
    When the package is actually delivered, the
    customer receives an email notification along with
    a bar code to his smartphone and heads to the
    7-Eleven. There he’ll stand in front of the
    locker system, which looks like the offspring
    between an ATM machine and a safety deposit box.
    The machine will scan the bar code on his handset
    to receive a PIN number. He’ll punch that PIN
    number and retrieve the package.
I don't understand the purpose of the PIN. If I'm reading this right, it scans the bar code on my phone and gives me the PIN, and then I enter the PIN to get my package.

Why doesn't it just give me my package when it scans the bar code? The PIN doesn't seem to add any security.

I suppose the PIN could be an artifact of the implementation, rather than a security measure. For the prototype it might have been easier and cheaper just to use some stock keypad-based lockbox, and so they have to tell you the PIN, rather than do some custom engineering to hook the locking system straight up to the barcode system.



Maybe they didn't feel safe wiring the mechanism that physically opens the doors up to a network. If you can't access that system via the network then you definitely can't exploit it. It's the old "the only secure system is a disconnected one" mantra.

They can focus all their efforts protecting the other end.


This irked me as well, and as usual when some small technical detail irks me in an article, an HN commenter has already made the complaint...

I might just chalk this one up to bad reporting instead of needless redundancy in the implementation.


I'm betting that the journalist that wrote that post garbled the message and that the PIN is an alternative to using the bar code. Some of us still don't have smart phones.


I am fairly certain it's because the PIN unlocks the specific box your package is in. They most likely have only one scanning kiosk and multiple lock boxes.


Proper Security: Something you have and something you know.


Since they tell you the PIN at the point of use when you present the bar code, the PIN is not "something you know" from a security point of view.

Two factor authentication requires that you have two separate items of evidence to attest to your identity. The PIN in the Amazon system as described in the article is just evidence that you knew the bar code, not evidence as to who you are, so their system is just one factor.

A good way to think about it when considering a purported two factor system is to ask how many things a bad guy has to steal to impersonate you. In a two factor system, he should have to steal two things.
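The "how many things does a thief have to steal" heuristic from the comment above can be made mechanical. The following is an added example, not code from the thread or from Amazon's locker system: two constructed locker models (one where the kiosk hands out the PIN after scanning the barcode, as the article describes; one where the PIN is delivered separately at order time and the kiosk never reveals it) and a function that counts the minimum number of containers ("phone", "memory") an impersonator would have to take to open the box. The class names, the `pin_lives_in` parameter and the container labels are all assumptions made for the example.

```python
from itertools import combinations
import hmac
import secrets


def _new_pin() -> str:
    # Six-digit PIN, zero-padded; constructed for the model.
    return f"{secrets.randbelow(10**6):06d}"


class KioskIssuedPin:
    """Flow as the article describes it: the kiosk scans the barcode, displays a
    PIN, and that PIN opens the box. The PIN is obtainable by anyone holding the
    barcode, so it adds nothing an attacker must separately steal."""

    def __init__(self):
        self._pins = {}  # server side: barcode -> PIN for the assigned box

    def create_order(self) -> dict:
        barcode = secrets.token_hex(8)
        self._pins[barcode] = _new_pin()
        # The customer ends up holding only the barcode, on the phone.
        return {"barcode": ("phone", barcode)}

    def scan(self, barcode: str):
        # The kiosk reveals the PIN to whoever presents a valid barcode.
        return self._pins.get(barcode)

    def try_pickup(self, held: dict) -> bool:
        if "barcode" not in held:
            return False
        barcode = held["barcode"]
        pin = self.scan(barcode)
        return pin is not None and hmac.compare_digest(self._pins[barcode], pin)


class OutOfBandPin:
    """Alternative (hypothetical) flow: the PIN is issued at order time through a
    separate channel and the kiosk never displays it; the box opens only when both
    the barcode and the PIN are presented."""

    def __init__(self, pin_lives_in: str = "memory"):
        self._pins = {}
        self._pin_lives_in = pin_lives_in  # where the customer keeps the PIN

    def create_order(self) -> dict:
        barcode = secrets.token_hex(8)
        pin = _new_pin()
        self._pins[barcode] = pin
        return {"barcode": ("phone", barcode), "pin": (self._pin_lives_in, pin)}

    def try_pickup(self, held: dict) -> bool:
        expected = self._pins.get(held.get("barcode", ""))
        return expected is not None and hmac.compare_digest(expected, held.get("pin", ""))


def things_to_steal(locker):
    """Minimum number of distinct containers (phone, memorised secret, ...) an
    impersonator must take to open the box; None if no combination works."""
    artifacts = locker.create_order()
    containers = sorted({where for where, _ in artifacts.values()})
    for k in range(len(containers) + 1):
        for taken in combinations(containers, k):
            held = {name: value for name, (where, value) in artifacts.items() if where in taken}
            if locker.try_pickup(held):
                return k
    return None


if __name__ == "__main__":
    print("kiosk-issued PIN:        ", things_to_steal(KioskIssuedPin()))
    print("out-of-band PIN, memorised:", things_to_steal(OutOfBandPin()))
    print("out-of-band PIN on phone:  ", things_to_steal(OutOfBandPin(pin_lives_in="phone")))
```

The third case is the caveat the heuristic catches: a PIN delivered separately but stored on the same phone as the barcode collapses back to one thing to steal, so the count is of independent containers, not of artifacts.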



