Credit Cards/Chip and Pin/ATM withdrawls

bad boy

In message , Mark writes

The encryption technique.

Don't put too much faith in encryption. The latest Microsoft Challenge responce encryptions for logging into networks can have passowrd recovery done on them. Basically a bunch of people left lots of PC to work out every possible encryption. They the store the answer in a database, that can search very quickly. You enter your encryption (that is VERY easy to capture from the network), and it looks up the password that creates the encryption.

Its not so hard.

You can buy certain of these "databases" on eBay, allthough in the example above the database is very large.

Rick

At 23:57:19 on 05/01/2006, Rick delighted uk.finance by announcing:

And how does that help you with PKI?

Even knowing part of the plaintext, cracking a standard 72-bit DES key (symmetric encryption) has so far taken 1,130 days and got through only 0.287% of the keyspace. And that's with up to 70,000 participants (and many of those participants will be using more than one computer).

The PKI keylengths used in EMV are currently running at 1152 bits.

Why? If the only way anyone else can get your pin is from you telling them, what's the danger in using the same pin for everyone?

Jim.

What algorithm is used in EMV encryption?

Mark

At 10:13:05 on 06/01/2006, Mark delighted uk.finance by announcing:

Surely a pin collector card would not make the machine say "pin ok".

It's no more dangerous than me having one card with one pin. I just happen to have several cards (for the purposes of getting the best deal).

If the majority of customers have several cards and use the same PIN for each - then shoulder surfing followed by theft gives a potential immediate payout of many times the daily limit set for one card.

Which would increase the attractiveness of such a crime. Also, if such cards in a wallet include cards without chips, then those cards can be cloned and used together with the PIN.

If only a minority of customers use the same PIN, the odd thief will get lucky. But it would be a bonus rather than an expectation.

You can see why ccc discourage it.

But you can't see the obvious direct benefit to the consumer of having to remember more pin numbers and which cards they match.

Jim.

At 14:01:02 on 06/01/2006, Peter Hucker delighted uk.legal by announcing:

So how do you suggest this works?

The alternative is for the card to claim the PIN is incorrect. In which case, it either has to block itself after 3 attempts, or allow infinite retries. In the former case, as soon as the cardholder tries to unblock the card the game's up. In the latter case, they should realise something's up.

There's still the small matter of the thief having tracked this person and gain access to their card a second time.

Finally, there's the less small matter of the thief knowing the bank's secret key to start with so they can authenticate the card to a terminal. Unless, as I said above, they also had dodgy terminals everywhere.

"Jim Ley" wrote

Well - for one reason, because that is *not* "the only way anyone else can get your PIN" !

"Jim Ley" wrote

Just because something might be a "benefit to the consumer", does not make it a "good thing".

For instance, writing the PIN down in plain view on the card itself may be a "benefit to the consumer" (they'd never have to remember any PIN again!)

- but of course it is clearly a very *bad* thing to do!

Which is why it's prevented in the terms and Conditions, the every pin the same is not, so it's the consumers choice if they do it, as there's no direct benefit they'd be quite entitled to go for what is easiest for them, indeed I would encourage it.

Jim.

Every time I make an unusually large purchase, the bank gets worried - they must be watching out for these things. I even had one declined until I phoned them and authorised it.

What cards without chips?

It would be absolutely impossible for me to remember several pins.

I tried to remember 3. I kept getting them mixed up and locking cards all the time.

At 15:10:55 on 06/01/2006, Peter Hucker delighted uk.legal by announcing:

My Amex, for one. Expires next month though so let's see what I get in its place.

All mine have been going on and on about PINs for the last year or two.

What is an Amex? I see them listed in "cards we accept" in some shops occasioanlly, but I've never seen one. I've also noticed that some places charge you for using one.