NatWest PINs Compromised

Chip and PIN safety weakness for bank cardholders

December 2005

Chip and PIN is the new, and more secure way to pay with credit or debit cards in the UK. Instead of using your signature to verify payments, you are asked to enter a four-digit Personal Identification Number (PIN) - known only to you.

This article shows how banks are failing to keep PINs secure, which may help you to enforce your rights, should you become a victim of fraud.

NatWest PINs Can Be Intercepted

So, your PIN should only be known by you - but what if other people find out what it is? Well, most banks say that you are responsible for any losses that occur as a result of your own carelessness in divulging your PIN. But what if your own bank is careless enough to give away your PIN to scrupulous villains? I don't know the answer to that, but I can certainly point out how banks are failing to keep your PIN away from prying eyes.

NatWest distribute their PINs to cardholders in small envelopes like these, which are sent through the UK postal system. (click for larger image)

The envelopes feature a couple of security features to detect tampering and prevent the PIN being read. The envelope must be opened by tearing off the strip on the right and pulling out a thin sheet from inside. This sheet details the cardholder's account number and PIN, and the interior surfaces of the envelope are printed with strange patterns to make it impossible to read the PIN by holding the envelope up against a bright light.

The envelopes are already sealed before being printed on by an inkless dot-matrix impact printer. This causes the characters to be "carbon copied" onto the thin interior sheet by the front of the envelope.

A cardholder can tell if their secret PIN has been compromised, as the envelope will clearly have been tampered with - or at least, that's what NatWest think...

Non-Invasive Method of Revealing NatWest PINs

It is possible to intercept a cardholder's PIN using an easy, non-invasive method that leaves no trace of tampering. It is possible for your PIN to be compromised without you knowing.

The big flaw in NatWest's approach is that an impact printer has been used. This is required for the carbon copy process to work properly, however, the impact causes subtle damage to the front of the envelope. Under certain conditions, this damage is clearly visible and allows the PIN and account number to be retrieved (stolen?) in a non-intrusive manner.

This photo was taken using an off-camera flash placed out of shot at nearly the same level as the envelope. This causes the long shadows and helps to highlight any imperfections in the surface of the paper.

If you take a closer look, you can clearly see the impact marks left by each individual pin on the dot-matrix printer. Each character is formed with a 5x7 array of dots. This can even be read by the naked eye under the right lighting conditions.

Here's the same image, but with the characters clearly highlighted (fear my paintbrush skills). Note that the PIN is written in words - this is to make it easier for the cardholder to read the numbers, as the impact printing does not always print individual characters clearly. Unfortunately, this also makes it even easier for an attacker to steal the PIN without being discovered.

The PIN is also written slightly above this block of text, using four digits. It is also possible for an attacker to discover your account number using this same non-intrusive method, as it is written beneath the PIN text.

When the envelope is finally opened, there is no surprise as to what the PIN is, because we already know.

It is, however, worth noting some of the text on this sheet:

No one else should know your PIN, not even NatWest Bank staff or the Police.

... but if your PIN is visible without having to open the envelope, there is no way you can be sure that it isn't already known by a member of NatWest staff... or the Royal Mail... or your flatmates... and so on.

The text then continues:

If you suspect that the envelope has been opened or tampered with and the contents compromised, please change your PIN immediately [...]

Because the PIN can be compromised without opening the envelope, there is no way you can tell whether or not it has been compromised. Therefore, all NatWest cardholders should change their PIN immediately, even if they cannot see any evidence of tampering.


The Bank does not accept responsibility for the loss of any funds as a result of deliberate disclosure of the PIN to any other person, or as a result of gross negligence on the part of the cardholder.

Let's hope that they will accept responsibility for any unexplained loss of funds without passing the blame onto the cardholder. You could argue that it's impossible for the cardholder to keep their PIN a secret when its secrecy may have been compromised before the cardholder even knew what it was.

The PIN associated with this card was changed as soon as the envelope was received. Sounds like a wise move!

Defending against phantom withdrawals

If you are unfortunate enough to have your card stolen, and then suffer a phantom withdrawal, your bank may deny liability for the loss by claiming that you must have told someone your PIN, or had not taken reasonable steps to keep it secure. If your bank sent your PIN using the method described above, then you have clear reason to dispute their argument and get your money back.

Randomly-selected digits from your PIN are also used to gain access to NatWest Internet banking and telephone banking, so it would seem prudent for NatWest to adopt a more secure distribution method. My day job is more concerned with electronic security, so it's interesting to see how poor physical security can increase the number of attack vectors into electronic systems.


Search this site


Copyright Paul Mutton 2001-2013
Feedback welcomed

Web Hosting

Web Hosting