I have been having a very long back and forth with Peugeot customer service over a problem with my real time traffic, and at one point I received an automatically-generated message informing me that my online services account had been deactivated because my car had changed owner. I immediately got Peugeot to look into it, and it appears that someone had created a Peugeot online services account with my VIN (vehicle identification number if that isn’t clear). I am not sure what Peugeot did next, but they managed to reach the other person and to sort it out.
But a month has passed and I find myself wondering about this again. What is the likelihood that someone would accidentally enter my VIN instead of their own, presumably through a typographical error? It is a 17-digit code, with a combination of letters and numerals. There must be trillions of possibilities. And on top of that, there are dozens of other automobile platforms they could have signed up for. The Peugeot people seemed rather surprised themselves (which is not saying much as they seem to be surprised by many things), but they managed to sort it out easily enough.
My car is still safely in my driveway one month later and nothing else odd has happened that might indicate vehicle theft or identity fraud, but I am intrigued.
Where I work our client IDs use a check digit as the last digit. It is simply the modulus 11 remainder for the rest of the digits - divide them by 11 and the remainder is the last digit. 0 is used for 10.
This prevents a single typo on an entry from matching a valid client ID. But once in a while someone makes multiple typos and comes up with a valid ID. Since the check digit it only the numbers 0-9 this can obviously happen no matter how complicated the calculation is.
Since a VIN uses the same basic method for the check digit in position 9, and much of the information is the same for the same make, model, manufacture plant and year of manufacture, only 6 digits are actually unique to the vehicle.
So, while it isn’t likely to happen very often it is by no means impossible.
Most VINs (but not all) have a check digit in the 9th position. It’s mandatory in North America but less rigorous in Europe. Google says Peugeot does use a check digit but in a Peugeot forum someone posted their VIN and it looked like it didn’t have one, so it’s not clear whether Peugeot has done this consistently or not outside the North American market.
Reason I mention this is that if the VIN includes a check digit it’s extremely unlikely that someone could make a typo and have it accepted as valid. There’s no way to tell for sure except by asking Peugeot, but you can look at position 9 of your VIN and if it’s a digit or the letter “X”, then it may be a check digit – if it’s not a numeral and is any letter other than “X”, then it definitely is not.
Years ago when I worked in insurance (claims, service, sales at various times) I was typing in VINs a LOT. What was worse, is so often it was over the phone, and I had to guide people through giving me a letter example, because of how similar many letters sound over the phone.
Sure it’s less likely if one is entering a VIN themselves on an online form, but given how fumble fingered I can be with a keyboard, much less an on-screen option (phone/tablet) I can imagine that incautious errors can still happen, or just someone misreading their own VIN off registration or in-car tags.
Given the sheer number of VINs out there, I suspect while it’s rare (many places make you type it in twice, which is a lot of help) it’s by no means unheard of to have the sort of error you report.
When I was transferring my insurance recently to a new car, the agent asked for the VIN. I said maybe I should email it to him as it was a long number and a mistake might be made. He said no worries, just read it to me, we have all kinds of verifications. I presume he meant more than just the check digit – the VIN is divided into specific fields that have a particular set of values, and a typo would likely generate an invalid field even if the check digit by some very unlikely happenstance happened to be correct.
thanks everyone. I checked my VIN and the character in the 9th position is a U, so I guess there is no check digit.
In case this was done deliberately, i.e. someone used my VIN on purpose, what sort of fraud might they commit? I guess the fact that people are willing to post their VINs on internet forums suggests that fraud isn’t a big concern?
As noted upthread, for those VINs which have check digits, the digit is a single value from 0 to 9, so 10 possibilities. Which means if you generate the serial portion + check digit completely at random, one in 10 will be valid by luck. IOW a check digit ought to catch about 9 of 10 honest typo errors, but will happily let 1 of 10 slip by.
Now for the implications of this point …
Given e.g. ten thousand cars of the same make, model, & year, so identical VINs except for the serial part, that suggests a lot of mistakes could get into a database uncaught.
Because check digit calcs are both simple and well-documented, they might represent a 90% success rate barrier to honest mistakes, but they represent a 0% success barrier to deliberate counterfeiting. They are in no sense security.
As to the OP’s latest question about what fraud might be committed by a deliberate VIN counterfeiter, I have no clue. I’m hard pressed to see how to profit from that.
Part of the problem is likely that VINs have a lot of structure. The first 8 digits are going to be identical for all cars of the same make model, build, and configuration. So expect many thousands, even tens/hundreds of thousands, of cars with the same first 8 digits. The last 8 digits denote the instance. Whether manufacturers bother to exploit the space available to make close clashes unlikely is up to them. If they just start at some number and keep incrementing, the likelihood of having two cars with trivially confused VINs becomes significant. When the check digit only catches 9 out of ten mistakes, it isn’t good.
My current car was allocated its VIN before it began manufacture. I got to track it from nothing but a number, to extant metal, shipping and delivery. I found it interesting they used the VIN for this.
One might hope manufacturers would add some additional internal checks into the structure of the instance component. They could easily do so, but it isn’t mandated. There are 1.4 trillion instance numbers. Even Toyota doesn’t build that many Corollas in a year. So there is wiggle room.
Are you sure that your VIN is your VIN? I see stories where someone will actually steal the little VIN plaque from the main location and put it in a different car. It only gets noticed if somebody checks it against the VIN from a different location in the car.
As noted, the primary plaque is near the lower driver’s side corner of the windshield. And oriented to be easy to read while standing outside the car facing aft. The VIN may also be stamped a couple of other places around the car, and may well be on a permanent sticker inside the engine compartment and another sticker on the driver’s door aft jamb along with the standard tire pressures.
They should all match. Having it in multiple places is a deterrent to thieves or shady repair shops chopping up two wrecked cars and welding the halves together to create one seemingly intact car.
There are also aftermarket “anti-theft” kits sold by dealers that mark major body parts of the car with the VIN. Under the dubious theory that thieves stealing cars to disassemble for parts will notice your markings and pass on stealing your particular car.
It’s easy enough to do, because most of it is not sequential or random; it’s informational. So for example, every car of a specific year, make, model, and trim is going to have certain segments that are identical.
For a Peugeot, it’s the first 11 digits that are informational, and the last six that are sequential and unique. So it’s possible that someone else with the same make, model, year, trim, etc… Peugeot as you just fat-fingered some part of their sequential VIN when they signed up with their online services account. That’s probably the most likely reason if I had to guess.
I don’t think this is correct. The calculation methodology is structured so that simple typos or transpositions are almost always caught. It will let by 10% of fully random VINs, but if your VIN is off by 1 digit, or by transposed digits, the check digit will almost always be different.
Small nitpick. Unlike credit card and many other check digits which use a mod10 algorithm, the VIN uses mod11 (with the letters translated to numerical values through a translation table). This means there are 11 possible values, not 10, ranging from 0 to 10. If the computed value is 10, it’s encoded as “X”.
Right. The Luhn algorithm is far from perfect, but its strength is that’s it’s very good at catching the kinds of errors that people commonly make. For example, there is zero possibility of single-digit typos being validated, and almost no chance of single-digit transpositions being validated. It will also detect most “twin” errors, where two digits in a row are identical but the wrong digit was entered. But yeah, for random complex errors or a completely random string, the chances of it getting through are 1 in 10 (mod10) or 1 in 11 (mod11).
Is it possible that a clever-but-stupid entry form somewhere detected an invalid VIN, and helpfully “fixed” it by changing the check digit to the “correct” one?
