From: Alex
Newsgroups: uk.finance
Subject: Re: PIN fraud
Date: 19 Apr 2004 12:24:38 GMT
Without a hint of irony, Ronald Raygun
astounded uk.finance on 17 Apr 2004 by announcing:
>>> In the old days the cash card PINs were stored on the swipe stripe,
>>> no doubt in encrypted form, together with a record of recent
>>> withdrawals and balances, so they could enforce at least daily limits
>>> even when the machine was off line. Now, the PIN will be in the chip,
>>> but more securely, not only encrypted but unreadable too. What
>>> happens is that the machine into which you type the PIN will ask the
>>> chip whether this PIN is correct and will simply get a yes/no answer,
>>> instead of asking the chip to tell it the encrypted PIN so that
>>> it can do the comparison itself.
>>
>> That's incorrect, and provably so. Firstly, why do you need to be online
>> to tell if the PIN is correct,
>
> Do you? I'm not convinced. It's desirable to be online, but not,
> I would have thought, mandatory. Big shops are capable of being
> on line full-time, but surely the chip technology is intended to be
> capable of being used in, say, small B&Bs, where there's no way they
> will dial up each time. You could say one falls back to signatures
> in such circumstances, but I expect the intention is that they will
> be phased out completely in due course.
The UK is using offline PIN for the foreseeable future. That is, the
connection to the bank will only be used to authorise the transaction where
needed - the PIN verification will be performed by the card.
>> Oh, and thirdly, if the card is doing the
>> authorisation, all I need do is make my own cards and have them always
>> say 'yes this transaction is valid'.
>
> I think you'll find "saying yes" is not as easy as simply pulsing a
> wire one way or the other. The chip will send a verifiably secure
> packet to the machine, which will contain the yes/no somewhere in it,
> but loads of proof of "I am genuine" in there as well.
The card generates a cryptogram. The cryptogram contains the information
necessary to instruct the terminal to authorise/reject/refer the transaction.
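A toy model of the flow described above, added here as an illustration rather than anything from the thread or a real EMV implementation: the card checks the PIN offline and answers only yes/no, then MACs the transaction with a key it shares with the issuer, so a home-made card that "always says yes" produces a cryptogram the issuer rejects. The field layout, the use of truncated HMAC-SHA256 as the cryptogram, and all PANs, PINs and keys are constructed for the example.

```python
import hmac, hashlib
PIN_TRY_LIMIT = 3

def tx_data(pan, amount, atc, unpredictable, pin_ok):
    # Fields the card binds into its cryptogram (constructed layout, not EMV's)
    return f"{pan}|{amount}|{atc}|{unpredictable}|{int(pin_ok)}".encode()

def mac(key, data):
    # Truncated HMAC standing in for the card's MAC-based application cryptogram
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

class Card:
    # Genuine chip: the PIN and the issuer-shared key never leave it
    def __init__(self, pan, pin, key):
        self.pan, self._pin, self._key = pan, pin, key
        self.tries_left = PIN_TRY_LIMIT

    def verify_pin(self, pin):
        # Offline PIN: the terminal gets only yes/no; a try counter limits guessing
        if self.tries_left and hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left = PIN_TRY_LIMIT
            return True
        self.tries_left = max(0, self.tries_left - 1)
        return False

    def cryptogram(self, amount, atc, unpredictable, pin_ok):
        return mac(self._key, tx_data(self.pan, amount, atc, unpredictable, pin_ok))

class ForgedCard(Card):
    # Home-made card that always says 'yes' but holds no issuer key
    def __init__(self, pan):
        super().__init__(pan, "0000", b"no-real-key")
    def verify_pin(self, pin):
        return True

def issuer_check(issuer_keys, pan, amount, atc, unpredictable, pin_ok, cryptogram):
    # Bank side: recompute the cryptogram under the key issued for this PAN
    key = issuer_keys.get(pan)
    if key is None:
        return False
    expected = mac(key, tx_data(pan, amount, atc, unpredictable, pin_ok))
    return hmac.compare_digest(expected, cryptogram)

def run_transaction(card, issuer_keys, pin, amount, atc=1, unpredictable=0x5A17):
    # Terminal flow: offline PIN check, then the cryptogram is sent to the issuer
    pin_ok = card.verify_pin(pin)
    genuine = issuer_check(issuer_keys, card.pan, amount, atc, unpredictable, pin_ok,
                           card.cryptogram(amount, atc, unpredictable, pin_ok))
    return pin_ok, genuine, pin_ok and genuine
```

The returned triple is (PIN accepted by card, cryptogram accepted by issuer, transaction approved); a forged card scores True on the first and False on the other two.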