GrIDsure, a British start-up providing a method to strengthen personal
identification numbers (Pins), expects to announce that a major
card issuer is introducing its system by the end of this
year.
The card issuer is at an advanced stage of testing and
implementing the system, which displays random single digits on a
one-time use five-by-five grid. Rather than memorising a Pin, users
have to remember a sequence of squares: obvious choices, such as
the four corners, can be rejected. When authorising a transaction,
the user types in the numbers found in their chosen squares.
The grid of random numbers can be displayed on devices including
cash machines, mobile telephones and
Chip and Pin card-readers: GrIDsure already counts French firm
Ingenico, which makes such readers, among its customers.
Founder Jonathan Craymer says the system avoids the use of
biographical data, such as mother's maiden name, or biometrics.
"Chip and Pin has severe flaws," he says, but as his company's
system could use the existing hardware to provide much improved
security, "we are talking about saving it".
Craymer says the system makes shoulder-surfing much more
difficult, as numbers are typed into a keypad, and it is tricky to
watch both fingers and the screen. Even if the watcher does record
both the numbers typed and on the grid, each 0 to 9 digit appears
on average 2.5 times on each 25-digit grid, so a large number of
square-sequences would still be possible.
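The counting argument above, worked through as an added example (not from the article or from GrIDsure). The grid, the remembered pattern and the four-square sequence length are constructed assumptions.

```python
from itertools import product

# Constructed 5x5 grid (sample data): each digit 0-9 appears two or three
# times, matching the article's average of 2.5 occurrences per digit.
GRID = [
    [3, 7, 0, 9, 4],
    [1, 5, 8, 2, 6],
    [6, 0, 3, 7, 1],
    [9, 4, 2, 5, 8],
    [2, 8, 6, 0, 3],
]

# Assumed secret: four remembered squares as (row, column), in order.
PATTERN = [(0, 0), (1, 3), (3, 1), (4, 2)]


def code_for(grid, pattern):
    """Digits the user types: the grid values in the remembered squares."""
    return [grid[r][c] for r, c in pattern]


def squares_showing(grid, digit):
    """All squares on this grid that display the given digit."""
    return [(r, c)
            for r, row in enumerate(grid)
            for c, value in enumerate(row)
            if value == digit]


def consistent_sequences(grid, code):
    """Every square sequence that would have produced `code` on this grid."""
    return list(product(*(squares_showing(grid, d) for d in code)))


if __name__ == "__main__":
    code = code_for(GRID, PATTERN)
    remaining = consistent_sequences(GRID, code)
    total = 25 ** len(PATTERN)
    print("typed code:", code)
    print("sequences consistent with one observed grid and code:",
          len(remaining), "of", total)
    # A fixed Pin observed once leaves exactly one candidate; here the
    # typed digits are only valid for this one grid.
```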
The Cambridgeshire-based firm, which opened for business in late
2005 but launched publicly on 4 October, plans to license its
concept non-exclusively. Early customers include Canadian
outsourcing firm CGI, which has supplied South Lakeland district
council in Cumbria with the system, Indian services group Tata
Consulting and US identity supplier ActivIdentity.
This article first appeared on the web-site of Infosecurity
magazine, http://www.infosecurity-magazine.com