What's the truth about C&P?

"Mike Scott" wrote

He could simply prove that he was elsewhere at the time of the alleged transaction, to combat the "used himself" accusation.

If the bank asserts that the cardholder gave away the PIN to an accomplice (who they say then made the transaction) - well, without any reasonable proof that the cardholder & actual PIN user were together on this fraud, then it is no more reasonable to suggest that the cardholder must have divulged the PIN than it is to suggest the bank (or someone at the bank) had divulged the PIN!! Before you say "that's impossible" - what could possibly stop someone in the bank's post room opening outgoing PIN notifications??! [The notification shows both the cardholder's name & address, the PIN, and they know which bank it is ... ]

Reply to
Tim

Without a hint of irony, Graham Murray astounded uk.finance on 11 Jan 2005 by announcing:

Indeed. I wonder how many card thieves would actually try '1111' or '1234'.

Reply to
Alex

In message , Tim writes

And then they would have to go and nick the card and the owner not realise it was nicked and therefore not report its loss to the bank.

Reply to
john boyle

Would you like to share with us which bank issued the chip & sig card?

My neighbour's chip & pin card was stolen in the mail and used for several large purchases authorised by his PIN. Scary!

formatting link
is interesting reading on chip & pin insecurity.

Reply to
s_pickle2001

Natwest Switch.

How did they get the PIN, btw?

Interesting URL; I'd not seen that one. Followed a link to the Beeb

formatting link
"We don't think they [rogue traders] can use fake machines because the machines themselves are engineered to read the chip so they must be reading the chip very carefully. "That makes the transaction itself extremely secure."

Sure thing :-)

Reply to
Mike Scott

Bitstring , from the wonderful person Mike Scott said

Is it possible to extort a 'chip, PIN AND signature card'? That ought to keep everyone happy - the bank gets their PIN, and you don't accept any debit unless authorised by a signature =as well=.

Reply to
GSV Three Minds in a Can

Brilliant! Except for one small detail. I don't think it *would* keep the concerned cardholder happy, since the PIN can still be shoulder-surfed and the card used to make unauthorised withdrawals at cash machines.

Or are you suggesting that this option would automatically exclude the card from the ability to be used in cash machines?

Reply to
Ronald Raygun

"Ronald Raygun" wrote

You could have a different PIN for cash machines? - Ie 2 separate PINs, one for retail C&P, the other for cash machines ...

Reply to
Tim

Is this a feature which is already supported, or are you offering this up as a new idea which card issuers might consider (and reward you handsomely for suggesting it)?

Reply to
Ronald Raygun

Yes I agree.

So, how do we campaign to get this?

tim

Reply to
tim

Without a hint of irony, s snipped-for-privacy@yahoo.com astounded uk.finance on 15 Jan 2005 by announcing:

Although this is rubbish:

"The banks are training their customers to use PINs everywhere, so rogue merchants can use false terminals to harvest PIN and mag-strip data - cloned cards can then be used in ATMs overseas. This is a regulatory failure; the government must hold banks liable for their system security failures."

To clone a card you would need to have the private key which is inaccessible to your regular 'rogue merchant'. Sure, it may be possible to recover it using the laser scanning techniques et al discussed in a linked article but how many 'rogue merchants' will have access to this? It also requires destruction of the card itself (since the chip has to be extracted) and I'm sure the cardholder would notice if this happened. Much easier to steal the actual card itself. The best you could hope for with a rogue terminal is to capture the PIN and then capture the card from the cardholder (then hope the loss is not reported).

Reply to
Alex

Without a hint of irony, Mike Scott astounded uk.finance on 15 Jan 2005 by announcing:

Using a chip reader costing a few dollars, sure.

"The sort of thing that I expect to go wrong is that villains will set up in business with equipment that will capture customer pins."

Then what? Guess the private key on the card?

"From 1 January, retailers can refuse to accept signatures if the customer has a chip and pin card."

Nonsense.

Reply to
Alex

Without a hint of irony, GSV Three Minds in a Can astounded uk.finance on 15 Jan 2005 by announcing:

It is possible, yes. It's not even any more difficult than providing a C&P or C&S card.

Reply to
Alex

Without a hint of irony, "Tim" astounded uk.finance on 15 Jan 2005 by announcing:

I don't believe this is currently supported.

Reply to
Alex

No, but it seems to make sense, and ought to be trivial to support.

tim

Reply to
tim


You have misunderstood the article, I suggest you re-read the quote. it doesn't refer to cloning the chip, only the magstripe.

Peter

Reply to
peter.king

You don't even need a 'false terminal', all you need is the Mk1 Eye Ball, possibly supplemented by a web cam or similar. It's not like you have to capture *every* PIN; most customers are careless enough, or it's just too difficult to hide, that you could capture a high percentage. I'm guessing, though I don't know, that the magstripe data could even be created from just knowing the basic card details. Anyone know if that's correct?

Reply to
Tumbleweed

Without a hint of irony, snipped-for-privacy@ziplip.com astounded uk.finance on 16 Jan 2005 by announcing:

Oops!

Reply to
Alex

In general it's incorrect.

The magstripe carries discretionary data that cannot usually be determined from the details on the front/back of the card.

formatting link
Of course a rogue worker could still use an old-fashioned mag-stripe 'skimmer' and eyeball the PIN when it's entered.

Peter

Reply to
peter.king
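As an added illustration of Peter's point about discretionary data (and of Alex's earlier point that a rogue terminal only ever sees the PIN and the magstripe), and not code from any poster: a parser for the ISO/IEC 7813 Track 2 layout, run on a constructed record with a well-known test PAN, that separates what is printed on the card from what is only encoded, plus a terminal-side check that declines a magstripe swipe when the service code says a chip is present.

```python
import re
from dataclasses import dataclass

# Constructed sample Track 2 records (test PAN 4111111111111111, not a real card).
# Layout per ISO/IEC 7813: ;PAN=YYMM SSS discretionary ?  (max 40 characters)
SAMPLE_CHIP_CARD = ";4111111111111111=2512201000012345678?"       # service code 201
SAMPLE_MAGSTRIPE_ONLY = ";4111111111111111=2512101000012345678?"  # service code 101

TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


@dataclass(frozen=True)
class Track2:
    pan: str            # embossed/printed on the card
    expiry_yymm: str    # printed on the card
    service_code: str   # encoded only; first digit 2 or 6 means an IC chip is present
    discretionary: str  # issuer-defined (e.g. PIN/card verification values); never printed


def luhn_ok(pan: str) -> bool:
    """Luhn check on the PAN: catches a mangled read, says nothing about forgery."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw)
    if not m or len(raw) > 40:
        raise ValueError("not a well-formed Track 2 record")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def chip_present(t: Track2) -> bool:
    return t.service_code[0] in ("2", "6")


def allow_magstripe_fallback(t: Track2) -> bool:
    """Terminal policy: refuse a plain swipe of a chip-capable card so the chip
    gets used; only a genuinely magstripe-only card may be processed by swipe."""
    return not chip_present(t)
```

The discretionary field's internal layout is issuer-specific, so the parser deliberately treats it as opaque digits.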

When I got sent my first Chip+PIN Visa recently, they sent the PIN number 2 days later; I wasn't expecting it and didn't need it, of course, since I knew the PIN, and they were simply advising me of the number I'd chosen (so it was the same as other cards I owned).

So imagine they just waited for the other mail to arrive.

Jim.

Reply to
Jim Ley
