[Gllug] Chip and PIN

John Winters john at sinodun.org.uk
Wed May 10 18:15:03 UTC 2006


On Wed, 2006-05-10 at 17:36 +0100, Chris Ebenezer wrote:
> On 5/10/06, t.clarke <tim at seacon.co.uk> wrote:
> > I have read for example that the PIN is also held on the mag stripe.
> > This is surely completely bonkers, since the PIN would then be easily
> > established and a counterfeit card made.
> 
> It is stored (encrypted) on the mag stripe

No it isn't.  You can buy the specification for what goes on the mag
stripe in a British Standard and there is no field for the PIN.

Think about it for a minute - if the PIN actually were held in the mag
stripe then there would be absolutely no point in all these elaborate
technical and social engineering schemes for finding out people's PINs.
Mag stripe readers are not high tech devices - I've got one in my bits
bin down in the shed and it will happily read the mag stripe from any
card you care to produce.

>  - [What is actually stored
> is the original PIN that was issued against that card plus a
> changeable 'offset' that maps the original PIN to the present PIN].

With some schemes an *offset* has been held on the card, but not the
PIN.  This then enables the PIN to be apparently changed (at least as
far as the user perceives it) without needing to involve central
processing.

John

-- 
John Winters, Wallingford, Oxon, England
i = (free (NULL); i++);

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
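
The offset idea in the message above, as an added example that is not part of the original post: the card carries only an offset, and the verifier re-derives a "natural" PIN from the account number under a secret key, so the offset alone reveals nothing about the PIN. The digit-wise modulo-10 arithmetic is modelled on the IBM 3624 offset method; HMAC-SHA256 stands in for the issuer's block cipher, and `ISSUER_KEY`, `ACCOUNT` and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not real card data).
ISSUER_KEY = b"constructed-demo-verification-key"
ACCOUNT = "4000001234567899"

# Maps each hex digit 0-F of the keyed output to a decimal digit.
DECIMALIZATION = "0123456789012345"


def natural_pin(key: bytes, account: str, length: int = 4) -> str:
    """PIN derived from the account number; never stored on the card."""
    # Stand-in for the cipher a real scheme would use (assumption).
    digest = hmac.new(key, account.encode(), hashlib.sha256).hexdigest()
    return "".join(DECIMALIZATION[int(h, 16)] for h in digest[:length])


def offset_for(key: bytes, account: str, chosen_pin: str) -> str:
    """Offset written to the card when the holder picks a new PIN."""
    nat = natural_pin(key, account, len(chosen_pin))
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen_pin, nat))


def verify(key: bytes, account: str, offset: str, entered_pin: str) -> bool:
    """Recompute natural PIN + offset (mod 10 per digit) and compare."""
    nat = natural_pin(key, account, len(offset))
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))
    return hmac.compare_digest(expected, entered_pin)


if __name__ == "__main__":
    first = offset_for(ISSUER_KEY, ACCOUNT, "1234")
    print("offset for first PIN :", first)
    print("1234 accepted        :", verify(ISSUER_KEY, ACCOUNT, first, "1234"))
    # Changing the PIN only rewrites the offset; key and account are untouched.
    second = offset_for(ISSUER_KEY, ACCOUNT, "9876")
    print("offset after change  :", second)
    print("old PIN still works? :", verify(ISSUER_KEY, ACCOUNT, second, "1234"))
```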