Re: Changing PINs of German bank card

2017-07-18 Thread MFPA



On Saturday 15 July 2017 at 3:54:07 PM, in
, Brad Rogers
wrote:-

> Card no. CVV & expiry date.


Sorry, tired when I wrote that. On the shopping website, the customer
keys in the long card number, the **expiry date** and the last three
digits from the signature strip. The chip on the card is not involved.



--
Best regards

MFPA  

If you are afraid to speak against tyranny, then you are already a slave.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Changing PINs of German bank card

2017-07-15 Thread Binarus


On 15.07.2017 11:17, Andy Ruddock wrote:
> Just as a point of interest
> 
>> I am not sure if this is an intentional limitation of the cards (to
>> prevent users from choosing idiotic pins like 1234 or their birthday).
> 
> I know of somebody who had 1234 issued as their PIN for a UK bank
> account (it IS as random a selection as any other 4-digit number).
 

Yes, in a mathematical sense. Taking the human factor into account, that person 
has been very unlucky.

If you are interested in the details, please refer to my post from 2017-07-12 
08:09.

Regards,

Binarus





Re: Changing PINs of German bank card

2017-07-15 Thread Binarus
On 15.07.2017 16:40, MFPA wrote:
> 
> 
> On Thursday 13 July 2017 at 7:18:41 AM, in
> , Binarus wrote:-
> 
> 
>> I don't think so. Banking chip cards contain
>> mechanisms for local PIN
>> verification. You can see that an ATM (or the card)
>> immediately decides
>> if the PIN is correct or not even if the ATM's
>> network connection is
>> failing at that moment.
> 
>> Banking chip cards furthermore contain a processor
>> and software for
>> cryptographic operations, so that the endless
>> capabilities of modern
>> cryptography are at hand. Think of asymmetric methods
>> like RSA ...
> 
> All of which is irrelevant for online transactions. On the shopping
> website, the customer keys in the long card number, the PIN, and the
> last three digits from the signature strip. The chip on the card is
> not involved.
> 
> 

If a website would try to query my EC card's PIN, I would go to the police.

Maybe the situation might be different in other countries, but I have never 
entered any card number into a shopping website with the following exception: 
If paying via credit card (VISA and the like), the website queries the credit 
card's number (I think this is what you mean by "long number"), and *may* query 
additional three digits from a number which is on the back side of the card 
(near the signature strip, as you described).

Customers here in Germany can activate additional security for VISA cards (I 
don't know about other ones): If this is enabled, you have to enter an 
additional TAN (*NOT* PIN) besides the credit card number and the three digits 
when doing the payment. The TAN will be sent to your mobile phone. Perhaps it's 
that what you were referring to?

I know that there are combinations of credit and EC cards. In this case, the 
card *will* have a chip integrated (at least the newer ones). But still then, a 
shopping website must not ask for the PIN (which is only related to the EC card 
part). After all, you can't pay anything on a shopping website directly by EC 
cards (or the EC card part of a combined credit and EC card). At least, I never 
saw such a thing here in Germany (and I am doing a lot of online shopping).

The reason for the latter is that the PIN should *never* be transferred or be 
known in clear by any party (besides yourself and perhaps your bank, but see my 
previous posts for my opinion about that). The only method to pay by EC card 
would be using a certified card reader (which handles the payment safety 
independently from your PC). But since no consumer is ready to pay a lot of 
money for such a card reader, that payment option just does not exist when 
shopping online (at least, not here).

Regards,

Binarus





Re: Changing PINs of German bank card

2017-07-15 Thread Binarus
On 15.07.2017 12:36, MFPA wrote:
> 
> 
> On Wednesday 12 July 2017 at 11:01:35 AM, in
> , Binarus wrote:-
> 
> 
>> As far as I know, no bank will be able to tell you
>> your PIN if you have
>> forgotten it
> 
> They can in the UK. For example, see
> 
> and
> .
> 

That is interesting. I wouldn't have expected that. Perhaps somebody who is in 
cryptography deeper than me could comment if it is dangerous.

And perhaps somebody who has accounts with multiple German banks could tell us 
if this is possible with one of his banks as well? I am having all accounts 
with the same bank ...

Regards,

Binarus


 



Re: Changing PINs of German bank card

2017-07-15 Thread Andrew Gallagher

> On 15 Jul 2017, at 15:40, MFPA <2014-667rhzu3dc-lists-gro...@riseup.net> 
> wrote:
> 
> On the shopping
> website, the customer keys in the long card number, the PIN, and the
> last three digits from the signature strip. The chip on the card is
> not involved.

