferred across network 120 to server 130, where it is compared against a stored password for the account. If a match is obtained, the server 130C allows the client 110C to manipulate the account, e.g. to read emails, transfer funds, etc, depending upon the nature of the account.
FIG. 1D illustrates a configuration where card holder 101D uses card 102 to access terminal 110, which in turn is linked to a server 130D via network 120. The configuration of FIG. 1D may correspond to a cash supply system, in which terminal 110 is an automated teller machine (ATM) connected via a private (secure) link 120 to server 130 that maintains account records for card holder 101D. It may also correspond to a conventional credit card purchase, where card 102 is a credit card, and terminal 110 is typically located in some merchant store. Terminal 110 is then connected over network 120 (which may be in the form of a dial-up link) to server 130D.
In one implementation of FIG. 1D, card 102 contains an identifier of user 101D, but not the pass code (PIN). Thus in use, card 102 is typically inserted into or swiped through terminal 110, which allows the terminal 110 to access the account number from card 102. The card holder 101D is then prompted to enter the PIN into terminal 110. The PIN and the account number are transmitted to server 130 for verification. Server 130 therefore confirms that the PIN entered by card holder 101D matches that stored in the server 130 in respect of the account identified by card 102. This model is generally used for ATM transactions.
In another implementation of FIG. 1D, the user pass code is stored on card 102 itself. In this case, the PIN entered by the user can be verified directly against the PIN stored on the card 102, in analogous fashion to that described above for FIG. 1B. Note that in this embodiment, the PIN need not be transferred to the server 130D, since the PIN authorisation has already been performed within card 102. Nevertheless, terminal 110 may still send the PIN to server 110, for example to provide an additional security layer against fraudulent use of card 102 (e.g. for audit purposes). The terminal 110 might also ask the server 130D to confirm that the account is still active (e.g. card 102 has not been stolen) and that the account has sufficient funds for the intended transaction (although this can be done without the server having to receive the PIN).
One risk with PINs and other forms of pass code is that they may be intercepted while being transmitted over a network 120. There is also a risk of interception between card 102 and terminal 110, especially bearing in mind that wireless links are sometimes used to transfer data between card 102 and terminal 110. Of course, an adversary may not initially understand the protocol used for such communications. However, if the same card 102 is used for many transactions, then it may become possible to determine or guess the PIN by looking for a repeated sequence in different communications.
One mechanism to protect pass codes is to encrypt messages in transit, such as over network 120 and/or between card 102 and terminal 110. Consequently, even if an adversary does manage to intercept the communications, this still does not divulge the pass code (assuming that the encryption algorithm is secure). One drawback however with encryption is that it generally requires both the sender and receiver to have knowledge of a key (or key pair) to be used for encrypting and decrypting the message. This may be difficult to arrange in situations such as shown in FIG. 1B, where a very large number of cards 102 and terminals 110 may be expected to interoperate in a heterogeneous environment.
A known technique for protecting pass codes in transit during authorisation is based on a challenge-response strategy. This strategy is illustrated in FIG. 2, for use in the general configuration of FIG. 1B. The processing of FIG. 2 starts when it is assumed that card 102 is brought into engagement with terminal 110, such as by insertion, proximity, swiping, or any other appropriate mechanism. This causes the card 102 to generate a challenge 210, which is typically a random (pseudo-random) number. Note that card 102 normally generates a fresh challenge for each new interaction (session) with terminal 110. Card 102 then transmits the challenge to the terminal 110 (step 215).
The terminal 110 now requests the card holder 101 to enter the PIN (step 220) (this request may be made before or after receipt of the challenge from the card 102). The card holder therefore enters his or her PIN, typically by pressing buttons corresponding to the PIN digits on a keypad (step 225). The terminal 110 now uses the PIN received from the card holder 101 as a key to encrypt the challenge received from the card 102 (step 230). This encrypted challenge forms the response, which is then sent by the terminal back to the card (steps 235, 245).
The card itself also encrypts the challenge that it sends to the terminal (step 240) (this encryption can be performed at any time after the challenge is first generated at step 210). The encryption is performed using a locally stored PIN on the card 102 as the key, and using the same encryption algorithm as used on the terminal to encrypt the challenge at step 230.
The card can now compare the response received from the terminal 110 with the encrypted version of the locally stored PIN (step 250). If the PIN entered by the card holder 101 at step 225 matches the locally stored PIN, then they will both produce the same outcome when encrypting the challenge. Accordingly, if a match is found at step 250, then the card holder is properly authorised to use card 102.
