
Are portable PIN code machines safe to use in banks?

Many banks have issued portable pocket calculator looking devices to their internet banking customers in recent years.

I see what look like the same machines being used by bank staff in branches.

I know mine is relatively safe at home, and I know that unless an ATM machine has been fitted with a false front, then I should be quite safe from cloning if I use an ATM, but how do I know that the little pocket devices they use in the bank are safe?

Comments

  • I had one for my old Barclays account, and my dad had another one from a different bank. I lost my Barclays one and used his instead and it worked, so if someone knows your PIN and doesn't even have a bank account with the same bank it doesn't really matter.
    100% G33K
    :D:D:D:D:D
  • rb10
    rb10 Posts: 6,334 Forumite
    edited 13 September 2010 at 4:44PM
    I think that the question being posed is whether the machines are safe to use in banks, and not whether they are portable between banks.

    Some banks (e.g. Barclays) get customers to authorise counter transactions using one of the online banking cardreaders.

    Is it possible that the previous customer had replaced the machine with one that looks identical, but communicates the information (i.e. card number and PIN) to a third party?
  • Many banks have issued portable pocket calculator looking devices to their internet banking customers in recent years.

    I see what look like the same machines being used by bank staff in branches.

    I know mine is relatively safe at home, and I know that unless an ATM machine has been fitted with a false front, then I should be quite safe from cloning if I use an ATM, but how do I know that the little pocket devices they use in the bank are safe?

    Assuming you mean the Pin Entry Devices rather than the online banking authenticators... you don't.

    In fact, a group of well respected researchers at Cambridge has published successful attacks on some popular brands and models of PEDs.

    It shouldn't be hard to find their research online.
  • Olipro
    Olipro Posts: 717 Forumite
    Assuming you mean the Pin Entry Devices rather than the online banking authenticators... you don't.

    In fact, a group of well respected researchers at Cambridge has published successful attacks on some popular brands and models of PEDs.

    It shouldn't be hard to find their research online.

    They are not attacks on the entry device, they are attacks on the scheme and the user.

    For example, using Respond with a ref number of 00000000 is the same as Identify... using Sign with an amount of £0.00 is the same as Respond.

    The device does not contain a radio transmitter; when a code is generated it cannot be reused nor can it be used for a different operation. Using it in a bank is completely safe even if you shouted the number out loudly enough for everyone else to hear it.
  • I wasn't concerned about the code that appears on the screen as whether the machine could be used to clone card data and collect PIN numbers - in fact I asked a bank person the other day about what was the difference between mine and hers and she said nothing, and in fact sometimes customers leave theirs in the bank and they make use of them on the tills.

    So could the innards of a machine from one bank be put inside the casing of another? I didn't realise they might all be the same under the skin.
  • So could the innards of a machine from one bank be put inside the casing of another? I didn't realise they might all be the same under the skin.

    Pretty sure that's the way it works, not sure if they are made by the same company or not, I would imagine so.
    100% G33K
    :D:D:D:D:D
  • Olipro
    Olipro Posts: 717 Forumite
    I wasn't concerned about the code that appears on the screen as whether the machine could be used to clone card data and collect PIN numbers - in fact I asked a bank person the other day about what was the difference between mine and hers and she said nothing, and in fact sometimes customers leave theirs in the bank and they make use of them on the tills.

    So could the innards of a machine from one bank be put inside the casing of another? I didn't realise they might all be the same under the skin.

    It is impossible to clone card data from the chip alone, you can sniff the PIN but without the magstripe data it is useless, the chip also doesn't store the CVV number on the back of the card, so again, useless.

    All the banks use the same devices made by Xiring except for Barclays who use ones made by Gemalto, the scheme is the same because all calculation is performed inside the chip on your bankcard, not the terminal.
  • I just did some Googling at Olipro's suggestion and found a Cambridge Uni paper talking about vulnerabilities in PEDs. It doesn't mention Xiring or Gemalto and I think it must be about retailers' machines or at least the heavier ones connected by wires at some banks, not the portable lightweight ones.

    The paper also says that CHIP & PIN has more than enough data to create a clone card. If the more substantial machines are vulnerable to tampering, why not the lightweight ones?
  • Olipro
    Olipro Posts: 717 Forumite
    The paper also says that CHIP & PIN has more than enough data to create a clone card. If the more substantial machines are vulnerable to tampering, why not the lightweight ones?

    A lot of those papers are old, issuers *USED TO* put the magnetic strip data and/or CVV2 on the chip, they categorically DO NOT do this any more and have not for a fair few years now. The only remaining attacks are:

    1) swiping the mag stripe beforehand and sniffing the PIN. (limited success as banks generally treat magstripe transactions with suspicion) or they can get the card number from your chip and read the CVV2 from the back of the card with their eyes.

    2) having a terminal connected to the internet to act as a relay for a fraudster somewhere else in the world purchasing a high-value item (very difficult, requires fraudster to time his purchase so that he pays as you pay)

    3) create a "yes" chipcard which can be used for offline transactions, however, since the fake chip can't generate a valid cryptogram your bank will report the authorisation as fake, you will never be debited and the merchant will lose out... as a result, merchants almost always perform authorisations online, fraudster has a good chance of getting nicked.

    4) steal your card from you and use a shim to suppress sending of the PIN to the card while making a purchase, the terminal will see a normal transaction occurring, the bank will see it as a PIN bypass transaction, if it's a high value purchase, it will almost certainly be declined... assuming you haven't cancelled the card by then.

    So to give you some finality on the issue: if you are worried about the cardreader being compromised, don't give it back, keep it or just bring your own along.
  • Thanks for the information Olipro, but I am thoroughly confused now, not least because this evening the self service till at the supermarket declined my card via CHIP & PIN and requested that I use the magnetic strip reader instead. It declined it again. I rubbed the chip on my sleeve like I have seen people do and tried again in the CHIP & PIN. It said "Cancelled".

    So then I used a different card in the CHIP & PIN reader and that worked.

    When I got home I called the card company and they said yes the transaction was authorised but not taken and that the supermarket could still take it but 99% of the time they wouldn't. The card company couldn't kill it dead ... they said probably the supermarket's link to the bank was down and my second card worked because it was a different bank. They advised me not to worry, and just to check my statement if I remained so :(

    Anyway, back to my concern about cloning my card using a rogue portable PIN machine.

    I hear what you say but when I put my card in the machine, press the keyhole button, enter my PIN, it says "PIN correct". So how does it know that if the PIN isn't stored on the CHIP? And I have tried a friend's machine from a different bank now. It also knows when my PIN is correct! :rotfl: And both then give codes that can then be used to 100% ID me and my account :eek:

    Now, never mind CVV codes and the magnetic strip, if I was any kind of electronics enthusiast, surely I could take one of these machines apart and discover the circuits which read the PIN on the CHIP and compare it with the PIN I just punched in?? This must especially be so if the circuits are unencrypted as I believe they might be from reading the Cambridge paper? And I tend to believe it must be unencrypted if another bank's machine can give me a "PIN correct" message!

    This all looks a bit worrying ... think how many PIN numbers and cards go through those little pocket(able) machines in one day at one till at the bank :eek:
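As an added illustration (not part of the thread, and not any bank's or vendor's code), here is a small Python model of how a CAP-style pocket reader produces its codes. It follows Olipro's two points above and the "PIN correct" question: the reader holds neither the card key nor the PIN, it passes the typed PIN to the chip and only gets a yes/no back (which is why a friend's reader from another bank can show "PIN correct"), and the code it displays is bound to a transaction counter plus the challenge and amount, so Identify is Respond with reference 00000000, Respond is Sign with £0.00, and a code can neither be replayed nor moved to a different operation. Assumptions, labelled as such: HMAC-SHA256 stands in for the card's EMV cryptogram, the 8-digit reduction (two counter digits plus six MAC digits) is invented for the example, and every key, PIN and class name is constructed.

```python
import hashlib
import hmac


def cryptogram_input(atc: int, challenge: int, amount_pence: int) -> bytes:
    """Bytes the card signs: transaction counter, challenge (reference number), amount.
    Identify, Respond and Sign differ only in which of these fields are zero."""
    return atc.to_bytes(2, "big") + challenge.to_bytes(4, "big") + amount_pence.to_bytes(6, "big")


class SimCard:
    """Constructed stand-in for the chip: it alone holds the key and the PIN."""

    def __init__(self, key: bytes, pin: str, max_tries: int = 3):
        self._key, self._pin, self.tries_left, self.atc = key, pin, max_tries, 0

    def verify_pin(self, candidate: str) -> bool:
        # The comparison happens inside the card; the reader only sees the verdict.
        if self.tries_left == 0:
            return False
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            return True
        self.tries_left -= 1
        return False

    def generate_ac(self, challenge: int, amount_pence: int) -> tuple:
        self.atc += 1  # every cryptogram consumes a fresh counter value
        msg = cryptogram_input(self.atc, challenge, amount_pence)
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).digest()


def to_code(atc: int, mac: bytes) -> str:
    """Reduce to 8 display digits (assumed format): two counter digits let the
    issuer resynchronise, six digits come from the MAC."""
    return f"{atc % 100:02d}{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class SimReader:
    """Any reader works with any card: it has no key and no PIN of its own."""

    def __init__(self, card: SimCard):
        self.card = card

    def sign(self, pin: str, challenge: int, amount_pence: int):
        if not self.card.verify_pin(pin):
            return None  # the display would show "PIN incorrect"
        return to_code(*self.card.generate_ac(challenge, amount_pence))

    def respond(self, pin: str, challenge: int):  # Respond = Sign with £0.00
        return self.sign(pin, challenge, 0)

    def identify(self, pin: str):  # Identify = Respond with reference 00000000
        return self.respond(pin, 0)


class SimIssuer:
    """Bank side: knows the card key and the last counter value it accepted."""

    def __init__(self, key: bytes, window: int = 50):
        self._key, self.last_atc, self.window = key, 0, window

    def verify(self, code: str, challenge: int, amount_pence: int) -> bool:
        if len(code) != 8 or not code.isdigit():
            return False
        for atc in range(self.last_atc + 1, self.last_atc + 1 + self.window):
            if atc % 100 != int(code[:2]):
                continue
            mac = hmac.new(self._key, cryptogram_input(atc, challenge, amount_pence), hashlib.sha256).digest()
            if hmac.compare_digest(to_code(atc, mac), code):
                self.last_atc = atc  # consumed: this code is never accepted again
                return True
        return False


def demo() -> dict:
    key = b"constructed-card-key-not-a-real-one"
    card, bank = SimCard(key, pin="1234"), SimIssuer(key)
    own_reader, friends_reader = SimReader(card), SimReader(card)
    out = {}
    # A different bank's reader still reports the chip's verdict on the PIN.
    out["wrong_pin_on_friends_reader"] = friends_reader.sign("9999", 0, 0)
    out["tries_left"] = card.tries_left
    code = own_reader.sign("1234", 12345678, 9999)  # Sign £99.99 against ref 12345678
    out["sign_accepted"] = bank.verify(code, 12345678, 9999)
    out["replay_rejected"] = bank.verify(code, 12345678, 9999)
    ident = own_reader.identify("1234")
    out["wrong_challenge_rejected"] = bank.verify(ident, 55, 0)  # code moved to another operation
    out["identify_accepted"] = bank.verify(ident, 0, 0)
    # Two fresh cards with the same key: Identify and Sign(ref 0, £0.00) give the same code.
    a, b = SimReader(SimCard(key, "1234")), SimReader(SimCard(key, "1234"))
    out["identify_equals_sign_zero"] = a.identify("1234") == b.sign("1234", 0, 0)
    return out


if __name__ == "__main__":
    print(demo())
```

The issuer's window search is the part worth noticing: it accepts a code only for a counter value it has not yet seen, which is what makes the displayed number single-use even though nothing on the reader enforces that.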
This discussion has been closed.