ATM fraud and C&P

You seem to be implying that it's not possible to clone a "skimmed" C&P card -- is that the case? Is it possible to muck around with the magstripe content in the process to make it look like a non-C&P card, which would obviously be easier to manufacture?

Matti

Reply to
Matti Lamprhey

Setting the PIN to something you can remember improves security!

What decreases security is places like Egg where you can log in and they will tell you your PIN online!

Reply to
Peter King

It's not the mag stripe which tells the reader to look for a chip, is it? Surely the reader will just try to talk to the chip anyway and if it notices that it seems to be talking to the proverbial brick wall, it will then fall back to using the info on the magstripe.

Chips are meant to be uncloneable, or at least very much more difficult to clone than magstripe cards.

Until such time as all cards are chipped, then all card readers will be susceptible to being fooled by cloned cards. Either the fraudsters must be able to get chipless blanks to clone onto, or perhaps the chip contacts can be lacquered over to make the reader think there is no chip.

Until such time as all readers are geared up to talk to chips, cards will continue to be made with magstripes. Only then will it be possible to phase out magstripes and thus eliminate cloning (provided the fraudsters haven't by then managed to crack the chip).

Talking of retaining backward-compatibility, I see that cards still come with raised-profile numbers, suitable for running through those carbon-copy roller-thingy manual machines. How many of those are still in circulation? Must be lots, since otherwise the raised profile would have been phased out.

Reply to
Ronald Raygun

Yes, but a cloned one without the chip will have it fail to talk to the chip, so having the magstripe say "I'm supposed to have a chip, talk to it" is a useful security feature.

Jim.

Reply to
Jim Ley

So you just need some tape or a sticky label over the chip?

I don't like this word uncloneable. Anything that can be created can be copied. The only question is how much it costs.

A lot of traders have them as a backup for when the electronic thing isn't working.

Reply to
Jonathan Bryce

"Ronald Raygun" wrote

You don't really believe that, do you?

That would be an open invitation to fraudsters to simply "kill" the chip ...

"Ronald Raygun" wrote

!!

"Ronald Raygun" wrote

circulation?

We bought something last year, and the shop had only just received their (first) "roller-thingy manual machine". So (last year at least) they were still "rolling them out" (pun intended).

Reply to
Tim

In message , Mike Scott writes

How can that happen?

Reply to
john boyle

Click on these links to read about recent cases of PIN based fraud and the outcomes both good and bad:

formatting link
And from the BBC after yesterday's reported huge increase in ATM theft:

formatting link
Possibly the best site on phantom withdrawals:

formatting link
Just think, today's ATM fraud (Cash & Go) is tomorrow's (Goods & Go) at C&P compliant retailers.

James

Reply to
James

Scripsit Jonathan Bryce

Anything that can be created (reliably) can be re-created. The tricky thing is to figure out *what* to re-create. I'm not sure that there is any theoretical reason why it should be impossible to create a device which destroys the information it holds if it is tampered with in an attempt to find said information.

Reply to
Henning Makholm

So instead of trying 10000 times with the same card, try 10000 times with 10000 different cards. Obviously it isn't guaranteed that way, but you do have a 63% chance of striking it lucky.
Reply to
Jonathan Bryce

If you have a policy of excluding certain numbers based on arbitrary features, you reduce the pool of available numbers and make it easier for someone else to guess your number.

Look at the size of the keyspace you are excluding

4 digits all the same: 10 eg 1111

3 digits together all the same: 200 eg 1112 or 1222

2 x 2 digits together all the same: 100 eg 1122

Sequential: 16 eg 1234 or 4321

That's 326 keys, or just over 3% of the total keyspace.

Reply to
Jonathan Bryce

They store an offset from the PIN separately from the base PIN itself. When you change the PIN, you are actually just changing the offset, so it takes the offset from the PIN you enter to see what the base PIN should be.

Reply to
Jonathan Bryce
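The offset scheme described in the post above, as an added example that is not part of the original thread: the issuer derives a fixed base PIN from the account number, stores only an offset, and a PIN change rewrites the offset alone. The function names, the sample account number and key, and the use of HMAC-SHA256 as the keyed derivation are all assumptions made for illustration.

```python
import hashlib
import hmac

PIN_LEN = 4
# Constructed sample values, not real card or key material.
DEMO_KEY = b"constructed-issuer-pin-key"
DEMO_ACCOUNT = "4000001234567899"

def natural_pin(account: str, pin_key: bytes) -> str:
    """Base PIN the issuer derives from the account number; never changes."""
    # Assumption: HMAC-SHA256 stands in for the issuer's keyed derivation.
    # Taking digest bytes mod 10 is slightly biased; fine for illustration.
    digest = hmac.new(pin_key, account.encode(), hashlib.sha256).digest()
    return "".join(str(b % 10) for b in digest[:PIN_LEN])

def _sub_digits(a: str, b: str) -> str:
    """Digit-by-digit (a - b) mod 10, with no borrow between positions."""
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))

def make_offset(account: str, pin_key: bytes, chosen_pin: str) -> str:
    """Value the issuer stores: customer-chosen PIN minus the base PIN."""
    return _sub_digits(chosen_pin, natural_pin(account, pin_key))

def verify_pin(account: str, pin_key: bytes, stored_offset: str,
               entered_pin: str) -> bool:
    """Take the offset from the entered PIN and compare with the base PIN."""
    if len(entered_pin) != PIN_LEN or not (
            entered_pin.isascii() and entered_pin.isdigit()):
        return False
    candidate = _sub_digits(entered_pin, stored_offset)
    return hmac.compare_digest(candidate, natural_pin(account, pin_key))

def change_pin_demo():
    """Changing the PIN rewrites only the offset; the base PIN is untouched."""
    base_before = natural_pin(DEMO_ACCOUNT, DEMO_KEY)
    old_offset = make_offset(DEMO_ACCOUNT, DEMO_KEY, "2468")
    new_offset = make_offset(DEMO_ACCOUNT, DEMO_KEY, "1357")
    base_after = natural_pin(DEMO_ACCOUNT, DEMO_KEY)
    return base_before == base_after, old_offset != new_offset
```
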

Security by obscurity is not security at all.

When designing a security system, we should always assume that the attacker will know how it works.

Reply to
Jonathan Bryce

So what? The magstripe is re-writeable so wouldn't it be simple for a clever enough fraudster to make the magstripe tell the reader there is no chip?

The real problem is that this information about presence/absence of a chip would need to live in a part of the magstripe not previously used, after all, one would not want to confuse old chip-unaware readers.

Reply to
Ronald Raygun

On Thu, 11 Nov 2004 22:23:10 GMT, Ronald Raygun

The service code is encoded just after the expiry date on the strip and starts 1 for magstripe only cards and 2 for magstripe / chip cards.

Reply to
Matthew
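The service code check from the post above, as an added example that is not part of the original thread: it parses Track 2 data, lets the terminal decide from the first service code digit, and adds an issuer-side comparison against the service code on record, which is what catches a stripe rewritten to claim there is no chip. The function names, the constructed track data and the issuer-side comparison are assumptions; digit 6 (national-use chip card in ISO/IEC 7813) is included alongside the 2 mentioned in the post.

```python
import re

# ;PAN=YYMM + 3-digit service code + discretionary data, optional end sentinel
TRACK2 = re.compile(r"^;?(\d{12,19})=(\d{4})(\d{3})(\d*)\??$")
CHIP_FIRST_DIGITS = {"2", "6"}  # 2 per the post; 6 is the national-use variant

# Constructed sample swipes (not real cards): same PAN, different service code.
GENUINE_CHIP_CARD = ";4000001234567899=06122010000000000?"
ALTERED_STRIPE = ";4000001234567899=06121010000000000?"

def parse_track2(raw: str) -> dict:
    """Split Track 2 into PAN, expiry (YYMM), service code, discretionary."""
    m = TRACK2.match(raw.strip())
    if not m:
        raise ValueError("not valid Track 2 data")
    pan, expiry, service_code, discretionary = m.groups()
    return {"pan": pan, "expiry": expiry,
            "service_code": service_code, "discretionary": discretionary}

def terminal_decision(raw: str) -> str:
    """What a chip-capable reader does with only the stripe to go on."""
    svc = parse_track2(raw)["service_code"]
    return "require_chip" if svc[0] in CHIP_FIRST_DIGITS else "magstripe_ok"

def issuer_check(raw: str, issuer_service_code: str) -> list:
    """Issuer-side flags for a magstripe transaction (hypothetical policy)."""
    svc = parse_track2(raw)["service_code"]
    flags = []
    if svc != issuer_service_code:
        # The stripe disagrees with what the issuer encoded on the card.
        flags.append("service_code_mismatch")
    if issuer_service_code[0] in CHIP_FIRST_DIGITS:
        # Card was issued with a chip but arrived as a stripe read.
        flags.append("chip_card_magstripe_fallback")
    return flags
```
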

In message , James writes

Aren't these clone based fraud, not PIN based fraud?

Reply to
john boyle

There are such 'devices' but AFAIK they are still experimental.

Reply to
dont_reply_to_me

Picked the above up from another forum on the net.

The whole point was it was PIN based fraud.

Follow these links for some very interesting reading:

formatting link
formatting link
If you have an Egg card you can view your PIN on screen. Now read the following:
formatting link

Reply to
James

In message , James writes

Quite, but what you are describing is really 'clone' based fraud.

Chip & Pin is designed to significantly reduce the ability of a fraudster to clone the card.

In each case to which you refer, a card has been cloned and used with a PIN which has been observed. In each case it is NOT a chip & pin card that has been used, or if it IS a Chip & Pin card it is not being used in Chip & Pin mode but on magstripe mode.

Reply to
john boyle

"Jonathan Bryce" wrote

Not so. If *all* fraudsters tried the combination "1234" first, then reducing the pool of available numbers by not choosing that one, definitely makes it *harder* for them to guess your number!

"Jonathan Bryce" wrote

But that's the 3% which a fraudster tries first!

Reply to
Tim