No, the chip on the card is not involved. So no website should *ever* ask you 
for your PIN. Run away!

Andrew. 



Re: Changing PINs of German bank card

2017-07-15 Thread Brad Rogers
On Sat, 15 Jul 2017 15:40:25 +0100
MFPA <2014-667rhzu3dc-lists-gro...@riseup.net> wrote:

Hello MFPA,

>All of which is irrelevant for online transactions. On the shopping
>website, the customer keys in the long card number, the PIN, and the

Entered a card *PIN* into a shopping web site?  Really?

Card no. CVV & expiry date.

-- 
 Regards  _
 / )   "The blindingly obvious is
/ _)radnever immediately apparent"
It's the age of destruction, in a world of corruption
Neuromancer - Billy Idol




Re: Changing PINs of German bank card

2017-07-15 Thread MFPA



On Thursday 13 July 2017 at 7:18:41 AM, in
, Binarus wrote:-


> I don't think so. Banking chip cards contain
> mechanisms for local PIN
> verification. You can see that an ATM (or the card)
> immediately decides
> if the PIN is correct or not even if the ATM's
> network connection is
> failing at that moment.

> Banking chip cards furthermore contain a processor
> and software for
> cryptographic operations, so that the endless
> capabilities of modern
> cryptography are at hand. Think of asymmetric methods
> like RSA ...

All of which is irrelevant for online transactions. On the shopping
website, the customer keys in the long card number, the PIN, and the
last three digits from the signature strip. The chip on the card is
not involved.

--
Best regards

MFPA  

Eat well, stay fit - Die anyway




Re: Changing PINs of German bank card

2017-07-15 Thread Matthias Apitz
On Saturday, 15 July 2017 11:17:18 CEST, Andy Ruddock 
 wrote:

Just as a point of interest


I am not sure if this is an intentional limitation of the cards (to
prevent users from choosing idiotic pins like 1234 or their birthday).


I know of somebody who had 1234 issued as their PIN for a UK bank
account (it IS as random a selection as any other 4-digit number).



One of every 10.000 will get this number, you need only luck to get to know 
someone, as you had.


matthias



--
Sent from my Ubuntu phone
http://www.unixarea.de/



Re: Changing PINs of German bank card

2017-07-15 Thread Andy Ruddock
Just as a point of interest

> I am not sure if this is an intentional limitation of the cards (to
> prevent users from choosing idiotic pins like 1234 or their birthday).

I know of somebody who had 1234 issued as their PIN for a UK bank
account (it IS as random a selection as any other 4-digit number).

-- 
Andy Ruddock

andy.rudd...@rainydayz.org (OpenPGP Key ID 0xB0324245)





Re: Changing PINs of German bank card

2017-07-15 Thread MFPA



On Wednesday 12 July 2017 at 11:10:12 AM, in
, Peter
Lebbing wrote:-


> Also, back when you could do payments with the
> magstripe (which, AFAIK,
> can still be done in some countries, using your Dutch
> bank card, if you
> allow it), the PIN necessarily went to the bank,
> there was no way for a
> check by the chip in the card.

Same applies with online shopping.


--
Best regards

MFPA  

Rose rose to put rose roes on her rows of roses.




Re: Changing PINs of German bank card

2017-07-15 Thread MFPA



On Wednesday 12 July 2017 at 11:01:35 AM, in
, Binarus wrote:-


> As far as I know, no bank will be able to tell you
> your PIN if you have
> forgotten it

They can in the UK. For example, see

and
.


--
Best regards

MFPA  

I would like to help you out. Which way did you come in?




Re: Changing PINs of German bank card

2017-07-13 Thread Binarus
On 13.07.2017 01:19, MFPA wrote:
> 
> 
> On Wednesday 12 July 2017 at 6:51:42 AM, in
> , Binarus wrote:-
> 
> 
>> and this means that such software would
>> have to run on the
>> card.
> 
> Or The ATM.

You are right. The ATM will get hold of the PIN in clear in case the
user wants to change it, because the user has to type it then. The ATM
theoretically could check the PIN for certain criteria in that moment,
and refuse it if appropriate.

> But maybe chip and PIN cards have the capacity.
> 

Wherever it might run: I never have heard about a bank having
implemented such checks ...

