Nationwide also to introduce "Card Reader Security"

Nationwide Building Society are to impose Chip&PIN card readers onto members who use internet banking and have a Visa Debit card.

It sounds as though this will work in a similar fashion to the Barclays Bank system previously mentioned by others in this newsgroup.

For some internet banking transactions, Nationwide members will, it seems, have to enter their PIN into the card reader to generate a passcode for use on the internet banking site.


I wonder whether this device will carry the same risks as the Barclays device, whereby incorrect PIN entry will be explicitly noted as such, therefore releasing yet another assisted-mugging-tool (ATM) into the world: "Computer says no, now tell us your *real* PIN.."

Does anybody know whether there is any way for Nationwide members to submit a motion to the board to demand they reconsider this move, if it turns out the device can be used to compromise PIN (and cardholder!) security?

David.

Reply to
David M

Your posting doesn't make sense. Why would an incorrect PIN entry put you at risk?


Reply to
Stickems.

If the (potential) muggers have one of these devices, they can check (at the time of the mugging) that the cardholder has told them (under duress) the correct PIN.

Reply to
Graham Murray

I think that he means someone who has access to both your card and the machine can use the machine to establish your PIN by continuous attempts and then, when they know the PIN, can use the card in an ATM; i.e. that the 'home' machine tells you that you have entered the PIN wrongly and does not lock up after 3 wrong attempts.

If he does then he hasn't described it very well.

But if this is the case, he does have a point: the Swedish bank account that I had, that used a PIN machine, did lock up (forever) after three wrong attempts, and issuing machines that did not do so would be negligent of the bank IMHO.

tim

Reply to
tim (not at home)

Stickems. wrote in uk.finance about: Re: Nationwide also to introduce "Card Reader Security"

Read this (emphasised) paragraph again:

> I wonder whether this device will carry the same risks as the Barclays device, whereby *INCORRECT PIN ENTRY WILL BE EXPLICITLY NOTED AS SUCH*, therefore releasing yet another assisted-mugging-tool (ATM) into the world: "Computer says no, now tell us your *real* PIN.."

If you are mugged, and the mugger has one of these devices, and they force you to tell them your PIN, they can use the device to determine whether you were telling the truth or not, if the device returns "Incorrect PIN" rather than a spoof passcode (indistinguishable from a correct response) on incorrect PIN entry.

NB: Please quote properly and don't leave slug-trails..

Reply to
David M

I'd be astonished if it didn't lock up after three attempts as I'd assume that was a feature of the card, not the card reader.

No, the problem is that a mugger can force you to tell them the PIN on your card, and can verify it is correct. Google for rubber-hose cryptanalysis.

It wouldn't be completely trivial to fix this problem though. The card reader itself is very dumb and basically only responsible for getting the keypresses to the card and getting the answer from the card onto the screen. So the best that could probably be done is for the card reader to display a particular value rather than the "pin incorrect" message but any mugger would soon get to know about that anyway.

Tim.

Reply to
Tim Woodall

So, if this mugger can extract the correct PIN by force, he/she can also extract other security data. The OP's fears about this new and unnecessary device are unfounded.


Reply to
Stickems.
[...]

Don't know how this could be done but, if you're not aware already, I think the first place to ask might be the "Members Relations" dept at the Swindon HO.

Reply to
John Burke

The old way. In a dark alley. Mugger: What's your PIN? You: 6547. Mugger goes off to cashpoint.

The new way. In a dark alley. Mugger: What's your PIN? You: 6547. Mugger: That's not right.

Tim.

Reply to
Tim Woodall

Any half-way decent system would defeat this - there's no difficulty designing a system that acknowledges a correct PIN for normal use, plus a second one for use under duress that is accepted, but rings alarm bells at the bank. The muggers could then find the account locked down after using an apparently correct PIN.

Reply to
Mike Scott

Yes, but the banks aren't introducing 'half-way decent' systems :-(

Reply to
Tumbleweed

It is claimed that the PIN does not reside on the card, so a random PIN checking device would not work.

tim

Reply to
tim (not at home)

The pin cannot be extracted from the chip, but you can make a "transaction" with the chip that will only succeed if the pin is correct.

So you only get three attempts to guess the pin. But with these devices it's become trivial to make those guesses with no possibility of being detected.

I have three cards in my wallet that will work with the PINsentry. That means, if I lose my wallet, the finder/thief can make 9 guesses safely away from detection.

While it was always possible to do this, it's now just got very easy and a fairly obvious thing for a wallet finder who isn't going to return it anyway and will keep the money, or a wallet thief, to try.

If there is an average of four cards in a wallet then it's going to be about one in 1000 lost wallets that will have a card where the pin is successfully guessed.

(If the thief is more brazen and prepared to try at a cashpoint as well then their odds are doubled. You get three attempts using PINsentry and then another three attempts at the cashpoint to unlock the card again)

Tim.

Reply to
Tim Woodall
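The guessing and duress scenarios discussed in this thread, modelled as an added Python example. This is not code from Nationwide, Barclays or the EMV/CAP specifications, and every name in it (Card, Bank, leaky_reader, opaque_reader, guess_wallet, p_any_pin_guessed) is hypothetical. It assumes an EMV-style PIN Try Counter of 3 that a wrong VERIFY decrements and a correct one resets, uniformly random 4-digit PINs, and an HMAC that stands in for the real passcode derivation. Two reader behaviours are shown: one that announces "Incorrect PIN" (the oracle David M and Tim Woodall describe) and one that shows a random decoy code on a wrong PIN and also accepts Mike Scott's duress PIN, which only the bank can tell apart from a normal passcode.

```python
"""Toy model of a chip-and-PIN reader used as a PIN oracle (added example, not
bank or EMV code). Assumed: a PIN Try Counter of 3, uniformly random PINs, and
an HMAC in place of the real passcode algorithm. All names are hypothetical."""
import hashlib
import hmac
import secrets
from typing import Optional


class CardBlocked(Exception):
    """The PIN Try Counter has reached zero; the chip refuses further VERIFYs."""


def derive_passcode(key: bytes, challenge: str, flag: str) -> str:
    """8-digit passcode bound to the challenge and to how the PIN was accepted."""
    mac = hmac.new(key, f"{flag}:{challenge}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Card:
    """The chip: the PIN never leaves it, it only answers yes/no to VERIFY."""

    MAX_TRIES = 3

    def __init__(self, pin: str, key: bytes, duress_pin: Optional[str] = None):
        self._pin = pin.encode()
        self._key = key  # per-card secret shared with the issuer (assumed)
        self._duress = duress_pin.encode() if duress_pin else None
        self.tries_left = self.MAX_TRIES

    @property
    def blocked(self) -> bool:
        return self.tries_left == 0

    def verify(self, pin: str) -> str:
        """VERIFY: 'ok', 'duress' or 'wrong'. Each wrong answer burns a try."""
        if self.blocked:
            raise CardBlocked("PIN try counter exhausted")
        if hmac.compare_digest(pin.encode(), self._pin):
            self.tries_left = self.MAX_TRIES
            return "ok"
        if self._duress is not None and hmac.compare_digest(pin.encode(), self._duress):
            self.tries_left = self.MAX_TRIES  # looks like a normal success to the mugger
            return "duress"
        self.tries_left -= 1
        return "wrong"

    def passcode(self, challenge: str, flag: str) -> str:
        return derive_passcode(self._key, challenge, flag)


def leaky_reader(card: Card, pin: str, challenge: str) -> str:
    """Reader that announces a wrong PIN in clear text: the mugger's oracle."""
    result = card.verify(pin)
    return "Incorrect PIN" if result == "wrong" else card.passcode(challenge, result)


def opaque_reader(card: Card, pin: str, challenge: str) -> str:
    """Reader that shows a random decoy code on a wrong PIN. The chip still
    counts the try; only the bank can tell a decoy from a real passcode."""
    result = card.verify(pin)
    if result == "wrong":
        return f"{secrets.randbelow(10**8):08d}"
    return card.passcode(challenge, result)


class Bank:
    """Issuer: accepts 'ok' passcodes, accepts 'duress' ones but raises an alert."""

    def __init__(self) -> None:
        self._keys: dict = {}
        self.alerts: list = []

    def issue(self, number: str, pin: str, duress_pin: Optional[str] = None) -> Card:
        key = secrets.token_bytes(16)
        self._keys[number] = key
        return Card(pin, key, duress_pin)

    def check(self, number: str, challenge: str, code: str) -> bool:
        key = self._keys[number]
        for flag in ("ok", "duress"):
            if hmac.compare_digest(code, derive_passcode(key, challenge, flag)):
                if flag == "duress":
                    self.alerts.append(number)  # e.g. lock the account, alert staff
                return True
        return False


def guess_wallet(cards: dict, reader, guesses=("1234", "0000", "1111")) -> dict:
    """A wallet thief tries common PINs (a constructed list) on every card until
    each chip blocks. Returns the PINs the reader *appears* to have confirmed."""
    found = {}
    for number, card in cards.items():
        for guess in guesses:
            try:
                shown = reader(card, guess, "0000")
            except CardBlocked:
                break
            if shown != "Incorrect PIN":
                found[number] = guess
                break
    return found


def p_any_pin_guessed(cards: int = 4, tries_per_card: int = 3, pin_space: int = 10_000) -> float:
    """P(at least one card's PIN is guessed), assuming uniformly random PINs."""
    return 1 - (1 - tries_per_card / pin_space) ** cards
```

With the thread's figures, p_any_pin_guessed() gives roughly 0.0012 (about 1 in 830) for four cards with three tries each, and about 0.0024 (1 in 420) when three further cashpoint attempts per card are added, which matches the estimates above. Against the leaky reader, guess_wallet shows the thief silently exhausting every card's counter; against the opaque reader it shows the thief walking away believing a wrong PIN, which is the whole point of the decoy.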

A few months ago Nationwide introduced a new security feature - an extra 10 questions to verify identity. I have yet to be asked any of them apart from the initial setup.

Reply to
Rob.

You didn't have to answer all of them, you picked a few (3 was it?) that suited you. Being late middle-aged I particularly liked "what do you want to be when you grow up".

Robert

Reply to
RobertL

I suppose it needed saying :-(

Reply to
Mike Scott

.. whereas if they do this at the cash point they risk getting their photograph taken by the ATM.

But surely no bank would release such a device would they (for the very good reason given by the OP)? Surely the card reader simply provides a number that the customer reads out to the bank person who in turn can check it?

Is it really the case that the Barclays one tells you if the PIN is wrong or is it an urban myth?

Robert

Reply to
RobertL

Except that I could not find five (it was 5) that suited me! I made up fake answers just to log in and hope I never get asked the questions!

Yes, all the questions seemed to be for children :-(

M.

Reply to
Mark

Which, of course, will mean that by the time you are asked, you will have forgotten the answer that you gave.

Why do they send these people to the stupid security school?

tim

Reply to
tim (not at home)

If you were mugged and forced to hand over your pin at a cashpoint who pays?

I could have about a 2k facility in my wallet. Have I lost the money or has the bank?

Reply to
Jane T
