Chip & Pin Fraud

[ai_Droid]

Mag stripes contain an offset of the pin for verification

 

now:

 

The PIN isn't encrypted at all. The PIN isn't on the card.

 

Says it all really.

 

Yes, that does say it all. Both statements are correct.

 

You couldn't grasp this simple point in your biometrics rants either. You don't need the original to verify it. It's a very basic principle of authentication. The pin isn't on the mag stripe, it's an offset, a verification value, not the pin itself. You can't reconstruct the pin from the verification value, same as you can't reconstruct a thumbprint from scanner systems.

[Cambon]

Yes, that does say it all. Both statements are correct.

 

You couldn't grasp this simple point in your biometrics rants either. You don't need the original to verify it. It's a very basic principle of authentication. The pin isn't on the mag stripe, it's an offset, a verification value, not the pin itself. You can't reconstruct the pin from the verification value, same as you can't reconstruct a thumbprint from scanner systems.

 

So if 10 people have a PIN of 1234, that will be represented in an identical fashion on each card's magnetic strip. Agreed?

[ai_Droid]

So if 10 people have a PIN of 1234, that will be represented in an identical fashion on each card's magnetic strip. Agreed?

 

Nope. That would be stupid. The cypher that creates the PVV uses other information unique to the user, such as account number or that little cvv number on the back of your card, etc.

 

Also once the verification offset is generated, it's not used in its entirety. You can't reform a pin from the verification value, that's the point. You can verify the pin against the verifcation value, but that's a one way process.

 

This is a system that's been in place for a long time, and it's never reportedly been compromised. It's the reason fraudsters use cameras as pointed out to you. It's the reason they rely on sniffers to get the pin out of poorly thought out commuications used during the authentication process, its the reason most card fraud is 'cardholder not present' which doesn't require a pin.

 

The PIN isn't on the mag stripe cambon, you can argue it back and forward, it's pointless. That value isn't on the card. In most modern implimentations, offset isn't even stored on the mag stripe, and the mag reader can only do online verification as the PVV is stored with the bank, and you can't do offline verification vs the magnetic stripe. Early chip and pin could, but this was stopped.

[jimbms]

Let's explain it in simple terms:

When you change or dont change your pin on your C&P card your pin is added to a 4 digit code generated by mathematical calculation based on 27 steps by your account number and sort code this then has a 4 figure number subtracted based on another mathematical code with a similar number of steps based on a portion of your personal details, this then goes on to have 5 more stages of similar calculations, the resulting number is the code on the card that can be up to 17 numbers, the permutations of working your pin out from the card would take 12 super krays over 3,000 years unless you also have the full details of the persons account and the details of the mathematical variations of which there are 26,700,000 permutations. In other words unless someone watches the person use the pin code before they clone the card or has a machine to record the input they are fucked, now for the new technology that bases the pin on pattern recognition then each time you put a pin in it is based on a square made up of random numbers which you input the 4 digits according to your pattern and as each digit is repeated 3 times it is almost impossible to learn the pin from monitoring numbers input as the number matrix is on screen.

As you see it is a quite simple mathematical solution, hope this clarifies matters for you.