[Gllug] Chip and PIN

t.clarke tim at seacon.co.uk
Wed May 10 15:22:33 UTC 2006


As to what may be a better option to Chip and PIN, it's very hard to say, as I
am, to say the least, very confused as to what exactly Chip and PIN currently
does!

I have read, for example, that the PIN is also held on the mag stripe.
This is surely completely bonkers, since the PIN would then be easily
established and a counterfeit card made. The counterfeit presumably would
not even need a working chip, since, as I understand it, retailers will
accept cards if they fail to work in a reader for any reason?

Whether or not the chips themselves can be reverse engineered and counterfeited
I have no idea!

If a Chip and PIN card is stolen, I would think that it is vital that the PIN
cannot be revealed by 'examining' the card in any way. Again, no idea whether
this is the case or not!

Personally, I think that the PIN should:
a) be more than 4 digits;
b) be capable of being formed into a more easily remembered word on an
alphanumeric keypad (in the same way that telephone keypads used to have ABC/1,
DEF/2 and suchlike);
c) not be stored on the card at all, but in a secure remote database in an
irreversibly encrypted form.

(c) would mean that the PIN entered at the terminal would effectively have to be
transmitted over the network, using a very secure encryption protocol to
ensure it cannot be snooped, and ideally that encryption should take place
within the chip on the card, or in the card reader itself, such that the PIN
itself never 'leaves' the card reader. Oh, and of course the card readers
should be made completely tamper-proof!


Of course I am no security expert, and this may a) be completely unworkable
or b) still be insecure.

There are, I guess, no perfect solutions, but I do think that the current
notion that Chip and PIN is perfect, and that any fraud costs must accordingly
be the result of negligence by the holder or the retailer and be for their
account rather than the bank's, is nonsense!

Tim

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
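As an added illustration (not from Tim's post, and not a description of how EMV Chip and PIN actually works), the following Python models proposal (c) above: the host keeps only a salted, iterated hash of the PIN, the reader encrypts and authenticates the PIN before it goes onto the network, and the host checks the MAC before decrypting. The HMAC-based stream cipher is a stand-in for the HSM-backed ISO 9564 PIN-block encryption a real terminal would use; the PIN values, the key and the function names are constructed for this example. The brute_force function adds the caveat a reviewer would raise against (c): hashing is irreversible, but a 4-digit PIN is one of only 10,000 candidates, so a leaked host record gives little protection by itself, and the control that actually matters is the try counter that locks the card after a few wrong guesses (which an offline attacker never hits).

```python
import hashlib
import hmac
import secrets
from itertools import product

# ---- host side: the PIN is held only in irreversible form ----------------
def enrol_pin(pin: str, iterations: int = 50_000) -> dict:
    """Create the host record for a card: a random salt plus the
    PBKDF2-HMAC-SHA256 of the PIN.  The PIN itself is never retained."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations,
            "failed": 0, "locked": False}

def verify_pin(record: dict, pin: str, max_failures: int = 3) -> bool:
    """Recompute the hash and compare in constant time.  The PIN space is
    tiny, so the record also carries a try counter: after max_failures
    wrong guesses the card is locked whatever PIN is presented."""
    if record["locked"]:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(),
                                    record["salt"], record["iterations"])
    if hmac.compare_digest(candidate, record["digest"]):
        record["failed"] = 0
        return True
    record["failed"] += 1
    if record["failed"] >= max_failures:
        record["locked"] = True
    return False

# ---- reader side: the PIN is encrypted before it leaves the reader -------
# Toy encrypt-then-MAC: keystream = HMAC-SHA256(enc_key, nonce||counter),
# tag = HMAC-SHA256(mac_key, nonce||ciphertext).  Stand-in for the HSM-backed
# ISO 9564 PIN-block encryption a real terminal performs (hypothetical design).
def _subkeys(reader_key: bytes) -> tuple:
    return (hmac.new(reader_key, b"enc", hashlib.sha256).digest(),
            hmac.new(reader_key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range(-(-length // 32)):          # ceil(length / 32) blocks
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
    return out[:length]

def encrypt_pin_block(pin: str, reader_key: bytes) -> bytes:
    """Pad the PIN into a fixed 16-byte block (a 4- and an 8-digit PIN look
    identical on the wire), XOR with the keystream, and append a MAC."""
    if not pin.isdigit() or not 1 <= len(pin) <= 15:
        raise ValueError("PIN must be 1-15 digits")
    enc_key, mac_key = _subkeys(reader_key)
    nonce = secrets.token_bytes(12)
    block = bytes([len(pin)]) + pin.encode() + b"\x00" * (15 - len(pin))
    ct = bytes(a ^ b for a, b in zip(block, _keystream(enc_key, nonce, 16)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag                          # 12 + 16 + 32 bytes

def decrypt_pin_block(message: bytes, reader_key: bytes) -> str:
    """Host side: verify the MAC first, then strip the keystream."""
    enc_key, mac_key = _subkeys(reader_key)
    nonce, ct, tag = message[:12], message[12:28], message[28:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("PIN block tampered with or wrong key")
    block = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, 16)))
    return block[1:1 + block[0]].decode()

def authorise(record: dict, message: bytes, reader_key: bytes) -> bool:
    """Host: recover the PIN from the reader's message and verify it."""
    try:
        pin = decrypt_pin_block(message, reader_key)
    except ValueError:
        return False
    return verify_pin(record, pin)

# ---- the caveat: irreversible is not the same as unguessable ------------
def brute_force(record: dict, digits: int) -> tuple:
    """Offline attack on a leaked host record.  The try counter does not
    apply because verify_pin is never called; a 4-digit PIN is at most
    10**4 PBKDF2 evaluations away.  Returns (pin, attempts)."""
    attempts = 0
    for combo in product("0123456789", repeat=digits):
        attempts += 1
        guess = "".join(combo)
        digest = hashlib.pbkdf2_hmac("sha256", guess.encode(),
                                     record["salt"], record["iterations"])
        if hmac.compare_digest(digest, record["digest"]):
            return guess, attempts
    return None, attempts

if __name__ == "__main__":
    reader_key = secrets.token_bytes(32)             # constructed shared key
    record = enrol_pin("0137", iterations=1_000)     # low count so the demo is quick
    wire = encrypt_pin_block("0137", reader_key)
    print("authorised:", authorise(record, wire, reader_key))
    print("offline brute force:", brute_force(record, 4))
```

The iteration count is deliberately low in the demo so that the exhaustive search finishes in well under a second; raising it to the default 50,000 multiplies the attacker's cost by the same factor as the host's, which is why the PIN length (Tim's point (a)) and the try counter, not the hash alone, decide how much a leaked record is worth.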