[Gllug] OT - chip & pin

Paul Rayner paul at ylemsolutions.com
Mon Apr 3 12:20:25 UTC 2006

On 3 Apr 2006, at 12:03, Benedikt Heinen wrote:

>> I have to admit that I believe the notion of a simple 4-digit number as a
>> means of security is somewhat flawed.  A random number of characters using
>> an 'old style telephone' keypad with letters on each numeric key would seem
>> much better, since users could then use a more-easily remembered word as a
>> PIN!
> What I found more worrying is that apparently you don't need to have 
> the full/correct PIN to decrypt all important data from the card. When 
> I lived in Switzerland a few years back I also got a Swiss EC card 
> (which had a 6 digit code on it). The first time I went back home to 
> Germany (where, like here, 4 digit codes are the norm), I tried to 
> withdraw money from a cash machine, but (inadvertently) entered a 
> wrong last digit for the PIN - nevertheless, the machine let me 
> withdraw money from my account. I tried it again to see where the 
> problem was - and apparently, the machine correctly waited for 6 
> digits to be entered - but only checked the first 4!
> I would have assumed that the banks / credit card companies would 
> have opted for a scheme where the PIN code is part of the 
> en-/decryption code for the card data - so that without the proper 
> code, you can't read the correct data on the card... :-(

The PIN (in encrypted form) *is* stored on the card (as not all readers 
can always be online - you can see this by the number of readers that 
return "PIN OK" immediately). I've always thought this makes a bit of a 
mockery of the security of the PIN (three strikes and you're out etc.) 
because all a crook would have to do is hack (or make) a terminal so 
that it allowed unlimited tries whilst offline. Brute forcing a 4 digit 
code when you have immediate validation isn't exactly hard!

Whilst a strong motive for the introduction of chip & PIN is the fact 
that the card issuer removes a chunk of their fraud liability, if you 
look after your card and report it immediately if it's stolen you 
*will* be safer under chip & PIN because whilst cloning a magstripe 
takes 30 seconds, I've not heard (although would the banks be likely to 
announce it?) of an easy way to clone a chip, so a would-be thief needs 
either the physical card, or magstripe + PIN, as opposed to just a 
swipe of the magstripe. The stripe has a code which states whether the 
card should contain a chip, so ATMs will reject cards with a stripe 
which should also contain a chip but don't. A TV (can't remember the 
channel or find a link on Google) investigation found that it was 
possible to change this on cloned cards, but the banks have since fixed 
this I believe.

All this is from memory, Google and TV, so it could all be wrong, but 
if it is I'd like to be corrected!

> Benedikt
>   ALLIANCE, n.  In international politics, the union of two thieves who
>     have their hands so deeply inserted in each other's pockets that
>     they cannot separately plunder a third.
> 			(Ambrose Bierce, The Devil's Dictionary)


Paul Rayner
Ylem Solutions Ltd ~  4-14 Tabernacle Street, London. EC2A 4LU
Office: 020 7074 0220 ~ Mobile: 07739 143 763 ~ 
Paul.Rayner at YlemSolutions.com
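
The stripe check mentioned in the message above (a code on the magstripe saying whether the card should have a chip), as an added example that is not part of the original post or any bank's code. It assumes the ISO/IEC 7813 track 2 layout, where a first service-code digit of 2 or 6 marks a chip card; the function names, decision labels and the `issuer_says_chip` cross-check are hypothetical, and the stripes are constructed sample data.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")

# First service-code digit 2 or 6 means the card was issued with a chip.
CHIP_DIGITS = {"2", "6"}

# Constructed sample stripes (test PAN, made-up expiry and discretionary data).
CHIP_STRIPE = ";4111111111111111=0812201000000000?"
PLAIN_STRIPE = ";4111111111111111=0812101000000000?"


def parse_track2(raw):
    """Split raw track 2 data into its fields, or raise ValueError."""
    m = TRACK2.match(raw.strip())
    if m is None:
        raise ValueError("malformed track 2 data")
    return m.groupdict()


def stripe_claims_chip(fields):
    """True when the service code says the card should contain a chip."""
    return fields["svc"][0] in CHIP_DIGITS


def decide(raw, chip_present, issuer_says_chip=None):
    """Terminal-side decision for a swiped card.

    issuer_says_chip is an assumed issuer-side record (None when offline);
    a mismatch with the stripe suggests the service code was altered.
    """
    try:
        fields = parse_track2(raw)
    except ValueError:
        return "REJECT"
    claims_chip = stripe_claims_chip(fields)
    if issuer_says_chip is not None and issuer_says_chip != claims_chip:
        return "REJECT"
    if claims_chip:
        # A stripe that promises a chip on a card without one is refused.
        return "USE_CHIP" if chip_present else "REJECT"
    return "ALLOW_SWIPE"


if __name__ == "__main__":
    for stripe, chip in [(CHIP_STRIPE, True), (CHIP_STRIPE, False), (PLAIN_STRIPE, False)]:
        print(parse_track2(stripe)["svc"], chip, decide(stripe, chip))
```

Without the issuer-side record the terminal can only trust what the stripe says about itself, which is why the last check compares it against data the card holder cannot rewrite.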
