
Before laughing at how stupid this is, remember that your debit card is secured by a password that consists of exactly four decimal digits. I really wonder when this is finally going to change, but I hear some futuristic banks allow up to six digits already.


Well, it's not like my card is hooked up to the internet for everybody to try and log in.

PIN isn't particularly vulnerable to brute force anyway, as the number of failed authorisation attempts is strictly limited to something like 3, and a fraudster has to risk capture by being physically present at each attempt or 'trying out' a stolen card, and having their face recorded on cameras.

I haven't seen any advantages for using 6-digit or larger "passwords" for that particular scenario. The largest practical security benefit seems to come from enforcing random PINs and not allowing users to choose - since the banks that allow users to choose are vulnerable to "dictionary attacks" of trying the user's birthday (obvious from other stuff in a stolen wallet) and stuff like 1234.

Now, checking "signature" instead of chip&pin, now that's an example of blind trust.


> Now, checking "signature" instead of chip&pin, now that's an example of blind trust.

If even. I cannot find the original report, but there was a guy who tried all kinds of weird signatures including "I STOLE THIS CARD" and it only took purchasing the 3 most expensive TVs and signing "NOT AUTHORIZED" for someone to question him.

Unoriginal report: http://www.getrichslowly.org/blog/2006/07/29/the-credit-card...


Interestingly, the signature could be argued to be better in some cases:

Under British law, a forged signature is never your fault, and the bank/merchant/card processor are liable (I can't remember exactly which, I think it depends). One of the reasons that card issuers were so keen to switch to Chip&PIN/EMV is that the liability was turned over to the user. As they thought EMV was "unhackable", always a dangerous thought, it was always assumed that the user had told someone their PIN. It wasn't until relatively recently that the Cambridge University security research group showed that it was crackable, and the banks/etc started taking liability in some cases again.


>> One of the reasons that card issuers were so keen to switch to Chip&PIN/EMV is that the liability was turned over to the user.

Not really true. The main reason was the switch in liability to the merchant, if the merchant accepted a transaction without using EMV and PIN.

AFAICT the Cambridge research isn't really that relevant, it doesn't really give you practical attacks, and it's not so much a crack on the chip security itself as it is a piece of Man-In-The-Middle hardware (IIRC, haven't read it for a couple of years).

Under UK law, with a credit card (debit is different), the liability is never with the user. The bank may claim that it was obviously you that did it, or that you gave away your PIN, but where credit is concerned they legally have to refund you the money pending an investigation.

Debit is less strongly protected and comes under banking rules and guidelines, and if you report unauthorised activity as fraud they will usually still take your side.

--edit-- I'm not trying to say EMV is bulletproof, nothing is bulletproof, but the primary method anyone's going to use to get your PIN is still social engineering, or possibly some sort of compromised terminal hardware, which they'd have to make from scratch because accredited devices disable themselves if they detect they've been tampered with.


Cambridge University Computer Science student here.

Not all of the research that has been done has been published, I've seen some very impressive demos!

In any case the published research absolutely does give you practical attacks e.g. http://www.cl.cam.ac.uk/research/security/banking/nopin/

or http://www.cl.cam.ac.uk/research/security/banking/intercepto...


I have no doubt you're right, and the banks absolutely should not reject fraud reports based on PIN.

I've had a read of the first paper there, the nopin one, and it reads like a really preventable flaw in the IAD, which (as it's issuer specific) could be very easily fixed without the involvement of terminal vendors. I agree with the conclusion that the TVR is a flawed concept though, I had always assumed (never having worked directly for an issuer) that there would be enough data in the IAD to marry up the terminal and card perspectives on what had happened.

And on the second one I'd be the first to agree that SDA and offline-plaintext PIN are a bad idea, I could have told you that when I did my first implementation in 2001!

--edit-- I had actually assumed that by now the cost differential between SDA/plaintext and DDA(or CDA)/encrypted cards would be so small that nobody would use the SDA cards any more. Guess I was wrong!


It's better for the user when it comes to challenging a fraudulent purchase, but in terms of security, it's worse. That was the point.


There is no such thing as just "security".

If the expected loss of funds for the user is lower, it is more secure - for the user.


Actually that's subjective. If the overall fraud is lower then (potentially, I'm sure this doesn't actually happen) fees, charges, interest rates etc could be lower for all users, therefore they would benefit from security that lowered the overall cost of fraud and the overall number of incidences of fraud, even if individuals that directly experience fraud are worse off.


Yes, but "security" isn't "overall cost", it's about risk. I am more secure, even if my expected cost is higher, if I don't directly bear any risk of unconsented loss even if the overall incidence of fraud is higher and I am paying a distributed share of those costs.


You always bear some risk of unconsented loss.

With EMV the risk of an incident is much lower.

The risk of not being able to recover the money may be higher.

You're more secure.

--edit-- I say may be higher because AFAICT there are no good figures on this.



It was John Hargrave from zug.com, but I think zug is no longer with us.


I was once refused a consumer credit application for a kitchen appliance because I'd forgotten to sign the back of my credit card. I had a passport and a photo driving license on me at the time but because there wasn't a signature they "couldn't be sure" it was me so they refused to process the application.

I signed it in front of them (which matched my passport signature BTW) but was politely declined as they'd seen the card unsigned.

Another example of security policy getting in the way of actual security.


I had a slightly similar experience: I forgot to sign the back of my card, but the person just asked me to sign it and then made sure it matched my signature on the receipt.


You could have stolen the card of a homonym, so it kind of makes sense. Printing a photo of the owner on credit cards would go a very long way and isn't too expensive, but this is a very high inertia industry.


No need to be physically present anywhere except where the card is, and as for cameras, I see none on a PINSentry: https://www.google.co.uk/search?q=pinsentry&source=lnms&tbm=...


Cards are way different. They combine something you have (the card) with something you know (the PIN). After three false attempts to enter the PIN you have to unlock the card by going a different route. In such a scenario, 4 digits are fine.

You can't lock accounts only protected by a password and accessible by anyone (via internet) this way as this would invite Denial-of-Service attacks (locking your account with three failed attempts).
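An added example, not from any commenter in this thread, contrasting the permanent three-strikes lockout the comment above describes with a lockout that expires after a cooldown. It shows why a permanent lock lets anyone who knows a username deny the owner access, and how an expiring lock keeps the throttling effect without that outcome. The policy names, the threshold, the cooldown length, the credentials and the in-memory account store are all assumptions for illustration.

```python
"""Added example (not from this thread): the lockout-vs-denial-of-service trade-off.

Policy A locks an account permanently after MAX_FAILURES consecutive bad guesses,
so anyone who knows the username can lock the real owner out from anywhere.
Policy B keeps the same counter but lets the lock expire after a cooldown: an
online guesser is still held to MAX_FAILURES guesses per cooldown window, while
the owner gets back in without phoning support. All names and values are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import hashlib
import hmac

MAX_FAILURES = 3          # the "three strikes" threshold discussed in the thread
LOCK_SECONDS = 15 * 60    # policy B cooldown (constructed value)


def _hash(password: str) -> bytes:
    # Plain SHA-256 keeps the example short; a real store uses a slow KDF (scrypt/argon2).
    return hashlib.sha256(password.encode()).digest()


@dataclass
class Account:
    username: str
    pw_hash: bytes
    failures: int = 0
    locked_until: Optional[float] = None   # None = unlocked, inf = permanent lock


@dataclass
class AuthService:
    lock_expires: bool                         # False = policy A, True = policy B
    accounts: Dict[str, Account] = field(default_factory=dict)

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = Account(username, _hash(password))

    def login(self, username: str, password: str, now: float) -> str:
        acct = self.accounts[username]
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"            # still inside the lock (forever under policy A)
            acct.locked_until = None       # cooldown elapsed: reset and let the owner try
            acct.failures = 0
        if hmac.compare_digest(acct.pw_hash, _hash(password)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCK_SECONDS if self.lock_expires else float("inf")
        return "bad-password"


def lockout_dos_outcome(lock_expires: bool) -> List[str]:
    """Someone who only knows the username burns the three attempts; the owner
    then tries immediately and again after the cooldown. Returns both results."""
    svc = AuthService(lock_expires)
    svc.register("alice", "correct horse battery")   # constructed credentials
    for i in range(MAX_FAILURES):
        svc.login("alice", f"wrong-guess-{i}", now=0.0)
    right_away = svc.login("alice", "correct horse battery", now=1.0)
    after_cooldown = svc.login("alice", "correct horse battery", now=LOCK_SECONDS + 1.0)
    return [right_away, after_cooldown]


if __name__ == "__main__":
    print("policy A (permanent lock):", lockout_dos_outcome(False))
    print("policy B (expiring lock): ", lockout_dos_outcome(True))
```

Policy A returns `["locked", "locked"]` for the owner, policy B `["locked", "ok"]`. The expiring lock does not remove the problem entirely (the same party can re-trigger it every cooldown), which is why deployed systems usually combine it with per-source rate limiting and a notification to the account owner rather than a silent counter.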


I have had quite a few sites block my account for three bad password attempts and I had to actually call the company to unlock the account (this was always a financial services company).

It's quite annoying as none of the sites warned me about the impending account block after the first or second try. I guess it's an inconvenience that is worth it for the extra anti-brute-force security. Being locked out due to someone personally locking you out as you mentioned might also be annoying, but I would honestly rather be locked out of my account and therefore alerted that someone is trying to gain access to my data than not.

Why these same sites limit my password to a specific number of characters and disallow special characters is beyond me though.


It's always annoyed me how people set the lockout-after-n-attempts value to ~3 or 4. Why not 100? It makes almost no difference in your chances at brute forcing a password, but means that the real user trying all the passwords they might have used won't get locked out midway.


If you type a wrong password in "su" on OpenBSD, the binary responds immediately telling me I'm wrong. On Linux, it does this stupid artificial 3 second penalty.

The Linux way sounds better, but the OpenBSD way is better. If you want people to use passwords, don't do petty nagging of them when they make a mistake.

On Linux when I mistype a password, I control-Z the "su" session and launch a new one instead of sitting around like a scolded schoolboy waiting for the binary to give me another chance.


> It makes almost no difference in your chances at brute forcing a password

Depends on how many people use a password in the top 100 most common vs. how many use one in the top 3. I would think it would be a sizeable difference.
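An added example, not from either commenter, that puts numbers on the disagreement in the two comments above (lock after ~3 attempts versus 100): the chance that a guesser who tries the most likely values first succeeds before the lockout fires, for randomly assigned 4-digit PINs and for a constructed, skewed stand-in for user-chosen PINs. The skew used (15% of users on the three most common PINs, 35% on the top 100) is an assumption for illustration, not a measured statistic; the function names are likewise the example's own.

```python
"""Added example (not from this thread): how much the lockout threshold changes
the probability of a correct guess before lockout, for two PIN distributions.
The skew figures are constructed for illustration, not real statistics."""
from fractions import Fraction
from typing import List

PIN_DIGITS = 4
PIN_SPACE = 10 ** PIN_DIGITS


def uniform_distribution(space: int = PIN_SPACE) -> List[Fraction]:
    """Randomly assigned PINs: every value equally likely (the bank-chosen case)."""
    return [Fraction(1, space)] * space


def skewed_distribution(mass_top3: Fraction, mass_top100: Fraction,
                        space: int = PIN_SPACE) -> List[Fraction]:
    """Constructed stand-in for user-chosen PINs: the 3 most common values share
    mass_top3, the next 97 share the rest of mass_top100, and everything else is
    spread evenly over the remaining values."""
    assert 0 <= mass_top3 <= mass_top100 <= 1
    top3 = [mass_top3 / 3] * 3
    next97 = [(mass_top100 - mass_top3) / 97] * 97
    rest = [(1 - mass_top100) / (space - 100)] * (space - 100)
    return top3 + next97 + rest


def success_before_lockout(dist: List[Fraction], attempts: int) -> Fraction:
    """Probability that a guesser who tries values in order of likelihood is right
    within `attempts` tries, i.e. before a lockout at that threshold fires."""
    ranked = sorted(dist, reverse=True)
    return sum(ranked[:attempts], Fraction(0))


def threshold_increase(dist: List[Fraction], low: int = 3, high: int = 100) -> Fraction:
    """Absolute increase in guess success when the lockout threshold is raised from low to high."""
    return success_before_lockout(dist, high) - success_before_lockout(dist, low)


if __name__ == "__main__":
    uniform = uniform_distribution()
    skewed = skewed_distribution(Fraction(15, 100), Fraction(35, 100))  # constructed skew
    for name, dist in (("random PINs", uniform), ("user-chosen PINs (constructed)", skewed)):
        print(f"{name}: lock@3 -> {float(success_before_lockout(dist, 3)):.4%}, "
              f"lock@100 -> {float(success_before_lockout(dist, 100)):.4%}, "
              f"increase {float(threshold_increase(dist)):.4%}")
```

For randomly assigned PINs, raising the threshold from 3 to 100 moves the guesser's chance from 0.03% to 1%, which is the "almost no difference" view. Under the constructed skew it moves from 15% to 35%, which is the "sizeable difference" view. The two comments are talking about different PIN populations, and the result also supports the earlier point in the thread that issuing random PINs matters more than the exact lockout threshold.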


This is a really good point.


> I have had quite a few sites block my account for three bad password attempts and I had to actually call the company to unlock the account (this was always a financial services company).

GoDaddy does this. It's the main reason I left them (before all the more recent shenanigans)


It's secured by a four digit password and self destruction after three consecutive invalid PIN entries. Which is plenty secure against brute force. Or is that just the way it works around here?


I actually rely on this self destruction. I have a scrap of paper in my wallet with "Pin Numbers" written on it along with 3 random four digit numbers. It gives me minor peace of mind that if my wallet is lost and found by someone that wants to try and use them, hopefully they'll lose them to an ATM rather than using them online.


I like that idea.

Unfortunately it doesn't prevent them using them online as well. At least for my cards, if I lock out the PIN I can still use them for non-PIN purchases.


Ah, in the UK it is standard for the machine to keep your card after three incorrect pin attempts. (at least I think it's the standard?)


I'm in the UK as well. I was actually thinking of Chip & PIN transactions, but you may be right about cash points.


Good point, wasn't thinking about that.


Awesome idea :)


A tiny number of digits combined with the standard, visible input system is a recipe for 'shoulder surfing' attacks. I'm not proposing a superior system, just pointing out that brute-force attacks are not the only thing to beware.


Unless you buy online, in which case you just need the "last 3 digits on the back of your card".


That's different to the PIN. CVV is for cardholder not present transactions, PIN is for ones where you're there.

Also CVV needs the 16 digit card number, card holder name and expiry as well.

I'd almost guarantee that trying to brute-force a CVV number will get your card blocked real fast.


I got an email from my credit card after a single CVV failure, because the guy at the Apple store entered it wrong.


It's not a password, and it doesn't give the same insurance. There were some proposals for at-home card readers in the 2000s, but it never got very far, it was not really practical to secure either. I think the current trend of scratch credit cards could be onto something for online buying, it's a temporary credit card number valid just for a few hours, and then it's deleted from the bank system.


Mine is 10 digits. I thought the 4 digit limit was just a societal assumption? (I'm being serious, I thought it was (near) universally allowed to be longer, people just didn't bother.)

Is this not the case?


Not common, and using anything other than 4 digits is not wise if you want universal support especially when travelling - 6 digit cards are not 100% compatible with every ATM/card machine because some (most?) only allow 4-digit code entry. I've never heard of 10 digits and the compatibility must be even more limited. Where do you live and what happens if you try to use your card at ATMs abroad?


I believe some cash machines in the UK don't require you to press 'enter' after typing in your code, they just 'go' after 4 have been entered.


Mine was 8 until I came to visit a certain European country where every single terminal has PIN length capped at 6. The best vacation I ever had.


It's not the case, it depends on the issuing institution.

Also, there is a practical requirement to have it short, as physical merchants value quick processing, and having to type&re-type long passwords delays other people behind you - so they want long PINs to be unpopular.


Great, now I need to change all my pin numbers. :)


No, limited transactions on your bank-account are secured by a physical token (i.e., your debit card) and a 4 digit "password".

Your card is not a service to be secured, it's part of multiple layers of security (that don't end with the code or the card).


Losing passwords is bad because they get reused. A 4-digit PIN not so much; the debit card is basically the only thing that uses it.


You don't have to re-use passwords. In fact, don't re-use passwords. Keeping them in a password manager helps a lot with this. I have over 50 unique passwords which are all long, generated random strings. But there are a few websites, including British Gas, which get shitty weak passwords because they pull dumb crap like this in the name of "security".


People shouldn't but they do.

If they didn't then password breaches would barely matter.


Not true; the password on iOS devices is a 4-digit pin; in my experience, plenty of people either reuse their bank PIN, or just use their DOB.


The standards allow for up to 12. Not that people always implement them properly, but that's what you're supposed to support if (like me at the moment) you make credit-card terminals.


Cards issued by Commonwealth Bank in Australia actually don't come with a PIN - you set it yourself, up to 12 chars, online when you activate.


You get contactless now which doesn't need any PIN at all, just tap the card on the machine and your purchase is complete.

