[LINK] City launches fingerprint payment program

Craig Sanders cas at taz.net.au
Tue Oct 16 10:18:34 AEST 2007


On Tue, Oct 16, 2007 at 09:41:23AM +1000, Daniel Rose wrote:
> The PIN is not on the card.  I've looked!
> 
> This doesn't say it's not, but it doesn't say it is either.
> http://en.wikipedia.org/wiki/Magnetic_stripe_card
> 
> Perhaps you're seeing confirmation bias, 

i suspect that's the case because even if the PIN is stored on the card in
some encrypted form, then with only 10,000 possible PINs (4 digits), any
modern computer could brute-force crack it in seconds.

and a computer 10 or 15 years old wouldn't take much longer.

and that's assuming that a 10,000 entry lookup table isn't possible due to
using variable data (like account info) as the "salt" to the encryption.

if a lookup table was possible, you would only have to crypt those
10,000 PINs once (to build the table) and from then on you can instantly
get the plaintext of any crypted PIN you can read.

ATM card security is bad, but not that bad.


if the PIN were on the card then criminals wouldn't need to come up with
elaborate schemes (like putting fake ATMs in shopping malls, or placing
their own reader in front of the slot of an existing ATM) to get it.
they'd just steal the card and read the PIN from it. and mag-stripe
readers would be extremely common possessions for criminals - they're
cheap enough that even petty muggers can afford them.

craig

-- 
craig sanders <cas at taz.net.au>

BOFH excuse #142:

new guy cross-connected phone lines with ac power bus.
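The brute-force and lookup-table argument in the message above, as an added Python example that is not part of the original post or thread. The "encrypted PIN on the card" function is a constructed model for illustration (an HMAC under a fixed issuer key), which is an assumption made here and not how any real card scheme works; the account number and PINs are made up. The first variant shows the 10,000-entry table that inverts any tag instantly once it has been built; the second shows that salting with account data defeats the table but still leaves only 10,000 candidates per card, so a per-card brute force finishes in well under a second.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed model of an "encrypted PIN stored on the card" (assumption for
# the example, NOT a real ATM scheme): the issuer derives a tag from the PIN
# under a fixed key.  The attacker is assumed to be able to read the tag from
# the stripe and to know the derivation function.
FIXED_KEY = b"issuer-key-assumed-for-example"

# Every 4-digit PIN, 0000..9999: the whole search space is 10,000 values.
ALL_PINS = [f"{n:04d}" for n in range(10_000)]


def pin_tag_unsalted(pin: str) -> str:
    """Tag depends only on the PIN, so equal PINs give equal tags on every card."""
    return hmac.new(FIXED_KEY, pin.encode(), hashlib.sha256).hexdigest()


def pin_tag_salted(pin: str, account: str) -> str:
    """Tag also depends on account data, so one global table cannot be built."""
    msg = account.encode() + b":" + pin.encode()
    return hmac.new(FIXED_KEY, msg, hashlib.sha256).hexdigest()


def build_lookup_table() -> Dict[str, str]:
    """One-off cost: compute all 10,000 tags once and map tag -> PIN."""
    return {pin_tag_unsalted(p): p for p in ALL_PINS}


def recover_unsalted(tag: str, table: Dict[str, str]) -> Optional[str]:
    """With the table built, inverting a tag read from a card is a dict lookup."""
    return table.get(tag)


def recover_salted(tag: str, account: str) -> Optional[str]:
    """No reusable table; instead try all 10,000 candidates for this one card."""
    for p in ALL_PINS:
        if hmac.compare_digest(pin_tag_salted(p, account), tag):
            return p
    return None


def seconds_to_recover_salted(tag: str, account: str) -> float:
    """Wall-clock time for the per-card brute force (returned, not printed)."""
    t0 = time.perf_counter()
    recover_salted(tag, account)
    return time.perf_counter() - t0


if __name__ == "__main__":
    account = "ACCT-0001"   # constructed account identifier
    secret_pin = "4321"     # constructed PIN the attacker does not know

    table = build_lookup_table()                     # paid once, reused forever
    on_card = pin_tag_unsalted(secret_pin)           # what the stripe would carry
    print("unsalted, via table :", recover_unsalted(on_card, table))

    on_card_salted = pin_tag_salted(secret_pin, account)
    print("salted, brute force  :", recover_salted(on_card_salted, account))
    print("salted, seconds      :", round(seconds_to_recover_salted(on_card_salted, account), 3))
```

The salt only removes the precomputation shortcut; it does not enlarge the keyspace, which is why an offline-checkable PIN on the stripe would be exposed either way. Schemes that hold up keep the verification key off the card, so that the check cannot be run by whoever holds the stripe data.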


