NEW security feature for EVPL patrons: PINs

by professor.knowsitall@evpl on Friday, February 27 2009, 3:59pm. Viewed 21,199 times.

[Image: PIN prompt]

On Tuesday, March 3, the EVPL will be implementing a new security feature to protect patron accounts: PINs.  Similar to using a PIN at the ATM, EVPL cardholders will be required to enter their name, library card number, & PIN when accessing their account online.  Since your library account displays your name, address, phone number, and any items checked out or on hold, your PIN protects your privacy in the event your card is lost or stolen.

When the feature is enabled on Tuesday afternoon, a third textbox prompting for your PIN will appear on the login page.  Refer to the image above to see what it'll look like.

What You Need to Do

[Image: Leave the PIN field blank!]

Once the PINs feature is enabled, you'll need to create a personalized PIN the first time you log in.  Here's how to do so:

  1. Access the My Account page.
  2. Type in your name & library card number, LEAVING THE PIN FIELD BLANK!  Click the "Submit" button.
  3. You'll be prompted to create a PIN.  PINs must be 4 to 30 numeric digits long and must not be overly repetitive.  Type your desired PIN in both boxes (to guard against typos) and click the "Submit" button.

Once this is complete, your PIN has been set!  In the future, use it (along with your name & card number) to log in to your account.  For more information about PINs, including instructions on changing your PIN and what to do if you forget your PIN, visit our PINs Help page.

The EVPL cares about your privacy, and PINs are a way to safeguard it.  Beginning Tuesday, only the "My Account" section of our website will require you to log in with your PIN; in the future, your PIN will also be necessary to use in-library computers and self-checkout terminals.

If you have any questions or comments about PINs, please post them in the comments section below or contact us via Ask EVPL.


Comments (13)

prowler wrote
on Wednesday, March 4 2009, 6:50pm

Just another bad brain idea from some computer geek at the Library to make it harder to access your account. I think my pin will be STUPID!

on Thursday, March 5 2009, 10:02am

prowler: Sorry to hear you're not liking PINs!

PINs were implemented for security & privacy reasons.  If your library card is lost or stolen, and someone finds it, they have your name (as long as your signature is legible) and your card number.  Unless you notify us (so we can block the card), they'd be able to access your account and library resources (databases, in-library computers).  PINs prevent this.

A lot of work (by a lot of people) was done prior to Tuesday's launch, from planning & new policies to final implementation.  Our goal was to make things as easy as possible, but we can only do what is possible with our software.

With this info, hopefully it makes sense why we implemented PINs.  It's been brought to my attention that some browsers will no longer save your login info, requiring you to type in all three fields every time, and that is a problem.  I'm working on a new login page, with a "Save my information" checkbox, that will remedy this problem.

Let me know if you have any additional questions or comments!  And, as I'm sure you found out, "STUPID" can't be your PIN...it has to be numeric.

Katasaki wrote
on Thursday, March 5 2009, 4:10pm

Does seem like a pointless security measure, who's out there stealing our plastic library cards?

oh, the horror.

area51 wrote
on Saturday, March 7 2009, 8:11am

ditto's

What are the statistics on the number of cards stolen and used, that necessitated this change?

Adding a PIN field to the db, and changing the login form is a 1-2 hour job.  (not exactly a lot of work)  Maybe add another 2 hours for other work like writing a web page of instructions.

I think you've overestimated the safety factor of PIN login. People know the PIN is a number.  Can't that be hacked or guessed?  Preventing unauthorized use and privacy is wonderful, but what safeguards are there at the library servers and desk interfaces anyway? What's the policy for employees for accessing private information?  Or what's preventing someone hacking the server wirelessly sitting in the parking lot gaining access to the DB? What's to prevent some government or political agency from taking the info?  Who goes home with a download of the database on their laptop every day?

FYI:  Concerning the web page code, you've got lots of errors. The PIN creation process screen has 8-10 html BODY tags.  Seems like you've missed quite a few errors before rolling it out.  Due to this, I don't necessarily trust my information in your hands now.  Plus your code / server wouldn't even let me create the PIN last night, but today it works.  I've had other problems with the website.

I realize you're not perfect, but the testing process could be improved before you make changes.

on Monday, March 9 2009, 1:54pm

Katasaki & area51: PINs are being used to protect patron accounts (both online and at self-checkout terminals) and to provide a secure login when using in-library computers.  We've seen problems that PINs will resolve, hence the reason for implementing them.

area51: Our patron database is a small part of a larger software package, which includes our circulation & acquisitions software, along with the web-based software (catalogs, My Account, etc).  This software is purchased from a 3rd-party vendor and is highly-proprietary.  Significant changes were required in both the online & circulation modules.  New web forms had to be created, using proprietary code.  Some work had to be completed by our vendor on their end.  It was quite a bit of work, not a simple database edit as you've suggested.

Yes, a PIN could be guessed eventually.  But with a 4-digit PIN (the minimum length we require), the probability of guessing a random PIN correctly is 0.01%.  True, some folks may use their address/phone number as their PIN, which is not recommended.  Regardless, asking for a matching name, card number, & PIN is more secure than only a name & card number.

Regarding safeguards, patron records are on a server that's on a separate network than our public internet access.  There's no possibility of patrons on in-library computers, or using our public Wi-Fi, accessing this information.  As it's a proprietary database that cannot be directly accessed by functions outside of the software, no one "goes home with a download of the database on their laptop".

For your other concerns, please view our Privacy Policy and Terms of Use documents, both of which are linked to at the bottom of this page.

