Credit card "unblocking"

You may enter one PIN to get it blocked. Find the correct PIN and unblock it. Easy if you think about it.

See above.

I think you meant to say "you don't need to enter your pin to get access to the unblocking option - you just put your card in, choose unblock pin, and *then* enter your pin".

Why would he want to "enter one PIN to get it blocked" and what does it mean, exactly?

But in fact you *have* to enter the correct PIN at the ATM to get the option to Unblock Pin. That makes no sense unless the card can be blocked for transactions but not for ATM use? In which case anyone with the PIN could unblock it at the ATM. What's the sense of blocking/unblocking in that context?

Please Mr S!

At 14:57:30 on 07/08/2006, Colum Mylod delighted uk.finance by announcing:

Because in the case of an ATM the PIN is verified online.

At 02:45:20 on 08/08/2006, Colum Mylod delighted uk.finance by announcing:

That's correct. ATMs use the online PIN capability of the card, normal transactions use offline PIN.

The ATM is online so if the card has been reported lost/stolen the card is kept by the ATM.

He would have used the wrong PIN and that would have resulted in it becoming blocked. He would then enter the correct PIN to get it unblocked.

I didn't say he would WANT to enter the PIN which resulted in the card being blocked. He would do it in error when he was mistaken about his PIN.

I don't think anyone has considered the possibility that the wrong PIN can be used which results in the blocking. To unblock at the ATM the correct PIN would need to be used.

It really is easy!

And it's so easy to do. I "remembered" that the third digit of my PIN was one less than the second. It was rejected twice. Then I found the original PIN notification. (Slaps hand - should have destroyed that.) The third digit was in fact one *more* than the second!

Stick the card in an ATM, enter the correct PIN (there is only one), and select "unlock card". Done.

I had kept up with chips and pins, and using ATMs to change PINs but didn't know ATMs could unblock too. Something had given me the idea that the merchant's gizmo could do more with PIN failures than block the card - call home maybe to tell the issuer?

In any event the merchants whose terminals could not use the card would swipe & sign, or just say "call the issuer". None knew the card could be unblocked at an ATM so this ignorance is not only mine.

Chip and PIN is a lot less sophisticated than the impression card issuers give.

They are waiting staff after all. They wouldn't be bothered about whether you had the real PIN at home.

The ATM menus can be misleading. They give a lot of options and then when you use them you'll get a message saying that they can't be used with the particular card.

At 02:07:13 on 09/08/2006, Colum Mylod delighted uk.finance by announcing:

Any terminal can potentially unblock *if* it's just the PIN that's blocked but it does require online enciphered PIN which is not used on terminals in the UK right now. If it's the card that's blocked then only dedicated terminals can unblock it; since these are expensive there are none in the UK and therefore truly blocked cards are nothing more than ice-scrapers.

To remove the PIN block, you enter your PIN which is verified online with the issuer (you can't do this with a card block since it's rejected even before PIN entry). The unblock request is then sent to your issuer who responds with an encrypted script which is decoded by the card. It's not the ATM itself giving the instruction; that does nothing more than pass the information straight through to the card.

It doesn't do this.

If they do the former then they are accepting all the liability if the transaction is fraudulent. It would require them to ignore the terminal telling them to use the chip and to 'pretend' that the chip was faulty.

At 02:31:02 on 09/08/2006, Peter Saxton delighted uk.finance by announcing:

On the contrary. The *implementation* in the UK is less sophisticated than the specification allows.

So we are not receiving the maximum security possible then?

What sort of areas are less sophisticated in the UK?

I don't think it phones home. The microchip just locks the card until you unlock it. I'm sure it's such a common occurrence that the card issuers expect it to happen. I've also had my correctly entered PIN rejected by a faulty chip and PIN reader.

Shell no longer use chip and PIN, due to major fraud a few months ago. Tesco for some reason occasionally produce a signature slip. The checkout operator had no idea why. ("It happens sometimes.") Then my card issuer helpfully emails me. "We've noticed that you didn't use your PIN. If you don't know it or have forgotten it..." So much for chip and PIN being mandatory.

At 13:02:01 on 09/08/2006, Colin Forrester delighted uk.finance by announcing:

Of course we are. It's called don't use money at all. Anything else has varying levels of risk and related cost.

Static vs. dynamic authentication of the card, for one.

At 13:35:38 on 09/08/2006, BrianW delighted uk.finance by announcing:

Because there was some sort of problem. If the receipt makes reference to an AID then it still used the chip data.

What are they?

At 15:46:13 on 09/08/2006, Peter Saxton delighted uk.finance by announcing:

Static Data Authentication is what allows Prof. Anderson to record and replay a transaction thereby fooling a terminal into thinking he's using a valid card - assuming, of course, that the transaction stays offline.

Dynamic Data Authentication uses random data to dynamically authenticate the card using the card's encryption functionality; if the card's private key doesn't match the public key on the terminal then the authentication fails. The terminal therefore knows that this is a genuine (or *extremely* expensively forged, if indeed it's possible right now) card without the transaction needing to go online.

DDA cards are, of course, a lot more expensive. The banks will switch when it makes financial sense to do so.