Regards,

Binarus



Re: Changing PINs of German bank card

2017-07-13 Thread Binarus
On 13.07.2017 01:23, MFPA wrote:
> 
> 
> On Wednesday 12 July 2017 at 3:15:09 PM, in
> , Binarus wrote:-
> 
> 
> 
>> (if the
>> PIN needs to be
>> stored at all in some backend which I doubt).
> 
> The Bank must know the PIN (or a hash). Otherwise they would not know
> if you entered the correct PIN for online transactions.

I don't think so. Banking chip cards contain mechanisms for local PIN
verification. You can see that an ATM (or the card) immediately decides
if the PIN is correct or not even if the ATM's network connection is
failing at that moment.

Banking chip cards furthermore contain a processor and software for
cryptographic operations, so that the endless capabilities of modern
cryptography are at hand. Think of asymmetric methods like RSA ...

Regards,

Binarus





Re: Changing PINs of German bank card

2017-07-12 Thread MFPA



On Wednesday 12 July 2017 at 3:15:09 PM, in
, Binarus wrote:-



> (if the
> PIN needs to be
> stored at all in some backend which I doubt).

The Bank must know the PIN (or a hash). Otherwise they would not know
if you entered the correct PIN for online transactions.


--
Best regards

MFPA  

War is a matter of vital importance to the State.




Re: Changing PINs of German bank card

2017-07-12 Thread MFPA



On Wednesday 12 July 2017 at 6:51:42 AM, in
, Binarus wrote:-


>and this means that such software would
> have to run on the
> card.

Or The ATM.

But maybe chip and PIN cards have the capacity.


--
Best regards

MFPA  

If you save the world too often, it begins to expect it




Re: Changing PINs of German bank card

2017-07-12 Thread Binarus
On 12.07.2017 12:10, Peter Lebbing wrote:
> On 12/07/17 07:51, Binarus wrote:
>> Furthermore (not being sure, so read with care), I think that the bank
>> does not know your pin
> 
> When my bank card is replaced because its validity is about to end, the
> new card has the same PIN as the old one. I can't readily think of a way
> to do that without the bank knowing my PIN, since the new card didn't
> physically exist yet when the old card got its copy of the PIN.[1]

See

https://security.stackexchange.com/questions/62306/a-second-bank-card-arrived-with-the-same-pin

and

https://security.stackexchange.com/questions/88711/how-can-my-bank-issue-a-new-credit-card-with-the-same-pin-number

> Furthermore, I see no use to the bank not knowing my PIN. If their
> backend got hacked, these random 4 digits being public knowledge are the
> least of the problems.
> 
> And since a pin has so low entropy, I don't see how to protect it with a
> hash. Any system that can verify correctness in the time it takes to do
> a PIN payment[2] can do 10,000 guesses in reasonable time.

Right, but no reason to not do it that way (if the PIN needs to be
stored at all in some backend which I doubt).
> Also, back when you could do payments with the magstripe (which, AFAIK,
> can still be done in some countries, using your Dutch bank card, if you
> allow it), the PIN necessarily went to the bank, there was no way for a
> check by the chip in the card.

I never did look into the magstripe technique ... so no clue here. I
only know that those cards could be copied easily.

> Anyway, I'm still writing this even though I questioned its usefulness.
> But let's consider whether this thread really needs to go on much
> longer, it seems it has run its course and is now turning into a wide
> trickling delta that is no longer hurrying towards its destination but
> rather seeking the path of least resistance in any random direction :-).

You are right - let's finish.

Regards,

Binarus



Re: Changing PINs of German bank card

2017-07-12 Thread Binarus
On 12.07.2017 12:27, NdK wrote:
> On 12/07/2017 12:01, Binarus wrote:
> 
>> Not sure about that. Similar to serious websites which don't store your
>> password in clear text, but do store the password's hash instead, I
>> would expect that banks don't store your PIN in clear text as well.
> Even with 6-digits PIN it would take *seconds* to an attacker to brute
> force hashed PINs once he gets the hashed database. [...]

While this is correct, it is no reason for not doing it that way (if we
choose to ignore the endless possibilities cryptography offers and
decide to store the PIN in some form in a backend at all).

> Salted hashes would
> multiply the needed time by the number of PINs (approx).
> So keeping such a database would be a really stupid thing to do --
> unless it's kept in a HSM.

