GrIDsure, a British start-up providing a method to strengthen personal identification numbers (Pins), expects to announce that a major card issuer is introducing its system by the end of this year.
The card issuer is at an advanced stage of testing and implementing the system, which displays random single digits on a one-time use five-by-five grid. Rather than memorising a Pin, users have to remember a sequence of squares: obvious choices, such as the four corners, can be rejected. When authorising a transaction, the user types in the numbers found in their chosen squares.
The grid of random numbers can be displayed on devices including cash machines, mobile telephones and Chip and Pin card-readers: GrIDsure already counts French firm Ingenico, which makes such readers, among its customers.
Founder Jonathan Craymer says the system avoids the use of biographical data, such as mother's maiden name, or biometrics. "Chip and Pin has severe flaws," he says, but as his company's system could use the existing hardware to provide much improved security, "we are talking about saving it".
Craymer says the system makes shoulder-surfing much more difficult, as numbers are typed into a keypad, and it is tricky to watch both fingers and the screen. Even if the watcher does record both the numbers typed and those shown on the grid, each digit from 0 to 9 appears on average 2.5 times on each 25-digit grid, so a large number of square-sequences would still be possible.
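The ambiguity Craymer describes can be counted directly. The sketch below is an added illustration, not GrIDsure's own code; it assumes a four-square sequence, squares indexed 0 to 24 row by row, and that a square may be reused, none of which the article specifies.

```python
import hmac
import secrets
from itertools import product

SIZE = 5      # five-by-five grid, as in the article
LENGTH = 4    # assumed sequence length; the article does not state one
CORNERS = {0, SIZE - 1, SIZE * (SIZE - 1), SIZE * SIZE - 1}

def new_grid():
    """One-time grid of 25 random single digits, stored row by row."""
    return [secrets.randbelow(10) for _ in range(SIZE * SIZE)]

def acceptable(pattern):
    """Enrolment check: reject the obvious choice the article names."""
    return len(pattern) == LENGTH and set(pattern) != CORNERS

def response(grid, pattern):
    """Digits the user types: the grid values in their remembered squares."""
    return [grid[i] for i in pattern]

def verify(grid, pattern, typed):
    """Compare the typed digits with the expected response in constant time."""
    return hmac.compare_digest(bytes(response(grid, pattern)), bytes(typed))

def consistent_patterns(grid, typed):
    """How many square-sequences produce `typed` on this one grid."""
    n = 1
    for digit in typed:
        n *= grid.count(digit)  # every square showing this digit fits
    return n

def mean_consistent(grid):
    """Average of consistent_patterns over every possible typed code."""
    codes = list(product(range(10), repeat=LENGTH))
    return sum(consistent_patterns(grid, c) for c in codes) / len(codes)

# Constructed sample grid and sequence, for illustration only.
SAMPLE_GRID = [3, 1, 4, 1, 5,
               9, 2, 6, 5, 3,
               5, 8, 9, 7, 9,
               3, 2, 3, 8, 4,
               6, 2, 6, 4, 3]
SAMPLE_PATTERN = (6, 12, 13, 18)

if __name__ == "__main__":
    typed = response(SAMPLE_GRID, SAMPLE_PATTERN)
    print(typed, consistent_patterns(SAMPLE_GRID, typed),
          mean_consistent(SAMPLE_GRID))
```

On any 25-square grid the mean comes to 2.5 to the fourth power, about 39 sequences per typed code, out of 390,625 possible four-square sequences.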
The Cambridgeshire-based firm, which opened for business in late 2005 but launched publicly on 4 October, plans to license its concept non-exclusively. Early customers include Canadian outsourcing firm CGI, which has supplied South Lakeland district council in Cumbria with the system, Indian services group Tata Consulting and US identity supplier ActivIdentity.
This article first appeared on the web-site of Infosecurity magazine, http://www.infosecurity-magazine.com