Saturday, April 4, 2009

PIN Entry Screens Considered Harmful

I never wrote a "Considered Harmful" blog post before so I figured it was high time I did so. I often find myself at the grocery store, gas station, or fast-food restaurant keying my 4-digit PIN into some electronic entry system.

I look around and see someone watching me type in my code. Whether they're doing it intentionally or they're doing it incidentally, it still bothers me. I don't really want anyone seeing my PIN, particularly if that person wants to know it.

The other day, I was waiting behind some woman at the grocery store. In my frustration, I watched every move she made. She pulled her card out of her purse, handed it to the cashier, and started keying her PIN. From my angle, I couldn't see the actual numbers, but when she finished, I was completely shocked that I knew what her PIN was!

Evidently, without even noticing that I was doing it, I watched her key her PIN and I figured out what it was by the location of her presses alone. I had to be sure, so I asked, "ma'am, is your PIN 4321?" Shocked and appalled she said, "why were you paying attention to that?" I replied, "it was an accident . . . I just happened to see where you were pressing."

That's when I had an idea. The digital keypads must be simply displaying the numbers on the screen. It seems that it would be completely reasonable to scramble the actual numbers so that nobody could decode your PIN simply by watching the location of your key presses.
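Here is what that scrambled keypad looks like in code. This is an added example, not code from the original post: it draws a fresh digit layout from the OS random source (Python's `secrets` module) for each PIN entry, and shows that the same sequence of press positions no longer decodes to the same PIN for someone who only saw where the fingers landed. One caveat the example makes explicit: scrambling defeats position-only observation; an observer who can read the screen itself still sees the digits.

```python
import secrets

# Standard telephone-style layout most PIN pads use: 3x4 grid, row-major,
# with 0 in the bottom middle. Key positions are indexed 0..11.
STANDARD_LAYOUT = ["1", "2", "3",
                   "4", "5", "6",
                   "7", "8", "9",
                   "*", "0", "#"]

DIGITS = list("0123456789")


def scrambled_layout(rng=None):
    """Return a fresh 3x4 layout with the ten digits in random order.

    Uses the OS CSPRNG so the next layout cannot be predicted from
    earlier ones. '*' and '#' stay in their usual corners.
    """
    rng = rng or secrets.SystemRandom()
    digits = DIGITS[:]
    rng.shuffle(digits)
    return digits[:9] + ["*", digits[9], "#"]


def positions_for_pin(pin, layout):
    """Key positions a user presses to enter `pin` on `layout`."""
    return [layout.index(d) for d in pin]


def decode_positions(positions, layout):
    """Digits a sequence of key positions means under `layout`."""
    return "".join(layout[p] for p in positions)


def shoulder_surfer_guess(positions):
    """What an observer who saw only *where* the presses landed, and
    assumes the standard layout, would conclude the PIN was."""
    return decode_positions(positions, STANDARD_LAYOUT)


def position_guess_leaks_pin(pin, layout):
    """True if watching positions alone reveals `pin` under `layout`.
    Always True for STANDARD_LAYOUT; rarely True for a scrambled one."""
    return shoulder_surfer_guess(positions_for_pin(pin, layout)) == pin
```

The terminal still has to know which layout it showed for this entry, so the layout must be generated and mapped back to digits on the PIN pad itself, never trusted from the observer's side of the glass.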
