Chip n Pin
- Thread starter Loki
- Start date
Cueball said:
Not this **** again.
Yes, we know CnP isnt 100% secure, but it *is* a darn sight more secure than the old system.
Just because it isnt the pinnacle of security isnt a valid criticism. The security attached to it is commensurate with the risks/costs involved, and thats all that really matters.
Cueball said:
You can decrypt the pin in the card? Could you point me to this software because afaik it has not, and cannot be broken by any reasonable level of equipment, expertise and time.
Unless you mean people typing their pin into tampered terminals - but thats no different to tampered cash points.
Cueball said:
It's not that easy - and if this software was so easy to setup and use then the ATM fraudsters about would not worry about setting up surveillance to get PIN's being entered or should surf.
If Chip n Pin is so insecure why has it already saved millions in the short time we used it - why did it cut France fraud costs by something silly like 90%
As i have repeated time and time and time again the majority of card fraud comes when you just loose a card / wallet and someone picks it up and goes to use it - or from muggings (where the bag/wallet is stolen) not organised ATM theft where they get PIN's also - meaning people simple cant find a card and go use it without hastle by signing a piece of paper that isnt even checked...now they have to go an guess a PIN - not gonna happen.
Same logic as when a card is found/stolen they dont try it at the ATM because they know itll retain after 3 attempts.
IT IS MORE SECURE
Associate
- Joined
- 18 Oct 2002
- Posts
- 792
- Location
- Darwin, Australia
Wasnt this on the news yesterday?? There was one of the Cambridge universities that have made a device to read all the data off a C&P card. They made the whole thing for less than £100 and then put all the data back onto an O2 topup card and the presenter drew a tenner from an ATM on it.Cueball said:
As Cueball says, everywhere else that uses C&P encrypt the PIN data, here in the UK they cut corners and leave the PIN un-encrypted. Saved the banks £1.5 per card.
Back on topic. I was in South Africa in Jan just before C&P enforcement in the UK and it was hit and miss as to whether i was asked to enter a pin. I did get some really funny looks from some of the people there when it prompted for my pin number!
Cueball said:
So you are telling me that all of these gangs setting up surveillance and confidence trickery around ATM machines etc.
Setting up small cameras and the like didn't need to and all they had to do was steal the card and they would have all the information they would require with the aid of some cheap hardware and some free software.
Not only that but whereas before Chip & Pin in the UK the theft of a card meant no taking money from an ATM without the PIN as after 3 attempts you lose the card - so all they could do was attempt to copy the signature and use it in a shop.
But now, the PIN is totally unencrypted and so they can also empty your account via an ATM as well because once the card is stolen they also have your ATM PIN?
What you are basically saying is:
If I was to steal a chip & pin card. With the aid of very cheap hardware and free software I could have "in effect" the same card with the PIN number written accross the back meaning I can use it in an ATM machine or to make purchases.
Sorry, I cannot believe this.
Yes of course, the PIN we're not allowed to tell our bank, the PIN they send you in a seperate letter on a seperate day, is stored totally unencrypted on the chip.
I also heard Lord Lucan spearheaded the project, but elvis was the brains behind it.
I also heard Lord Lucan spearheaded the project, but elvis was the brains behind it.
After all the fraud etc with chip and pin, I think we should have the choice to have photo ID on the debit card. If it's not you, can't be used. Obviously wouldn't solve all the problems but it's a start.
Think this was done in the US already
Think this was done in the US already
Telescopi said:
Don't forget the guy from Grassy Knoll Tx financed it
Unluckyalf, let me guess they used a magnetic swipe card and an older (non chip) cashmachine that read the card, then entered the number on the o2 phone?
None of which require access to the chip, and can all be done very easily hence the reason new machines check the chip and C&P isn't meant to stop cardholder not present fraud, that is a totally diferent kettle of fish (how many mail order firms, or pre-pay top-ups ask for the pin?).
The idea of the pin being stored unencrypted on the card is pretty silly.
Pretty much everything I've heard with regards to C&P fraud suggests it's much much harder than the old signature only fraud - no matter what you do to the card there will be weaknesses with the system, even using 256bit encyption for the check of the Pin stored on the card's chip doesn't help if someone has set up a camera watching the terminals, or has tampered with a terminal and is reading the pin as entered on the keypad.
C&P when properly implimented stops most/all casual fraud when used in person as you can't just pick up a card and use it, you need to have obtained the pin first which unless the cardholder is a tad silly isn't particulary easy.
From what i understood your pin number is stored on the magstrip, but is encrypted like the rest of the information...but still can be decrypted with the right software!
But one of the biggest points that people seam to not notice about C&P is on the hand devices...there is no offical recognised sign or logo that you are using an authenticate SECURE device...when you use any C&P handset how do you know that cable is going to the right place
(a cash machine stuck in a wall is a little harder to fake, lol)
But one of the biggest points that people seam to not notice about C&P is on the hand devices...there is no offical recognised sign or logo that you are using an authenticate SECURE device...when you use any C&P handset how do you know that cable is going to the right place
(a cash machine stuck in a wall is a little harder to fake, lol)
Associate
- Joined
- 18 Oct 2002
- Posts
- 792
- Location
- Darwin, Australia
No, they literally cloned the card. He used the O2 topup card in exactly the same manner as he would with his ordinary Switch card, i.e. entered his normal PIN number and withdrew cash. As to the age of the cashmachine, i cannot comment. All i could see of it was that it was an Alliance and Leicester machine outside an Alliance and Leicester branch in Cambridge.Werewolf said:Don't forget the guy from Grassy Knoll Tx financed it
Unluckyalf, let me guess they used a magnetic swipe card and an older (non chip) cashmachine that read the card, then entered the number on the o2 phone?
None of which require access to the chip, and can all be done very easily hence the reason new machines check the chip and C&P isn't meant to stop cardholder not present fraud, that is a totally diferent kettle of fish (how many mail order firms, or pre-pay top-ups ask for the pin?).
.
I have been looking for some reference to the news program on tv and all i can find so far is an article from last week in the Daily Mail
HERE
