TOT disclose your PIN

If you were the retailer, you wouldn't get to touch my card (fnarr, fnarr)

-- Jethro_uk

Good point well made.

-- Scott

Are there any circumstances where the retailer (or card issuer etc.) could decide to do a signature transaction instead of chip-n-pin? They might get suspicious of a mangled strip ...

-- Andy Burns

I thought not using the chip and pin facility meant the bank would not guarantee payment.

-- Scott

The main reason that I have met is "the card reader is faulty"

-- charles

Unlikely, since not adhering to C&P puts the liability on the retailer.

Anyway I don't damage the signature - just the CV2.

-- Jethro_uk

Because there's no possibility of you changing it to a number that you can easily remember.

tim

-- tim...

They normally only ask for a couple of characters IME...

(Although that is actually possibly more worrying since it suggests they have access to the plaintext password!)

-- John Rumm

The CV2 is supposed to only be used in Cardholder Not Present transactions - so it's kind of like a (fairly weak form of) 2nd factor authentication, i.e. you need to physically have the card to use it. The number is not present in the data on the chip, mag stripe, or raised lettering, and so should not be readily accessed in an automated way during normal cardholder present transactions.

Needless to say a photo of the rear of the card or even just a good memory is going to defeat the extra security gained.

-- John Rumm

ISTR there is a Chip and Signature card available as well (required for some memory impaired users).

-- John Rumm

I always worry slightly about the banks that ask for a couple of digits of a longer PIN. A keyboard logger is eventually going to harvest all the data, and provide some evidence of the order, thus reducing the number of options to be tried.

-- newshound

Also dexterity impaired. Though one might think this would also affect the signature, but not invariably.

-- Roger Hayter

Although thinking about that, I suppose they could salt and hash all the possible 2 character combinations and store those in the database - so verification is the same as for normal password - i.e. you don't need access to the plaintext to check if there is a match.

As with any of these things - no one defence is adequate on its own, but having multiple layers build up to a stronger defence. So asking for a subset is better than asking for the whole thing from the point of view of mitigating a "man in the middle" attack.

-- John Rumm
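The two points above, John Rumm's "hash every possible two-character combination" idea and newshound's earlier keylogger worry, can be shown together in a small constructed example. This is added illustration code, not anything posted in the thread and not any bank's implementation. Assumptions: a six-digit numeric secret, positions counted from 0, and PBKDF2-HMAC-SHA256 with a deliberately low iteration count so that the brute-force demonstration finishes quickly. The names `enrol`, `verify`, `crack_pair` and `harvest` are made up for this example.

```python
import hashlib
import hmac
import os
import secrets
from itertools import combinations, product

# Demo value only; a real deployment would use a far higher count (or scrypt/Argon2).
ITERATIONS = 1000


def _digest(salt, i, j, ci, cj):
    """Salted PBKDF2 over (positions, characters). Binding the positions into the
    message means the hash for "digits 2 and 5" cannot be replayed as "digits 1 and 3"."""
    msg = f"{i}:{j}:{ci}{cj}".encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, ITERATIONS)


def enrol(secret):
    """At enrolment, store one salt + hash for every pair of positions.
    The returned record never holds the secret itself."""
    pairs = {}
    for i, j in combinations(range(len(secret)), 2):
        salt = os.urandom(16)
        pairs[(i, j)] = (salt, _digest(salt, i, j, secret[i], secret[j]))
    return {"length": len(secret), "pairs": pairs}


def challenge(record):
    """Pick two distinct positions to ask the caller for (0-based)."""
    i, j = secrets.SystemRandom().sample(range(record["length"]), 2)
    return (i, j) if i < j else (j, i)


def verify(record, i, j, ci, cj):
    """Check two supplied characters against the stored hash for that position pair.
    The server needs no plaintext: it hashes the answer and compares."""
    if i > j:  # normalise so (i, j) matches the enrolment key order
        i, j, ci, cj = j, i, cj, ci
    salt, stored = record["pairs"][(i, j)]
    return hmac.compare_digest(_digest(salt, i, j, ci, cj), stored)


def crack_pair(record, i, j, alphabet):
    """Offline attack on one stored pair if the database leaks. With a numeric
    secret there are only len(alphabet)**2 = 100 candidates, which is why hashing
    two digits buys very little (Vir Campestris's point later in the thread)."""
    salt, stored = record["pairs"][(i, j)]
    for ci, cj in product(alphabet, repeat=2):
        if hmac.compare_digest(_digest(salt, i, j, ci, cj), stored):
            return ci, cj
    return None


def harvest(observations):
    """What a keylogger accumulates across sessions: each answered challenge
    leaks two (position, character) facts. observations = [(i, j, ci, cj), ...]."""
    known = {}
    for i, j, ci, cj in observations:
        known[i] = ci
        known[j] = cj
    return known


def remaining_guesses(known, length, alphabet_size):
    """How many full-secret candidates are left once `known` positions are fixed."""
    return alphabet_size ** (length - len(known))


if __name__ == "__main__":
    # Constructed secret for the demo; nothing here is a real PIN.
    record = enrol("482913")
    i, j = challenge(record)
    print(f"bank asks for positions {i + 1} and {j + 1}")
    print("correct answer accepted:", verify(record, 0, 2, "4", "2"))
    print("leaked DB, one pair cracked:", crack_pair(record, 0, 2, "0123456789"))
    logged = harvest([(0, 2, "4", "2"), (1, 4, "8", "1")])
    print("after two logged sessions, candidates left:",
          remaining_guesses(logged, 6, 10))
```

The record contains salts and digests only, so a database dump does not hand over the PIN directly, but `crack_pair` shows that a two-digit answer space is trivially enumerable, so the hashing mostly defends against casual lookup rather than a determined attacker. `harvest` shows the other side: the server never sees the whole secret in one exchange (some protection against a man in the middle), yet a logger on the customer's keyboard collects it piecewise, and every logged session shrinks the remaining search.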

Most likely the guy on the end of the phone doesn't have access. What he can do is put in the two digits you supplied, and the computer will tell him if they are right.

Andy

-- Vir Campestris

But that means the PINs can be stolen.

-- 2987pl

Quite possibly - although one would still like to know that they have not stored them in their DB in plaintext...

-- John Rumm

We understand that,

but that means the computer has the PW stored in plaintext form so that it can do that check,

leaving that database vulnerable to being hacked (by internal or external actors)

I note John's possible way to avoid this. Plausible, but more work than most companies are going to want to do, IME

tim

-- tim...

It's quite possible to add encryption where the keys needed are never available to anything other than the program accessing the database. This makes it a lot harder for anyone to find the passwords.

It does mean that if you have to start the system from scratch, everyone would have to change their passwords, as there would be no way to input the same keys that were generated previously, so it may be a bit OTT just for a bank account.

-- dennis

Not necessarily. It can store something derived from the PW by a one way hash algorithm. Then hash your two characters in the same way, and check if the hashes match. Not that that will be very secure for just 2 digits!

And there I agree with you. Most of them will have stored the PINs in plain text or with some sort of simple algorithm.

Andy

-- Vir Campestris

Unless the CV2 is obliterated before the card is used.

-- Jethro_uk
