PIN fraud

I suppose you could go and defend yourself..... That would cut your expenses. Or ask a good solicitor "Do you take Visa?"

Reply to
Rob

Got sent the PIN yesterday for my new card. It does not have a chip and the letter only talks about cash machine use - which is not what I want to use the card for anyway. Filed letter safely with security flap intact - I don't expect any problems, but if there were I could prove that I did not reveal the PIN.

I'm sure these PIN pads at POS have been around for a few years in other countries. I was asked in 98/99 if I had a PIN to enter when I bought petrol on CC in Sweden. There should be quite a bit of European data around on what has happened in practice.

Reply to
Rob

common sense (of the people that designed it)

tim

Reply to
tim

You will therefore be disappointed to hear that somebody once tried that defense (though only at the ombudsman I think). They lost.

tim

Reply to
tim

In message , Tumbleweed writes

From what you say, the PIN is obtained from the keypad then encrypted with the account details and the HSM uses an algorithm to see if the encryption is valid thereby proving the accuracy of the PIN input. Therefore the PIN isn't stored anywhere. Or have I missed something? Also didn't one very large bank have the system you suggest in its branch controllers (i.e. local servers) which didn't need to be online?

FWIW that same very large bank was still storing PINs on its cards in the early 1990s which is when my direct knowledge of it ceased.

Reply to
john boyle

"Tumbleweed" wrote

The last Chip-n-PIN leaflet I had through the post & actually read (!), said you'll only get *two* attempts before the card will lock itself. You then need to "unlock" it, eg at an ATM - but you'll then need to get it right first time!!

Reply to
Tim

"tim" wrote

If it can be *proven* that both yourself & no-one else could have discovered the PIN from the notification (which still has the security flap intact, which presumably the CC issuer takes to mean that it has never been read), then how can you be held liable for negligence with the PIN?

Of course, if when you come back to the PIN notification the security flap *has* been opened, then that *would* class as negligence (leaving the PIN around for anyone to read!).

If the issuer really is claiming that you knew & were negligent with the PIN, then they must, therefore, be agreeing that an *intact* security flap does **not** *prove* that no-one has ever read the notification. If this is so, then they cannot claim that no-one has read *any* PIN before being received by the rightful owner - so *everyone* would have a valid defense for PIN fraud! :-(

Reply to
Tim

In the example cooked up by Tim, to which I was referring, it *does* take a year (on average) to get a card that works, assuming you can steal about ten cards a day.

Yah, but for the jackpot you need to guess the PIN.

Huh?

Surely the designers must have thought of that, and encrypted the count too.

Encryption is easy, doesn't take many "smarts".

Yes I do. With Public Key crypto-methods you can use a non-secret algorithm with a non-secret key to encrypt a message that no-one but the owner of the secret anti-key can decrypt.

Reply to
Ronald Raygun

No idea. But basically the ombudsman decided that just because you still had *one*, apparently, unopened envelope there was insufficient proof that you did not know your pin. I got this from a newspaper (so it must be right!) and perhaps they just missed out the bit where the bank said they sent two letters :-)

perhaps?

tim

Reply to
tim

"Ronald Raygun" wrote in message news:WyCfc.178$ snipped-for-privacy@news-text.cableinet.net...

This scheme has been used in France for years and they are quite satisfied with it. It is no longer possible to copy cards and banks were able to reduce costs for card abuse. This also makes offline transactions possible which reduces costs for dial up. Credit card commissions are too high anyway.

Reply to
Count Zero

Tumbleweed said on 17.04.04:

Assuming the card doesn't lock down or self-destruct after three failed attempts, of course.

Chris

Reply to
Christian Bartsch

tim said on 18.04.04:

Any source for that? Sounds interesting!

Chris

Reply to
Christian Bartsch

Sorry no, I read it in a newspaper (so it could be bollux) many years ago.

tim

Reply to
tim

In message , Tumbleweed writes

I have now researched the EMV 1 & 2 protocols being used for Chip & Pin.

It is quite clear. Authentication (for ID) is validated OFFLINE. Online authentication may be sought if floor limit or other parameters are exceeded, but PIN checking is local, and offline. Changing of PIN is only available via ATMs that are online at the time otherwise you have to keep using your old pin till you get a 'wrong pin' message. If you enter it three times incorrectly, even at three separate shops or ATMs then you are locked out by the card. BUT if you go to an ATM then you have another chance to re-establish your original PIN, but only once.

In particular Barclays say this: "The technology checks the PIN you entered in the keypad against the PIN held on the chip. This is used to verify your identity instead of someone checking your signature on a receipt.

Many cards already carry a chip, identified by a gold or silver contact pad on the front left. However, all cards are being re-issued with chips that are PIN-enabled."

But the best bit is from the official "chip & pin" web site, and I quote:

"Will criminals be able to access the PIN if it is contained on my card? No. The PIN is securely encrypted (held in a secure memory) within the chip, meaning that it is extremely difficult and time consuming for a criminal to access the PIN if your card is stolen, and they would be likely to destroy the card in the process"

So it would appear that the PIN is held on the card after all.

Googling 'chip & Pin' provided all this.

Reply to
john boyle
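Added example, not part of any post in this thread: a toy Python model of the behaviour the post above describes, where the chip checks the PIN itself and the try counter travels with the card from terminal to terminal. The class and function names, the sample PIN and the four-digit PIN length are assumptions; the status words are the ISO 7816-4 values a terminal sees, and the single post-unblock attempt follows the post's description rather than any specification text.

```python
import hmac

SW_OK = 0x9000        # ISO 7816-4: normal completion
SW_BLOCKED = 0x6983   # ISO 7816-4: authentication method blocked


class ChipCard:
    """Toy card that verifies the PIN offline and owns its try counter."""

    def __init__(self, reference_pin: str, try_limit: int = 3):
        # A real chip keeps the reference PIN in protected memory.
        self._reference = reference_pin.encode()
        self.try_limit = try_limit
        self.tries_left = try_limit   # stored on the card, not in any terminal

    def verify(self, candidate: str) -> int:
        """Return the status word a terminal would receive."""
        if self.tries_left == 0:
            return SW_BLOCKED         # blocked: no comparison is performed
        self.tries_left -= 1          # decrement first, so pulling power cannot skip it
        if hmac.compare_digest(candidate.encode(), self._reference):
            self.tries_left = self.try_limit
            return SW_OK
        return 0x63C0 | self.tries_left   # 63Cx: wrong PIN, x tries remain

    def unblock_online(self) -> None:
        """Unblock at an online ATM: one further attempt, as the post says."""
        if self.tries_left == 0:
            self.tries_left = 1


def guess_bound(try_limit: int = 3, pin_digits: int = 4) -> float:
    """Upper bound on a blind guess succeeding before the card locks."""
    return try_limit / 10 ** pin_digits


def demo() -> list[int]:
    card = ChipCard("4929")           # constructed PIN
    shop_a = card.verify("0000")      # wrong, at one terminal
    shop_b = card.verify("1111")      # wrong, at a second terminal
    atm = card.verify("2222")         # wrong, at a third: counter hits zero
    locked = card.verify("4929")      # correct PIN, but the card is blocked
    card.unblock_online()
    retry = card.verify("4929")       # the single attempt after unblocking
    return [shop_a, shop_b, atm, locked, retry]


if __name__ == "__main__":
    print([hex(sw) for sw in demo()], guess_bound())
```

Because the counter is decremented on the card before the comparison, moving to a different shop or ATM does not give a guesser a fresh allowance.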

The following sites may be of interest.

formatting link
and
formatting link
A similar system has been running in France for years, note I said similar as the French are always different but even they will be moving to an EMV solution shortly. I expect chip&pin to be rolled out and being used widely in the UK by Jan05 if only because after that date the retailers become liable for fraud if they are not using an approved chip&pin solution. Mag strip cards will die very quickly.

Reply to
Kevin OShea

Tumbleweed - Were you aware that a Chip & Signature Card vice Chip & PIN is an option. A Chip & Signature Card when inserted into a new type card reader will inform the cashier that a signature is required vice a PIN. This the banking industry will tell you is to accommodate those who are unable to handle a PIN, although nothing specific has been publicised. I am not surprised as this is a delicate subject.

Chip & Signature Cards will be accepted for many a year, or until a better means of proving you are who you say you are is established. The essence of a Chip and Signature Card is that liability remains at £50 maximum. As I've said before, I can see no reason why anyone would want a PIN with their credit card that is unless they wish to draw cash at an ATM. The card industry should be a wee bit more honest when it comes to PINs with credit cards and liability shift. The majority of colleagues I've asked have no idea what their credit card PIN is or what the implications of having a PIN are.

The card industry couldn't have come out with a better catch phrase than 'Safety in Numbers,' it certainly is for the industry.

James

Reply to
James

These are the same people that designed C&P PIN pads that are completely open for anyone to see what number is being entered, right?

Reply to
Tumbleweed

AFAICR the HSM did the same operation and compared the two so it had the PINs as well.

Dunno, but now we are talking about where the computer is that stores the PIN. Could be an ATM, could be a branch system, could be a central system. Not the card though.

Are you sure, or do you just know that the card mag strip specification allowed for a PIN?

Reply to
Tumbleweed

Who is 'they'? Is it the banks, who indeed would be satisfied as they can blame more thefts onto their customers who have to pay up rather than the banks!

It doesn't make offline transaction more possible, except to verify that the card is real rather than cloned. You would still have to go online to check the PIN.

Reply to
Tumbleweed

Which they don't, why else do ATMs steal your PIN after 3 failed PIN entries in a row?

Reply to
Tumbleweed
