Is changing your PIN a good idea?
I read an article about a recent wave of card skimming attacks. The bit I found interesting was this bit:
NSW fraud squad head Detective Superintendent Colin Dyson:
"There is sometimes a lag between PINs being compromised and used," he said. "If someone whose details are skimmed changes their PIN quickly, the data can be useless to the criminal."
Now if my understanding of bank card security is correct, then changing your PIN will do absolutely nothing, and if your card has been skimmed, then you will want to speak to the bank. Of course, it is quite possible that I'm not quite with the times, and it is sound advice, so here goes with my explanation of how I think it works:
- You put your card into the ATM
- You type in your PIN
- The ATM reads the magnetic stripe on the card, which contains:
  - The card number
  - Expiration date
  - A random number (a nonce)
  - Your "PIN offset"
- The ATM then takes most of the data it read (but not the PIN offset) and sends it to a special secure cryptoprocessor.
- The cryptoprocessor encrypts the data using 3DES, and a very secret "master PIN", known only to the bank.
- The encrypted data (longer than 4 digits) is converted into your card's "natural PIN" (4 digits), by a fairly straightforward process.
- The resulting "natural PIN" is output from the secure cryptoprocessor to the less secure innards of the ATM.
- The "PIN offset" is added to the "natural PIN" (without doing carries, so 2468 + 2468 = 4826).
- This number is compared to the number you typed into the ATM; if it matches, you are authenticated.
When you go to an ATM and change your PIN, you are just changing the PIN offset; your card's natural PIN doesn't change, and you could even do it at home if you had a magnet and a steady hand :-). If your current PIN is 1234, and you want to change it to 2222, then you read the PIN offset on your card (let's say it was 6789) and (without carry) subtract the new PIN (6789 - 2222 = 4567) and add the old PIN (4567 + 1234 = 5791). Write this number as the PIN offset and you are done.
So, in the scenario that you have your card skimmed, then the attacker knows what PIN you typed in, and what the PIN offset was. When they reproduce the card, it will have the PIN offset from before you changed your PIN, so they can just use your old PIN.
So it is possible that they have changed how it all works. Or maybe just a slight change (e.g. store the nonce at the bank also, change it when the PIN changes, and check that it matches when authenticating). However, this slight change actually changes a whole lot of the security model, because in my model all authentication is done inside the ATM. I can't imagine that making this change would be easy.
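As an added illustration (example code written for this page, not from the question, the article it cites, or any bank's actual software), here is a Python model of the scheme as the question describes it: a natural PIN derived from the account data under the bank's key, a PIN offset added digit-wise without carry, a PIN change that only rewrites the offset, and the question's suggested amendment where the bank also stores the nonce and checks it. Assumptions: HMAC-SHA256 stands in for the 3DES step because the Python standard library has no 3DES; the decimalisation table, card number, expiry and key are constructed values. The offset is recomputed as new PIN minus natural PIN, digit-wise, which is the relation that makes natural PIN + offset equal the PIN.

```python
import hashlib
import hmac
import secrets

# Hex digit -> decimal digit table (IBM 3624 style; constructed for this example).
DECIMALISATION = "0123456789012345"


def natural_pin(pan: str, expiry: str, pdk: bytes, length: int = 4) -> str:
    """Derive the card's natural PIN from account data under the bank's PIN key.
    Assumption: HMAC-SHA256 replaces the 3DES step the question describes
    (no 3DES in the stdlib); the decimalisation of the hex output is the same idea."""
    block = hmac.new(pdk, (pan + expiry).encode(), hashlib.sha256).hexdigest()
    return "".join(DECIMALISATION[int(h, 16)] for h in block[:length])


def add_no_carry(a: str, b: str) -> str:
    """Digit-wise addition mod 10, e.g. 2468 + 2468 = 4826 as in the question."""
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


def sub_no_carry(a: str, b: str) -> str:
    """Digit-wise subtraction mod 10 (the inverse of add_no_carry)."""
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))


def issue_card(pan: str, expiry: str, chosen_pin: str, pdk: bytes) -> dict:
    """Model of the stripe contents: card number, expiry, nonce, PIN offset.
    The offset is chosen so that natural PIN + offset == the customer's PIN."""
    return {
        "pan": pan,
        "expiry": expiry,
        "nonce": secrets.token_hex(4),
        "offset": sub_no_carry(chosen_pin, natural_pin(pan, expiry, pdk)),
    }


def atm_verify(card: dict, typed_pin: str, pdk: bytes) -> bool:
    """Offline check as the question describes it: everything needed is on the stripe."""
    natural = natural_pin(card["pan"], card["expiry"], pdk)
    return hmac.compare_digest(add_no_carry(natural, card["offset"]), typed_pin)


def change_pin(card: dict, old_pin: str, new_pin: str, pdk: bytes) -> dict:
    """A PIN change rewrites the offset; in the amended model it also picks a fresh nonce."""
    if not atm_verify(card, old_pin, pdk):
        raise ValueError("old PIN incorrect")
    natural = natural_pin(card["pan"], card["expiry"], pdk)
    return {**card, "offset": sub_no_carry(new_pin, natural), "nonce": secrets.token_hex(4)}


def bank_verify(card: dict, typed_pin: str, pdk: bytes, nonce_store: dict) -> bool:
    """The question's amendment: the bank keeps the current nonce per card and
    rejects a stripe whose nonce is stale, even if the offline PIN check passes."""
    current = nonce_store.get(card["pan"], "")
    return atm_verify(card, typed_pin, pdk) and hmac.compare_digest(current, card["nonce"])


def skim_scenario() -> dict:
    """Walk through: stripe and PIN captured, customer changes PIN, copy is presented."""
    pdk = b"constructed-bank-pin-derivation-key"  # constructed; a real key stays in the HSM
    pan, expiry = "4111111111111111", "2812"       # constructed sample values
    nonce_store = {}
    card = issue_card(pan, expiry, "1234", pdk)
    nonce_store[pan] = card["nonce"]
    stale_copy = dict(card)                        # copy of the stripe taken before the change
    card = change_pin(card, "1234", "2222", pdk)
    nonce_store[pan] = card["nonce"]               # bank records the new nonce
    return {
        "new_pin_works": atm_verify(card, "2222", pdk),             # True
        "old_pin_on_new_card": atm_verify(card, "1234", pdk),       # False
        "stale_copy_offline": atm_verify(stale_copy, "1234", pdk),  # True: offset on the copy unchanged
        "stale_copy_with_bank_check": bank_verify(stale_copy, "1234", pdk, nonce_store),  # False
    }


if __name__ == "__main__":
    print(skim_scenario())
```

The two `stale_copy_*` results are the crux: under the purely offline model, changing the PIN leaves the pre-change copy valid with the old PIN, whereas a bank-side record that is refreshed on every PIN change turns the change into a real revocation, at the cost of the online round-trip the question says would be a large change to the model.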