web application security lab

Reverse Pin Numbers Enable Emergency Function

A while ago I ran across someone who was claiming that if you enter your PIN backwards in an ATM it will still allow you to withdraw money; however, it also calls the police. The theory is that if someone has a gun to my head it doesn’t look like I’m messing with the robber by allowing me to withdraw money but still alerts the police to the threat. I’m not sure if I believe that story is true (it would be a pain to be a dyslexic - or to have the numeric equivalent of a palindrome - i.e., 4334). But it is an interesting story.

But it does bring up an interesting idea - why not allow consumers to enter a PIN number/password to only be used in emergency situations? ATMs are not the only place where you could get robbed. It’s entirely possible that someone may break into my home and put a gun to my head telling me to do an online bank transfer. Having a safety number to type in would be pretty handy in that situation - to alert the police to my presence (my IP I suppose) or at minimum alert the bank that the transfer may be fraudulent.

Further, if you happen to be the type who writes your passwords on sticky notes, you could write one of the safety numbers down so that if anyone ever used it without your being there, you would be protected. Interesting idea anyway.
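A sketch of the two-credential idea above, as an added example that is not part of the original post: an account enrolls a normal PIN plus a separate safety PIN, both are accepted with the same visible result, and only the safety PIN records a silent alert. The `Account` class, the `alerts` list and the `source` argument (standing in for the client IP or ATM id) are hypothetical names; `palindromic_pins` counts the PINs for which the reversed-PIN scheme cannot work at all.

```python
import hashlib
import hmac
import os


def _digest(pin: str, salt: bytes) -> bytes:
    # Salted, slow hash so neither PIN is stored as plain digits.
    # (A 4-digit space is still small; the hash only avoids plaintext storage.)
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def palindromic_pins(length: int = 4) -> int:
    """Count PINs equal to their own reverse, e.g. 4334 or 8888."""
    return sum(
        1 for n in range(10 ** length)
        if (s := f"{n:0{length}d}") == s[::-1]
    )


class Account:
    """Hypothetical account holding a normal PIN and a distinct safety PIN."""

    def __init__(self, pin: str, safety_pin: str):
        if pin == safety_pin:
            # A safety PIN identical to the real one would alert on every login.
            raise ValueError("safety PIN must differ from the normal PIN")
        self.salt = os.urandom(16)
        self.pin_hash = _digest(pin, self.salt)
        self.safety_hash = _digest(safety_pin, self.salt)
        self.alerts = []  # stand-in for notifying the bank's fraud team

    def authenticate(self, entered: str, source: str) -> bool:
        """Return True for either PIN; the caller sees no difference."""
        d = _digest(entered, self.salt)
        # Evaluate both comparisons every time so timing does not reveal
        # which credential matched.
        normal = hmac.compare_digest(d, self.pin_hash)
        safety = hmac.compare_digest(d, self.safety_hash)
        if safety:
            self.alerts.append(source)  # silent: nothing changes in the reply
        return normal or safety


if __name__ == "__main__":
    acct = Account("5234", "7410")  # constructed sample PINs
    print(acct.authenticate("7410", "198.51.100.7"), acct.alerts)
    print(palindromic_pins(4), "of 10000 PINs read the same reversed")
```
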

26 Responses to “Reverse Pin Numbers Enable Emergency Function”

  1. Jungsonn Says:

    Hmm yeah seems hard to believe that something exists, cause it limits the number of possible pins if they are reversed. Maybe if you use a salt -an extra number- I think it could work, like pressing your pin and another extra digit twice like: 5234 + 99 in case of a stick up.

  2. dusoft Says:

    I am going to test it tomorrow ;-)

  3. .:Computer Defense:. » Today’s Tidbits. Says:

    […] We’ll start with a post over at ha.ckers.org by RSnake on the ability to have an emergency sequence linked to your account for emergencies… It comes out of a (potential) myth that entering your PIN in reverse at an ATM will summon the police. It’s an interesting idea.  There are benefits to this everywhere… Passwords, PINs, Alarm Codes… Perhaps a push should be made to make it the new standard… […]

  4. Chris E Says:

    Heard about it a while back, here’s more info:
    http://www.snopes.com/business/bank/pinalert.asp

    While it sounds like a good idea in theory, it’s true that there would be a lot of coordination required with local law enforcement and even then, it’d be hard to locate the captor and victim in time. In most robbery attempts there is probably a very narrow window for rescue.

    I knew a guy personally who was robbed at gunpoint and coerced into verbally disclosing his ATM PIN. The robbers then attempted to withdraw money at several area ATM locations (not realizing there was a daily limit) before eventually succeeding. Then they drove him about 30 miles out of the city where they killed him. I’d like to think that the police would have had a chance here, if they had received a PIN-based panic message, but realistically the window of opportunity would have probably still been too short.

  5. kuza55 Says:

    Interesting idea, it could be extended even further to plant bogus data in web apps so you can detect when people have been hit with attacks.

    You could do things like plant fake admin accounts with easy password in your database which cannot for some hard to find reason (or even just manually hard code it), and since users should never have access to the admin panel, you can provide completely bogus data, of course you get issues when they try to delete things and it’s still there, but you have a way to detect the attack.

    I haven’t tested this, but if IE allows you to set two values for cookies (one httpOnly and one which isn’t httpOnly), and have the non-httpOnly cookie served to you via Javascript, so you can plant data in the cookies which you want an attacker to find when they execute a successful XSS attack, but that is useful only in telling you someone tried to use the data to login or something.

  6. Sylvan von Stuppe Says:

    PIN number - Personal Identification Number Number? That’s RAS Syndrome (RAS being Redundant Acronym Syndrome).

    Heck - the home alarm system is a good enough reason to have it. I’ve never had a gun to my head, but wonder if when that happened, I would have the wherewithal to actually remember to type my digits backwards.

    Now the downside - how do you know if it works without trying it when you really need it? If it doesn’t work, a burglar who knows better would prolly kill you just for trying.

  7. Edward Z. Yang Says:

    kuza55: What you are referring to are called honeytokens

    Ah, while I’m at it: http://en.wikipedia.org/wiki/ATM_SafetyPIN_software

  8. Spikeman Says:

    I think this is a great idea and I’m now considering putting it to use on my website! I know not many people would be forced to log in by anyone, but it would be cool to have something where say, they post on the forum, and on their computer it shows up, but not to anyone else. I could even go as far as to have it post fake replies. The whole idea is very intriguing.

  9. kuza55 Says:

    @Sylvan

    I’m not sure a burglar would kill you, they might hit you or something if it’s not a public place, but I doubt they would kill you because it’s needless mess, more people investigating the crime, etc, and so much more chance of being caught, etc, and if they are ever brought to trial somehow they have more crimes to face.

    But anyway, yeah, if it doesn’t work, then you have a problem, especially since you can’t just say you entered it wrongly. The only solution to that is say add or subtract one so it looks like you just hit the wrong key.

    @Edward
    God I hate finding out everything I think of has already been done, but anyway, thanks for that, :)

  10. RSnake Says:

    @kuza55 - not to add salt into the wound, but I’ve actually blogged about honeytokens before too: http://ha.ckers.org/blog/20060708/honeytokens/

    @Sylvan - yah, I screwed up the title… alas, that’s what I get for typing titles in a hurry. ;)

  11. Luny Says:

    Imagine if you went to enter your security PIN and it was on the real site, however it was compromised (like paypal) with a xss + phishing attempt. ack!

  12. kuza55 Says:

    @RSnake
    Ahahaha, great, oh well, at least it’s more reading material :D

    Anyway, I only started really getting into security in september/october last year, and I’ve never gotten around to reading the archives here, so I think I’ll waste the next couple of hours/days doing that…..

    P.S. It’s not really a wound, it just sucks when you tell people about your “great new idea” that they heard about years ago….it makes me feel like an idiot…..

  13. outkasted81 Says:

    Not to be a downer but what if you had the pin 1221 or another palindrome? You would end up having to increase the number of numbers used in your pin to allow for this implementation. Most people have trouble remembering 4 numbers let alone more numbers.

  14. RSnake Says:

    @outkasted81 - that’s why I said the original idea was flawed, but if you allowed for a second pin (different than the first) this could work.

    @kuza55 - haha, yah, a lot of people find themselves going way back into the archives to read the old stuff. It’s just as relevant for the most part so that’s not a bad idea. Sometimes I re-read at least the titles because sometimes it sparks my mind that I’d like to re-try some old exploit with the knowledge I have now.

  15. 2 different PINs, one of them for emergencies - Miguel Angel Mata -Derecho y Tecnologia- Says:

    […] is an idea from RSnake that might be worth considering. The reflection starts from a kind of urban legend, which claims that if someone types their PIN backwards at an ATM, then in addition to allowing the withdrawal, an emergency call is placed to the police. That way, a user in trouble (being robbed, for example) would have a way to ask for help. […]

  16. meneame.net Says:

    An emergency PIN in case of a robbery at the ATM…

    The reflection starts from a kind of urban legend, which claims that if someone types their PIN backwards at an ATM, then in addition to allowing the withdrawal, an emergency call is placed to the police. That way, a user in trouble (being robbed, for …

  17. Legionnaire Says:

    I am almost sure that this idea (having 2 PINs) is part of the ATM standard (as it was set a couple of decades ago). I’ll try to verify this. I guess Banks don’t really care about this or worry about the too-many fake “panic signals” from people trying to cheat :P

    I’m 100% sure that typing your PIN backwards works that way. Maybe in a very specific bank network but it certainly isn’t an ATM standard all over the world. Problems from this have already been discussed here (like the PIN “4334” - RSnake).

    One thing that is not a problem is the number of possible combinations. Somebody said that by using two PINs per customer, there aren’t enough for everyone. 4-digit PINs don’t produce enough combinations anyway :)
    10^4 = 10000 combinations. They aren’t enough even for the population of a small town!
    The PIN is always combined with information located on the tamper-proof smart card (ATM card) you have with you. So that’s the “salt” someone talked about.

    The idea of “tripwires” in security isn’t such a breakthrough these days. In theory there have been so many articles, books and papers talking about it: you place something in your network/system that an outsider will try/use and therefore alert you that something is going on. That may be a second “fake” password, PIN or even an entire network (google “Honeypots”). In practice not many people do that since any technique must remain secret so few have to know but in large companies/networks security officers & admins come and go so these things should change constantly and always have one that remembers all of them. Imagine a company having a secret spot (like under a rubbish bin) where a spare key is hidden. Every time a (senior) employee leaves the company, the key will have to be relocated! That just doesn’t work.

  18. Alala Gueug Says:

    I think I just found a great place to store my PIN number.

    1551 : Visa pn
    gueugalala Hotmail Password

    I turned my cookies off so I can safely remove my history.

    Please do not copy

    Thanx

  19. Luiso Says:

    It’s a good idea, but I see a problem. It’s easier to take the money from the bank account, there are two pin numbers.

  20. cynik Says:

    I have had 2 different alarm companies for my house, and both of them gave me a different number to use in case I did have a gun to my head. When that different number is punched in, the alarm does not go on, but a silent alarm is set off at the alarm company’s HQ and the local police dept. (there is no extra charge for this service) So this could be used for ATMs too, although they might have to start using 5 or 6 pin numbers. I don’t think that using a standard extra “99” after your regular pin number would work, because everyone would know about it.

  21. Dharmon Says:

    Has anyone actually tried this concept? Pretty dangerous to pass along fake info. if not.

  22. beth Says:

    Can you tell me, is the reversed pin number dead in the dirt, was there ever any truth to it, I would like to know, please respond

  23. Joe Zingher Says:

    Here’s what’s really going on. http://www.pjstar.com/news/x1745367387/ATM-software-aimed-at-reversing-crime http://www.ilga.gov/legislation/BillStatus.asp?DocNum=1355&GAID=10&DocTypeID=SB&LegId=42570&SessionID=76&GA=96

  24. Joe Zingher Says:

    By the way, both Snopes and Forbes are full of crap. IBM has no competing patent. Snopes chose NOT to interview me and chose only the lobbyists’ side of the story. I have yet to meet a single banker who strapped on a sidearm and drove around the city streets in a car with a red and blue light on it looking for criminals. Their entire argument boils down to “If just one person can’t use it, then we should let them all die.” Wikipedia did a much better job because they allowed me to tell my side of the story so long as I backed it up.

  25. Claudio Jr. Says:

    ATMs can only withdraw a limited amount of cash. So just give them the money and don’t give them your life. You can find a way to get cash back into an account. But we can’t get life back to earth.
    But it would be nice if you can simply add 911 at the end of your PIN. (PIN+911 = ####911). Would be easier to remember at the time of a panic adrenalin.

    A very simple update to ATMs’ software may help increase the chances for the police to capture the crook.

    Updated: (Los Angeles, CA.) Claudio Jr. March 19, 2009

  26. sk nyer Says:

    Idea is better, but the message is absolutely nonsense and a big spam. Suppose my PIN is 8888 how can I reverse it?