Credit Cards/Chip and Pin/ATM withdrawals

Might this not work if the cash machine is offline? What would normally happen in this case (with a non-blocked card)?

Bear in mind that one credit card company said they can block ATM withdrawals on secondary cards but not the main card. :-(

Mark.

Reply to
Mark

At 22:46:57 on 21/12/2005, Cynic delighted uk.finance by announcing:

You're a little out there...

Reply to
Alex

What details are communicated between the chip and the ATM? e.g. If the chip sends a "PIN ok" signal to the ATM, could a fraudster create a chip that always sends this signal?

Until someone discovers a way around this maybe?

Mark.

Reply to
Mark

At 09:01:46 on 22/12/2005, Mark delighted uk.finance by announcing:

Transaction is refused. All ATM transactions are online.

Reply to
Alex

At 09:27:22 on 22/12/2005, Mark delighted uk.finance by announcing:

There is no practical way around it*. The only way to attempt a PIN entry is to send the PIN to the card. It responds with 'yes' or 'no'. If it responds with 'no' it also decrements the retry counter. Once it hits zero, the card will not accept any further attempts. The counter is stored in private memory; it can be requested but not altered.

*Meaning spending more time & effort than would be rewarded.
Reply to
Alex
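A minimal model of the card-side check described in the post above, added here as an illustration and not taken from the thread or from any card's firmware. The class name, the try limit of 3 and the sample PIN are assumptions; the status words are the standard ISO 7816 values.

```python
import hmac

SW_OK = 0x9000          # ISO 7816 status word: success
SW_BLOCKED = 0x6983     # ISO 7816 status word: authentication method blocked
SW_WRONG_BASE = 0x63C0  # 0x63Cx: verification failed, x tries left


class ChipModel:
    """Toy model of card-side PIN verification (hypothetical, not firmware)."""

    def __init__(self, pin: str, try_limit: int = 3):  # limit of 3 is assumed
        self.__pin = pin.encode()      # private memory: never returned
        self.__limit = try_limit
        self.__tries_left = try_limit  # private memory: readable, not writable

    @property
    def tries_left(self) -> int:
        """The counter can be requested; no setter is exposed."""
        return self.__tries_left

    def verify(self, candidate: str) -> int:
        """Handle one PIN presentation and return a status word."""
        if self.__tries_left == 0:
            return SW_BLOCKED          # refuse without comparing anything
        # Decrement before comparing, so interrupting the card mid-check
        # cannot buy an extra attempt.
        self.__tries_left -= 1
        if hmac.compare_digest(candidate.encode(), self.__pin):
            self.__tries_left = self.__limit  # success restores the counter
            return SW_OK
        return SW_WRONG_BASE | self.__tries_left


def run_session(card: ChipModel, guesses: list[str]) -> list[int]:
    """Present guesses in order and collect the card's status words."""
    return [card.verify(g) for g in guesses]
```

Once the counter reaches zero the model answers 0x6983 even to the correct PIN, which is the lockout the post describes.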

"Mark" wrote

What happens if you ask for a 'secondary' card in your own name (and shred the 'main' card)?

Reply to
Tim

Agreed.

It seems that proponents of the attitude that "it is unsafe to have a C+PIN card", want to believe that PINs are actually *insecure* (true) but that the banks/FOS/courts will believe that they are totally *secure* (this bit is untenable).

Reply to
Tim

"Palindr☻me" wrote

Where is this attitude coming from?

Everyone knows that PINs are not 100% safe. So what makes you think that the Financial Ombudsman, and the courts, would think so? And if the FOS and courts don't think so, the banks wouldn't have a leg to stand on - would they?

Reply to
Tim

"Palindr☻me" wrote

If this were actually true, then a fraudster giving their card to an accomplice (and then claiming they didn't authorise the transaction), would never be accused of the crime.

So why aren't all fraudsters swapping their cards with each other ... ? :-(

Reply to
Tim

It isn't much of a career opportunity. I rather think the ccc might be reluctant to continue offering a card to someone who seemed particularly prone to unauthorised transactions.

But I dare say that a number of unauthorised sig transactions were rather more authorised than the card holder claimed. I don't think all the fraud reduction that chip and PIN was introduced to reduce was by third parties.

Reply to
Palindr☻me

I am? Why?

Reply to
Cynic

That's where the pre-transaction handshaking comes into things. There is a complex exchange of encrypted data after the card is inserted so that the ATM or POS can verify that the chip is not fraudulent. Again, much of that data is data that cannot be extracted from the card.

Reply to
Cynic

Well, we shall see. IIUC, the banks already try to claim that many/most phantom ATM debit card withdrawals are bogus. Getting money refunded can be a hard battle.

The ccc will do the same.

Of course those that stick to their guns will probably win through, but how many people will not fight?

Incidentally, I happily use a chip and PIN debit card in ATMs within a bank. I have never had any worries about doing so, in many countries, including this one.

The difference is that I do this at most once a month. I use credit cards many, many times a day, in all sorts of places.

Very, very few people ever see me use a chip and PIN card at the moment, to know that I have a card and a PIN. That is a situation I intend to continue. Rightly or wrongly, I associate a chip and PIN with its equivalent in hard cash that can be withdrawn anonymously from ATMs. Whereas chip and sig can mostly only be used for goods, by a female, in a shop.

I don't see much point in debating this further. I will use chip and PIN in situations where I feel happy to use a PINpad and chip and sig elsewhere.

Reply to
Palindr☻me

The circuit design and silicon layout must be worth its weight in rice crispies to anyone "seriously" planning to attack the chip. For example, it may be as "simple" as micro-etching and then hitting the right spot with a laser to set the chip to always generate "a PIN ok" flag - or even something as crude as a drill in a micro milling machine may achieve the same effect. I wonder if they have spent as much effort on making the chip proof from those sorts of attack as they have on its encryption algorithms and software?

The software on the chip may be set up to be easily changed to make it economically non-viable to try to defeat the PC+card hack - but I doubt that the real-estate of the private store can be re-designed all that easily or cheaply.

Reply to
Palindr☻me

At 13:07:23 on 22/12/2005, Cynic delighted uk.finance by announcing:

Because you're assuming all 10 cards are using the same PIN.

Reply to
Alex

At 13:10:07 on 22/12/2005, Cynic delighted uk.finance by announcing:

Oh, would that it were so. Unfortunately, DDA is a lot more expensive than SDA and so has not been implemented in UK cards yet. As a result, it's only a simple exchange of encrypted data ;-)

Reply to
Alex

At 12:50:44 on 22/12/2005, Palindr☻me delighted uk.finance by announcing:

It was primarily introduced to stop skimming.

Reply to
Alex

"Alex" wrote

There's not much difference though, really, is there? [Between all same PIN or all different PINs.]

1 in 333.3 -or- 1 in 333.8 ...
Reply to
Tim

In article , Palindr☻me writes

Yes, they have. Try reading the IC data sometime.

Chip is designed to self-destruct under all mechanical attacks including x-ray probing

Reply to
Mr X

At 14:36:01 on 22/12/2005, Mr X delighted uk.finance by announcing:

Where do you get that idea from?

Reply to
Alex
