[Gllug] Chip and PIN

Christopher Hunter chrisehunter at blueyonder.co.uk
Wed May 10 18:16:55 UTC 2006


On Wednesday 10 May 2006 16:07, John Winters wrote:

> I would certainly think twice about typing my PIN into any system where
> my card was swiped through a card reader.  The ones where only the end
> of the card goes into a closed slot (so that the chip can be activated)
> could potentially let someone discover your PIN, but there's no way they
> can read your mag-stripe.

The information on the mag stripe is, alas, duplicated on the chip.  

This "skimming" exercise seems to have more of a "social engineering" effort - 
the C&P readers were removed by "engineers", and returned with the extra 
electronics installed!

I've seen one of these nefarious "skimming" devices a few months ago over in 
the Netherlands.  It had been added to a C&P terminal, and sent its data by 
Bluetooth!  As the range was limited, I assume that a member of staff at the 
premises was involved - all you'd need is a Bluetooth-enabled PDA, and you 
could log all that the terminal did.  The hardware, incidentally, was just a 
Bluetooth module and a 16F628 PIC.  The PIC stole its clock and power from 
the main PCB, and was just tagged on to the main PCB in about six places with 
bits of wire!

Chris

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug