From: "Aztech"
Newsgroups: uk.finance
Subject: Re: Can C&P be cloned?
Date: Wed, 08 Sep 2004 16:48:58 GMT
"Marx Peterson" wrote in message
news:e56c4f73.0409080813.21d7166d@posting.google.com...
> OK, so you can't directly copy the PIN from one C&P card and create a
> clone but how hard would it be for someone just to make their own C&P
> card with their own PIN or maybe make the cards accept any PIN?
>
> Seems to me that if banks can make a chip with a card number and a PIN
> stored on it, what's to prevent someone making their own chips with a
> PIN of their choice?

It doesn't work like that IIRC; it operates on a challenge/response basis. When
a transaction starts, the processing centre issues a challenge to the
terminal/card; this is combined with the PIN entered and encrypted with the key
held on the chip, then the response is sent back to the processing centre, where
it is checked against the response it expects back. If there's a match it's
OK'ed, otherwise not.

It doesn't matter if the challenge or response are intercepted because it's done
on a one-time basis; you will never encounter the same combination twice.
Theoretically they may be able to find some info if it's repeated millions of
times on an iterative basis, but the processing centre would notice this!

You can't retrieve the PIN from the chip. Somebody could get the hash
table/key if they stripped the chip down, but this would take millions of pounds
worth of kit and many hours of work; there are silicon measures in place to
prevent reverse engineering. Any information gleaned would only be useful for
that individual chip, assuming they haven't made a real mess of the
implementation.

I'm told the old French chip & pin system does hold an encrypted version of the
PIN on the chip; they're now upgrading to 'our' chip & pin system. Of course,
since they've used this model for some time, their transition will be pretty
seamless, apart from issuing new cards and terminals, no pesky commercials
talking to people like children.
Az.
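
The challenge/response exchange as the reply above describes it, modelled as an added example that is not part of the original post and is not the real card protocol. HMAC-SHA256, the class and function names, and the key, card ID and PIN values are all assumptions made for illustration; the model shows why a replayed response, a wrong PIN, and a home-made chip without the issuer's key are all rejected.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, challenge: bytes, pin: str) -> bytes:
    # Response = keyed MAC over the one-time challenge plus the PIN.
    # HMAC-SHA256 is an assumption; the post does not name an algorithm.
    return hmac.new(key, challenge + pin.encode(), hashlib.sha256).digest()

class Card:
    """Hypothetical chip: the key is set at issue and never exported."""
    def __init__(self, key: bytes):
        self._key = key
    def respond(self, challenge: bytes, entered_pin: str) -> bytes:
        return mac(self._key, challenge, entered_pin)

class ProcessingCentre:
    """Hypothetical issuer side: knows each card's key and PIN."""
    def __init__(self):
        self._cards = {}    # card_id -> (key, pin)
        self._pending = {}  # card_id -> challenge not yet answered

    def enrol(self, card_id: str, key: bytes, pin: str) -> None:
        self._cards[card_id] = (key, pin)

    def issue_challenge(self, card_id: str) -> bytes:
        self._pending[card_id] = secrets.token_bytes(16)
        return self._pending[card_id]

    def verify(self, card_id: str, response: bytes) -> bool:
        challenge = self._pending.pop(card_id, None)  # each challenge is single-use
        if challenge is None:
            return False
        key, pin = self._cards[card_id]
        return hmac.compare_digest(mac(key, challenge, pin), response)

def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed sample values throughout
    centre = ProcessingCentre()
    centre.enrol("card-1", key, "4929")
    genuine, homemade = Card(key), Card(secrets.token_bytes(32))
    first = genuine.respond(centre.issue_challenge("card-1"), "4929")
    ok = centre.verify("card-1", first)
    centre.issue_challenge("card-1")            # fresh challenge, old response
    replay = centre.verify("card-1", first)
    wrong = centre.verify("card-1", genuine.respond(centre.issue_challenge("card-1"), "0000"))
    fake = centre.verify("card-1", homemade.respond(centre.issue_challenge("card-1"), "4929"))
    return {"genuine": ok, "replayed_response": replay, "wrong_pin": wrong, "homemade_card": fake}
```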