[Gllug] OT - chip & pin

David Damerell damerell at chiark.greenend.org.uk
Tue Apr 4 10:46:00 UTC 2006


On Monday, 3 Apr 2006, Paul Rayner wrote:
>The PIN (in encrypted form) *is* stored on the card (as not all readers 
>can always be online - you can see this by the number of readers that 
>return "PIN OK" immediately).

That is not correct. It's simply the case that, for the large
supermarkets and similar organisations, it is cheaper to not check
PINs when they are offline and accept the possibility that stolen
cards can be used then than it is to stop doing business.

Of course there are various interesting attacks where you cut off a
particular supermarket and then come in with your collection of stolen
cards...

-- 
David Damerell <damerell at chiark.greenend.org.uk> Kill the tomato!
Today is Second Potmos, April.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug



