Credit Cards/Chip and Pin/ATM withdrawls

At 20:56:28 on 22/12/2005, Palindr?me delighted uk.finance by announcing:

By 'very high' I meant within range...

On the contrary. Timings are critical to sales of PINpads and cards. Tesco, for instance, calculated something like 1 second at the checkout was worth £1m or something.

I rather thought that any delay in internal processing would sort of fade into insignificance compared to the delays in data transmission and data entry.. Especially if it is me - I use a PIN pad so infrequently that I have to look at the keys.

Say, leap year?

Something like that?

DG

What about "Swipe only" (not insert) readers, often seen of portable (hotel/pub/filling station) ATMs.

DG

Hmm. Where does 299/300 come from? The first card is wrong 9997 times out of 10000, or about 2999/3000.

Try 0.997.

Close. Try 1 in 333.78.

The subtleties which distinguish a result of 1 in 333.78 from one of

1 in 333.33 are to do with the attacker's strategy.

If the attacker assumes the PINs are all the same, then his number-picking strategy must be one of taking 30 different guesses to find that one number. He will therefore never guess a number he's tried before.

If the PINs in fact are all the same, then the result of applying this strategy are that the first guess has an (N-1)/N chance of being wrong (where N000), the 2nd guess (N-2)/(N-1) of being wrong, etc, and the

30th guess (N-30)/(N-29) of being wrong. The chance of all 30 guesses being wrong is exactly (N-30)/N because all the terms (N-1) to (N-29) cancel out pairwise. So the chance of at least one guess being correct is exactly 3 in 1000, or about 1 in 333.33.

If, however, the PINs are all different, the 2nd card's PIN has a 3/N chance of being one of the 1st card's 3 guesses, and since the attacker won't try any of those, the 4th/5th/6th guesses stand a 3/N chance of being wrong no matter which number is tried, and so card 2 stands only an (N-3)/N chance of standing a 3/(N-3) chance of being right. So: Card 1 wrong: (N-3)/N. Card 2 wrong: 3/N + (N-6)/N = same as card 1, so chance of all 10 cards wrong: [(N-3)/N]^10, of at least one right: 1 in 333.78.

Next, look at what happens if the attacker believes the PINs all to be different, and so modifies his strategy so as *not* to avoid re-using numbers (except those that have been tried on the same card). Will you expect different success rates depending on whether they in fact are all the same or all different?

What if the assumption and/or the facts are that the PINs are neither the same nor different?

At 21:23:41 on 22/12/2005, Derek ^ delighted uk.finance by announcing:

I would hope they'll now be liable for any fraud.

In message , Tumbleweed writes

Are you saying that the TV cloned the C&P card? wasnt it that they just cloned the magstripe card?

AIUI, the PIN will still be checked by the chip. If the chip is disabled the transaction will fail without further reference notwithstanding the existence of the cloned magstripe.

Oh bugger factor of 10 out :-)

AIUI they cloned the magstripe from a C&P card, the new card (with the cloned magstripe) was then accepted by an ATM. I dont know if they altered the magstripe after copying it.

In article , Alex writes

Not an acid. There are solvents.

Please don't keep displaying your ignorance of this particular subject. Don't make the common mistake of thinking your particular expertise in a particular narrow subject area equates to knowing all about wider subjects.

There are many solvents around. The IC/Transistor manufacturers themselves are often able to supply a solvent for a particular plastic packaging so that the IC/Transistor can be examined to work out the failure mode.

Been there, done that.

In article , Derek ^ writes

What about them? Many readers are incapable of swallowing a card.

I didn't know that hard drives had got small (and cheap) enough to embed them in cards! :-)

Tumbleweed wrote: ...

See my arithmetic elsewhere in the thread. Chance of cracking at least one of 10 cards, when allowed 3 goes per card, is about 0.002996

Tumbleweed wrote: ...

They did alter the data. There was a flag on the stripe to say "chip card". The cloning software gave the opportunity to clear this - and presumably recalculate any checksums before writing the new card.

But we were assured during the program that this was "impossible". You can guess by whom :-)

BTW is it an offense to clone one's /own/ card?

So until ATMs phone home and check if this is a C&P card, this is going to be an issue.

I'm going to hazard a guess its not ones own card, its the banks and you are licensed to use it whilst you follow a certain set of conditions.

Yes, and if all the cards use a PIN that you decide in advance not to try on any of the 30 attempts, you'll also have zero possibility that you will get it right. That's why the chance is only a *probability* and can make absolutely no assumptions whatsoever. The more you know about the PIN, the higher are your chances of guessing it correctly.

If you know for a fact that all the cards have the same PIN then the probability of guessing it correctly is *very slightly* increased because the chance increases slightly for each guess - because you have reduced the number of possibilities by 1 each time by eliminating the number you guessed incorrectly. Obviously if you have 9999 guesses that are all incorrect, then it is certain that your next guess will be correct because you will have eliminated all other possibilities. Similarly, after 9998 incorrect guesses, you have a

50/50 chance of getting it right on the next guess. etc.

Not sure where you get those figures, but they are totally incorrect!

On first card: Chance of 1st guess being right is 1:10000 Chance of 2nd guess being right is 1:9999 Chance of 3rd guess being right is 1:9998

Then it makes a difference if all the PINS are the same or not. If not, then the chances of the 3 guesses are the same as above for each of the rest of the cards (and you could use the same 3 guesses for each card without affecting your chances). If the PINS are the same, the probability continues to decrease - i.e.

Chance of 4th guess being right is 1:9997 Chance of 5th guess being right is 1:9996 Chance of 6th guess being right is 1:9995 etc.

So you may as well use different random numbers for each guess *in case* the PINS are all the same.

Whichever is the case, it makes very little difference to the end result which, as I have said, is approximately 1:333.

Would leave a standard silicon microchip. I cannot think of any way that the physical structure could be designed to destruct under X-rays

- maybe it is but I don't see a lot of point in doing so because the information needed by a fraudster is in the memory data, not the physical construction or circuit. Most memory elements would be erased under ionising radiation, but I don't think that's relevant.

It's akin to taking a hard disk drive and meticulously working out the circuit of its control board and analysing all the physical components. That will not assist you in the slightest way to retrieve a password or other information from the drive.

There are instruments that can read microscopic charge distribution on a memory array of a silicon chip and so be able to expose the contents of the entire firmware and private data area, but nothing that would be available to even an extraordinary fraudster, and it would take a

*huge* amount of time & effort even with the right equipment. And at the end of all that effort, the fraudster would have information from the private area of *one* card, and so be able to steal a few thousand pounds maximum.

Depends whether it is a down-counter or an up-counter!