Note that the neither the transmission of the challenge from the card 102 to the terminal 110 (step 215) nor the return from the terminal back to the card of the response (steps 235, 245) has to be encrypted (i.e. they can be sent in plain or clear text). This is because even if an adversary does obtain both the challenge and the response, then it is still not possible to deduce the PIN stored on the card or the PIN entered by the customer (assuming a secure encryption algorithm is employed for generating the response). Moreover, because the card issues a different challenge for each new session, any response intercepted from a previous session cannot be used to validate a new session.
The skilled person will be aware of a wide range of variations on the particular challenge-response strategy illustrated in FIG. 2. For example, the strategy may be used in a wide variety of configurations (not just that of FIG. 1B). In addition, card 102 may decrypt the incoming response from terminal 110 using the locally stored PIN (or locally stored decryption key matching the PIN, depending upon the particular encryption algorithm employed). The decrypted response can then be compared to the challenge initially generated at step 210. A match indicates that the card holder 101 has entered the correct PIN (i.e. corresponding to that stored on card 102), and so is authorised to use the card.
Although a challenge-response strategy generally provides good protection for a pass code during communication, there is still a weakness at the point where the pass code is initially entered by the user (corresponding to step 225 in FIG. 2). One possible attack is to use a “sniffer” program that tracks all inputs to a terminal or other input device. If a customer enters a PIN directly into the terminal system, this may potentially be picked up by such a sniffer program and reported to an adversary. Note that desktop computers are especially susceptible to this type of attack, given that they are liable to infection by foreign software, for example a virus or a worm, that may act as the sniffer program.
An even more important vulnerability for pass codes is that an adversary may simply observe a user entering the pass code into a terminal. Since the pass code is often quite short (typically four digits for a PIN), and is entered for each new transaction, it is not difficult in practice for an adversary to acquire knowledge of a pass code through observation in this manner. This is especially true if the pass code is being entered at a very public location such as a supermarket check-out, where it is very difficult to conceal hand movements for keypad entry.
The problem is exacerbated by the ready availability of high quality miniature video cameras (once the exclusive preserve of undercover television reporters). Such cameras are now easily purchased at modest cost from many electronics stores, and can be used in a concealed manner to film a card holder entering a PIN in a public place. The video recording can then be subsequently studied in order to determine the particular PIN that the customer entered.
Despite such concerns, PINs are being increasingly used for transactions involving credit and debit cards. In the past such transactions have generally relied upon a customer signature for authorisation purposes, but this is vulnerable to forgery. One problem is that the staff who have to verify the signatures in shops, cafes, etc., are frequently under time pressure to process the transaction as quickly as possible, and may not be highly motivated to detect forgery. Accordingly, a fake signature of even quite poor quality may be accepted.
The use of PINs to authorise credit card transactions removes reliance upon staff verification, and indeed enables completely automated processing of the transaction. Nevertheless, from a customer perspective it has the worrying consequence that if a PIN is stolen, it is more difficult for the card holder to prove that the card has been used fraudulently. Thus if a transaction involving a signature is subsequently disputed, then the signature can be studied in much more detail than at the time of the transaction itself. Consequently, it is very likely that any forgery can be detected, in retrospect at least.
With the use of a PIN however, once the PIN itself is compromised and available to an adversary, there is no way of distinguishing between legitimate use of the card by the card holder and fraudulent use of the card by an adversary. In other words, there is no biometric linkage that ties the PIN to the particular card holder. Rather anyone who knows the PIN is, in effect, able to authorise card transactions. Accordingly, if a PIN is discovered by an adversary, it becomes very difficult for a card holder to demonstrate that his or her card has been used fraudulently.
Another concern relating to PIN authorisation for credit cards stems from the nature of potential criminal activity relating to these cards. Thus signature-based cards are most susceptible to opportunistic theft. For example, a dropped card may be found, or perhaps a handbag containing a card is snatched. A criminal can then try to forge the card signature in order to make fraudulent purchases with the card.
In contrast, with a PIN-based card, criminal activity may well be triggered by observation of the card holder's use of the PIN, thereby allowing the PIN to be deduced. It then becomes attractive for a criminal to specifically target the card holder in order obtain this particular card, for which the PIN is already known. This may entail a higher level of violence against the card holder (compared to the opportunistic theft of signature-based cards).
Such consideration underline the importance of ensuring that a card holder is properly able to protect the PIN or other form of pass code against disclosure to third parties.