Responding to the PIN cracking attacks from Berkman and Ostrovsky (FC 2007), we outline a simple solution called salted-PIN. Instead of sending the regular user PIN, salted-PIN requires an ATM to generate a Transport Final PIN from a user PIN, account number, and a salt value (stored on the bank card) through, e.g., a pseudo-random function. We explore different attacks on this solution, and propose a variant of salted-PIN that can significantly restrict known attacks. Salted-PIN requires modifications to service points (e.g. ATMs), issuer/verification facilities, and bank cards; however, changes to intermediate switches are not required.

Additional Metadata
Persistent URL
Mannan, M. (Mohammad), & Van Oorschot, P. (2008). Weighing down "the unbearable lightness of PIN cracking". doi:10.1007/978-3-540-85230-8_14