Thanks for informing me about the additional body tags...I'm counting 3 opening body tags (should only be 1) and 1 closing.  As I said previously, these pages use highly-proprietary code, and I'm assuming a template is being inserted into another template, causing the problem. I will fix it.  As 99% of our website is valid XHTML, this unintentional error should not be cause for alarm.

Please let me know what the other errors/problems you've run into are, and I'll look into them.

Earendil_Solo wrote
on Tuesday, March 10 2009, 3:23pm

professor.knowsitall: "PINs are being used to protect patron accounts (both online and at self-checkout terminals) and to provide a secure login when using in-library computers."

How do PINs help with using in-library computers since I wasn't asked for my PIN when I logged in to the computer?

on Tuesday, March 10 2009, 4:00pm

Earendil_Solo: We currently aren't requiring PINs on self-checkout terminals or in-library computers, but we will be soon.

We're waiting at least a month to give folks ample opportunity to create their PIN first.

DigeratiOhm wrote
on Wednesday, June 10 2009, 8:51pm

Okay, so if somebody steals my library card, they can access my account online. OMG! They might renew my materials, reserve a book, or heaven forbid... download an audiobook.

If they renew my materials, big deal.  I'm still returning them when I'm done with them.

Reserve a book?  I get a phone call saying it's in and I either call and say I didn't reserve it (and thus realize somebody knows my card number), or if it's something I think I like, I'll come down and get it.  Regardless, if the book is reserved you still go to the front desk to get and check it out.  My picture comes up on your terminal.

Download an audiobook?  Again, what's the big deal?  

I'm really sorry, I still fail to see the need.  I believe the library has a bigger problem with materials walking out (just an observation, as I find a number of your movies missing from the racks), and not being turned back in (judging from the amount of "billed" notices on various materials).  PINs are not going to solve this.  Heck, my online bank account just requires a username and password (and an occasional security question).  I think a name and card number is sufficient for an online session.

NOW... if you're talking about needing a PIN for the self-check, maybe there is a need.  But I never use them.  Typically if I pick up something that you do allow to be self-checked out, I'll also have something that can't.  Now if you are planning on allowing ALL materials in the library to be self-checked out, then I'll agree with your PIN policy, but until then I see it as yet another password I need to remember (because heaven forbid, you don't want to use the same password in more than one place!  That's not secure!), and another step to bog down the online service.

on Thursday, June 11 2009, 1:26pm

DigeratiOhm: We respect the privacy of our patrons, which includes the titles they check out and their personal information.  Anyone who gains access to your library card has your name & card number, which in our previous setup would give them access to your address/phone number/email address and checked-out/on-hold materials.  PINs prevent this.

There are limits on downloadable items & in-library computer use, and usage of them cannot be verified by a patron's photo as it's completely automated.  When a patron hits the limit due to unauthorized usage of their account, there is a problem.  PINs prevent this.

We ARE planning on allowing all material types to be self-checked out in the future.  This influenced our PINs policies.  We didn't want to completely change our policy when this happens.

I agree with your comments about bank websites being easier to use.  We are looking at ways of making PIN usage on our website more user-friendly.  As we're using software created by a 3rd-party vendor, unfortunately we can only offer the options that they provide.

DigeratiOhm wrote
on Thursday, June 11 2009, 6:16pm

My address and phone number are in the phone book.  If not there, odds are really good that a simple Google search will bring that up in addition to several email addresses.

If PINs will allow me to avoid the long line at the checkout counter by allowing me to self-check all materials, then I'm all for it.  Otherwise, it's an inconvenience in the manner that I use the library services.  

ginfor wrote
on Tuesday, June 16 2009, 5:34pm

I agree with those who think that adding a PIN borders on paranoia, but there are bigger problems.  I notice that the explanations for problems keep going back to the third party vendor issue.  That makes it rather clear that whoever picked this vendor and their program made a really poor decision.  Then again, it's not as if I've ever felt that the rest of the site was actually well-designed either.

A big part of the insanity here is that it has to be numeric.  Unlike phones and many ATMs, a computer keyboard doesn't have letters that correspond to the numbers. That forces many people to use something they can easily remember, which means they use codes that others can figure out.

Then to top it off, I need another username and password just for the communities.  Sheesh!

Of course, I imagine that the person stuck answering these questions had little to do with the vendor choice, or I hope that's the case.  

Just keep in mind that there's a limit to how many roadblocks you can put up in the name of security before it reduces library use.  

Forrest

on Wednesday, June 17 2009, 3:52pm

DigeratiOhm: Yes, we do plan on opening up self-check to all material types in the future.

ginfor: Just like ANY kind of software, there are inherent limitations...the software can only do what the designers have allowed it to do.

In the library world, the Holy Grail is having a website like Amazon...but libraries don't have the kind of funding that Amazon has.  There are a handful of vendors out there that make ILS's (integrated library software), each with their own strengths & weaknesses.  We picked our ILS/vendor at least 10-15 years ago (long before I was here) and are still happy with that choice.

Regarding our site not being well-designed, I would like to discuss with you what you find troublesome.  Without specific feedback, improvements cannot be made.  I invite you to contact me via Ask EVPL to discuss this further.

We are looking into allowing PINs to be alpha-numeric, like a standard password.  I've also been exploring the possibility of single sign-on, where someone would sign in with their community username/password and they'd also be signed into their library account.  These are possibilities, but I cannot confirm if/when they will be implemented.

We've attempted to be as user-friendly as possible with implementing PINs, and we realize that some improvements can be made.  That's something we'll continue working on.

on Wednesday, June 17 2009, 4:03pm

At this point, I have fully commented on this matter to the best of my ability.  I do not see further posting being beneficial, so I am closing the comments section on this post.

Additional feedback regarding PINs can be submitted to library administration.