Entering Personal Identification Numbers (PINs) has become something of an art form. Everyone has a different style and rhythm for punching in those 4 numbers (for most institutions in North America, anyway). Some banks and Point of Sale (POS) device manufacturers put little shields around the pin pad to keep people from being able to clearly see the numbers you are touching.

But do you really take the time to think about how visible your PIN is when you have a line of people waiting for service? It’s not usually the people waiting in line that you have to worry about.

An employee may have been paid off, or may be working together with another observer to record your cash/debit card number and PIN separately. Or a dishonest merchant may use electronics to skim the card number and video cameras to capture the image of your keystrokes, the bigger risk seems to be related to the merchant. The risk is actually growing quite quickly these days.

In one case (HERE), thieves distracted store staff and completely replaced the POS equipment that was designed to capture numbers and PINs during purchase transactions. They then had to return and repeat the diversion to swap the machines back.
You can’t do much to protect yourself from the latter example, but there are things you can do to reduce the chances that a crooked merchant-side individual can easily steal enough of your bank card data to create a successful forgery.

Ideally, you should try to keep the pad from being visible to others by covering it with your other hand, but that’s not always possible, especially if you have to hold it, or if you are holding something else in the other hand. What about debit-enabled gas pumps whose PIN pads are hard to conceal, and some ATMs that have terrible PIN pad layouts for security? Or, like me, you may also just feel silly about looking so paranoid regarding your PIN.

OK, so I’m paranoid, and I don’t want to look silly. What do I do? (A serious topic, I know, but sometimes we just need to push the envelope.)

If you’re like most people who always punch in 4 digits, and then the OK button, any witness nearby may have a significant probability of observing and identifying the right PIN. Over a period of time observing many customers, some numbers collected will work, and others won’t be correct because they didn’t get a clear glimpse of the numbers. But there is a good chance they will be able to harvest some.

Being a game of probabilities, the more numbers the crooks have to watch for, the less chance they can identify the right ones in the right order. So, how do you add more numbers to your PIN? You can fake them! (I don’t usually advocate “security by obscurity”, but this is one of those times when it can improve your odds. Of course, there’s no guarantee.)

Try this. Instead of pressing each of your numbers in sequence, add a few “unregistered” numbers by barely touching the keys. So, if my number was 4873, I could move my finger to the following numbers… 549872831… but only press hard enough to register on the 4, the 8, the 7 and the 3. Suddenly, the observer trying to catch the numbers sees a sequence that has a lot more numbers in it than they were expecting. They probably won’t notice that not all of the numbers registered a “beep”. But even if they did notice the omission of some “beeps”, they would have to match the beep to the exact number I had my finger over at the time. So, I probably threw them off long enough to make it a failed attempt to capture my PIN.

If they are using a hidden video camera to watch over my shoulder (yes, you should assume there is one anyway; I always do!) and they catch the sequence, it would still be hard unless the sound of the beeps was being recorded as well.

One more piece of “chaff” to throw them off is to add a couple of trips to the “OK” button, with more numbers in between OK’s. Then they have to figure out which OK was the real one.

Now, all this “real” and “fake” number (and “OK”) pressing is bound to lead to errors in input once in a while. If so, you just have to try again. If you know you screwed it up, before you hit the OK button, hit the “Correction” key to start over without the cashier having to ring it through again.

It may also seem like it slows down the whole process quite a bit, which it does, at first (and people in line behind you may start to get impatient). But, just as with a 4 digit PIN, you can develop a rhythm, and I dare say, style. However, I have been doing this for years, and figure I have about a 20% overhead on my PIN pad activity during the keying of a debit transaction.

So, not only do I have an impressively fast draw on the POS, but I have a good chance of keeping my PIN from being stolen… and I look cool, too.