2

Everyone owns a card from the bank. Every card has a 4-digit PIN.

If someone steals / finds my card I know that these 10.000 combinations are silly stuff to crack. I presume with some piece of hardware (card reader) and brute force it's too easy.

Does the bank card have any security other than the 4-digit PIN, and how does it work?

Anders
Josip Ivic

3 Answers

6

The chip on the card functions as a tiny computer communicating with the card reader. It never reveals the PIN to the reader, but instead uses a crypto protocol. This means that the card itself can enforce rate limiting to prevent brute force - i.e. locking after X failed attempts. Not sure this is done everywhere, but I know it is in some countries/by some banks.

However, if you are in physical possession of a credit card, you already have enough information to perform purchases on the internet. All you need to know to max out the card on a bitcoin shopping spree is written on the card. So brute forcing the PIN is not necessary to perform fraud.

Anders
  • The chip is not strictly necessary as the bank can enforce the retry limit. Esp. ATM transactions are always online and the PIN is verified directly by the bank instead of by the card. – billc.cn Aug 24 '16 at 12:37
  • @billc.cn This is more than I know. I assume the bank then has some kind of rate limiting to stop a fake ATM from brute forcing a PIN? – Anders Aug 24 '16 at 12:44
  • 1
    @Anders, I have yet to find a way to reliably purchase bitcoins without signing up on an exchange that requires personal information. Am I mistaken? – Verbal Kint Aug 24 '16 at 13:10
  • @VerbalKint Actually, I have never purchased bitcoins, so I have no idea. It was just an example. You could do any kind of purchase online. Granted, many of them would require giving up personal information (e.g. for shipping) to be meaningful, but not all. – Anders Aug 24 '16 at 13:12
  • @Anders, alright. Yea, this is actually an issue within the bitcoin community. Although it is a decentralized currency, centralized services like third-party exchanges control most of the flow of bitcoins, which in addition to defeating the point of a decentralized currency (governments can't bail out banks or regulate supply), is also an issue because these exchanges can often be hacked, causing uncertainty in the market. – Verbal Kint Aug 24 '16 at 13:17
  • Which is the reason you need to report a stolen or lost credit card as soon as possible. There is also a terrible idea being deployed across the EU where you can pay wirelessly without any authorisation whatsoever - you just wave your Visa and it gets charged. There is some limit (which gets worse with time) but still a terrible idea in the name of making it "easier to use". So just report it stolen ASAP. – Matija Nalis Aug 24 '16 at 14:44
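
The card-side rate limiting described in the answer above, as an added example (not part of the original post and not any bank's or card scheme's code): a toy model of a chip that checks the PIN itself and keeps its own retry counter. The `Card` class, the limit of 3 tries and the sample PINs are assumptions made for illustration.

```python
import hmac

PIN_SPACE = 10_000  # four decimal digits, as in the question


class Card:
    """Toy chip that verifies the PIN internally (hypothetical model)."""

    def __init__(self, pin: str, max_tries: int = 3):  # 3 is an assumed limit
        self._pin = pin.encode()      # stays inside the chip, never sent out
        self.max_tries = max_tries
        self.tries_left = max_tries   # persists on the card between readers

    def verify(self, candidate: str) -> str:
        if self.tries_left == 0:
            return "BLOCKED"          # no comparison is performed any more
        # Spend the try before comparing, so interrupting the check
        # (e.g. pulling the card) cannot yield a free guess.
        self.tries_left -= 1
        if hmac.compare_digest(candidate.encode(), self._pin):
            self.tries_left = self.max_tries   # correct PIN resets the counter
            return "OK"
        return "BLOCKED" if self.tries_left == 0 else "WRONG"


def exhaustive_search(card: Card, candidates):
    """Return (pin_found, guesses_evaluated) for a reader trying every candidate."""
    evaluated = 0
    for pin in candidates:
        if card.tries_left == 0:
            break                     # the card has stopped answering
        evaluated += 1
        if card.verify(pin) == "OK":
            return pin, evaluated
    return None, evaluated


def success_probability(max_tries: int, pin_space: int = PIN_SPACE) -> float:
    """Chance that max_tries distinct guesses hit a uniformly random PIN."""
    return max_tries / pin_space


if __name__ == "__main__":
    card = Card("7391")               # constructed sample PIN
    all_pins = (f"{i:04d}" for i in range(PIN_SPACE))
    print(exhaustive_search(card, all_pins), card.verify("7391"))
    print(f"{success_probability(card.max_tries):.2%} chance before lockout")
```

Because the counter lives on the card, moving the card to a different reader does not restore any guesses; once it reaches zero even the correct PIN is refused.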
1

The four digit PIN isn't the only vulnerable component. The implementation has many issues too.

The Security Group at the University of Cambridge Computer Laboratory maintains a blog and they have explored many vulnerabilities in the chip and PIN system. Here is an article that they have written on chip and PIN: https://www.lightbluetouchpaper.org/2009/04/09/chip-and-pin-on-trial/

And The Register has another one about threats to a researcher trying to highlight these issues: http://www.theregister.co.uk/2010/07/06/atm_security_talk_pulled/

Oz.
0

No, this is why it's important to shield your PIN and never use the same PIN on multiple cards. However, the PIN itself is encrypted on the card, so it cannot easily be read directly.

James Hyde