Are portable PIN code machines safe to use in banks?

  • Olipro
    Olipro Posts: 717 Forumite
    edited 13 September 2010 at 11:01PM
    So how does it know that if the PIN isn't stored on the CHIP?

    the PIN IS stored on the chip, but when communicating with the chip, you simply tell it what you think the pin is and it either says OK or Wrong PIN - if you get it wrong 3 times it won't let you try any more and it can only be unblocked with a signed cryptogram that only your bank can generate. The same applies when changing your PIN, the new PIN first has to be transmitted to your bank so they can sign it with their secret key and then send that to your chip so that it performs the update - this is why you can generally only change your PIN in an ATM owned by your bank.

    You seem to think the chip on your bank card is just a storage device like a CD ROM, it is not, it is a micro computer.

    In order to dump the PIN from the device you would need to etch the package with acid to expose the silicon and then use a scanning electron microscope... they don't fit in a card reader.

    As for your supermarket issue... that shows that communication with the chip was fine but it was unable to get online authorisation for the transaction, hence the transaction gets cancelled (in practical terms when you do online authorisation you first get the chip to generate an ARQC and submit it to the bank to obtain the authorisation, if the bank says OK you submit the bank's response to the chip, if you can't get a response or it's declined you send a Cancel command to the chip so that its internal state is restored)
  • Well I can see it hasn't a CD ROM in it :p My laptop doesn't have one either but it stores stuff! Microcomputers store data too don't they, else they are like an empty brain :rotfl:

    But obviously in there somewhere is my PIN and there is obviously enough room to contain a rogue extra chip that could store all the PINs punched throughout a day at the bank, and possibly something that could anyway read the magnetic strip even though only half of it goes in the machine?

    I have been told not to let even the bank people see what PIN I am putting in, but if they were complicit in passing other details that they see on my screen a PIN number collected secretly inside a PIN machine might help an accomplice electronics expert clone something using the rest of the data, mightn't it?

    I have no idea what technology you need to make a cloned card, but I read that Metro Bank make and issue cards in the branch and I don't think they have electron microscopes.

    So what we are really saying Olipro, is that yes there is a lot of data stored in the CHIP and on the magnetic stripe on the back, but the fraudsters won't be clever enough to know how to get at any of it?

    As I saw at the supermarket this evening, the data on the card seems to be largely duplicated anyway (both in the CHIP and the magnetic stripe). Both must contain enough for a transaction to succeed?

    I remain unconvinced of the safety of having these things on bank counters. At least if it was wired to something it might be less easy to tamper with, but I am concerned that it would be easy to plant a dodgy one and come back later and pocket it.
  • Olipro
    Olipro Posts: 717 Forumite
    I remain unconvinced of the safety of having these things on bank counters. At least if it was wired to something it might be less easy to tamper with, but I am concerned that it would be easy to plant a dodgy one and come back later and pocket it.

    Did you miss the bit where I said "bring your own card reader or don't give theirs back" - the readers are ten-a-penny, I doubt they'll care if you use one they give you and then insist on keeping it, if you like you can take it home and smash it up if it makes you feel better.

    and no, there is no way you could fit a mag stripe reader in that form factor, not to mention the fact the card doesn't swipe through it making it impossible to read.

    The chip generates unique cryptograms the bank can verify, the magstripe just contains the card number and some additional static data not on the Chip, hence even if someone were to make a little entry device that could log your PIN, it would be USELESS because they don't have the magstripe track data.

    your comment about Metro bank is just daft, those cards are pre-programmed in a secure environment, all they do is emboss your name on it and the bank staff assign the card's number to your account, they don't get access to the RSA keys, I don't even know why you're trying to compare a bank authoring its own cards to a fraudster trying to copy one.
  • But obviously in there somewhere is my PIN and there is obviously enough room to contain a rogue extra chip that could store all the PINs punched throughout a day at the bank, and possibly something that could anyway read the magnetic strip even though only half of it goes in the machine?

    The PIN is not stored on the chip.

    When you type your PIN into a PED, the PED communicates with the chip and carries out some cryptographic functions on the data that you type into the PED.

    The chip will then return and either say "OK" or "Not OK".

    Your PIN is not stored on the chip as clear text.
  • VictimOfImpersonation
    VictimOfImpersonation Posts: 334 Forumite
    edited 14 September 2010 at 1:38PM
    Fiddlestick, you first say that the PIN is not stored on the CHIP. Then you say it is stored on the CHIP but not in clear text which is another slightly split hair if I may say so? So the PIN is stored on the CHIP ready to be discovered.

    Going back to last night's posts, I seem to have irritated you a bit, Olipro. Sorry about that. On the flipside I have learned a lot just by looking up PED EMV ARQC RSA, and as a result I think I understand a little more, so thanks.

    You might have gleaned from my username that I do have a particular interest in avoiding for the future the enormous hassle which besets those of us who get targeted using the vulnerabilities of the existing EMV card system.

    So this CHIP & PIN thing is now a five year old idea. When all is said and done, it relies on miniaturisation and a certain amount of encryption for it to remain untouchable by the fraudsters.

    I mentioned Metrobank because they clearly have a machine which communicates with a blank card (apart from its number and ability to produce apparently unique cryptograms) and makes that card immediately usable.

    That sounds to me a little bit like flashing firmware on a mobile phone. There is a huge cottage industry providing hacked unofficial firmware versions for those which clearly still work when connected to official networks.

    From what I now read of EMV standards, the basic chips firmwares and card readers are all the same. Even the part of Xiring that makes the card readers is now part of Gemalto. Since my Gemalto machine is now around 5 years old and since it functions the same as my friend's new Xiring machine, I presume the main chips in both are the same and have remained so for some time. The fact the things are made in China doesn't exactly fill me with a warm glow.

    I accept that the introduction of a standard for new chip-bound miniaturisation and use of cryptology in 2005 was then quite as secure as it was new, but isn't 5 years rather a long time to leave the technology "out there" for organised criminals to disassemble using ever faster computers and hacking tools?

    I read that part of the rationale of the extra cost of producing these cards (one US estimate was 16 dollars in 2005 versus a mag strip card cost of 12 dollars) was that it was offset by the ability for the new cards to remain in our possession for months or years longer because instead of having to stop and replace cards after changes to accounts, they could be "updated" with new limits etc. via the networks we all plug into daily when we use an ATM or pay for something.

    As I said earlier, I have good reason to suspect that so-called secure systems are more vulnerable than we may be led to expect, and the vulnerabilities are not necessarily in the technology but in the interfaces. And if I am right, that compromises the security of the technology.

    A less technological analogy might be the security of a front door on a house - most of us think that setting the standard for the lock is the way to do it.

    Burglars and locksmiths alike know the locks inside out. But instead of giving up immediately if the door has a top of the range Banham lock, then to get the prize, a burglar may cast their eye to the other side of the door where the hinges may be vulnerable, or to the windows, or to where the houseowner hides the key under the pot, or maybe creeps through an open door when the houseowner is home, or maybe even changes one of the locks and comes back later.

    It doesn't help homeowners any, if the burglar himself has locks identical to the homeowner and a bunch of typical keys to play around with in his own locks or a host of other locks that no-one seems particularly bothered about him trying his keys in, or if he can even find a way to get other people to put their keys in his locks.

    Before we know it, people will be obligingly pressing both sides of their keys into the burglar's plasticine because someone authoritatively tells them it's ok :(
  • Fiddlestick, you first say that the PIN is not stored on the CHIP. Then you say it is stored on the CHIP but not in clear text which is another slightly split hair if I may say so? So the CHIP is stored on the CHIP to be discovered.

    No, the chip performs a cryptographic function using the PIN that you type into the PED.

    The chip then either says that the PIN that was entered was OK or Not OK.

    At no point does it take the actual PIN that you enter and compare it with a stored value - the input is used as part of a cryptographic function.

    If you steal someone's card, it is in no way possible to extract the PIN from the chip.

    Is that clearer?

    As I said earlier, I have good reason to suspect that so-called secure systems are more vulnerable than we may be led to expect, and the vulnerabilities are not necessarily in the technology but in the interfaces. And if I am right, that compromises the security of the technology.

    Pretty much.

    The most recent Cambridge research revolves around compromising the PEDs.
    A less technological analogy might be the security of a front door on a house - most of us think that setting the standard for the lock is the way to do it.

    Burglars and locksmiths alike know the locks inside out. But instead of giving up immediately if the door has a top of the range Banham lock, then to get the prize, a burglar may cast their eye to the other side of the door where the hinges may be vulnerable, or to the windows, or to where the houseowner hides the key under the pot, or maybe creeps through an open door when the houseowner is home, or maybe even changes one of the locks and comes back later.

    That's a reasonable analogy :)


    Before we know it, people will be obligingly pressing both sides of their keys into the burglar's plasticine because someone authoritatively tells them it's ok :(

    Hehe, human weakness has always been an issue.
  • Olipro
    Olipro Posts: 717 Forumite
    edited 14 September 2010 at 1:32PM
    Fiddlestick, you first say that the PIN is not stored on the CHIP. Then you say it is stored on the CHIP but not in clear text which is another slightly split hair if I may say so? So the CHIP is stored on the CHIP to be discovered.

    Please show me where I told you that it's not stored in the chip. I did say that banks do not store the mag stripe or CVV2 data in the chip any more, but NOWHERE did I say the PIN is not stored in the chip.
    I mentioned Metrobank because they clearly have a machine which communicates with a blank card (apart from its number and ability to produce apparently unique cryptograms) and makes that card immediately usable.

    wrong, the chip is not blank, it is pre-programmed with all encryption keys already, the computer simply provisions your name and PIN onto it using the same security method as when you change your PIN.
    From what I now read of EMV standards, the basic chips firmwares and card readers are all the same. Even the part of Xiring that makes the card readers is now part of Gemalto. Since my Gemalto machine is now around 5 years old and since it functions the same as my friend's new Xiring machine, I presume the main chips in both are the same and have remained so for some time. The fact the things are made in China doesn't exactly fill me with a warm glow.

    EMV is a standard, just as your card works with all different brands of merchant terminal, so too does it work with different brands of cardreaders... they simply send commands to the card and get responses, I wrote a software version of the CAP/DPA specification, the fact these things are made in China is irrelevant because there's nothing you can compromise.
    I accept that the introduction of a standard for new chip-bound miniaturisation and use of cryptology in 2005 was then quite as secure as it was new, but isn't 5 years rather a long time to leave the technology "out there" for organised criminals to disassemble using ever faster computers and hacking tools?

    sure someone can take their own card apart, etch it, stick it through a scanning electron microscope and retrieve the keys for his card but it's not going to help in stealing anyone else's money.
    As I said earlier, I have good reason to suspect that so-called secure systems are more vulnerable than we may be led to expect, and the vulnerabilities are not necessarily in the technology but in the interfaces. And if I am right, that compromises the security of the technology.

    I don't see how a lack of understanding of the fundamental concepts of cryptography gives you "good reason to suspect that so called systems are more vulnerable than we may be led to expect" short of proving P=NP, I don't think so. the EMV standard is an openly published standard, anyone can look at it and see how it works. If you think it's not secure and you think you're qualified to make that assertion in the first place, I invite you to read the EMV standard and identify the holes.

    When you talk about "the burglar targeting the window" that's basically what I already outlined; sniffing the PIN and obtaining the magstripe.

    Again, I have already stated what attacks can be undertaken against an EMV chip, if you have failed to understand them or how they are mitigated, then there's not a lot that can be done about it, I imagine Galileo felt like this when trying to prove the earth orbits the sun.
  • Olipro
    Olipro Posts: 717 Forumite
    At no point does it take the actual PIN that you enter and compare it with a stored value - the input is used as part of a cryptographic function.

    Actually it does, the PIN is stored in the chip, but it cannot be read from the chip.

    However, you are correct about the PIN forming part of a crypto function: for example, when generating an ARQC, if the PIN has not been successfully submitted to the device, the chip will still generate an ARQC but it will do it with different internal data and the bank will know that the ARQC was generated without successful PIN entry.
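
Added example, not part of any post in this thread and not real EMV code: a toy model of the behaviour the posts above describe, where the chip answers only OK or Wrong PIN, blocks after three wrong tries until it receives an issuer-generated cryptogram, and produces an ARQC whose contents tell the bank whether the PIN was verified. The class and function names, the data layout and the use of truncated HMAC-SHA256 in place of the card scheme's MAC are all assumptions made for illustration.

```python
import hashlib
import hmac

def mac(key: bytes, *parts: bytes) -> bytes:
    # Truncated HMAC-SHA256 stands in for the real card MAC (assumption).
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()[:8]

class ToyCard:
    MAX_TRIES = 3

    def __init__(self, card_key: bytes, pin: str):
        self._key = card_key        # per-card secret shared with the issuer
        self._pin = pin             # held inside the chip; no method returns it
        self._tries = self.MAX_TRIES
        self._pin_ok = False
        self.atc = 0                # transaction counter, readable by a terminal

    def verify(self, guess: str) -> str:
        # The terminal submits a guess; the chip only answers with a status.
        if self._tries == 0:
            return "BLOCKED"
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self._tries, self._pin_ok = self.MAX_TRIES, True
            return "OK"
        self._tries -= 1
        self._pin_ok = False
        return "BLOCKED" if self._tries == 0 else "WRONG PIN"

    def unblock(self, issuer_mac: bytes) -> bool:
        # Only a holder of the card key (the issuer) can compute this value.
        expected = mac(self._key, b"UNBLOCK", self.atc.to_bytes(2, "big"))
        if not hmac.compare_digest(issuer_mac, expected):
            return False
        self._tries = self.MAX_TRIES
        return True

    def generate_arqc(self, amount_pence: int):
        # The cryptogram covers a flag recording whether the PIN was verified.
        self.atc += 1
        flag = b"\x01" if self._pin_ok else b"\x00"
        data = amount_pence.to_bytes(6, "big") + self.atc.to_bytes(2, "big") + flag
        return data, mac(self._key, b"ARQC", data)

def issuer_check(card_key: bytes, data: bytes, cryptogram: bytes):
    """Return (cryptogram_valid, pin_was_verified) as the issuer sees it."""
    if not hmac.compare_digest(cryptogram, mac(card_key, b"ARQC", data)):
        return (False, False)
    return (True, data[-1] == 1)

if __name__ == "__main__":
    key = b"constructed-key!"       # constructed sample key and PIN
    card = ToyCard(key, "4821")
    print(card.verify("0000"), issuer_check(key, *card.generate_arqc(1250)))
    print(card.verify("4821"), issuer_check(key, *card.generate_arqc(1250)))
```
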
  • VictimOfImpersonation
    VictimOfImpersonation Posts: 334 Forumite
    edited 14 September 2010 at 1:54PM
    Crikey, Olipro, this is interesting stuff !

    I am racing to keep up with your very generous sprinklings of industry abbreviations - that CAP/DPA one yields up a wonderful Wiki page. So I see that the correct term for these little machines is perhaps "CAP device" not "PED" which latter description I guess refers to the wired ones on retail and bank counters?

    I have to correct one of my earlier assertions - I see my Gemalto machine arrived sometime after April 2007 so it is three and a bit years old not five.

    One paragraph on the Wiki Chip_Authentication_Program page does indicate a vulnerability which you touched on earlier:
    In the identify mode, the response depends only on the required bits from the IAI as the amount and reference number are set to zero - this also means that selecting respond and entering a number of "00000000" will in fact generate a valid sign response. More concerningly however, if a respond request is issued by a bank, using the sign mode with the same number and an amount of "0.00" will again generate a valid result which creates a possibility for a fraudster to instruct a customer to do a "test" challenge response for an amount of £0.00 which is in fact going to be used by the fraudster to verify a respond command in order for them to add themselves as a payee on the victim's account - currently this attack is only possible with the Gemalto made EZIO CAP devices (Barclays PINsentry) as the Xiring made devices will not proceed until an amount of at least 0.01 is entered.
    In plain language, what do we look out for and how do we protect ourselves from that one?
  • Olipro
    Olipro Posts: 717 Forumite
    In plain language, what do we look out for and how do we protect ourselves from that one?

    if someone asks you to do a respond with a ref of 00000000, don't trust them, if they ask you to do a Sign with an amount of £0.00, don't trust them. I should add that only the Barclays PIN Sentry devices will allow an amount of £0.00

    When entering the ref number, on a respond or sign transaction, make sure it corresponds properly with the account number you're paying, some banks use the whole account number, some use the last 4 digits and 4 random; familiarise yourself with your bank's scheme.
This discussion has been closed.