Re: Chip & Pin @ Tescos



Alex wrote:

> At 22:54:11 on 18/06/2006, Ronald Raygun delighted uk.finance by
> announcing:
>
>> Alex wrote:
>>
>>> At 20:33:21 on 18/06/2006, clemenr@xxxxxxxxxx delighted uk.finance by
>>> announcing:
>>>
>>>> Alex wrote:
>>>>
>>>>> At 09:47:34 on 18/06/2006, clemenr@xxxxxxxxxx delighted uk.finance
>>>>> by announcing:
>>>>>
>>>>>> I used a chip and pin debit card at a self-service checkout at
>>>>>> Tescos. Not only did I not have to put the card into a chip
>>>>>> reader, I only swiped the strip on the back of the card, it didn't
>>>>>> even ask me for my pin number.
>>>>>
>>>>> Good! Why do you think it should ask for a PIN with a mag stripe
>>>>> read?
>>>>
>>>> Security?
>>>
>>> How secure do you think storing the PIN on the magnetic stripe would
>>> be?
>>
>> It isn't necessary to store the PIN on the magstripe in order to be able
>> to perform PIN verification. Cash machines have managed this for ages
>> before chipped cards were even planned.
>
> Cash machines work purely online.

Even though that might be the case now, it hasn't always been.
Nor does it mean the PIN is checked online, though it might be.

The point is that magstripe technology allows PIN checking to be
done locally, by reference to the card, *without* the PIN in fact
being stored on the card.

The way I understand it works (or worked) is that the PIN entered
by the user, together with other information on the card stripe,
such as account name and number, sort code, etc, is put through a
one way encrypting function, the result of which is compared with
a "should-be" result stored on the card. This allows match-checking
without allowing the PIN to be re-computed.

Moreover, if you changed your PIN, it would store on the card the
difference between the new and original PIN, thus making it possible
to support PIN-alteration without changing the aforementioned
should-be result. All you needed do was subtract the stored
difference from the PIN in fact keyed in, to generate the putative
original PIN, before plugging this value into the encrypting
function.
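
The scheme described in the post above, sketched as an added example that is not part of the original thread. The post does not name the one-way function or say how the "difference" is taken, so HMAC-SHA256 under a terminal-held key and digit-wise subtraction mod 10 are assumptions, and every name and value here is constructed.

```python
import hashlib
import hmac

# Constructed demo values, not real card data. Assumption: the one-way function
# is keyed with a secret held by the verifying terminal, because an unkeyed
# function over a 4-digit PIN has only 10,000 possible inputs.
ISSUER_KEY = b"constructed-demo-key"
STRIPE_FIELDS = ("account", "sort_code", "name")
SAMPLE_STRIPE = {"account": "12345678", "sort_code": "112233", "name": "A N OTHER"}


def one_way(pin: str, card: dict) -> str:
    """One-way function of the PIN plus the other stripe data."""
    msg = "|".join([pin] + [card[f] for f in STRIPE_FIELDS])
    return hmac.new(ISSUER_KEY, msg.encode(), hashlib.sha256).hexdigest()[:8]


def digit_sub(a: str, b: str) -> str:
    """Digit-wise (a - b) mod 10, so the result keeps the PIN's length."""
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))


def issue_card(stripe: dict, original_pin: str) -> dict:
    """Write the "should-be" result and a zero offset; the PIN is not stored."""
    card = dict(stripe, offset="0" * len(original_pin))
    card["check"] = one_way(original_pin, card)
    return card


def verify(card: dict, keyed_pin: str) -> bool:
    """Subtract the stored offset, then compare with the stored result."""
    if len(keyed_pin) != len(card["offset"]) or not keyed_pin.isdecimal():
        return False
    putative_original = digit_sub(keyed_pin, card["offset"])
    return hmac.compare_digest(one_way(putative_original, card), card["check"])


def change_pin(card: dict, current_pin: str, new_pin: str) -> bool:
    """Rewrite only the offset (new minus original); "check" is untouched."""
    if not verify(card, current_pin) or not verify(dict(card, check=""), new_pin) \
            and (len(new_pin) != len(current_pin) or not new_pin.isdecimal()):
        return False
    original = digit_sub(current_pin, card["offset"])
    card["offset"] = digit_sub(new_pin, original)
    return True
```

The offset is a function of both PINs, so what the stripe holds after a change is a relation between them rather than either value.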
