
Devil's Advocate: The thing that could save chip-and-PIN

Thank you, Egg...

Tags: security, chip and pin, egg

By Martin Brampton

Published: 27 July 2004 09:05 BST

One downside to chip-and-PIN technology is having to remember a PIN each time you make a purchase. What could help, says Martin Brampton, is if those all-important digits were available on the web.

Yesterday, I thought I had met my chip-and-PIN nemesis. After filling up my motorbike with petrol, I wandered into the shop and pulled out the credit card I use for fuel purchases. It was then that I noticed the array of PIN pads along the counter. Did I know the PIN for the card? Unlikely.

Fortunately, when the card was processed, it told the operator to take a signature, not a PIN. For the time being at least, I was spared my first confrontation with using a PIN for a purchase. Just as well, since despite a range of useful suggestions submitted by readers in response to my previous column on chip-and-PIN technology, I remain utterly unprepared for the new scheme.

One clever idea was to concoct the PIN out of the 16-digit card number. That sounds promising, as the digits look pretty random, especially towards the right-hand end. But then I worried that too simple a scheme would be insecure. For example, just taking the last block of four numbers, or using the first number from each block of four, would be easy to remember. But surely those would also be too easy to guess?

Suppose instead I could remember just one four-digit master PIN consisting of digits between one and four, each digit picking a position within the corresponding four-digit block of the card number. It seems quite a secure scheme, provided I could remember the master PIN.

Another suggestion that intrigued me was using the Pincard. Apparently it is a credit card-sized plastic gadget that provides a way to encode up to a dozen PINs. Developed in the Netherlands, it has been in use on the Continent for some years. It can be bought for a few pounds and has apparently been given away as a promotional item on several occasions.

I am most impressed, though, by a completely separate development: the online bank Egg delivering PINs via the internet. Egg has looked at the PIN problem as a way to differentiate its EggCard and at the same time make life easier for itself.

One problem for the banks is that issuing a PIN is a costly and cumbersome process. It also lacks immediacy since it relies on postal delivery. This in itself poses an additional security risk, since fraudsters have proved adept at intercepting financial information sent by post.

Egg started off in an exceptionally good position to use the net for PIN delivery, since it had built its customer base exclusively on online users. All the same, delivering a PIN was not a simple task, not least because Egg was using a third party for its credit card services and did not itself have direct access to a customer's PIN.

Before it could deliver a PIN to a customer, Egg had to work out how to build a secure tunnel to the service provider. There had to be a live connection between the Egg web server and the holder of the PIN, such that the information could be delivered to a customer while online. The solution is a mix of hardware and software technology that connects a mainframe back end through a symmetric encryption tunnel, then on to the customer's browser using PKI.

Unlike some banks, Egg is catholic in its support for web browsers and looked for mechanisms that would work with all modern browsers, not just Internet Explorer. With all this fine technology and a novel facility to try, this morning I dusted off my EggCard, which had been lying around unused for some time.

Amazingly, I could remember all the security information needed to log on to my Egg account. Then I looked around for the service that would tell me the PIN. As I had already identified myself, the only additional piece of information it required was the three-digit security number from the signature strip on the back of the card. Then up popped my PIN in a secure browser window.

It is a neat facility, and for once it seems that technology really has provided a competitive advantage, at least for a while. Now that I know the PIN can be recovered any time I have access to the internet, I am more likely to use the EggCard. Anything that avoids having to ring a call centre has to be a significant advance!

Martin Brampton is founder of Black Sheep Research, an independent consultancy providing research, writing and speaking services on a wide range of business and technology issues. Martin was previously a director at Bloor Research, and has worked with IT as a user and analyst for over 20 years. He is a longtime contributor to silicon.com and his blog can be found on his website.
