chip & pin - could this happen?

You misunderstood him. Maybe you should read the spec; at 770 pages, it's slightly more comprehensive than your guesses at what might happen or what should happen in particular circumstances. FWIW it blocks after 3 *consecutive* fails, and resets if it gets a good one after 1 or 2 consecutive fails.
Reply to
Tumbleweed
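The "consecutive" rule described above versus the "three fails within a time period" reading it corrects, as an added model that is not from any poster in the thread. The card object, the PIN values, the window policy and the issuer unblock-at-ATM step are all constructed for illustration; the real chip applies its try counter in the VERIFY command and issuer PIN-unblock scripts are delivered in an online transaction.

```python
from dataclasses import dataclass, field
import hmac

PIN_TRY_LIMIT = 3  # the limit the thread refers to


@dataclass
class ChipCard:
    """Constructed model of a card's offline PIN try counter (not real EMV code)."""
    pin: str                    # reference PIN held on the chip (constructed value)
    tries_left: int = PIN_TRY_LIMIT
    window: float = 0.0         # 0 = consecutive rule; >0 = "3 fails within window seconds"
    fail_times: list = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        return self.tries_left == 0

    def verify(self, candidate: str, now: float = 0.0) -> str:
        """Offline PIN check as the merchant terminal would invoke it on the card."""
        if self.blocked:
            return "blocked"    # a blocked card rejects every attempt, right PIN or not
        if hmac.compare_digest(candidate, self.pin):
            if self.window == 0:
                self.tries_left = PIN_TRY_LIMIT   # consecutive rule: success resets the count
            return "ok"
        if self.window == 0:
            self.tries_left -= 1
        else:
            # time-window reading: count failures inside the window, successes do not reset
            self.fail_times = [t for t in self.fail_times if now - t < self.window] + [now]
            self.tries_left = max(0, PIN_TRY_LIMIT - len(self.fail_times))
        return "blocked" if self.blocked else f"wrong, {self.tries_left} left"

    def issuer_unblock(self, issuer_script_authentic: bool) -> bool:
        """PIN unblock performed at an ATM, i.e. online with the issuer (constructed)."""
        if not issuer_script_authentic:
            return False
        self.tries_left = PIN_TRY_LIMIT
        self.fail_times.clear()
        return True
```

With the sequence fail, fail, ok, fail the consecutive rule leaves two tries, while the time-window reading blocks the card after the last fail despite the correct PIN in between.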

Well, when t'other Alex wrote:

"No. Have it block after three failed attempts full stop."

in response to my:

"If the chip is sophisticated enough to have the capability to maintain state between transactions, great - have the chip self-block after three failed attempts within a given time period"

I think my interpretation of 'full stop' as having no time restriction was reasonable. If he'd simply removed 'full stop' and inserted 'consecutive' as you did, that would have been Useful Information.

Heh. Exactly why I didn't bother reading it for a five minute post that was intended to answer an entirely different question. *This* thread only developed because someone took exception to my hypothetical C&P design, and/or thought that it was supposed to be exactly the same as the actual C&P implementation, which is precisely the sort of thing I was hoping to avoid by inventing a hypothetical, but comparable system for use as an example.

OK, that's Useful Information. For interest, what happens after 3 consecutive fails? Do those consecutive fails need to be within a certain time period to count?

Best Regards, Alex.

Reply to
Alex Butcher

At 20:54:54 on 14/02/2006, Alex Butcher delighted uk.finance by announcing:

The merchant will accept liability for any fraud and process a magstripe/manual transaction, or they won't and another form of payment will be required.

I don't think it even got that far. Minimal transaction times, after all, are the whole point of having EFT in the first place.

The state is reset after a successful PIN entry. If the card's PIN blocked you visit an ATM to unblock it.

Exactly.

14 years ago?
Reply to
Alex

At 00:18:57 on 15/02/2006, Alex Butcher delighted uk.finance by announcing:

The card is PIN blocked. It needs to be reset at an ATM.

No.

Reply to
Alex

Exactly; regardless of why the PIN fails to be authenticated by the card, the retailer handles the situation in the same way - either take a chance, or ask for an alternative form of payment.

[snip]

Googling for 'panama unisys id cards' will reveal dozens of articles about the situation. Essentially, a Colombian was found in possession of 500 blanks, and Unisys was found in possession of 30000 blanks. Now, in this context, 'blanks' is left somewhat vague. By virtue of the Panamanian government cancelling Unisys' contract, this suggests that this was more of a security risk than your description above of the procedure for CC/Debit card issuance. This could, of course, be due to extremely different issuing procedures.

Best Regards, Alex.

Reply to
Alex Butcher

"Alex Butcher" wrote

Reply to
Tim

GSV Three Minds in a Can wrote in uk.finance

Idle (hypothetical) thought: If I were to wipe [1] the magstripe on my bank cards, I presume this would then protect them from this type of fraud?

[1] How strong a magnet would you need to do this? Would doing so also fry the chip in the process, or is it impervious to this..? :-(

Do C&P-aware ATMs check for the magstripe or the chip first? If they check for the magstripe first, this would obviously cause difficulties in getting money out of the bank.. :-(

Obviously doing this would prevent the use of the card in non-C&P ATMs or card readers, but this might be a price worth paying..

Reply to
David M

Just leave it next to a couple of other cards on a regular basis - works for me every time - alas :-(

Reply to
Martin

Hi guys,

Forgive me for jumping in (and especially if I've missed something).

Not sure how many of you know this but there are 2 different PINs on the IC, one known as the offline PIN and the other known as the online PIN. Now when you enter your PIN incorrectly 3 times, eg at a merchant, it is the offline PIN that is "blocked" (because at this point the IC has not had to communicate with its issuer for PIN verification). That's why you can go to an ATM and request a "PIN unlock". From a system point both PINs are kept in sync at all times, through the Issuer scripting mechanism. There is an exception to this rule which has been proven in the past - unfortunately it trashes your card and you then have to request a new ICC from your issuer.

Anyway hope this helps - in some small way.

Reply to
s.devonport

In message , snipped-for-privacy@zeda.co.uk writes

But for C&P there is no communication with the issuer for the purpose of Pin verification.

Reply to
john boyle

At 20:10:11 on 17/03/2006, john boyle delighted uk.finance by announcing:

That is the point. And I'd probably amend your statement to read "But for C&P in the UK there is currently no communication with the issuer for the purpose of PIN verification in 'regular' merchant transactions."

Reply to
Alex

I would like to clarify my earlier statement...By PIN I of course meant it's the offline PIN that gets verified at the merchant terminal - at that point in the transaction lifecycle. The (offline) PIN would be "verified" by the Issuer once the auth. request had been passed to the Issuer. This "double verification" boils down to a matter of trust - which is the whole ethos of C&P.

Regards,

Steve.

Reply to
Steve Devonport

At 08:14:44 on 22/03/2006, Steve Devonport delighted uk.finance by announcing:

Although only indirectly. The offline PIN itself, encrypted or not, isn't sent to the issuer.

Reply to
Alex

In message , Steve Devonport writes

That doesn't clarify it for me I'm afraid.

With C&P there is NO PIN verification by the 'issuer' at all. The (offline) PIN is NOT "verified" by the Issuer once the auth. request had been passed to the Issuer.

Reply to
john boyle

At 19:15:38 on 22/03/2006, john boyle delighted uk.finance by announcing:

Yes there is. Indirectly in the case of offline PIN (non-ATM transactions in the UK) and directly in the case of online PIN (ATM transactions in the UK).

It certainly is, but indirectly. The cryptograms sent to the issuer will indicate whether the PIN was verified by the card or not. Also, since the card belongs to the issuer and is programmed by the issuer, the issuer has verified the PIN offline whether the transaction itself goes online or not.

Reply to
Alex
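The "indirect" verification described in the reply above, as an added illustration that is not from the thread: the card's offline PIN never leaves the card, but the result flags it includes in the MACed request cryptogram let the issuer learn whether the card verified it. The key, the flag layout and the HMAC construction are constructed stand-ins for the real EMV session-key and CBC-MAC details.

```python
import hashlib
import hmac
import struct

# Constructed flag bits for a "card verification results" style field.
CVR_OFFLINE_PIN_OK = 0x01      # card compared the entered PIN and it matched
CVR_PIN_TRY_LIMIT_HIT = 0x02   # offline PIN is blocked on this card

DATA_LEN = 7   # struct ">HIB": 2-byte counter, 4-byte amount, 1-byte flags
MAC_LEN = 8


def card_generate_ac(card_key: bytes, atc: int, amount: int, cvr: int) -> bytes:
    """Card side: MAC over transaction counter, amount and result flags.
    Note the PIN itself is not an input anywhere here."""
    data = struct.pack(">HIB", atc, amount, cvr)
    mac = hmac.new(card_key, data, hashlib.sha256).digest()[:MAC_LEN]
    return data + mac


def issuer_check(card_key: bytes, msg: bytes) -> dict:
    """Issuer side: authenticate the cryptogram with the shared card key,
    then read what the card asserted about its own offline PIN check."""
    data, mac = msg[:DATA_LEN], msg[DATA_LEN:]
    expected = hmac.new(card_key, data, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):
        return {"authentic": False}   # tampered or forged: trust nothing in it
    atc, amount, cvr = struct.unpack(">HIB", data)
    return {
        "authentic": True,
        "atc": atc,
        "amount": amount,
        "offline_pin_verified": bool(cvr & CVR_OFFLINE_PIN_OK),
        "pin_blocked": bool(cvr & CVR_PIN_TRY_LIMIT_HIT),
    }
```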

In message , Alex writes

I should have used the word 'directly'

But in this latter case isn't that still magstripe technology?

Yes, I take your point but I am sure you know my meaning was that the PIN isn't sent down the line to HO.

Reply to
john boyle

At 21:05:25 on 22/03/2006, john boyle delighted uk.finance by announcing:

And also specified that you were referring to the UK and non-ATM transactions.

In an increasingly small number of cases; i.e. those ATMs yet to be upgraded.

It is with online PIN - that's what online PIN means. In the case of magstripe, the PIN is encrypted by the ATM before it goes over the network. In the case of EMV (C&P) it is encrypted by the card. Online PIN is only used for ATM transactions in the UK at present, but it may well be used more fully in other countries.

Reply to
Alex
