ATM fraud and C&P

Without a hint of irony, Mike Scott astounded uk.finance on 13 Nov 2004 by announcing:

Basically, and missing out many steps here, the terminal powers up the card, sends certain information such as the terminal capabilities [1], transaction amount etc. to the card. The card then sends a CVM [2] list to the terminal. The terminal compares this list with its own list of supported CVMs and works down them in order [3]. Assuming PIN is supported on both, the terminal will ask for the PIN to be entered.

This PIN is then sent *unencrypted in the UK* to the card. The card then validates the PIN and returns a cryptogram. This cryptogram indicates whether the card has done one of the following:

  • Authorised offline
  • Requested online referral
  • Declined

The terminal then takes this and decides whether to accept the card's decision. The terminal can never authorise if the card hasn't - it can, however, decline or refer a card-authorised transaction for instance.

If the PIN is incorrect, and the PIN-try limit has been reached, the card will indicate that it is now blocked and the transaction should be declined.

Assuming the transaction goes online, the cryptogram is sent up to the host with the regular transaction data. The response will obviously state the decision but may also contain an Issuer Script [4]. Certain scripts are processed now. The response is then sent to the card and another cryptogram is returned with the final transaction status. Other scripts are processed now. The terminal then tells the card the transaction is complete and powers it down.

[1] This is how a card knows if it's being used in an ATM, regular merchant, unattended kiosk etc.

[2] Cardholder Verification Method - includes Online PIN, Offline PIN, Signature

[3] If the terminal supports Offline PIN and Sig and the card supports Online, Offline and Sig then it will request Offline PIN. If the terminal supports Offline PIN & Sig but the card supports Online PIN & Sig then Sig will be requested.

[4] This is a set of instructions from the Cardholder's bank to the Card. It may be to increase/decrease the spending limit, block the card, change the PIN, change the CVM, etc.
Reply to
Alex
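The CVM selection in footnote [3], the card-side PIN check with its try limit, and the rule that the terminal can only narrow the card's decision, modelled as an added example (not code from the original post or from any EMV implementation; the CVM names, result constants and the try limit of 3 are assumptions for illustration):

```python
# Added example, not from the original post: a simplified model of the CVM
# selection and authorisation rules described in the thread. The CVM names,
# the result constants and the PIN-try limit of 3 are assumptions for the
# illustration, not values taken from the EMV specification.
from dataclasses import dataclass

ONLINE_PIN, OFFLINE_PIN, SIGNATURE = "online_pin", "offline_pin", "signature"
AUTHORISED, REFERRAL, DECLINED = "authorised", "referral", "declined"

def select_cvm(card_cvm_list, terminal_cvms):
    """Walk the card's CVM list in the card's order and return the first
    method the terminal also supports (None if there is no common method)."""
    for cvm in card_cvm_list:
        if cvm in terminal_cvms:
            return cvm
    return None

@dataclass
class Card:
    pin: str
    cvm_list: tuple
    pin_tries_left: int = 3   # assumed limit; real cards carry their own counter
    blocked: bool = False

    def verify_pin(self, entered):
        """Offline PIN check as the post describes it: the card, not the
        terminal, compares the PIN and blocks itself once the tries run out."""
        if self.blocked:
            return DECLINED
        if entered == self.pin:
            self.pin_tries_left = 3
            return AUTHORISED
        self.pin_tries_left -= 1
        if self.pin_tries_left == 0:
            self.blocked = True
        return DECLINED

def terminal_decision(card_result, terminal_wants):
    """The terminal may only narrow the card's decision: it can decline or
    refer a card-authorised transaction, but never authorise one the card
    has referred or declined. The outcome is the more restrictive of the two."""
    order = {AUTHORISED: 0, REFERRAL: 1, DECLINED: 2}
    return card_result if order[card_result] >= order[terminal_wants] else terminal_wants
```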

Without a hint of irony, "rob." astounded uk.finance on 13 Nov 2004 by announcing:

I don't see why. Only debit cards were C&P in France.

Reply to
Alex

Without a hint of irony, Alex astounded uk.finance on 13 Nov 2004 by announcing:

And places where mag stripe hasn't made it either (which vastly outnumbered those where it had).

Reply to
Alex

Thanks for that. I can't say I'm filled with confidence though - phrases like "...achieved by encapsulating the security sensitive electronics in potting compound", even if there's anti-tamper provision, surely means we'll see criminals working carefully in their de-potting sheds. It only takes one to get at the "hidden" data......

Reply to
Mike Scott

I know - that's more-or-less the objection I raised with my banks. But given a PIN, you still need a card - nicked or cloned.

Reply to
Mike Scott

"Alex" wrote

Why can't you do that test, when the card is inserted into a different device?

If the two devices are connected, then the same situation should result. If the two devices *aren't* connected (and the test doesn't work) - then why would it need your PIN??!

Reply to
Tim

That's dangerous - if the designer(s) overlooked a potentially insecure aspect when designing something, they'd likely miss it again when looking at it later!!

"Alex" wrote

You can easily see that it's possible for other people to "shoulder-surf". That's the big insecurity in the implementation...

Reply to
Tim

Without a hint of irony, Mike Scott astounded uk.finance on 13 Nov 2004 by announcing:

The only hidden data in an EMV transaction is that stored on the card, and at the bank. There is none on the terminal.

Reply to
Alex

But you have been told not to use your card where someone might see your PIN, haven't you? So you are liable if you use card at pretty much any shop, since there isn't sufficient privacy for entering your PIN anywhere I have seen.

Reply to
Steve

Self-destruct on tampering is not security by obscurity, just another layer to make the crooks' job harder.

Reply to
Steve

Hey, I think that's a great way to help you remember how old your children are, or at least how to work it out.

Reply to
Ronald Raygun

Keeping a key secret is not what is meant by "obscurity" in this context. Obscurity is trying to keep secret how the system works.

Reply to
Ronald Raygun

You are correct about that usual meaning of "security by obscurity".

Jonathan Bryce must, however, use a different non-standard meaning, since he thinks that my speculations about whether a device can keep an internally stored key safe against physical attacks constitute "security by obscurity".

Reply to
Henning Makholm

Can you talk me through that one please?

The chances of getting it right are 3/9999 for each card, I'm not quite sure how you end up with 63%?

Reply to
Guttorm Christensen

Scripsit Guttorm Christensen

The assumption must have been that each of the 10,000 cards was tested with only one PIN. Then the chance of *failure* for each card is 0.9999, and the chance of failing for all 10,000 cards is

0.9999^10000 = 0.3679

The chance that at least one of the attempts will be successful is therefore 1-0.3679 = 0.6321 = 63%.

Reply to
Henning Makholm

That does not necessarily mean he's using a non-standard meaning.

A person with detailed knowledge of how the self-destruct mechanism works could make good use of that knowledge in attempting to defeat it.

Unless the mechanism is absolutely foolproof, there is a small chance of such an approach succeeding, given the appropriate inside knowledge.

Therefore hoping it never happens is relying on not many people having the necessary knowledge (or trusting those who have it not to use it).

Reply to
Ronald Raygun

Without a hint of irony, Ronald Raygun astounded uk.finance on 13 Nov 2004 by announcing:

In EMV, the only secret knowledge is kept on the card and at the issuing bank.

Reply to
Alex

I wonder if any lawyers are rubbing their hands and thinking -"Unfair Contract Terms"? Could be an interesting case.

Reply to
rob.

Scripsit Ronald Raygun

If knowledge of how the self-destruct mechanism works helps an attacker, then it is clearly an entirely different beast from the kind of self-destruct mechanism I was imagining.

Reply to
Henning Makholm

Well actually, no. Why - have you?

In fact, all the C&P literature tends to say "when paying at a C&P terminal, simply enter your PIN on the keypad" - I haven't seen any that says "don't enter your PIN if there is any chance that someone might spot it" !!

C&P card issuers *want* us to use C&P - they keep saying how "good" it is - so how could using it, in the manner in which they expect you to, possibly constitute "PIN negligence" ?

;-)

Reply to
Tim
