Chip & Pin @ Tescos

At 12:05:54 on 19/06/2006, Ronald Raygun delighted uk.finance by announcing:

But, since it has been for many years, it's safe to say we can forget about how it 'used to be' (which includes your latter 2 paragraphs of interesting, but obsolete, information).

No, it doesn't. See above.

In the case of a non-EMV card, the PINs are stored only in a secure module at the issuing bank. In the case of an EMV card the PIN is also stored encrypted on the chip. For an ATM transaction the PIN is requested from the cardholder, encrypted, and sent over the network to the issuing bank. The PIN is then verified and the result sent back to the ATM. EMV allows this process to be done locally, with the verification being done by the card, but I'm not sure whether or not this happens in practice. At no point is the PIN, or any hashing data, stored on the magnetic strip.

At 12:14:09 on 19/06/2006, Ronald Raygun delighted uk.finance by announcing:

It's not the reader that's more or less secure, but the data on the card.

No, it isn't safe to say that. The point is that the PIN is not stored on the stripe, and never has been (except possibly in the very earliest days), even when the PIN was checked off-line.

See *where* above? What you call my "interesting but obsolete information" explained how it is *possible* to do off-line PIN-checking on a non-chip card without the PIN being stored on the stripe. Whether that capability is or is not in fact made use of any longer doesn't change the fact that it is not *necessary* for the PIN to be there, and so it almost certainly isn't there.

What are we arguing about? We seem to be agreed that the PIN is not stored on the magstrip (all I'm saying is that this fact alone doesn't make it impossible to check PINS off line).

Now, given that the PIN is not stored in the stripe, I am therefore at a loss to understand what you think makes a stripe reader less secure than a chip reader.

What specific security problem(s) do you have in mind?

At 13:02:10 on 19/06/2006, Ronald Raygun delighted uk.finance by announcing:

I never said it was.

Again, I never said it was.

It's not as simple as you think. It is impossible to have both off-line operation and PIN security: the thing is, if you want offline operation, then even if you don't have the PIN on the card, you do have to have enough information to validate the PIN - a hash of the PIN or something. If an attacker gets hold of that, then since the PIN is a four-digit number, it's trivial to recover it: you just run through all the possible PINs and check whether they validate against the information on the card.

The only way to preclude that is to make the information on the card unavailable to an attacker; for example, you could encrypt the hash using a key which was known only to terminals, or you could store a hash of the PIN plus a secret salt, or something. However, to do this, you have to distribute the secret to the terminals; it's going to be very hard to do that while keeping it out of the hands of the villains. The current system works because the chips themselves keep the secrets, and the villains don't seem to have worked out how to break into them yet, or because the secrets are safe inside cryptographic modules at the bank.

There may be a way to get round this using really cunning cryptographic scheme, or using an asymmetric cipher, but i can't think of one myself. I have a feeling there provably isn't a way to do this if you can't assume that terminals won't be compromised - if an attacker can act like a terminal, it can validate PINs, and so crack them by brute force.

tom

Unless of course, the chip self destructs after a certain number of unsuccessful attempts, which might be possible to implement, and is probably also possible to circumvent.

At 16:56:50 on 19/06/2006, Jonathan Bryce delighted uk.finance by announcing:

Not self-destructs, as such, but either blocks further PIN entry attempts (reversible at an ATM) or blocks access to the card completely (only reversible with specialised terminals).

So possible, in fact, that the above is already implemented.

Possible, but probably really not worthwhile.

Well, if it is reversible at an ATM, it is reversible at some other place that pretends to be an ATM.

At 19:41:02 on 19/06/2006, Jonathan Bryce delighted uk.finance by announcing:

Erm, no. You see, ATMs go online to the issuing bank who then send an encrypted command back to the card to unbolck it. You'd need to know the exact command, and then you'd need to know the secret key to encrypt that command.

We were talking about doing it with a magstripe. That's the whole point - since a chip is active, it can do this, but a magstripe can't, which is why you *can* have secure, offline cards if you use a chip, but not if you use a stripe.

Anyway, roll on biometric security, i say. Or, alternatively, the post-scarcity economy. Show me the whuffie!

tom

No, it's perfectly possible, and was in fact done as standard before machines were routinely off line for much of the time.

No, it's not trivial, provided the validation method is itself secret. The actual *algorithm* for this need not necessarily be secret, but it may require a secret key, known only to the bank's cash machines.

No. Because it is known that the information on the stripe is readable by anyone with access to the right (and readily available) euqipment, it has been necessary to devise a scheme whereby this information is useless without additional keys which are very securely held off-card.

Exactly.

Accepted. That's why you can do stripe-based off-line PIN validation on cash machines (which it is assumed can keep the keys very safe, and erase them if they notice they're being broke into), but perhaps not on machines designed for use in shops and restaurants.

I think it's insecure as I wasn't asked for a pin, a signature, or any other form of identification. I swiped the card, and the shopping was paid for.

I'm tempted to buy an expensive item at Tescos to see what happens then, but there's no expensive item I need right now. Buying a plasma to test Tescos security further might be a bit extreme.

Cheers,

Ross-c

I thought you implied that it would have to be, if off-line PIN verification was to be possible. Now, although you said that with the fact in mind that cash machines nowadays generally authorise on-line, historically off-line PIN verification has, I understand, been common, and the implication of this is that either (by your implication) they are, or else they don't need to be.

I may have got your replies mixed up with clemenr's. Sorry.

Fair enough. I dare say it's Tesco's view that stolen cards are very unlikely to be used for routine shopping, and their experience with no-signature no-PIN petrol dispensers must have helped.

Did you also swipe your Clubcard? If so, I wonder if that helps them believe you're you.

In France chip to chip cloning is now a problem: You & Yours Mon 19 Jun 2006:

Readers might like to listen to today's You and Yours for some cases where people have lost money through fraudulent use of their Chip&PIN and had the experience of the bank refusing to pay up.

((The articel is 28 minutes into the broadcast))

""In France they can now clone chip to chip""

Sandara Quinn (the lady representing the card industry) and Nigel Evans MP failed to mention that consumers dont have to have PINs if they don't want them.

Chip & Signature cards are available for those who simply don't trust PINs

I don't have a clubcard. There are a lot of goods in that Tescos (a massive one on the outskirts of town) that are high-ticket items. I don't know what would happen if I tried to buy a plasma TV on one of the self-service checkouts.

When I had a credit card stolen (mugged), it was used at a self-service petrol station, for a purchase of about £40. This even though I had reported it stolen within minutes of being mugged, and the purchase at the petrol station was much later.

Cheers,

Ross-c

At 22:57:58 on 19/06/2006, Ronald Raygun delighted uk.finance by announcing:

And it is this that makes offline PIN with magstripe impractical in today's world. If you want to restrict your customers to your own ATMs then it's fine. If you want to be part of the LINK (or even worldwide) network then it requires you to share your key with all those ATM operators.

At 07:20:27 on 20/06/2006, snipped-for-privacy@wmin.ac.uk delighted uk.finance by announcing:

£40 was probably under the floor limit and the hotcard file is normally only updated daily.

At 09:47:34 on 18/06/2006, snipped-for-privacy@wmin.ac.uk delighted uk.finance by announcing:

-fraud