How can two debit cards share same PIN

grumbler

I will check 0000 out of curiosity, but for all others, including 1234, does 'common' not mean that they aren't disallowed?

Cornucopia

Yolina wrote: »

I'd guess stuff like 0000

I don't know for sure, but I would expect all of them where all 4 digits are the same - these would be far too easy to spot when "shoulder surfing".

I'd probably add any PIN where there are 3 consecutive identical digits.

Add 1234 and 4321, and that's probably it.

On a tangent... are personal card readers issued by the Bank a potential security vulnerability? (They can tell you whether the PIN entered is correct or not).

Paul_Herring

grumbler wrote: »

does 'common' not mean that they aren't disallowed?

Certainly in the survey they carried out (otherwise they wouldn't have been listed to begin with!):

To come up with these findings, Berry drew from 3.4 million PINs made available through "released/exposed/discovered password tables and security breaches."

REDDDRAGGON

Cornucopia wrote: »

On a tangent... are personal card readers issued by the Bank a potential security vulnerability? (They can tell you whether the PIN entered is correct or not).

You have a different pin though for each card or device surely?

Paul_Herring

Cornucopia wrote: »

On a tangent... are personal card readers issued by the Bank a potential security vulnerability? (They can tell you whether the PIN entered is correct or not).

In offline mode, I'd bet that 3 incorrect entries using those readers renders the chip on the card inoperative.

Cornucopia

REDDDRAGGON wrote: »

You have a different pin though for each card or device surely?

Yes - but my Nationwide card reader (for example) can read my other cards and identify whether the correct PIN for that card has been entered.

Paul_Herring wrote: »

In offline mode, I'd bet that 3 incorrect entries using those readers renders the chip on the card inoperative.

I'm reluctant to post how I see this being used for criminal purposes, so I leave that to other FMs' imagination.

3 tries would be good, though wouldn't necessarily prevent what I have in mind.

grumbler

Cornucopia wrote: »

On a tangent... are personal card readers issued by the Bank a potential security vulnerability? (They can tell you whether the PIN entered is correct or not).

So do all ATMs and shop terminals. What's the difference? Whatever device you use the card locks itself after 3 (4?) incorrect attempts.

Cornucopia

The difference is that shop card readers and ATMs are used in public places. A handheld reader can be used anywhere.

grumbler

I don't see any difference as you have just 3 attempts anyway.

Cornucopia wrote: »

Yes - but my Nationwide card reader (for example) can read my other cards and identify whether the correct PIN for that card has been entered.

It can't *read* anything. It can only ask the card whether the entered PIN is correct.

Paul_Herring

Cornucopia wrote: »

Paul_Herring wrote: »

In offline mode, I'd bet that 3 incorrect entries using those readers renders the chip on the card inoperative.

I'm reluctant to post how I see this being used for criminal purposes, so I leave that to other FMs' imagination.

3 tries would be good, though wouldn't necessarily prevent what I have in mind.

Card reader to card: Is 0000 the right PIN?
Card to Reader: Nope. 2 chances left
Reader to Card: Is 1234 the right PIN?
Card to Reader: Nope. 1 chance left
Reader to Card: Is 4242 the right PIN?
Card to Reader: Nope. 0 chances left
[card wipes the PIN and sets some flags]
Reader to Card: Is 9999 the right PIN?
Card to Reader: [drools happily in the corner]

Well you get the idea...

Unless you have a way of asking the card without the card realising it's been asked, you can't really get round it.


Previous methods mentioned about getting the PIN usually involve inserting 3rd party stuff into the conversation above and getting the card's owner to input the correct number first time, and listening.