Tuesday, January 26th, 2010 01:32 pm

A Cambridge, UK outfit called Gridsure wants to solve the problem of thieves shoulder-surfing your PIN.  Their solution is this:  Instead of keying in your PIN on a keypad that displays the same digits every time, they're going to display a "keypad" filled with random digits, and defeat shoulder-surfers because the random digits are a red herring — what matters is the pattern of keys that you hit.  So, instead of the insecure and easily shoulder-surfed system of you hitting the same keys on a keypad every time you enter your PIN, they're going to deploy a clever new system wherein you hit the same keys on a keypad every time you enter your PIN, which will completely defeat shoulder-surfing.

... No, it doesn't make any sense to me either.  Didn't anyone at Gridsure stop and think for a moment about whether this hare-brained idea even made sense?

Correction, 2010.01.27:

It transpires that the article I read that mentioned GrIDsure managed to omit a crucial detail that completely changes the strength of the technology.  Please see my followup today for details.

Wednesday, January 27th, 2010 12:55 pm (UTC)
Besides, a camera mounted in a skimming device will pick up the PIN. But it doesn't make a lot of sense for another reason: UK banks are going over to a smartcard system, where the card has to actually be stolen to be skimmed.
Tuesday, January 26th, 2010 06:40 pm (UTC)
*grins* gotta love technological myopia.
Tuesday, January 26th, 2010 06:53 pm (UTC)
-blink- that's just silly
Tuesday, January 26th, 2010 07:03 pm (UTC)
randomly placed pictographs at least eliminate the issues of patterns (which is a key bad point), and make it really hard to guess based on that - like in movies with fingerprints revealing the button presses and order...

hey, how about 5-6 digit pins? how about alphanumerics at least? 4 digits? 10,000 combos? eliminate many due to other issues...

i read a blurb that claimed the reason it's 4 digits, is that the deployer's wife felt that 5 or more was too hard (for her). mmm.

Tuesday, January 26th, 2010 07:38 pm (UTC)
So I've heard. The story has it she was quite emphatic that the design engineer's wife couldn't possibly remember more than four digits.

(I can't help but think, "Poor guy must have married a real dim-bulb...")
Tuesday, January 26th, 2010 10:40 pm (UTC)
PIN length is actually 6 digits, but no one seems to do more than 4.
Tuesday, January 26th, 2010 10:46 pm (UTC)
Wells Fargo USED to allow 6-digit PINs. Then one day they stopped, without ever giving any clear explanation as to why.
Wednesday, January 27th, 2010 12:43 am (UTC)
Sigh.

Please tell me these people have nothing to do with defence.

It will eventually come down to biometrics, something about which I'm thrilled beyond words.

Ah, well. The Yankee government already has my fingerprints, if they've anyone brighter than a box of rocks, they've got a chunk of my DNA also.
Wednesday, January 27th, 2010 03:36 am (UTC)
Forget that.

What they do is display a grid of random characters, say 5x5 on a screen.

You've previously agreed that you'll enter, say, the characters on the upper right to lower left diagonal.

So you key in that random sequence of 5 characters.

To "shoulder surf" it, you have to see what they're entering, AND what the 5x5 random grid is.

Different random grid each time, so unless you know their "pattern", you can't enter the same characters each time.
Edited 2010-01-27 03:41 am (UTC)
Wednesday, January 27th, 2010 05:11 am (UTC)
and, because the numbers appear more than once on the grid, and you don't enter them on the grid (they're entered on a regular keyboard in the video), the pattern is also kept secret. The numbers change every time. Here's a video I found on YouTube.

http://www.youtube.com/watch?v=rgFOEhjdU6g
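The scheme the two comments above describe (a fresh random grid each time, a fixed secret pattern of cells, and the user keying in whatever digits currently sit in those cells), worked through as an added example. This is illustrative code written for this page, not GrIDsure's product or any vendor code; it assumes a 5x5 grid of decimal digits, a 5-cell pattern stored server-side as (row, column) coordinates, and a verifier that compares the keyed digits against the digits it can itself read off the grid it issued. The sample grid is constructed by hand so the results are fixed. The last two functions quantify the second comment's point that repeated digits hide the pattern: for one observed transaction they list the cells an onlooker cannot distinguish between, which is the residual secrecy a defender should expect from a single exposure.

```python
import secrets

GRID_SIZE = 5      # assumed: 5x5 grid, as in the comment above
PATTERN_LEN = 5    # assumed: the pattern selects 5 cells

def make_grid(size=GRID_SIZE):
    """Issue a fresh size x size grid of random decimal digits for one login."""
    return [[secrets.randbelow(10) for _ in range(size)] for _ in range(size)]

def derive_code(grid, pattern):
    """The one-time code: the digits shown in the pattern's cells, in pattern order."""
    return "".join(str(grid[r][c]) for r, c in pattern)

def verify(grid, pattern, entered):
    """Verifier side: recompute the code from the grid it issued and compare."""
    return secrets.compare_digest(derive_code(grid, pattern), entered)

def candidate_cells(grid, entered):
    """For each keyed digit, the grid cells that show that digit.

    From a single observed transaction (grid plus keyed digits) each pattern
    position can only be narrowed to one of these cells; because digits repeat
    on the grid, several cells remain indistinguishable."""
    cells = []
    for ch in entered:
        d = int(ch)
        cells.append([(r, c)
                      for r in range(len(grid))
                      for c in range(len(grid[r]))
                      if grid[r][c] == d])
    return cells

def candidate_pattern_count(grid, entered):
    """Number of cell sequences consistent with one observation (upper bound,
    since it also counts sequences that reuse a cell)."""
    count = 1
    for cells in candidate_cells(grid, entered):
        count *= len(cells)
    return count

# Constructed sample: a hand-written 5x5 grid and the "upper right to lower
# left diagonal" pattern from the comment above.
SAMPLE_GRID = [
    [3, 1, 4, 1, 5],
    [9, 2, 6, 5, 3],
    [5, 8, 9, 7, 9],
    [3, 2, 3, 8, 4],
    [6, 2, 6, 4, 3],
]
DIAGONAL_PATTERN = [(0, 4), (1, 3), (2, 2), (3, 1), (4, 0)]

if __name__ == "__main__":
    code = derive_code(SAMPLE_GRID, DIAGONAL_PATTERN)   # "55926" for this grid
    print("code for this grid:", code)
    print("accepted:", verify(SAMPLE_GRID, DIAGONAL_PATTERN, code))
    print("cells per keyed digit:",
          [len(c) for c in candidate_cells(SAMPLE_GRID, code)])
    print("patterns consistent with one look:",
          candidate_pattern_count(SAMPLE_GRID, code))
    # A fresh grid yields a different code for the same pattern next time.
    print("next grid's code:", derive_code(make_grid(), DIAGONAL_PATTERN))
```

With the sample grid the keyed code is 55926, and each keyed digit appears in three cells, so one observation leaves 3^5 = 243 cell sequences open rather than pinning the pattern down; the secret never crosses the keypad, only the grid-dependent digits do.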

Wednesday, January 27th, 2010 12:55 pm (UTC)
OK, the article I was reading about it in failed to make clear that there was a "read the digits from your pattern off the random grid and enter them" stage. With that, it's actually a sensible scheme, and I recant my ridicule. As presented in the article, it was batshit ridiculous.