[Gllug] OT - chip & pin

Paul Rayner paul at ylemsolutions.com
Mon Apr 3 13:31:25 UTC 2006


On 3 Apr 2006, at 14:02, John Winters wrote:

> On Mon, 2006-04-03 at 13:20 +0100, Paul Rayner wrote:
> [snip]
>> The PIN (in encrypted form) *is* stored on the card (as not all readers
>> can always be online - you can see this by the number of readers that
>> return "PIN OK" immediately). I've always thought this makes a bit of a
>> mockery of the security of the PIN (three strikes and you're out etc.)
>> because all a crook would have to do is hack (or make) a terminal so
>> that it allowed unlimited tries whilst offline. Brute forcing a 4 digit
>> code when you have immediate validation isn't exactly hard!
>
> It's a long time since I had any involvement with the workings of these
> things, so my information may be out of date, but the whole point of the
> chip was meant to be to prevent this sort of thing.
>
> Yes, if your PIN is stored (even encrypted) on the mag stripe then
> extracting it is fairly straightforward.

As far as I know, the PIN has never been stored on the mag stripe.

>
> The point of the "Chip" part of the equation was meant to be that there
> is intelligence on the card.  This intelligence is only available (i.e.
> powered up) when the card is in a reader but the reader can only ask the
> on-card processor questions (not instruct it) and the on-card processor
> can behave intelligently.
>
> Thus if a reader keeps saying, "Is this the PIN?", "How about this
> one?", "Well, how about this one?" the on-card processor eventually goes
> into sulk mode and starts refusing all of them, regardless of whether
> they're right or not.
>
> Now whether it was actually implemented this way I don't know - perhaps
> they removed this intelligence to save money, but if they did it rather
> defeats the point of Chip and Pin.

It may well work this way now, but the experience of a friend of mine 
suggests otherwise. She couldn't remember the PIN on one of her cards, 
and so had two goes at 3 different places before saying "I can't 
remember my number can I sign please". She then found the piece of 
paper in her handbag (*sigh*) with the PIN on and entered it correctly 
with no problems in the next shop. This would suggest that the "3 
strikes and you're out" intelligence is implemented in the readers or 
in the bank's systems. This was when chip & PIN had just been 
introduced, and was not compulsory. Of course, it's perfectly possible 
that the banks made the system more lenient in the first few months to 
ease teething problems caused by people forgetting their PINs, or that 
the cards allow a couple of tries in a few readers before shutting 
themselves down. My guess is that you're right - I don't think the 
banks would be stupid enough to store the actual PIN on the card in an 
easily brute-forceable way if the chip is capable of working 
intelligently, and if they were that stupid we'd probably know about it 
by now.

> While the stripe does contain a code to say whether there is a chip present,
> if the chip is unusable (eg, damaged by static shock - accidental or deliberate),
> then the ATM will fallback to using the mag stripe. This makes a nice easy
> attack vector. See chapter 3 in this PDF
> http://chipandspin.co.uk/spin.pdf

Nice website. Something to read on the tube this evening :)

> John
>
> -- 
> Gllug mailing list  -  Gllug at gllug.org.uk
> http://lists.gllug.org.uk/mailman/listinfo/gllug
>
--
Paul Rayner
Ylem Solutions Ltd ~  4-14 Tabernacle Street, London. EC2A 4LU
Office: 020 7074 0220 ~ Mobile: 07739 143 763 ~ 
Paul.Rayner at YlemSolutions.com
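The thread turns on where the "three strikes" PIN try counter lives: on the chip itself, or in the reader or the bank's systems. The following toy model is an added illustration (my own code, not anything from the original post and not EMV specification code; the class and function names, the limit of three tries, the keyed-hash stand-in for the card's protected storage and the status strings are all assumptions). It contrasts a chip that keeps its own persistent counter with one that merely answers every "Is this the PIN?" query, and replays both the rogue-terminal scenario from the first message and the friend's shopping trip from the reply.

```python
# Added example: a toy model of an on-card PIN try counter versus a
# counterless chip. Not EMV specification code; names and limits are assumptions.
import hashlib
import hmac
import os

MAX_TRIES = 3  # "three strikes and you're out"
OK, WRONG, BLOCKED = "OK", "WRONG", "BLOCKED"


class SmartChip:
    """Chip that keeps its own persistent PIN try counter (the design John describes)."""

    def __init__(self, pin: str) -> None:
        # The chip holds a keyed hash of the PIN, never the cleartext. The
        # per-card key is a stand-in for protected on-card storage (assumption).
        self._key = os.urandom(16)
        self._pin_tag = self._tag(pin)
        self.tries_left = MAX_TRIES  # lives in the card's non-volatile memory
        self.blocked = False

    def _tag(self, pin: str) -> bytes:
        return hmac.new(self._key, pin.encode(), hashlib.sha256).digest()

    def verify(self, pin: str) -> str:
        """Answer a terminal's 'Is this the PIN?' question."""
        if self.blocked:
            return BLOCKED  # "sulk mode": refuse everything, right PIN included
        # Decrement before comparing: pulling power mid-check must not yield a free try.
        self.tries_left -= 1
        if hmac.compare_digest(self._tag(pin), self._pin_tag):
            self.tries_left = MAX_TRIES  # a correct PIN resets the counter
            return OK
        if self.tries_left == 0:
            self.blocked = True  # from now on every answer is BLOCKED
        return WRONG


class CounterlessChip(SmartChip):
    """Chip that only holds the (hashed) PIN and judges every query. Any
    three-strikes limit would have to live in the reader or at the bank."""

    def verify(self, pin: str) -> str:
        return OK if hmac.compare_digest(self._tag(pin), self._pin_tag) else WRONG


def rogue_terminal_guesses(chip: SmartChip, candidates) -> int:
    """Count how many candidates a terminal that ignores any local limit can
    get the chip to judge before the chip stops cooperating or the PIN is found."""
    judged = 0
    for pin in candidates:
        verdict = chip.verify(pin)
        if verdict == BLOCKED:
            break
        judged += 1
        if verdict == OK:
            break
    return judged


def shopping_trip(chip: SmartChip, visits) -> list:
    """Each visit is the list of PINs typed at a fresh, honest terminal that
    enforces its own per-visit limit of MAX_TRIES and stops on OK or BLOCKED.
    Returns the final verdict of each visit."""
    outcomes = []
    for pins in visits:
        verdicts = []
        for pin in pins[:MAX_TRIES]:
            verdicts.append(chip.verify(pin))
            if verdicts[-1] in (OK, BLOCKED):
                break
        outcomes.append(verdicts[-1])
    return outcomes


ALL_PINS = [f"{n:04d}" for n in range(10_000)]
# Constructed scenario from the reply: two goes at three shops, then the right PIN.
FRIENDS_TRIP = [["0000", "1111"], ["2222", "3333"], ["4444", "5555"], ["4821"]]

if __name__ == "__main__":
    print(rogue_terminal_guesses(SmartChip("4821"), ALL_PINS))        # 3
    print(rogue_terminal_guesses(CounterlessChip("4821"), ALL_PINS))  # 4822
    print(shopping_trip(CounterlessChip("4821"), FRIENDS_TRIP))       # matches the anecdote
    print(shopping_trip(SmartChip("4821"), FRIENDS_TRIP))             # blocked at shop two
```

With the counter on the chip, a modified terminal gets exactly three answers no matter how many tries it allows itself, and the correct PIN is refused afterwards; with the counter only in the reader, every fresh terminal starts from zero, which is the behaviour the shopping anecdote in the reply would be consistent with. Decrementing the counter before the comparison is the detail a practitioner would check for: if the card compared first and wrote the counter afterwards, cutting power between the two steps would hand back the try.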

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug