From: Peter Fairbrother on 10 Jun 2010 08:48

unruh wrote:
>
> No, an arbitrary number of tries per card. You just go to different ATMs
> and do two tries and then cancel. I have not tried it, (well I have) but
> I do not think that 10 bad tries on 5 different machines will trigger
> the confiscation routine.

Here in the UK where we have chips in cards it's three tries only, even if the terminal is offline - there is a PIN-retry counter in the chip.

When the card has locked up a special PIN counter reset number can be used. This is supplied by the Bank as required. In effect this mechanism can sometimes give a thief another try, though the number is different.

Where magstripes are used the issuing bank will usually note any failed PIN entries, and it will refuse online-verified transactions after too many tries, usually three.

In this magstripe sort of PIN entry management the PIN counter at the issuing bank is often reset at midnight - so if the thief steals the card at 11.55 pm he can have six tries in a short time, hopefully before the card has been reported stolen.

Incidentally, both these mechanisms leave the card subject to a PIN guessing attack by a family member, roommate etc. The roommate steals the card, tries two PINs and if they fail he replaces the card, then steals it again later - either the next day for a magstripe card (though he could easily clone one of those instead), or for a chip card after the user has reset the counter by using the card in the normal way.

In the UK stolen chip cards are not very valuable, as the chips cannot be economically cloned. However the thieves can try random PINs, offline so no-one knows about it, and when they get lucky - about 1 in 3,000 lost/stolen cards, more often if they are clued-up - the poor user is often screwed over by the Bank.

-- Peter Fairbrother
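An added example, not part of the original post: a small model of the two counters described above, showing how many wrong guesses each one actually checks before refusing. The class names, the PIN "4821", the guessed values and the timestamps are constructed, and the reset rules are simplified from the post's description (chip counter restored by a correct PIN, issuer counter cleared at midnight).

```python
from datetime import datetime, timedelta

PIN_LIMIT = 3  # wrong tries allowed, the figure given in the post

class ChipCounter:
    """On-card retry counter: a correct PIN restores it, so it never ages out."""
    def __init__(self, pin):
        self.pin, self.tries_left = pin, PIN_LIMIT

    def verify(self, guess, when=None):
        if self.tries_left == 0:
            return "locked"
        if guess == self.pin:
            self.tries_left = PIN_LIMIT
            return "ok"
        self.tries_left -= 1
        return "wrong"

class IssuerDailyCounter:
    """Issuer-side failure count for a magstripe card, cleared at midnight."""
    def __init__(self, pin):
        self.pin, self.day, self.failures = pin, None, 0

    def verify(self, guess, when):
        if when.date() != self.day:          # first transaction of a new day
            self.day, self.failures = when.date(), 0
        if self.failures >= PIN_LIMIT:
            return "refused"
        if guess == self.pin:
            return "ok"
        self.failures += 1
        return "wrong"

def evaluated_wrong_guesses(counter, events):
    """Count the wrong guesses the counter actually checked (not refused)."""
    return sum(counter.verify(g, t) == "wrong" for t, g in events)

def across_midnight(counter):
    """Six wrong guesses, two minutes apart, starting at 23:55."""
    start = datetime(2010, 6, 9, 23, 55)     # constructed timestamps
    events = [(start + timedelta(minutes=2 * i), "0000") for i in range(6)]
    return evaluated_wrong_guesses(counter, events)

def interleaved_with_owner(counter, rounds):
    """Each day: two wrong guesses, then the owner's normal correct use."""
    day0, wrong = datetime(2010, 6, 1, 12, 0), 0
    for d in range(rounds):
        t = day0 + timedelta(days=d)
        wrong += evaluated_wrong_guesses(counter, [(t, "0000"), (t, "0001")])
        assert counter.verify(counter.pin, t) == "ok"   # owner is never locked out
    return wrong
```

The midnight scenario is checked six times by the daily counter and three times by the chip counter, while the interleaved scenario is never stopped by either, which is the exposure the post describes.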