All the companies that supply our ATM cards tell us to protect the PIN so that nobody can find out what it is. You see, if somebody steals your card it's useless without the PIN. They tell us, especially, not to write it on the card. I've been feeling very secure about all this, thinking that whoever may get my card can't use it because the PIN or some encryption of it is safely stashed away in my bank's giant computer waiting for the poor sucker to try to guess it.
Recently, I changed my PIN at an ATM and a few minutes later another ATM wouldn't accept it. It needed the old PIN. I was surprised that it took more than an instant for the new one to get into the system but I didn't think much about it. Then yesterday guess what I got in the mail? That's right, a new card! I called the bank and they told me that they sent me a new card because I changed my PIN. You mean the PIN is on the card? Yes, I was told, it's encoded in the magnetic stripe.
They tell me not to do it and then they do it! They wrote it on the card! This means that anybody who gets my card and can read the stripe (besides being able to make a counterfeit card which we all knew anyway) can find out what my PIN is. Well, you say, maybe they encrypted the PIN on the card so that all the thief would get is a code that when processed along with my PIN would result in acceptance. Maybe so, but remember how many computers there are all over the world that can do this processing. (I thought there were a lot of big mainframes in banks that could do it, but now I know, it's done by the computer inside the ATM, so there are many more than I thought!) With it programmed into so many computers, how well can they keep the secret of how to check for a match? Once anybody knows the algorithm, it's a simple matter to find an actual PIN from an encrypted one. PINs are short numbers, four digits usually. That means there are only ten thousand possible PINs - too many to key in at an ATM but a small number if you can try them with a computer in your own shop.
On the other side of all this, I've checked with several banks I have
used over the years and they have all assured me that, if somebody steals
my card, I am not responsible for what they do with it - "but please report
it immediately", they add.
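
Added example, not part of the original post: the ten-thousand-PIN argument above, worked through in Python for three cases (check value with no secret, check value keyed with a secret the reader lacks, and the same value in the hands of any machine that holds the key). The check-value functions, account number, PIN and keys are constructed for illustration and are not any bank's actual scheme.

```python
import hashlib
import hmac

ACCOUNT = "1234567890123456"          # constructed account number
REAL_PIN = "4831"                     # constructed PIN
BANK_KEY = b"constructed-bank-key"    # constructed secret (assumption)

def unkeyed_value(pin, account):
    """Hypothetical stripe check value that depends only on public inputs."""
    return hashlib.sha256(f"{account}:{pin}".encode()).hexdigest()[:16]

def keyed_value(pin, account, key):
    """Hypothetical stripe check value that also depends on a secret key."""
    msg = f"{account}:{pin}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def matching_pins(stripe_value, account, recompute):
    """Try all 10,000 four-digit PINs; return those that reproduce the value."""
    hits = []
    for n in range(10_000):
        pin = f"{n:04d}"
        if hmac.compare_digest(recompute(pin, account), stripe_value):
            hits.append(pin)
    return hits

def demo():
    # Case 1: no secret involved, so knowing the algorithm is enough.
    stripe = unkeyed_value(REAL_PIN, ACCOUNT)
    open_hits = matching_pins(stripe, ACCOUNT, unkeyed_value)

    # Case 2: keyed value; the reader knows the algorithm but not the key.
    stripe = keyed_value(REAL_PIN, ACCOUNT, BANK_KEY)
    blind_hits = matching_pins(
        stripe, ACCOUNT, lambda p, a: keyed_value(p, a, b"not-the-key"))

    # Case 3: same keyed value, checked by any machine that stores the key.
    key_hits = matching_pins(
        stripe, ACCOUNT, lambda p, a: keyed_value(p, a, BANK_KEY))
    return open_hits, blind_hits, key_hits

if __name__ == "__main__":
    open_hits, blind_hits, key_hits = demo()
    print("algorithm only, unkeyed value:", open_hits)
    print("algorithm only, keyed value:  ", blind_hits)
    print("algorithm plus key:           ", key_hits)
```

In this sketch the four-digit space gives no protection by itself; what matters is whether the check value depends on a secret and how many machines store that secret.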