Re: [LUG] OT surveillance

On Thu, 27 Jun 2013, Philip Hudson wrote:

On 27 Jun, 2013, at 10:02 am, Philip Hudson wrote:

- Your PIN

Here's an interesting sub-topic: does GCHQ know your PIN?

The PIN is stored on the chip on the card. There is no transaction to the bank to validate the PIN - it merely tells the equipment reading the card that the card owner is present.

e.g. my NatWest card readers can authenticate my PIN without a connection to any network at all, and I can also use them to change the PIN on any card I own.

So in theory, other than the initial PIN they set on your card when they sent it to you, the banks don't know your PIN.

The authorities don't need to know the PIN - they just go direct to the bank and say: Give me all of Mr. Henderson's bank statements.

And yes, I know what you're thinking. It's been done:

http://www.lightbluetouchpaper.org/2012/09/10/chip-and-skim-cloning-emv-cards-with-the-pre-play-attack/

or

http://url.drogon.net/1j

Gordon

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq