[Gllug] OT - chip & pin

Benedikt Heinen gllug at ml.icemark.net
Mon Apr 3 11:03:04 UTC 2006


> I have to admit that I believe the notion of a simple 4-digit number as a
> means of security is somewhat flawed.  A random number of characters using
> an 'old style telephone' keypad with letters on each numeric key would seem
> much better, since users could then use a more-easily remembered word as a
> PIN!

What I found more worrying is that apparently you don't need to have the 
full/correct PIN to decrypt all important data from the card. When I lived 
in Switzerland a few years back I also got a Swiss EC card (which had a 6-
digit code on it). The first time I went back home to Germany (where, like 
here, 4-digit codes are the norm), I tried to withdraw money from a cash 
machine, but (inadvertently) entered a wrong last digit for the PIN - 
nevertheless, the machine let me withdraw money from my account. I tried 
it again to see where the problem was - and apparently, the machine 
correctly waited for 6 digits to be entered - but only checked the first 
4!


I would have assumed that the banks / credit card companies would have 
opted for a scheme where the PIN code is part of the en-/decryption key 
for the card data - so that without the proper code, you can't read the 
correct data on the card... :-(




Benedikt

   ALLIANCE, n.  In international politics, the union of two thieves who
     have their hands so deeply inserted in each other's pockets that
     they cannot separately plunder a third.
                        (Ambrose Bierce, The Devil's Dictionary)
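An added illustration (my own code, not from the post or the list): the prefix-only PIN comparison the post describes beside a full-length check, and a card record sealed under a PIN-derived key so that a PIN with one wrong digit fails to open it. The SHA-256 counter keystream standing in for a real cipher, the fixed salt and the iteration count are assumptions chosen for the demonstration only.

```python
import hashlib
import hmac

PIN_FULL_LENGTH = 6

def verify_pin_prefix_only(entered: str, stored: str) -> bool:
    """Flawed check reproducing the anecdote: waits for 6 digits but
    compares only the first 4, so a wrong last digit still passes."""
    return len(entered) == PIN_FULL_LENGTH and entered[:4] == stored[:4]

def verify_pin_full(entered: str, stored: str) -> bool:
    """Correct check: every digit must match, compared in constant time."""
    return len(entered) == PIN_FULL_LENGTH and hmac.compare_digest(entered.encode(), stored.encode())

def derive_key(pin: str, salt: bytes) -> bytes:
    """Key material that depends on the whole PIN (PBKDF2-HMAC-SHA256).
    The iteration count is an illustrative value, not a recommendation."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000, dklen=32)

def _keystream(key: bytes, length: int) -> bytes:
    """Toy SHA-256 counter keystream; a stand-in for a real block cipher mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal_card_data(plaintext: bytes, pin: str, salt: bytes) -> bytes:
    """Encrypt-then-MAC the record under the PIN-derived key: salt || ct || tag."""
    key = derive_key(pin, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, salt + ct, "sha256").digest()
    return salt + ct + tag

def open_card_data(blob: bytes, pin: str):
    """Return the record only if the whole PIN is right; otherwise None."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    key = derive_key(pin, salt)
    if not hmac.compare_digest(hmac.new(key, salt + ct, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

if __name__ == "__main__":
    salt = bytes(range(16))  # constructed fixed salt for the demo
    blob = seal_card_data(b"ACCT=CONSTRUCTED-0001", "123456", salt)
    print(verify_pin_prefix_only("123457", "123456"))  # True: the flaw
    print(open_card_data(blob, "123457"))              # None: wrong digit fails
```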