[Gllug] OT - chip & pin

Alain Williams addw at phcomp.co.uk
Mon Apr 3 13:24:27 UTC 2006


On Mon, Apr 03, 2006 at 02:02:37PM +0100, John Winters wrote:
> The point of the "Chip" part of the equation was meant to be that there
> is intelligence on the card.  This intelligence is only available (i.e.
> powered up) when the card is in a reader but the reader can only ask the
> on-card processor questions (not instruct it) and the on-card processor
> can behave intelligently.
> 
> Thus if a reader keeps saying, "Is this the PIN?", "How about this
> one?", "Well, how about this one?" the on-card processor eventually goes
> into sulk mode and starts refusing all of them, regardless of whether
> they're right or not.

That is my understanding, the chip then somehow signs (or otherwise proves
that the chip was happy that the PIN was correct). My point is that for
my security the method of delivery of the message "Is this the PIN?" must
be free from snooping. I will accept it if the card is plugged into the
numeric keypad, I am much more reluctant to do so if my PIN has to travel
down a wire into a till. I have worked with till s/ware and know how cr*p
a lot of them are; many of today's tills are basically PCs running some form
of MS Windows -- we all know how safe that is.

> Now whether it was actually implemented this way I don't know - perhaps
> they removed this intelligence to save money, but if they did it rather
> defeats the point of Chip and Pin.

-- 
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/

#include <std_disclaimer.h>
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
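
The behaviour discussed in this message, as an added example that is not part of the original post and is not real card or scheme code: a toy model in which the reader can only ask "Is this the PIN?", the card counts wrong answers and then refuses everything, and a successful check lets the card produce a proof the issuer can verify. The try limit of 3, the HMAC used as the proof, and every name below are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional

PIN_TRY_LIMIT = 3  # assumed value for this model; the thread does not state one


class ModelCard:
    """Toy card: the reader may only ask questions, the card keeps the state."""

    def __init__(self, pin: str, card_key: bytes):
        self._pin = pin                  # never leaves the card
        self._key = card_key             # shared with the issuer, not the reader
        self._tries_left = PIN_TRY_LIMIT
        self._pin_ok = False

    def verify_pin(self, candidate: str) -> str:
        if self._tries_left == 0:
            return "BLOCKED"             # "sulk mode": right and wrong both refused
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self._tries_left = PIN_TRY_LIMIT
            self._pin_ok = True
            return "OK"
        self._tries_left -= 1
        self._pin_ok = False
        return "BLOCKED" if self._tries_left == 0 else "WRONG"

    def sign_transaction(self, details: bytes) -> Optional[bytes]:
        """Proof that the card accepted a PIN for exactly these details."""
        if not self._pin_ok:
            return None
        self._pin_ok = False             # one proof per successful PIN check
        return hmac.new(self._key, b"PIN-VERIFIED|" + details,
                        hashlib.sha256).digest()


def issuer_accepts(card_key: bytes, details: bytes, proof: Optional[bytes]) -> bool:
    """Issuer side: recompute the proof and compare in constant time."""
    if proof is None:
        return False
    expected = hmac.new(card_key, b"PIN-VERIFIED|" + details,
                        hashlib.sha256).digest()
    return hmac.compare_digest(proof, expected)


def ask_repeatedly(card: ModelCard, candidates) -> list:
    """A reader that keeps asking 'Is this the PIN?' and records each answer."""
    return [card.verify_pin(c) for c in candidates]
```

The model covers only the on-card counter and the proof; it does not address how the PIN travels from the keypad to the card, which is the concern raised in the reply above.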



