From: Martin Gregorie on 15 Jul 2007 16:53

Daniel James wrote:
> In article news:<mh7nm4-ldu.ln1(a)zoogz.gregorie.org>, Martin Gregorie wrote:
>> Does anybody know if there's anything in the card reader that's locked
>> to the bank account, or can I use any Natwest card reader with my card
>> and generate a valid authorization code?
>
> I've seen it stated (I forget where) that the reader is a generic device.
> You will certainly be able to use the same reader with different cards from
> the same bank, and probably with cards from other banks.
>
I thought so but haven't seen it said.

>> If the card reader is not account-specific then the activation process
>> boils down to a simple check that it can read your card and that it works
>> correctly.
>
> No, absolutely not. The reader is just an interface, the number that is
> generated for you to use to authorize a payment (etc) comes *from* the
> card, and will be generated by some secure cryptographic process inside the
> card.
>
That's what I was getting at - the 'test challenge' used in the activation
process will not be correct if the reader isn't working correctly, connecting
correctly to the card, or the card is faulty.

> You would never be asked to provide your PIN itself online -- there's far
> too much chance of a keylogger or other malware snooping the value.
>
Of course - but I HAVE been asked for the 3 digit reference code off the back
of the card, which only means that the purchaser has the card, not that he's
entitled to have it.

> Note, too, that one could use the same reader with telephone banking: the
> banking system could (digitally) 'speak' a number which you would enter
> into the reader to generate a response, and the response could be entered
> on the keypad of a tone-dialing phone and verified automatically by the
> system (I don't know whether the banks propose to do this, but the idea
> will not have escaped them).
>
Yes, I'd spotted that.

It will be nice if the same reader works with Mastercard, but I'm not holding
my breath.

>> I've always thought the 4 digit PIN is too short for comfort.
>
> Unfortunately there are a very large number of ATMs and POS terminals
> around the world that can't cope with anything longer (at least: not
> without a ROM upgrade, which would be difficult to perform on a secure
> tamper-resistant box).
>
Sure, but why use such a short PIN in the first place? Six or eight digits
would be better, or are there really people who can remember their phone
number but not another, similarly sized, PIN?

-- 
martin@   | Martin Gregorie
gregorie. | Essex, UK
org       |
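The challenge/response flow quoted in the post above (the bank issues a number, the card computes a response behind its PIN, the bank verifies it, and the reader is only an interface) modelled as an added Python example. This is not the EMV/CAP algorithm any bank actually uses and not code from anyone in the thread: the keyed SHA-256 HMAC, the 8-digit challenge and response lengths, the three-try PIN counter and the in-memory `Bank`/`Card` classes are all assumptions made for illustration.

```python
"""Toy model of a card-reader challenge/response exchange.

Constructed example. The MAC construction, digit counts and try limit are
assumptions for illustration, not the algorithm used by any real issuer.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

RESPONSE_DIGITS = 8   # assumed width of the code the reader displays
CHALLENGE_DIGITS = 8  # assumed width of the number the bank shows/"speaks"


def mac_to_digits(key: bytes, challenge: str) -> str:
    """Reduce a keyed MAC over the challenge to a fixed-width decimal string.
    Decimal output is what lets the response be typed on a phone keypad."""
    digest = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    value = int.from_bytes(digest[:8], "big") % 10 ** RESPONSE_DIGITS
    return f"{value:0{RESPONSE_DIGITS}d}"


class Card:
    """Model of the chip: the key never leaves this object, and the card
    refuses to answer until the correct PIN has been presented."""

    def __init__(self, key: bytes, pin: str, max_tries: int = 3) -> None:
        self._key = key
        self._pin = pin
        self._max_tries = max_tries
        self._tries_left = max_tries

    @property
    def blocked(self) -> bool:
        return self._tries_left == 0

    def respond(self, pin: str, challenge: str) -> Optional[str]:
        if self.blocked:
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1           # a wrong PIN burns one attempt
            return None
        self._tries_left = self._max_tries  # a correct PIN resets the counter
        return mac_to_digits(self._key, challenge)


class Bank:
    """The issuer keeps a copy of each card key (in practice inside an HSM)
    so it can recompute the response it expects for a given challenge."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._pending: Dict[str, str] = {}

    def enrol(self, account: str, key: bytes) -> None:
        self._keys[account] = key

    def issue_challenge(self, account: str) -> str:
        challenge = f"{secrets.randbelow(10 ** CHALLENGE_DIGITS):0{CHALLENGE_DIGITS}d}"
        self._pending[account] = challenge
        return challenge

    def verify(self, account: str, response: Optional[str]) -> bool:
        # pop() makes each challenge single-use, so a replayed response fails
        challenge = self._pending.pop(account, None)
        if challenge is None or response is None or account not in self._keys:
            return False
        expected = mac_to_digits(self._keys[account], challenge)
        return hmac.compare_digest(expected, response)


def reader(card: Card, pin: str, challenge: str) -> Optional[str]:
    """The reader holds no key and no account data: it forwards the PIN and
    challenge to whatever card is inserted and shows what the card returns.
    That is why any reader works with any card."""
    return card.respond(pin, challenge)


def demo() -> dict:
    key = secrets.token_bytes(16)  # constructed per-card key
    card = Card(key, pin="1234")   # constructed PIN
    bank = Bank()
    bank.enrol("acct-1", key)

    # 1. genuine exchange: challenge -> reader/card -> response -> bank
    challenge = bank.issue_challenge("acct-1")
    response = reader(card, "1234", challenge)
    genuine = bank.verify("acct-1", response)

    # 2. the same response offered a second time is rejected
    replayed = bank.verify("acct-1", response)

    # 3. wrong PIN: the reader shows nothing, so the bank never gets a code
    challenge = bank.issue_challenge("acct-1")
    wrong_pin = reader(card, "0000", challenge)

    return {"genuine": genuine, "replay": replayed, "wrong_pin": wrong_pin}


if __name__ == "__main__":
    print(demo())
```

Two details carry the security argument from the thread: `reader()` never touches a key, so the activation "test challenge" can only prove that this reader and this card talk to each other correctly, and `Bank.verify()` discards the challenge after one use, so a response overheard on the phone or logged by malware is worthless a second time.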
From: Folderol on 15 Jul 2007 17:22

On Sun, 15 Jul 2007 21:53:14 +0100
Martin Gregorie <martin(a)see.sig.for.address> wrote:

> Sure, but why use such a short PIN in the first place? Six or eight
> digits would be better, or are there really people who can remember their
> phone number but not another, similarly sized, PIN?

You would be surprised at the number of people who can't even remember their
age (a figure that rarely exceeds 2 digits) let alone a phone number.

The situation appears to be getting worse, according to an article I read
recently. This postulates that with the reliance on electronic aids kids are
not learning how to remember effectively.

-- 
Will J G
From: Andy Cap on 16 Jul 2007 01:44

On Sun, 15 Jul 2007 22:22:02 +0100, Folderol <folderol(a)ukfsn.org> wrote:

>On Sun, 15 Jul 2007 21:53:14 +0100
>Martin Gregorie <martin(a)see.sig.for.address> wrote:
>
>> Sure, but why use such a short PIN in the first place? Six or eight
>> digits would be better, or are there really people who can remember their
>> phone number but not another, similarly sized, PIN?
>
>You would be surprised at the number of people who can't even remember
>their age (a figure that rarely exceeds 2 digits) let alone a phone
>number.
>
>The situation appears to be getting worse, according to an article I
>read recently. This postulates that with the reliance on electronic
>aids kids are not learning how to remember effectively.

Though to be fair I bet the average person now has to remember far more such
details than any previous generation. I have 137 passwords in my copy of
Password Corral and automatically remember quite a few of them. Still, I
occasionally get in the garage and think "Which card is this?" and have very
occasionally punched in the wrong PIN.

Life is far more complex in this respect than ever before and now there's yet
another device about to arrive on the door mat....

Andy
From: Graham Murray on 16 Jul 2007 02:23

Folderol <folderol(a)ukfsn.org> writes:

> The situation appears to be getting worse, according to an article I
> read recently. This postulates that with the reliance on electronic
> aids kids are not learning how to remember effectively.

The other problem is that there are too many PINs, passwords, passphrases,
and memorable words which you have to remember.
From: Daniel James on 16 Jul 2007 05:48

In article news:<33eqm4-k1e.ln1(a)zoogz.gregorie.org>, Martin Gregorie wrote:
> ... the 'test challenge' used in the activation process will not be
> correct if the reader isn't working correctly, connecting correctly
> to the card, or the card is faulty.

Of course. ... or if you inadvertently insert the wrong card ...

> > You would never be asked to provide your PIN itself online -- there's
> > far too much chance of a keylogger or other malware snooping the value.
>
> Of course - but I HAVE been asked for the 3 digit reference code off the
> back of the card, which only means that the purchaser has the card, not
> that he's entitled to have it.

That's used to provide an extra element of security, but it doesn't prove
much. Only that the person using the card has at some time seen the card, or
has seen a record of a transaction in which those extra digits were recorded.
A keylogger would get them for sure.

> It will be nice if the same reader works with Mastercard, but I'm not
> holding my breath.

I'd be prepared to bet that the reader is making use of some standard
functionality of Chip & PIN cards, and if so it would certainly "work with" a
Mastercard card ... whether Mastercard have any infrastructure in place to
make use of it is another matter.

> Sure, but why use such a short PIN in the first place? Six or eight
> digits would be better, or are there really people who can remember their
> phone number but not another, similarly sized, PIN?

http://news.bbc.co.uk/1/hi/business/6230194.stm (apparently).

Chip & PIN *cards* that I've seen can handle a "secret code" of up to 8 binary
bytes -- 16 packed BCD digits -- but many of the protocols used by banks for
handling PIN data work with just 4 digits.

It would be possible for a Chip & PIN card to have two PINs, one of 4 digits
used in conventional transactions using the magstripe and a longer one used
when working with the on-card chip. I expect the banks think that most people
would find having two different PINs for one card terminally confusing.

Cheers,
 Daniel.