Credit Cards/Chip and Pin/ATM withdrawals

And as any PR person knows, it's impossible to make such a statement without the press loudly trumpeting "Bank spokesman says its systems are insecure!".

At which point that bank goes down the pan.

This is the reason why banks make what look like bloody silly statements about security. The people who understand the systems know that they're not foolproof but they also understand that they don't have to be, they just have to be good enough to keep fraud down to a reasonable level.

Newspaper headline writers, on the other hand, are in no way interested in reasonableness.

Cheers,

John

john1_anderton

At 13:39:04 on 23/12/2005, Cynic delighted uk.finance by announcing:

It indicates retries remaining.

Alex

Not a chance. That's like saying that you could break an encryption key by having access to loads of encrypted messages. Can't be done (assuming a good algorithm).

Didn't last long though - Sky updated the system and the forged cards were junk. Encrypting streaming video involves a range of problems that do not exist in the small amount of data required in a CC transaction.

Except that's been thought about *very* carefully so that it would be extremely difficult to achieve.

They leap-frog rather than being ahead or behind. A security measure is adopted. At first there is no fraud. Then a few people crack it and there is a small amount of fraud. Then the word spreads. Eventually the amount of fraud hurts enough to be worthwhile changing the system. Then it starts again.

Most systems these days have a built-in fallback security system so that in the event of a sudden spate of widespread fraud, the system can be changed almost immediately to give breathing space to update and re-issue. That's what Sky did at one time - although the fallback security caused some interference with the sound channel and viewers had to put up with some periodic background chirps until the new cards could be manufactured and distributed.

Cynic

If you think about it in terms of discrete components (eg relays!), then having the detailed circuit diagram and the physical layout would allow you to go straight to the relay you wanted to jam the match-stick in. A silicon chip will need something a little more sophisticated than a match-stick, but the principle remains the same - if you can identify the gate you want to disable, and have the right tools, you can lock that gate to a desired state.

No, if you must use the disk drive analogy, it is knowing the exact platter, head and sector that holds the data. So you can go to that physical spot and read/write or change it without using the head array. Which does mean knowing the physical layout of the platters in detail.

Going back a bit, with a ferrite bead array, it is knowing which bead is mapped to which bit of which word or which address. You could then use an external method to change the state of that bead, independent of the sense wires and electronics. Ferrite beads were big enough so that you could actually do this by hand, with a magnifying visor and a steady hand. Silicon chips need somewhat more precise tools...

Why read the information? As you say, it would be of use only on that one card. But, if all cards store the encrypted PIN and the entered PIN in the same physical memory addresses? You could permanently set those memory locations to identical states and thus make all the cards work with any PIN. Load a card into the machine, get a reference point from the chip, fire a laser a few times at the right offsets, remove card and repeat with the next - all automated. 20 cards a minute all set to work with any PIN - must be worth something...

I am not saying that it can be done that way - but having access to the firmware and the physical chip layout would be the way to know..

Palindr☻me

At 10:52:30 on 23/12/2005, Mike Scott delighted uk.finance by announcing:

Umm, I don't see how unless they knew the bank's key. The fact that verifying this checksum wasn't (and perhaps still isn't) part of the transaction rules is the main problem.

No. The card *owner* is perfectly entitled to clone a card.

Alex

Cynic wrote

Which is approximately what is done with home banking access; two of the three stages of mine use something similar, and always require, or allow me to choose, different data.

Gordon

Cynic wrote

There is another factor, that I have been with the same bank, (sorry B.S.), for many years, likewise with my CC, and I have no doubt that those who switch banks and/or CC companies frequently to chase interest rates might well have more difficulty with regard to credibility. ;-)

Gordon

Palindr☻me wrote

I am also sceptical about that! I have been aware (and amazed) at the number of people who allow family members to use their cards. Not this family!

My guess is that the banks sometimes cough up for 'phantom withdrawals' which are complicit. Hopefully there is inter-bank info exchange on suspicious cases.

Gordon

If entering just two digits the odds are much higher you could guess them.

Tumbleweed

1 in 10 * 10 if I remember back to GCSE maths.

However most banking sites will lock out your access if you get the details wrong a few times.

Chris Howells

In message , Gordon writes

In my direct experience you are right.

Good!

I agree, this has happened many times.

Sadly there is no such collusion (data protection etc.), but I have known a bank refuse to renew cards that it knew were being used by people other than the cardholder.

john boyle

And mine, but it is three digits from six, rather than two from four.

Plus one item of "memorable data", which you must give them three of when you sign up, but you choose which to enter when logging in.

Plus of course, your customer number (which is NOT the same as any of your account numbers).

Alex Heney
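
An added example, not part of any post in this thread: the "two digits from four" and "three digits from six" logins described above, with the lockout after a few wrong answers, written as a Python check. The class and function names, the three-attempt limit and the sample secrets are assumptions made for the illustration.

```python
import hmac
import secrets
from fractions import Fraction


class PartialSecretLogin:
    """Asks for k randomly chosen digits of a stored numeric secret."""

    def __init__(self, secret, k, max_attempts=3):  # 3 is an assumed limit
        # The server must be able to read individual digits, so the secret
        # cannot be kept as a single one-way hash (kept in memory here).
        self.secret = secret
        self.k = k
        self.max_attempts = max_attempts
        self.retries_remaining = max_attempts
        self._positions = None

    def challenge(self):
        """Return the zero-based digit positions the user must supply."""
        if self.retries_remaining == 0:
            raise PermissionError("account locked")
        if self._positions is None:
            rng = secrets.SystemRandom()
            self._positions = sorted(rng.sample(range(len(self.secret)), self.k))
        return list(self._positions)

    def verify(self, answer):
        positions = self.challenge()          # raises once locked out
        expected = "".join(self.secret[i] for i in positions)
        ok = hmac.compare_digest(answer.encode(), expected.encode())
        if ok:
            self.retries_remaining = self.max_attempts
            self._positions = None            # fresh positions next login
        else:
            # Keep the same positions: a wrong answer must not let the
            # caller re-roll until positions they already know come up.
            self.retries_remaining -= 1
        return ok


def blind_guess_odds(k, attempts):
    """Chance that `attempts` distinct blind guesses hit k requested digits."""
    return Fraction(min(attempts, 10 ** k), 10 ** k)


if __name__ == "__main__":
    print("two digits, three tries:", blind_guess_odds(2, 3))    # 3/100
    print("three digits, three tries:", blind_guess_odds(3, 3))  # 3/1000
```
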

Alex Heney wrote

I guess we are with the same organisation. ;-)

Gordon

I'm constantly forgetting pins. When are they going to get it through their thick skulls that I cannot remember a different number for each card? I need to change them!

Peter Hucker

You'd get done for impersonating yourself.

Peter Hucker

At 21:48:45 on 26/12/2005, Peter Hucker delighted uk.finance by announcing:

Then do it.

Alex

I'm constantly forgetting pins. When are they going to get it through their thick skulls that I cannot remember a different number for each card? I need to change them!

Snap! My solution is that you cannot comply with the T&Cs of the card, (guarantee PIN security) and that you are taking advice from Card Watch "Don't use the same PIN for every card."

I suggest you use one card and one card only with a PIN, (maybe your debit card). Send a letter to all your other card issuers saying you have difficulty with PINs (they've no legal rights to ask why) and can you be furnished with Chip & Signature Cards.

This worked for me.

jjamies

wrote

What T&Cs require you to "guarantee PIN security"?

If a bank did try to do this, surely it would be considered an "Unfair Term" and hence be void?

Tim

I do not wish to travel 50 miles to find a bank machine to match each card. Why are we using an antiquated system of ATMs to change the pin?

Peter Hucker

At 13:48:40 on 27/12/2005, Peter Hucker delighted uk.finance by announcing:

I've no idea why you'd wish to do this either. I changed all my PINs at the same ATM in the Asda approximately 1/2 mile away.

Alex
