101

The other day I tried to withdraw some cash from an ATM in a hurry and punched in the wrong PIN. I realized that only when I hit the "OK" button, but to my surprise the ATM did not complain. It showed the usual menu, asking me to select an operation. It was only when I selected withdrawal that I was told the PIN was incorrect and asked to re-enter it, which I did, and I received the cash.

Why do ATMs let you enter any garbage for a PIN and select an operation, and only then complain?

EDIT: to add more information about some points discussed in answers and comments: the country where this happened is New Zealand. The card is a chip card which also happens to have a magnetic band, and I have no idea if the ATM can read the chip or not.

Andrew Savinykh

  • It must depend on your country: in some countries (USA for example), the ATM only reads the card's magnetic band, while in others, it really authenticates with the chip. If it uses the chip, it needs the correct PIN. You can sometimes get a hint by looking at the ATM's behavior: if it spits back your card before asking for the PIN, then it will not use the chip. – T. Verron Jul 01 '14 at 12:14
  • @Verron: I'd be very surprised if it spit out the card before you enter the PIN (they sure don't do that here!). One of the "tasks" an ATM has to fulfill is to confiscate the card if you fail to enter the correct PIN 3 times. Which, of course, it can't do if it gives you back the card before prompting you. – Damon Jul 01 '14 at 15:02
  • @Damon All ATMs I've used here (Chicago, US) in the past several years have been the type where you insert it, then it scans as you pull the card out, then you enter the PIN. We used to have ones that held your card (although I don't know about the confiscation feature), until around 4-5 years ago when I last remember using the old kind. – Izkata Jul 01 '14 at 16:43
  • In India you get both kinds. In one you insert the card and do all operations. With the other type you insert, remove, and then enter the PIN and continue for up to 1 operation. For another operation, you will have to insert again and repeat the process. – Rajib Jul 01 '14 at 16:51
  • @Damon: I've seen some ATMs spit out the card before prompting for the PIN in the USA. I guess there is no need to confiscate the card if all verifications happen on the bank's side... – T. Verron Jul 02 '14 at 09:10
  • @T.Verron: As far as the bank and large shops are concerned, yes. But a lot of small shops (at least in the EU) still have a debit note system where you must present the physical card and sign. Which of course works perfectly well with a stolen card and without a PIN (I use mine like this all the time since I didn't remember the PIN when the bank changed it for no reason and the bank charges 15€ for sending you the PIN letter again, which I find outrageous). That's a likely reason ATMs are supposed to confiscate them: not _all_ verifications are _always_ done bank-side. – Damon Jul 02 '14 at 10:34
  • @Damon Ah indeed, yes. But nothing prevents you from performing the same scams if you never present the stolen card to an ATM. – T. Verron Jul 02 '14 at 11:34
  • This will be for user experience; the user gets the top-level menu without the round-trip of authenticating with the mainframe. After entering the request, the ATM bundles the authentication request with the transaction, so doing only a single round-trip in most use cases. – Gaius Jul 06 '14 at 09:30
  • @Gaius, mainframe? Are you sure it's not something from the 1970s? – Andrew Savinykh Jul 06 '14 at 19:10
  • This begs the question of why the ATM even asks for the PIN before a transaction is to be done. All machines I usually come across in Germany only ever ask for the PIN if they want to access my account for anything. (And this should be possible regardless of the system used, chip, stripe or whatever.) – I'm with Monica May 06 '19 at 09:59

8 Answers

116

This answer applies when the ATM uses the card's magnetic stripe, not when the card's chip is used.

The keyboard of an ATM is a completely separate device with special hardware security features (like self-destroying chips if someone tries to open it, etc.) because it's the bottleneck of the whole ATM security.

When you enter a PIN, the ATM itself won't receive the PIN in plaintext, but rather gets the PIN encrypted. When it sends a transaction to the main server, it cryptographically combines the encrypted PIN with the amount of money specified in the transaction to prevent attackers from modifying this amount.

If the ATM had verified the PIN before the transaction (by sending it to the server), the specified amount of money couldn't be securely tied to knowledge of the PIN.

Therefore, the ATM can't verify whether the PIN is valid or not until it attempts to issue a transaction to the main bank servers (which know how to decrypt or otherwise verify the encrypted PIN).

vzwick
user19426

  • What about the case of chip cards, isn't the PIN verified locally? Also, do you have any references for your described protocol? – domen Jul 01 '14 at 09:12
  • @domen: the PIN is not saved on the chip card. – reox Jul 01 '14 at 09:28
  • It would not need to be *saved* to be verified. – domen Jul 01 '14 at 09:31
  • @domen: The PIN is the key that unlocks the digital certificates stored on the chip, which are then used to verify that the card was properly unlocked. However, it does not mean that the communication from the PED to the card processing server is secure, such as unencrypted WiFi. Also, there are drawbacks to the latest EMV standard that make man-in-the-middle attacks possible. Chip/PIN protect retailers and businesses but not consumers. In fact, I wouldn't be surprised if they push liability back onto the consumer. The transactions are also done in real-time. – Engineer2021 Jul 01 '14 at 11:05
  • @user19426 Here in Serbia, at least, ATMs do not allow use of a bank card until the correct PIN is entered. The only options are to retry a limited number of times or to eject the card. – AndrejaKo Jul 01 '14 at 11:50
  • @reox Chip cards do save the PIN. That's how they can enable offline transactions. – Gilles 'SO- stop being evil' Jul 01 '14 at 12:29
  • @domen With such a small search space (10^4 possible PINs with most banks), there isn't any practical difference between saving the PIN itself and saving something that allows confirmation but not direct recovery (i.e. a hash): brute-forcing 10^4 possibilities offline is trivial. (Brute-forcing online is protected by the lock-after-three-failures behavior.) – Gilles 'SO- stop being evil' Jul 01 '14 at 12:31
  • @Gilles brute-forcing could be protected by a similar mechanism inside the chip. – domen Jul 01 '14 at 12:45
  • One minor side note, the PIN COULD be verified beforehand and sent again with the transaction amount, but this would require more communication. It isn't like sending the encrypted PIN once prevents being able to send the PIN + transaction amount later. It still makes sense not to, though, as it makes it take longer to execute an attempt if they have to go through setting up the transaction as well. – AJ Henderson Jul 01 '14 at 12:53
  • @domen This is getting off-topic… but the chip *does* protect against online brute-forcing, by locking up after three failures. The chip protects against offline brute-forcing by making it extremely hard to dump its memory; if this physical tamper resistance is overwhelmed then given the small search space it doesn't matter whether the PIN is stored directly or not. (Actually the PIN is probably not stored as an array of characters, but for a different reason: not to encode it with a one-way function, but to make the PIN checking more resistant against side channel attacks.) – Gilles 'SO- stop being evil' Jul 01 '14 at 12:59
  • @Gilles, you claimed something which is not true - that the PIN is stored on the card. Now you are getting into a convoluted argument, saying "it doesn't matter whether the PIN is stored directly or not". Why don't you just correct yourself?? – Jul 01 '14 at 14:11
  • @jwg That difference is irrelevant. It doesn't really matter how the card encodes or encrypts the PIN. It still has to store and protect something equivalent to the PIN. If somebody manages to bypass the tamper protection of the chip, they can recover the PIN. As Gilles said, it's likely that some form of side-channel-reducing encoding is used. – CodesInChaos Jul 01 '14 at 14:14
  • @CodesInChaos Gilles didn't say that PIN numbers are secure even if the memory on the card can be read (and I would certainly not disagree). He said *Chip cards do save the PIN*. This is incorrect. – Jul 01 '14 at 14:16
  • @jwg You're nitpicking. With that logic a hard disk or CD doesn't store my data either, since it applies some form of error coding. If the chip stores something from which you can compute the PIN, saying "it stores the PIN" is a perfectly fine abstraction. – CodesInChaos Jul 01 '14 at 14:17
  • @CodesInChaos If you know anything about information theory, that is a clearly flawed analogy. – Jul 01 '14 at 14:19
  • But why not verify the PIN in the beginning AND send PIN-encrypted requests for withdrawal later? – Cthulhu Jul 01 '14 at 14:19
  • @CodesInChaos I'm not saying that there is a material difference between the two statements. I'm saying that if you correct someone who is *right* by saying something which is *wrong*, you should have the grace to recognize your error, rather than weasel around with definitions and claim 'the distinction is irrelevant'. – Jul 01 '14 at 14:25
  • It's simple UI experience: if magnetic cards don't verify the PIN beforehand, the chip cards shouldn't do that either. Just to preserve a consistent user experience. – Agent_L Jul 01 '14 at 15:52
  • This answer is wrong, the PIN is not used to generate the client cryptogram that protects the amount http://chipnpin.blogspot.com/2012/01/what-is-arqc.html and it is not necessary to go online to verify if the PIN is correct; this happens only if the EMV chip is damaged or does not exist – bbozo Jul 01 '14 at 16:19
  • @bbozo This answer is correct for ATMs that use the magnetic stripe (as is the norm in e.g. the US). It's wrong when the ATM uses the chip (as happens e.g. in Europe for European cards). – Gilles 'SO- stop being evil' Jul 02 '14 at 09:49
  • I worked for Verifone a few years back and can 100% verify that it is correct in the U.S. for magnetic stripe transactions. I don't believe we have the fancy pin-and-amount hash stuff described in the answer, though, unless it's something relatively new or something ATMs do and debit transactions don't. It's only been a few years since Verifone and in my day it was just 3des(pin+sequence_number) and ship off the result to the payment processor. The sequence number would stop replay attacks, but on the other hand it's still only 3DES... – David Perry Jul 03 '14 at 08:55
  • This is a video of one being taken apart, with all the security features being shown, as well as the chips: https://www.youtube.com/watch?v=NFLdiK2-Uh0 – George Jul 06 '14 at 20:27

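
The magnetic-stripe flow this answer describes, as an added, runnable model (example code written for this page, not the answer author's code and not any ATM vendor's implementation). An encrypting PIN pad turns the typed PIN into an ISO 9564 format-0 PIN block and encrypts it under a PIN key that only the pad and the bank host hold; the ATM controller, which never sees the clear PIN, puts that encrypted block, the amount and a sequence number into one message and MACs it; the host checks the MAC, decrypts the block and compares the PIN, and only then approves. Assumptions that are this example's own and not from the page: the pipe-delimited message layout, HMAC-SHA256 as the MAC, and an HMAC-SHA256 counter-mode keystream standing in for the 3DES/AES a real pad uses (the stdlib has no 3DES). Whether real stripe transactions bind the amount to the PIN this way is disputed in the comments above; the model only shows the mechanism the answer describes and why, under it, the host cannot judge the PIN before the transaction arrives.

```python
"""Toy model of an encrypting PIN pad, ATM controller and bank host.
Added example; message format, key handling and the stand-in cipher are
this example's assumptions, not a real ATM protocol."""
import hmac
import hashlib
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the pad's 3DES/AES: HMAC-SHA256 keystream in counter mode (assumption)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def pin_block_format0(pin: str, pan: str) -> bytes:
    """ISO 9564 format-0 clear PIN block: PIN field XOR PAN field, 8 bytes."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = ("0" + format(len(pin), "x") + pin).ljust(16, "F")
    pan_field = "0000" + pan[-13:-1]  # 12 rightmost PAN digits, check digit excluded
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field), bytes.fromhex(pan_field)))


def pin_from_block(block: bytes, pan: str) -> str:
    """Inverse of pin_block_format0; reachable only by whoever holds the PIN key."""
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    pin_field = bytes(a ^ b for a, b in zip(block, pan_field)).hex().upper()
    return pin_field[2:2 + int(pin_field[1], 16)]


class EncryptingPinPad:
    """Tamper-resistant keypad: the only ATM component that ever sees the clear PIN."""
    def __init__(self, pin_key: bytes):
        self._pin_key = pin_key

    def capture_pin(self, typed_pin: str, pan: str) -> bytes:
        nonce = os.urandom(8)
        return nonce + _keystream_xor(self._pin_key, nonce, pin_block_format0(typed_pin, pan))


class Atm:
    """ATM controller: handles only the encrypted PIN block, never the PIN."""
    def __init__(self, mac_key: bytes, terminal_id: str):
        self._mac_key, self._terminal_id, self._seq = mac_key, terminal_id, 0

    def build_request(self, pan: str, amount_cents: int, enc_pin_block: bytes) -> dict:
        self._seq += 1
        msg = f"{self._terminal_id}|{self._seq}|{pan}|{amount_cents}|{enc_pin_block.hex()}".encode()
        # One MAC over amount and encrypted PIN block together: neither can be swapped alone.
        return {"msg": msg, "mac": hmac.new(self._mac_key, msg, hashlib.sha256).digest()}


class Host:
    """Bank authorization host: holds the PIN key, the MAC key and the reference PINs."""
    def __init__(self, pin_key: bytes, mac_key: bytes, pins: dict):
        self._pin_key, self._mac_key, self._pins, self._seen = pin_key, mac_key, pins, set()

    def process(self, req: dict) -> str:
        expected = hmac.new(self._mac_key, req["msg"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, req["mac"]):
            return "DECLINE: MAC mismatch"          # altered amount or forged message
        terminal, seq, pan, amount, enc_hex = req["msg"].decode().split("|")
        if (terminal, seq) in self._seen:
            return "DECLINE: replay"                # sequence number already used
        self._seen.add((terminal, seq))
        enc = bytes.fromhex(enc_hex)
        pin = pin_from_block(_keystream_xor(self._pin_key, enc[:8], enc[8:]), pan)
        if not hmac.compare_digest(pin.encode(), self._pins.get(pan, "").encode()):
            return "DECLINE: wrong PIN"             # first point at which the PIN is judged
        return f"APPROVE: dispense {int(amount) / 100:.2f}"


def demo() -> list:
    pin_key, mac_key = os.urandom(32), os.urandom(32)
    pan = "4000001234567899"  # constructed sample PAN
    epp, atm = EncryptingPinPad(pin_key), Atm(mac_key, "ATM001")
    host = Host(pin_key, mac_key, {pan: "1234"})
    out = [host.process(atm.build_request(pan, 5000, epp.capture_pin("1234", pan))),
           host.process(atm.build_request(pan, 5000, epp.capture_pin("9999", pan)))]
    req = atm.build_request(pan, 5000, epp.capture_pin("1234", pan))
    forged = {"msg": req["msg"].replace(b"|5000|", b"|500000|"), "mac": req["mac"]}
    out.append(host.process(forged))  # amount raised in transit: MAC no longer matches
    out.append(host.process(req))     # untouched request is fine
    out.append(host.process(req))     # same request again: replay
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point the model makes: the ATM's only evidence of the PIN is an opaque block it cannot decrypt, and that block only ever leaves the machine inside a MAC'd transaction, so "is this PIN right?" and "is this withdrawal authorized?" are answered by the host in the same round trip. AJ Henderson's remark above still holds: nothing stops an ATM from sending a PIN-only message first and the full transaction later; it just costs an extra round trip.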
32

Confirming the PIN when the card's magnetic stripe is used requires contacting the bank's server. Since this takes time (and took even more time back in the days of dialup), the ATM combines "verify the PIN" and "withdraw money" into a single contact.

The behavior might be different if the card has a chip and the ATM supports it.

Gilles 'SO- stop being evil'
Mark

  • If there is a chip on the card, it can verify the PIN locally. – T. Verron Jul 01 '14 at 12:17
  • There is no industry-wide standard to perform just "verify PIN online" if the chip isn't present; also what T Verron said, a lot of bad upvoted answers here – bbozo Jul 01 '14 at 16:26
  • It's worth mentioning that the days of dialup are not over - standalone ATMs (like those in stores and restaurants) often still use landlines (sometimes cellular modems). – nobody Jul 01 '14 at 17:44
  • @T.Verron the chip on the card doesn't generally 'verify the PIN'. It either accepts/denies a specific transaction in offline mode, or, in an ATM, signs a transaction before sending it to the bank - if it's an online transaction, then it defers all decisions to the central server. Both things are done *after* you have entered what you wish to do. – Peteris Jul 02 '14 at 08:56
  • @Peteris: I will check that next time I use an ATM here (in France). The order here is: insert the card, enter the PIN, enter the operation, enter the amount, recover the card. I am pretty sure that if you enter a wrong PIN, you are prompted for a new one immediately, but it is worth checking. – T. Verron Jul 02 '14 at 09:13
  • @T.Verron the ATM is capable of sending the PIN to the bank to verify immediately; as the answer says, sometimes ATMs choose not to do it in order to save time. It would also depend on the tech used to connect the ATM to the network - in some areas, ATMs are (were?) connected with, in essence, dialup connections over phone lines that have a many-second initialization time before the connection is active, so that also could have been a factor in their programming. – Peteris Jul 02 '14 at 09:37
  • ... besides the fact that one probably tries to avoid hogging all bank-side dial-in data lines with unneeded connect(ion)s. – JimmyB Jul 02 '14 at 10:18

21

Most ATMs have to deal with 2 types of cards: old magnetic ones and newer chip cards. Magnetic cards can't verify the PIN locally. Chip cards theoretically have this ability, but that doesn't mean this functionality isn't limited.

The behavior you've described perfectly matches the magnetic card flow. But should a chip card be verified using a different path? There are 2 reasons it should not:

1) Implementing a brand new second path costs money. ATM manufacturers surely want to keep costs low and reuse as much of the code as possible.

2) Presenting a consistent user experience. It's easy to imagine someone with 2 cards, one magnetic and one chip. Or a customer being issued a new chip card to replace an old magnetic-only one. There is no need to confuse users by providing them with 2 different paths. ATMs are scary enough.

/edit: Oh, I forgot one very important thing:

The local PIN on the card can be out of date.

In many banks you can change the card's PIN, but there is no way the card's chip can know about it. So if the ATM checked the PIN locally, it would reject the correct new PIN but allow the incorrect old one. And of course the PIN check would succeed and the transaction would fail.

Agent_L

  • This is the only answer so far that isn't flawed in some way, +1 – bbozo Jul 01 '14 at 16:23
  • This really depends on the country. There are countries where the PIN check is almost mandatory, at least in shops. In these cases, if the bank offers to let you change your PIN, that should imply that they give you a new card with a new chip accepting the new PIN (but I don't think the card number needs to be changed). – T. Verron Jul 02 '14 at 09:17
  • @T.Verron I think it's a misunderstanding. The original question was "why is the PIN checked during the transaction but not when inserting the card (offline)". Of course the PIN is always checked during the transaction. – Agent_L Jul 02 '14 at 10:32
  • Sorry, it was a comment on "Local PIN on card can be out of date.". – T. Verron Jul 02 '14 at 11:36
  • Yeah. The local PIN on the chip card is updated only during a transaction (which involves communication with the central server), because the card has no way of communicating other than through the transaction terminal. Even cards with an LCD (which claim to display your account balance) update only during transactions. Transactions in shops check the PIN on the server, not locally on the card. (In some banks I got a debit chip card with no PIN at all; I had to set it via WWW. The bank warned that the first transaction may fail, but after that the PIN will be updated on the card.) – Agent_L Jul 02 '14 at 11:58

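
The chip-card side of this answer and its comments, as an added, runnable model (example code written for this page, not the answer author's code and not an EMV reference implementation). The card applet keeps a PIN try counter, decrements it before every comparison so that pulling the card mid-check still costs an attempt, compares in constant time, and blocks itself at zero; a PIN changed at the bank reaches the card only as an issuer-authenticated script delivered at the end of the next online transaction, which is what the "local PIN can be out of date" paragraph describes. Assumptions that are this example's own: the `PIN_CHANGE`/`PIN_UNBLOCK` command names, the script encoding, HMAC-SHA256 for script authentication, and a single constructed issuer key (real issuers derive per-card keys).

```python
"""Toy model of offline PIN verification on a chip card plus issuer scripts.
Added example; command names, script format and key handling are this
example's assumptions, not EMV's actual encoding."""
import hmac
import hashlib

MAX_TRIES = 3


class ChipCard:
    """The card applet: holds a PIN-equivalent, a try counter and the issuer key."""

    def __init__(self, pin: str, issuer_key: bytes):
        self._pin = pin.encode()
        self._issuer_key = issuer_key
        self._tries_left = MAX_TRIES

    def verify_pin(self, candidate: str) -> str:
        if self._tries_left == 0:
            return "BLOCKED"
        # Decrement before comparing: cutting power mid-check must still cost a try.
        self._tries_left -= 1
        # Constant-time compare so the result does not leak through timing.
        if hmac.compare_digest(self._pin, candidate.encode()):
            self._tries_left = MAX_TRIES
            return "OK"
        return "BLOCKED" if self._tries_left == 0 else f"WRONG ({self._tries_left} left)"

    def tries_left(self) -> int:
        return self._tries_left

    def apply_issuer_script(self, script: bytes, mac: bytes) -> bool:
        """Accept a PIN change or unblock only if the issuer's MAC over it checks."""
        expected = hmac.new(self._issuer_key, script, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False
        command, _, arg = script.decode().partition(":")
        if command == "PIN_CHANGE":
            self._pin = arg.encode()
        elif command != "PIN_UNBLOCK":
            return False
        self._tries_left = MAX_TRIES
        return True


class Issuer:
    """The bank: source of truth for the PIN; pushes scripts during online transactions."""

    def __init__(self, issuer_key: bytes, pin: str):
        self._key = issuer_key
        self.current_pin = pin
        self._pending = []

    def change_pin_online(self, new_pin: str) -> None:
        # Customer changed the PIN via web or phone; the card cannot know yet.
        self.current_pin = new_pin
        self._pending.append(f"PIN_CHANGE:{new_pin}".encode())

    def queue_unblock(self) -> None:
        self._pending.append(b"PIN_UNBLOCK:")

    def online_transaction(self, card: ChipCard) -> int:
        """Deliver pending scripts at the end of an online transaction; returns how many applied."""
        applied = 0
        while self._pending:
            script = self._pending.pop(0)
            mac = hmac.new(self._key, script, hashlib.sha256).digest()
            applied += int(card.apply_issuer_script(script, mac))
        return applied


def demo() -> list:
    key = b"constructed-issuer-key-for-this-example"
    card, bank = ChipCard("1234", key), Issuer(key, "1234")
    out = []
    bank.change_pin_online("5678")
    out.append(card.verify_pin("5678"))  # card still holds the old PIN: WRONG (2 left)
    out.append(card.verify_pin("1234"))  # old PIN still accepted offline: OK
    bank.online_transaction(card)        # script brings the card up to date
    out.append(card.verify_pin("5678"))  # OK
    for guess in ("0000", "1111", "2222"):
        out.append(card.verify_pin(guess))  # WRONG (2 left), WRONG (1 left), BLOCKED
    out.append(card.verify_pin("5678"))  # BLOCKED: the right PIN no longer helps
    bank.queue_unblock()
    bank.online_transaction(card)        # issuer unblock resets the counter
    out.append(card.verify_pin("5678"))  # OK again
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two things worth noticing when running it: between the online PIN change and the next online transaction the card accepts the old PIN and rejects the new one, exactly the inconsistency the answer warns about; and once the counter hits zero even the correct PIN is refused until an issuer-authenticated unblock arrives, which is the mechanism Gilles's comment relies on against online guessing.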
14

This is a question of policy in the ATM software. Many ATMs do in fact verify the PIN with the bank before allowing you to continue.

But the ATM itself doesn't know whether your PIN is correct. It has to ask the bank, and this takes time. How much time it takes will often determine whether or not the ATM will skip this step.

Each transaction between the ATM and the bank is separate, so each needs to be separately authenticated and therefore the PIN is validated with every transaction. This means from a practical standpoint, the ATM doesn't technically need to validate the PIN up front. It knows that an incorrect PIN will cause any other transaction to fail.

So there's a balance that needs to be struck, and each ATM may do this differently. Validating the PIN up front might be simpler for the user, but it might require extra time if the ATM doesn't have a dedicated line open to the bank. So imagine typing in your pin and waiting 20 seconds for the ATM to tell you if you did so correctly. To reduce the total time required, they can opt to skip that step.

tylerl

  • The one true answer. Everything else is just speculation based on potential knowledge of a single ATM's programming, or worse. Why would folks think they all work the same way? – jmarkmurphy Jul 01 '14 at 17:32

2

There is no reason to verify the PIN at this stage; if anything it would be bad to.

  1. It is a waste of bandwidth/time to check, as it most likely needs to be sent again with the transaction call anyway.

  2. If someone is attempting to guess the PIN, it takes considerably longer to find out if it is the correct PIN. There is a higher chance of getting their face on a camera the longer they stand in front of the machine.

  3. There is no way to verify the PIN against the card; it must involve the bank to verify, otherwise you could do offline verification.

  4. This applies to both stripe and chip cards; the PIN would never be stored in either of these places in any form.

Jegsar

  • Your last point is wrong; many chip cards store the PIN to support offline chip and PIN transactions at merchants. – Peter Green Oct 12 '16 at 00:21

1

user19426's answer is interesting-- I didn't know ATM keypads were implemented that way-- but it doesn't seem like it can be the whole explanation because there's still no reason you couldn't verify the PIN initially (without exposing its plaintext value), and then later use the PIN hash to sign the actual transaction. In the case of chip cards, this wouldn't even require any extra communication with the bank.

Anyone can privately verify the PIN for a chip card at any time, for example using the handheld authentication keypads European banks routinely mail out to their customers (I would guess the cards can disable themselves after a certain number of wrong attempts). An ATM that rejects a wrong PIN up front doesn't provide any attack vector that isn't available from an ATM that also requires you to attempt a transaction. Brute force is a non-issue since a 30-second delay just means it takes 90 seconds longer to hit the point where the machine confiscates the card.

As far as I can tell, there's only one security implication to not verifying the PIN upfront. If I put your stolen card into an ATM, and enter what I think is your PIN, and it tells me the PIN is wrong, then I walk away and the CCTV shows I'm guilty of trying to access your account. If I put in the PIN, and then ask for £200, the CCTV shows I'm guilty of trying to access your account and trying to steal £200 from it.

bobtato

  • A local PIN check is always an attack vector. If you fail the PIN check on the server, you get the attempt count decreased on the central server. After X attempts, the card is blocked worldwide. Even if a method of cloning chips or bypassing local disabling is not known now, it may appear in the future. – Agent_L Jul 01 '14 at 15:48
  • That's a good point. Still, the behavior in question doesn't affect the extent to which ATMs can be used as PIN testing machines. It doesn't even affect the difficulty of creating a fake ATM to capture PINs, because no ATM verifies its own credentials (e.g. by showing your account balance) until a successful PIN entry. – bobtato Jul 01 '14 at 15:58
  • Perhaps chip cards don't answer any PIN check requests. It's reasonable to require some kind of certificate. It's possible this feature is configured by the bank, so some cards can and others can't verify the PIN. – Agent_L Jul 01 '14 at 16:07
  • The PIN hash is not used to generate the client cryptogram – bbozo Jul 01 '14 at 16:21
  • If you have a card reader, chip and PIN cards in the UK will verify the PIN locally straight away before going on to the next function. Don't know how it works with ATMs. Some shop card machines which don't require an online transaction accept the transaction straight away. This is quite common with trains in the UK. – Shaun McDonald Jul 05 '14 at 00:42

0

This occurs because of two reasons:

  1. It is more secure and banks want to save on bandwidth.

    The bank usually stores your PIN in hashed form in its database. To be able to verify the PIN you've entered at the ATM, the ATM has to send the bank server the hash of the PIN you've entered. These two hashes are then compared to check if the PIN you've entered is correct, and only then are you allowed to perform transactions. Of course, it is a rudimentary approach to security. There are things like replay and man-in-the-middle attacks to consider (for more info, read about challenge-response authentication).

    Instead of doing this, the bank can send your PIN together with the transaction itself, verifying your PIN and transaction at the same time. This saves bandwidth, and is potentially more secure since the attack window is decreased. For example, if the bank authenticates your session from the moment you've entered your PIN, it gives any potential attacker time to intercept the connection and make their own transaction(s).

    On the other hand, a proper secure connection is difficult to implement and bugs do occur. A one-off verification when you make a transaction allows the bank to identify you securely and saves bandwidth. Ultimately, it still depends on the ATM machine in question, since the bank can always verify your PIN at the start of each session and for each subsequent transaction.

  2. ATM cards do not store your PIN in the magnetic stripe. (Chip cards do.)

    In contrast to some answers, ATM cards cannot and will not store your PIN. The purpose of the ATM card is to achieve two factor authentication: something you have (the card) and something you know (the PIN). There have been instances where the ATM card has been breached by attackers.

    The ATM has to connect to the bank servers to verify you are who you say you are. ATM cards can and have been duplicated before (skimming). If the PIN could be verified off-line using only the data on the magnetic stripe on the ATM card, attackers could brute-force attack all 9999 possible PINs fairly rapidly with an off-line attack. So the system is designed to require contacting the bank for each guess, making it more difficult for attackers to steal your ATM card and withdraw all your money.

David Cary
Roy

  • Your 2nd point is false. EMV standard chip&PIN cards do store the PIN and are able to verify it offline, though there are restrictions on the cases where they should do it; usually the card would be set to reject any offline ATM transactions (i.e., if the ATM 'says' that it won't/can't contact the bank but still wants a withdrawal) regardless of anything. – Peteris Jul 02 '14 at 09:01
  • Chip and PIN cards will block transactions after 3 failed attempts. – Shaun McDonald Jul 05 '14 at 00:44
  • I think it's 10000 possible PINs. 0000 - 9999 – Kaz Wolfe Jul 06 '14 at 17:25

0

A popular scenario where this usually happens is when the card you are using is from a different bank than the ATM's.

Why?:

Different banks connect with each other through a country-level national switch that connects the different banks to one another. Just as VISA is an international switch, there are national switch(es) for within-country transactions.

While performing such a transaction, besides bandwidth, a fee is also deducted for using that national switch, and this fee is charged per transaction.

So, instead of sending two transactions to that switch and eventually to that bank, only one transaction is used, in which the entered PIN and the transaction details are sent. If the PIN is correct the transaction is done; if not, it is declined.

The above scenario can also be used for same-bank transactions, but there won't be any financial benefit to it, as it's not saving any fee money but just a little bandwidth.

SajjadHashmi