Prologue
I still remember the old days when one must go to its bank to take out money from ones account and stand in a long queue before one can do that. Sometimes it used to be very frustrating if money is needed urgently.
Then came the plastic cards, ATM, Point of sale (POS) terminal that gave consumer relief from going to the bank and liberty to use their money anytime/anywhere. But as the saying goes "There are no free lunches", plastic money also got its own problems. e.g. online fraud, loss of card etc.
Anyways in this blog post I am only going to describe the banking infrastructure that enables user to purchase things or withdraw money on the fly. Probably we can leave the fraud stuff for the later. The real motivation to write a blog on this came from the fact that every one in now a days using cards but not aware of the internals. Even if someone tries to search (as I tried) , There is not much information available on internet. So I decided to write this in my blog.
What is PIN?
Every card has an associated number that is called PIN (Personal Identification Number). This number can be 4-12 digit long (depending on the banks, most of the time it is 4 digit). This number must not be shared with anybody.
Why PIN?
Propose of providing a PIN is two fold:
- This is used to authenticate the cardholder as it is supposed to be known to him only.
- One can argue why a separate PIN is needed when cardholder can be authenticated using the card. The rationale behind this is called two way authentications. Any authentication can be based on following parameters
What you have
What you know and
What you are.
If only card is used for authentication then authentication is only based on what you have. The drawback of this approach is anybody that holds the card can use it. To avoid this extra factor (what you know) is added to the security. Now anybody that has the card must also know the associated PIN in order to use it, only having card or knowing PIN is not adequate.
Banking Infrastructure
Before we go into details of banking infrastructure we must know what are the different entities involved. For a functional point of view banking infrastructure comprises of following three entities:
- Acquirer: Acquirer is the organization that installs ATM. This can be a bank (ICICI, HSBC etc) who installs ATMs or some other institutions (VISA etc).
- Issuer: Issuer is the institution that issue ATM cards to its customers.
- Switch: Switch is an institution that facilitates communication between acquirer and issuer when both are different. When both acquirer and issuer are same (when a card issued by a bank ‘B” is used in B’s ATM) there might not be a need for switch. Examples of switch are MarsterCard, Visa etc.
Apart from above mentioned entities sometimes manufacturer of ATMs is also mentioned in some banking standard ( but its role is limited till the initialization of ATM).
Sequence involved in transactions
ATM transaction starts the moment customer inserts his card in ATM. Complete steps are listed below in chronological sequence:
1. Customer inserts his card.
2. Customer is asked to insert PIN on a PINPAD.
3. Customer is asked to enter the service he wants to avail and other information related to service chosen (like amount in case of withdrawal).
4. PIN along with other customer data written on magnetic stripe on card is sent to ATM acquirer (How data is stored is out of scope for now. I might add it later).
5. ATM acquirer determines from the data if it needs to be forwarded to a switch (If card belongs to different banks) or can be processed by acquirer. This can be determined by the information written on magnetic stripe.
6. Customer entered PIN is verified by the bank. If verification is successful, bank checks if customer has enough balance in his account to withdraw and sends response back to ATM using the same route from where the request has come.
7. Customer can take the money.
Where PIN appears in clear
Primary concern of a customer is secrecy of the PIN because if an attacker gets hold of the PIN along with the card then he can use utilize it to withdraw money or for Point of Sale(POS) transactions. The reason why I didn’t say that card must be secured because it is an physical entity that anybody can duplicate or steal but PIN is supposed to be memorized (at least theoretically).
To the relief of customer, PIN never appears in clear in the entire transmission in host computer. It can be seen in clear only inside a hardware security module (during translation and PIN verification). Amazingly, Even the card issuer bank doesn’t store customer PIN in their database. You might be wondering, if a bank doesn’t know user PIN how it can be verified. The verification is done using PIN verification algorithms (Visa PVV or IBM 3624 ) and reference to these algorithms can be found in the reference section.
Next:
Online shopping (how??)
