Security fail

[unixronin]

A Cambridge, UK outfit called Gridsure wants to solve the problem of thieves shoulder-surfing your PIN.  Their solution is this:  Instead of keying in your PIN on a keypad that displays the same digits every time, they're going to display a "keypad" filled with random digits, and defeat shoulder-surfers because the random digits are a red herring — what matters is the pattern of keys that you hit.  So, instead of the insecure and easily shoulder-surfed system of you hitting the same keys on a keypad every time you enter your PIN, they're going to deploy a clever new system wherein you hit the same keys on a keypad every time you enter your PIN, which will completely defeat shoulder-surfing.

... No, it doesn't make any sense to me either.  Didn't anyone at Gridsure stop and think for a moment about whether this hare-brained idea even made sense?

Correction, 2010.01.27:

It transpires that the article I read that mentioned GrIDsure managed to omit a crucial detail that completely changes the strength of the technology.  Please see my followup today for details.

Comments

[randwolf]

Besides, a camera mounted in a skimming device will pick up the PIN. But it doesn't make a lot of sense for another reasons: UK banks are going over to a smartcard system, where the card has to actually be stolen to be skimmed.

[glitch25.livejournal.com]

*grins* gotta love technological myopia.

[laurarey.livejournal.com]

-blink- that's just silly

[perspicuity.livejournal.com]

randomly placed pictographics at least elminate the issues of patterns (which is a key bad point), and make it really hard to guess based on that - like in movies with fingerprints revealing the button presses and order...

hey, how about 5-6 digit pins? how about alphanumberics at least? 4 digits? 10,000 combos? elminate many due to other issues...

i read a blurb that claimed the reason it's 4 digits, is that the deployer's wife felt that 5 or more was too hard (for her). mmm.

#

[unixronin.livejournal.com]

So I've heard. The story has it she was quite emphatic that the design engineer's wife couldn't possibly remember more than four digits.

(I can't help but think, "Poor guy must have married a real dim-bulb...")

[vetpsychwars.livejournal.com]

PIN length is actually 6 digits, but no one seems to do more than 4.

[unixronin.livejournal.com]

Wells Fargo USED to allow 6-digit PINs. Then one day they stopped, without ever giving any clear explanation as to why.

[lwj2.livejournal.com]

Sigh.

Please tell me these people have nothing to do with defence.

It will eventually come down to bio-metrics, something about which I'm thrilled beyond words.

Ah, well. The Yankee government already has my fingerprints, if they've anyone brighter than a box of rocks, they've got a chunk of my DNA also.

[skellington.livejournal.com]

Forget that.

What they do is display a grid of random characters, say 5x5 on a screen.

You've previously agreed that you'll enter, say, the characters on the upper right to lower left diagonal.

So you key in that random sequence of 5 characters.

To "shoulder surf" it, you have to see what they're entering, AND what the 5x5 random grid is.

Different random grid each time, so unless you know their "pattern", you can't enter the same characters each time.

[suzilem.livejournal.com]

and, because the numbers appear more than once on the grid, and you don't enter them on the grid (they're entered on a regular keyboard in the video), the pattern is also kept secret. The numbers change every time. Here's a video I found on youtube.

http://www.youtube.com/watch?v=rgFOEhjdU6g

[unixronin.livejournal.com]

OK, the article I was reading about it in failed to make clear that there was a "read the digits from your pattern off the random grid and enter them" stage. With that, it's actually a sensible scheme, and I recant my ridicule. As presented in the article, it was batshit ridiculous.