Can C&P be cloned?

OK, so you can't directly copy the PIN from one C&P card and create a clone but how hard would it be for someone just to make their own C&P card with their own PIN or maybe make the cards accept any PIN?

Seems to me that if banks can make a chip with a card number and a PIN stored on it, whats to prevent someone making their own chips with a PIN of their choice?

Reply to
Marx Peterson

Surely the pin would be stored on the banks computer rather than the card itself!

Reply to
Adrian Boliston

It doesn't work like that IIRC, it operates on a challenge/response basis, when a transaction starts the processing centre issues a challenge to the terminal/card, this is combined with the PIN entered and encrypted with the key held on the chip then the response is sent back to the processing centre where it is checked against the response it expects back, if there's a match it's OK'ed, otherwise not.

It doesn't matter if the challenge or response are intercepted because it's done on a one-time basis, you will never encounter the same combination twice. Theoretically they may be able to find some info if it's repeated millions of times on an iterative basis, but the processing centre would notice this!

You can't retrieve the PIN from the chip, somebody could get the hash table/key if they stripped the chip down, but this would take millions of pounds worth of kit and many hours of work, there are silicon measures in place to prevent reverse engineering. Any information gleaned would only be useful for that individual chip, assuming they haven't made a real mess of the implementation.

I'm told the old French chip & pin system does hold an encrypted version of the PIN on the chip, they're now upgrading to 'our' chip & pin system, of course since they've used this model for some time their transition will be pretty seamless, apart from issuing new cards and terminals, no pesky commercials talking to people like children.

Az.

Reply to
Aztech

[snip informative explanation]

Far easier to shoulder-surf someone typing in their PIN, then mug them for their card upon leaving the store. After all, my PIN typed in by a mugger is indistinguishable from my PIN typed in by me. My signature probably is (if the minimum-wage cashier can be arsed to check).

C&P is nothing but risk-transference from the banks to the customers, as far as I'm concerned.

Best Regards, Alex.

Reply to
Alex Butcher

In fairness C&P isn't designed to combat a criminal's career move, obviously there will be some diversification into other fields such as card not present fraud, but the issuers aren't liable for such losses, some may move into rigging up cash point machines or cheque fraud, but you can't say this is the "fault" of C&P. Of course a minority may be foolish enough to move into more violent extremes.


There doesn't have to be a transference between either entity to reduce fraud, the exponential rise in these figures certainly didn't result from a transference in the opposite direction, it's a bubble in and of itself (a market?).

Az.

Reply to
Aztech

The only trouble is that the outside of most stores are pretty public places, often with CCTV. I guess a mugger could follow someone they have shoulder surfed in the hope that they might go along some dark pedestrian underpass or a deserted park or across waste land, but it would be easier to just target those places in the first place and mug someone for their phone or cash.

Reply to
Adrian Boliston

Without a hint of irony, snipped-for-privacy@yahoo.com (Marx Peterson) astounded uk.finance on 08 Sep 2004 by announcing:

The PKI infrastructure.

Reply to
Alex

Without a hint of irony, "Adrian Boliston" astounded uk.finance on 08 Sep 2004 by announcing:

It's stored on both.

Reply to
Alex

Without a hint of irony, "Aztech" astounded uk.finance on 08 Sep 2004 by announcing:

Nope. As part of the authentication process, the PIN is requested from the user and then sent (in plain text) to the card. The card then verifies the PIN and decides (based on its rules) whether to authorise, decline or refer the transaction. The terminal then takes that response and decides (based on its own set of rules) whether to follow the card's request or go online if the card authorised offline. The terminal can always decide to go online, but cannot decide to stay offline if the card requested online auth. The responses from the card are in the form of authentication cryptograms and it is these which are sent to the processing centre if applicable. There is currently NO online PIN implementation for transactions in the UK.

That's hilarious. The French implementation of EMV is far from seamless.

Reply to
Alex
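An added illustration of the offline-PIN flow Alex describes (the PIN handed to the chip, the chip's try counter, the card's TC/ARQC/AAC answer and the terminal's "may go online, may not stay offline" rule, plus the issuer recomputing the cryptogram). This is demonstration code written for this page, not code from the thread or from any EMV implementation; the PAN, PIN, MAC key and floor limit are made-up sample values and HMAC stands in for the real card cryptogram.

```python
import hmac, hashlib, os

# Simplified model of offline PIN verification and cryptogram generation.
# Not real EMV: no APDUs, no key derivation; key, PAN and PIN are constructed.

CRYPTOGRAM_RANK = {"AAC": 0, "ARQC": 1, "TC": 2}   # decline < go online < approve offline

def mac(key, pan, kind, amount, un):
    """Stand-in for the card cryptogram: MAC over the transaction data."""
    data = b"|".join([pan.encode(), kind.encode(), amount.to_bytes(4, "big"), un])
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

class Card:
    def __init__(self, pan, pin, key, floor_limit=3000):
        self.pan, self.pin, self.key = pan, pin, key
        self.floor_limit = floor_limit    # pence; above it the card asks for online auth
        self.tries_left = 3               # PIN try counter; PIN is blocked at 0

    def verify_pin(self, entered):
        """VERIFY: the terminal hands the entered PIN to the chip, the chip compares."""
        if self.tries_left == 0:
            return False
        if hmac.compare_digest(entered.encode(), self.pin.encode()):
            self.tries_left = 3
            return True
        self.tries_left -= 1
        return False

    def generate_ac(self, requested, amount, un, pin_ok):
        """GENERATE AC: the card returns the requested cryptogram type or a lower one."""
        wanted = "AAC" if not pin_ok else ("ARQC" if amount > self.floor_limit else "TC")
        kind = min(requested, wanted, key=CRYPTOGRAM_RANK.get)
        return kind, mac(self.key, self.pan, kind, amount, un)

def terminal_transaction(card, entered_pin, amount, want_online=False):
    """Terminal rules: it may always ask to go online, but it cannot stay
    offline when the card answers ARQC."""
    un = os.urandom(4)                       # fresh unpredictable number per transaction
    pin_ok = card.verify_pin(entered_pin)
    kind, ac = card.generate_ac("ARQC" if want_online else "TC", amount, un, pin_ok)
    if kind == "AAC":
        return "declined", kind, None
    if kind == "ARQC":
        return "online", kind, (card.pan, amount, un, ac)   # forwarded to the issuer
    return "approved_offline", kind, None

def issuer_verify(card_key, pan, amount, un, ac):
    """Processing centre recomputes the ARQC with its own copy of the card key."""
    return hmac.compare_digest(ac, mac(card_key, pan, "ARQC", amount, un))
```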

"Alex Butcher" wrote

Even easier under the old system - not to bother "shoulder-surfing" but simply go ahead and mug them for their card, have a quick look at the signature on the back and make a passable attempt at signing it when using it. So at least in the future the mugger will need to do more - ie the "shoulder-surfing" bit!

Reply to
Tim

A TLA that's completely meaningless to anyone not familiar with cryptosystems. This is a finance newsgroup, not UKCRYPTO!

Jon

Reply to
Jon S Green

In message , Adrian Boliston writes

No this has been covered ad infinitum (well almost!) in uk.finance. The pin IS stored in the chip.

Reply to
john boyle

In message , Alex writes

Reply to
john boyle

True, but also a higher risk of getting caught (if they happen to try it on with a cashier that actually /does/ compare the signatures), so I'd reckon there's less chance of this being done compared with skimming etc.

Best Regards, Alex.

Reply to
Alex Butcher

"Alex Butcher" wrote

Let me ask - does your signature on a receipt in a shop look exactly like your signature on the back of your card?

I think I can honestly say that mine looks different each time. And even with thousands of transactions made, I think I've only ever been asked to sign again *once* !!

This just shows that a cashier will accept it over 99.9% of the time, even if the signature only looks *similar*.

Reply to
Tim

The UK system has the pin number on the chip. Typically the POS system will dial out to the bank less often, making transactions faster.

Reply to
Fred Bloggs

My signature normally occupies a space at least about 1 inch by 3 inches, and when I try and squash it onto that tiny thin strip it looks *nothing* like normal!

Reply to
Adrian Boliston

Without a hint of irony, snipped-for-privacy@altavista.co.uk (Fred Bloggs) astounded uk.finance on 09 Sep 2004 by announcing:

As does every EMV implementation.

Reply to
Alex

It's enough information for interested parties to STFW if they desire.

Briefly, cracking the chip and pin protection is a very, very hard maths problem.

Reply to
Fred Bloggs

Bitstring , from the wonderful person Adrian Boliston said

Ditto. Even more so when it runs into the indentations on the back of the card and gets deflected. However a handwriting expert could probably still tell that a forgery was a forgery, whereas a 4 digit number is not open to such dispute .. if the criminal got the number right, then the bank's position is going to be that it's your fault, you did it.

Reply to
GSV Three Minds in a Can
