RBS card reader

Heofz · 4 Sep 2007 at 11:11

Received a natwest card reader this morning, I'm a bit puzzled as to how it knows whether my pin number is correct. I assume from this that the pin verification data is stored on the chip of the card itself? I only say that because it uses 2 coin cell batteries so evidently no remote link is used (hence why mobiles need hefty batteries)

So if i were to change my pin in any scenario (e.g. if natwest sent me a new one) how would my card reader know about it or would I have to update my card somehow, like at an ATM or something similar? Or would natwest have to send me another card reader? (or a new card??) :S

gumbald · 4 Sep 2007 at 11:17

It generates a verification number based upon your PIN and card details. When you enter that number on the site, they know whether the PIN you entered is right...

DanTheMan · 4 Sep 2007 at 11:18

Heofz said:
Received a natwest card reader this morning, I'm a bit puzzled as to how it knows whether my pin number is correct. I assume from this that the pin verification data is stored on the chip of the card itself? I only say that because it uses 2 coin cell batteries so evidently no remote link is used (hence why mobiles need hefty batteries)

So if i were to change my pin in any scenario (e.g. if natwest sent me a new one) how would my card reader know about it or would I have to update my card somehow, like at an ATM or something similar? Or would natwest have to send me another card reader? (or a new card??) :S

The PIN which you use for ATM machines will be the same PIN that you use for your card reader, so if it ever changes, it will change for the card reader too.

The data is stored in the chip within the card.

Heofz · 4 Sep 2007 at 11:18

gumbald said:
It generates a verification number based upon your PIN and card details. When you enter that number on the site, they know whether the PIN you entered is right...

But when you enter your PIN wrong on the card reader, it immediately recognises if I've entered the wrong PIN because I tested it.

"Incorrect PIN. 2 tries left"

gumbald · 4 Sep 2007 at 11:20

Heofz said:
But when you enter your PIN wrong on the card reader, it immediately recognises if I've entered the wrong PIN because I tested it.

"Incorrect PIN. 2 tries left"

That wasn't the way I expected it to be done, I apologise

Must be stored on the chip then.

Dave M · 4 Sep 2007 at 11:21

Heofz said:
Received a natwest card reader this morning, I'm a bit puzzled as to how it knows whether my pin number is correct. I assume from this that the pin verification data is stored on the chip of the card itself? I only say that because it uses 2 coin cell batteries so evidently no remote link is used (hence why mobiles need hefty batteries)

So if i were to change my pin in any scenario (e.g. if natwest sent me a new one) how would my card reader know about it or would I have to update my card somehow, like at an ATM or something similar? Or would natwest have to send me another card reader? (or a new card??) :S

The pin is on the chip, encrypted, thats why it's chip and pin.

When you enter your pin on a chip+pin terminal your pin code goes from the keypad to the chip on your card - no further.

I understand these devices somehow randomise the code every time, obviously based on your number and pin, but adding something else to it which the bank will know is correct (maybe just like the posh car alarm remotes that step through codes).

Heofz · 4 Sep 2007 at 11:23

Telescopi said:
The pin is on the chip, encrypted, thats why it's chip and pin.

When you enter your pin on a chip+pin terminal your pin code goes from the keypad to the chip on your card - no further.

I understand these devices somehow randomise the code every time, obviously based on your number and pin, but adding something else to it which the bank will know is correct (maybe just like the posh car alarm remotes that step through codes).

Similar to the RSA keyfobs I presume

(clicky for all who dunno what it is)

So in that case, does that mean that since the introduction of chip & pin, banks are no longer able to change your pin number remotely unless they send you a new card along with it?

Dave M · 4 Sep 2007 at 11:24

Redrum said:
I would be interested to see if there is any statistics on how much it has reduced fraud for the sites that have implemented it.

OcUK has used it for 2 years now, hasn't reduced fraud.

We have to work harder than ever to stop fraud now because the banks stopped offering name and address checks over the phone - said 3D Secure replaced it.

It would have if they had securely registered their card holders. As it stands an authenticated payment (3d secure registered and correct password used) is no less likely to be fraud than one that is not.

Infact I think fraudsters if anything are more likely to use it - they do everything they can to appear legit after all.

ste_bla · 4 Sep 2007 at 11:25

Telescopi said:
The pin is on the chip, encrypted, that's why it's chip and pin.

