<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-3599452548077943366.post6778142400555895456..comments</id><updated>2011-08-29T21:19:12.389-03:00</updated><category term='Free Software'/><category term='Backlog'/><category term='Development'/><category term='Humor'/><category term='Rants'/><category term='Agile'/><category term='Web 2.0'/><category term='Linux'/><category term='Utilities'/><category term='Books'/><title type='text'>Comments on Shawn on Technology: Cover your …um… PIN</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://blog.shawncrosby.com/feeds/6778142400555895456/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3599452548077943366/6778142400555895456/comments/default'/><link rel='alternate' type='text/html' href='http://blog.shawncrosby.com/2009/09/cover-your-um-pin.html'/><author><name>Shawn Crosby</name><uri>http://www.blogger.com/profile/12093823138737535996</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/__S14ux89bFY/Soabhg77_pI/AAAAAAAAAqs/N84Ol381kTA/S220/Picture+6.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>1</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-3599452548077943366.post-7004262528931294971</id><published>2011-08-29T21:19:12.389-03:00</published><updated>2011-08-29T21:19:12.389-03:00</updated><title type='text'>The worrisome thing about chip and PIN is that it ...</title><content type='html'>The worrisome thing 
about chip and PIN is that it is backwards compatible. Chip gets damaged? You still need to be able to buy your Twinkies so it will fall back to mag stripe. The information encoded on the stripe is not encrypted and the format is well known. Generally speaking all the black hat needs is your card number and your PIN. &lt;br /&gt;&lt;br /&gt;In general the chip is given a PIN to verify and will return a code based on success or failure. This is done as an offline verification. After so many failures (generally 3 but can vary) the chip will lock itself until re-PINed or a successful online verification. &lt;br /&gt;&lt;br /&gt;There have been hacks where a specially crafted card has a very thin cord coming out the opposite end of the card into a netbook. The netbook then responds with the PIN_CORRECT code, and the transaction is verified by CHIP and PIN (the banks won&amp;#39;t tell you this, but they won&amp;#39;t refund a chip and PIN transaction as it is &amp;#39;secure&amp;#39;). Generally speaking a cashier is smart enough to notice the cord going down the black hat&amp;#39;s sleeve, but with bulky coats and unmanned cash registers it can be done.&lt;br /&gt;&lt;br /&gt;The chips are also fairly finicky and break easily enough. At that point either the fallback to mag stripe will work, or the cashier can manually enter the card number into the terminal and it will work like a credit card. &lt;br /&gt;&lt;br /&gt;Chip and PIN is broken. 
WEP broken.&lt;br /&gt;&lt;br /&gt;Not to mention that most terminals are made in China and some have been shown to have malware and trojans in the PCB that skim the card number and PIN and dial home.&lt;br /&gt;&lt;br /&gt;The entire system is scary bad.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3599452548077943366/6778142400555895456/comments/default/7004262528931294971'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3599452548077943366/6778142400555895456/comments/default/7004262528931294971'/><link rel='alternate' type='text/html' href='http://blog.shawncrosby.com/2009/09/cover-your-um-pin.html?showComment=1314663552389#c7004262528931294971' title=''/><author><name>openid.html</name><uri>http://tristandyer.ca/openid.html</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img1.blogblog.com/img/openid16-rounded.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.shawncrosby.com/2009/09/cover-your-um-pin.html' ref='tag:blogger.com,1999:blog-3599452548077943366.post-6778142400555895456' source='http://www.blogger.com/feeds/3599452548077943366/posts/default/6778142400555895456' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' value='pid-45949889'/></entry></feed>
