Chip and PIN

51 points by tombell93, over 10 years ago

9 comments

rogier_hofboer, over 10 years ago
First beware this is already an old blog article from the 10th of August 2013.

To me, the article seems (at least) incorrect at two points:

1. The number of PIN retries cannot be reset. The command described to perform this reset in the blog post is the same as for checking the tries. Checking the tries just doesn't reset the number of tries, only providing the correct PIN does. But please prove me wrong by supplying the correct command to reset the PIN tries...

The original paper about this http://fc13.ifca.ai/proc/9-2.pdf describes a way to have 2 'free' guesses, but after those 2 guesses, you'll need to try again with a correct PIN. On a hacked reader, you could eventually find out someone's PIN if the person uses the reader enough. Once the retries are exhausted, the card is blocked. Beware you'll need up to 10.000 guesses, so up to 5000 usages of the card. (Note it is actually a little bit less, because not all PIN codes are allowed on production cards.)

2. With EMV cards issued the last few years, the Track2 equivalent data on the EMV chip does not contain correct, usable data to create a magstripe card from. The Pin Verification Value in the EMV Track2 Equivalent data record is set to all zeros instead of the original PVV on the magstripe, rendering it pretty useless. So in short, you cannot create a working magstripe card with PIN by using data from the EMV chip.
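The counter behaviour described in the comment above, as an added Python model that is not part of the thread or of the linked article. It performs no card I/O; the try limit of 3, the sample PIN and all names are assumptions made for illustration.

```python
import hmac
from math import ceil


class PinTryCounter:
    """Toy model of a card's offline PIN try counter (hypothetical class)."""

    def __init__(self, pin: str, limit: int = 3):  # limit=3 is an assumption
        self._pin = pin
        self.limit = limit
        self._remaining = limit

    @property
    def blocked(self) -> bool:
        return self._remaining == 0

    def read_remaining(self) -> int:
        # Reading the counter has no side effect: it never restores tries.
        return self._remaining

    def verify(self, candidate: str) -> bool:
        if self.blocked:
            return False  # a blocked card rejects everything, even the right PIN
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self._remaining = self.limit  # only a correct PIN restores the tries
            return True
        self._remaining -= 1
        return False


def worst_case_sessions(pin_space: int = 10_000, limit: int = 3) -> int:
    """Upper bound on genuine cardholder sessions needed to cover pin_space.

    Each session allows at most limit - 1 wrong guesses, because the last try
    must be left for the cardholder's correct PIN, which resets the counter.
    """
    return ceil(pin_space / (limit - 1))


def trace() -> list:
    card = PinTryCounter("4821")  # constructed sample PIN
    card.verify("0000")
    card.verify("0001")
    after_two_wrong = card.read_remaining()
    for _ in range(5):
        card.read_remaining()  # repeated reads change nothing
    after_reads = card.read_remaining()
    card.verify("4821")
    after_correct = card.read_remaining()
    for guess in ("0000", "0001", "0002"):
        card.verify(guess)
    return [after_two_wrong, after_reads, after_correct, card.blocked, card.verify("4821")]
```

With the assumed limit of 3, `worst_case_sessions()` reproduces the comment's bound of 5000 card usages for 10.000 possible PINs.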
gergles, over 10 years ago
> This is the cardholder’s name and all of the track one and track two data7. These records provide all that’s needed to clone an EMV smart card. See appendix section 0 for complete records.

It provides all that you need to create a magstripe card from the PAN stored in the Chip. That is ALL you can do. You can't clone the card and can't get cryptograms. Any sane issuer will decline transactions made with the magstripe at a chip-capable terminal, so this doesn't help much. In any event, a lot of the information you need to clone the magstripe is... on the magstripe.

The rest of the attacks are on the offline functionality of the card which won't be used in almost any US implementations and is being phased out of most of the other places where it is in use.
Sanddancer, over 10 years ago
The lack of security surrounding Chip and PIN doesn't surprise me. A friend of mine is dyslexic, and one of the symptoms is that she has a real hard time remembering arbitrary sequences of numbers, like PINs tend to be. As such, she's one of the few people on chip and sign, and has no PIN attached to her card. Even with that, she /still/ has to deal with fraud departments every few years saying that someone used her card and "PIN" in some obscure location, and this is obviously all her fault. It takes quite a bit of frustration for her before the fraud department finally comprehends that there is no pin to clone there.

Of course, me being stateside, I still have to deal with antiquated magstrips and /their/ various faults. I've got cards with chips in them, but no one is taking them yet, and the bank I'm with (Wells Fargo) isn't even planning on rolling out chips on their debit card line until the end of the year, and even then, by request only. The whole financial security system is just ridiculous.
edwintorok, over 10 years ago
It is worrying that there is a PIN try counter that can be reset so easily.
gghh, over 10 years ago
Related to EMV security, Andrea Barisani gave a talk at 31C3 last December: "Practical EMV PIN interception and fraud detection"

http://media.ccc.de/browse/congress/2014/31c3_-_6120_-_en_-_saal_1_-_201412271600_-_practical_emv_pin_interception_and_fraud_detection_-_andrea_barisani.html#video
joshstrange, over 10 years ago
IMHO Chip and Pin is a huge fucking joke.

There have been multiple posts showing how to get around it or otherwise compromise these cards. That coupled with banks trying to move all liability to the user makes me sick. All of this coming at a time that I swipe my card (physically) way less than ever before. Chip and Pin seems to mean nothing for online purchases AFAICT, feels a lot like failing to solve a problem that is slowly going away and ignoring online purchases...
umsm, over 10 years ago
> having the ability to verify a PIN and the ability to reset the ‘tries’ counter, one can trivially check every possible PIN automatically until the correct PIN is found.

This is the key part for me. Being able to brute-force a pin is a huge vulnerability.
deadgrey19, over 10 years ago
"Chip and PIN is broken" is old news: http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf

Here's a video of them applying the exploit: https://www.youtube.com/watch?v=JPAX32lgkrw
blahpro, over 10 years ago
Interesting article, but would greatly benefit from a "TL;DR" summary at the top.