I never understood why. How is this more secure than the normal swipe and pin? In new zealand since at least 1996 (when i remember it) they have been swiping and then you enter you pin and they don't seem to have any issues

just confuses me why surely its less secure as someone could change the pin on the card at home and then use you card how would they stop that?

Dave M · 4 Sep 2007 at 11:25

Heofz said:
Similar to the RSA keyfobs I presume (clicky for all who dunno what it is)

So in that case, does that mean that since the introduction of chip & pin, banks are no longer able to change your pin number remotely unless they send you a new card along with it?

Don't know, I presume when you change it in a cash machine it can chang the pin on the chip. There's no way they could do it without physical contact with your card though.

caff · 4 Sep 2007 at 11:26

Got mine from Natwest today (they sent me a new card and a couple of letters about it)

Looks like a mini fisher price calculator

Heofz · 4 Sep 2007 at 11:26

Telescopi said:
There's no way they could do it without physical contact with your card though.

Ah that makes sense then, thanks

Dave M · 4 Sep 2007 at 11:28

ste_bla said:
I never understood why. How is this more secure than the normal swipe and pin? In new zealand since at least 1996 (when i remember it) they have been swiping and then you enter you pin and they don't seem to have any issues

magnetic swipe cards can be rcopied very easily and a huge number of payment terminals (in shops) are not online - i.e. they don't dial the bank when you pay, so they cannot check the pin that way.

just confuses me why surely its less secure as someone could change the pin on the card at home and then use you card how would they stop that?

They can't, nobody has been able to crack the encryption used on the chip, it would be a major problem if they did.

I guess if / when the chip gets cracked they'll require everyone using pin terminals to get online - be it via phone line, isdn, or gprs.

Heofz · 4 Sep 2007 at 11:47

Telescopi said:
They can't, nobody has been able to crack the encryption used on the chip, it would be a major problem if they did.

Surely we can't know that for sure though

For example if I were one of the people who successfully cracked it, I sure as hell wouldn't tell my fellow fraudsters as it would lead to my cover being blown.

Might explain why some fraud is still occurring despite chip+pin?

ste_bla · 4 Sep 2007 at 13:36

Heofz said:
Might explain why some fraud is still occurring despite chip+pin?

Mail Interception/Redirection
Internet Ordering
Theft + Written Down
Theft + Seeing Pin

Clarkey · 4 Sep 2007 at 13:38

had my natwest one ages, never used it mind.

Dave M · 4 Sep 2007 at 13:46

Heofz said:
Surely we can't know that for sure though For example if I were one of the people who successfully cracked it, I sure as hell wouldn't tell my fellow fraudsters as it would lead to my cover being blown.

Might explain why some fraud is still occurring despite chip+pin?

Cracking encryption isn't that simple.

Heofz · 4 Sep 2007 at 13:47

ste_bla said:
Mail Interception/Redirection
Internet Ordering
Theft + Written Down
Theft + Seeing Pin

Sorry, I meant to say "some of the fraud", as opposed to "some fraud". I agree though that most fraud is probably done this way

bigredshark · 4 Sep 2007 at 13:59

Telescopi said:
They can't, nobody has been able to crack the encryption used on the chip, it would be a major problem if they did.

I guess if / when the chip gets cracked they'll require everyone using pin terminals to get online - be it via phone line, isdn, or gprs.

Unlikely, the system is likely two factor public/private key encryption. So even if you cracked the chip and worked out what encryption it was using you still wouldn't be able to get the pin out of the end result.

You could write a program that if you put in the PIN it would give you the secure code but not the other way round. Thats the beauty of public/privaet keys.

It's quite a cute system and as I understand netwest will use it to verify certain internet transactions (like adding a payee to an account, so you can send money to someone who's already been added without the reading but to add someone new, as a criminal might like to do to empty your account, you'd need the secure code from the reader.)

I don't think it's a tremedous hassle and it might help a little. Then again I've always thought it's strange banks over here don't copy the US and put ID photos on bank cards, it'd surely cut down massively on fraud in shops (wouldn't do anything for online fraud obviously). It seems a big move sending out all the readers to people but I don't know the scale of the problem.

gumbald · 4 Sep 2007 at 14:06

Just got mine delivered today, yet to use it though. It does look like a cheap calculator