Of course, I was talking about salted hashes. Besides that:

https://security.stackexchange.com/questions/88711/how-can-my-bank-issue-a-new-credit-card-with-the-same-pin-number

https://security.stackexchange.com/questions/62306/a-second-bank-card-arrived-with-the-same-pin

Some comments / answers in the first one claim that the PIN might be
stored in hashed form in some database. Most comments / answers in the
second one claim that the PIN is stored on HSM (they don't seem to be
sure if it is in clear text or encrypted there) (if I had more time for
research, I probably had found better explanations ... the two links
basically were on the first result page on Google when searching the
respective keywords).

But whatever: My key point was that the PIN *never* is stored (or
transmitted) in clear text outside an HSM, meaning that software which
could examine the PIN according to certain criteria will have to run
inside that HSM. I do not think that any bank has implemented such a thing.

Regards,

Binarus



Re: Changing PINs of German bank card

2017-07-12 Thread NdK
On 12/07/2017 12:01, Binarus wrote:

> Not sure about that. Similar to serious websites which don't store your
> password in clear text, but do store the password's hash instead, I
> would expect that banks don't store your PIN in clear text as well.
Even with 6-digits PIN it would take *seconds* to an attacker to brute
force hashed PINs once he gets the hashed database. Salted hashes would
multiply the needed time by the number of PINs (approx).
So keeping such a database would be a really stupid thing to do --
unless it's kept in a HSM.

Passwords have way larger key space (from 10^N for N digits of the PIN
to 64^N or more for the passwords -- considering uppercase, lowercase,
digits and symbols), hence salted hashes are quite secure.

BYtE,
 Diego



Re: Changing PINs of German bank card

2017-07-12 Thread Peter Lebbing
On 12/07/17 07:51, Binarus wrote:
> Furthermore (not being sure, so read with care), I think that the bank
> does not know your pin

When my bank card is replaced because its validity is about to end, the
new card has the same PIN as the old one. I can't readily think of a way
to do that without the bank knowing my PIN, since the new card didn't
physically exist yet when the old card got its copy of the PIN.[1]
Furthermore, I see no use to the bank not knowing my PIN. If their
backend got hacked, these random 4 digits being public knowledge are the
least of the problems.

And since a pin has so low entropy, I don't see how to protect it with a
hash. Any system that can verify correctness in the time it takes to do
a PIN payment[2] can do 10,000 guesses in reasonable time.

Also, back when you could do payments with the magstripe (which, AFAIK,
can still be done in some countries, using your Dutch bank card, if you
allow it), the PIN necessarily went to the bank, there was no way for a
check by the chip in the card.

Anyway, I'm still writing this even though I questioned its usefulness.
But let's consider whether this thread really needs to go on much
longer, it seems it has run its course and is now turning into a wide
trickling delta that is no longer hurrying towards its destination but
rather seeking the path of least resistance in any random direction :-).

Cheers,

Peter.

[1] Barring any neat trickery like waiting for me to enter my PIN and
listening in so they can then program the new card.

[2] That's what they're called in The Netherlands. Well, PIN-betaling
actually, I did translate.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Changing PINs of German bank card

2017-07-12 Thread Binarus
On 12.07.2017 11:42, Guan Xin wrote:
> On Wed, Jul 12, 2017 at 1:51 PM, Binarus  > wrote:
> 
> On 11.07.2017 20:38, MFPA wrote:
> >
> >
> > On Tuesday 11 July 2017 at 8:44:48 AM, in
> >  >,
> Binarus wrote:-
> >
> >
> >> I am not sure if this is an intentional limitation of
> >> the cards (to
> >> prevent users from choosing idiotic pins like 1234 or
> >> their birthday).
> >
> >
> > Surely things like 1234 can be prevented by software.
> >
> 
> But birthdays and the like probably not.
> 
> Furthermore (not being sure, so read with care), I think that the bank
> does not know your pin, but it is stored in the banks' backends as some
> sort of hash, and this means that such software would have to run on the
> card.
> 
> Such software can run on ATMs if that are the only places where one can
> change the PIN.
> And I don't think the bank needs the hash of the PIN. They may need the
> hash of the key(s) protected by the PIN, however.

Not sure about that. Similar to serious websites which don't store your
password in clear text, but do store the password's hash instead, I
would expect that banks don't store your PIN in clear text as well.

As far as I know, no bank will be able to tell you your PIN if you have
forgotten it even if you go there and show them your passport. They can
only generate a new one (or a new card), but they can't tell you the
existing one because they just don't know it.

That means that the bank's backend will never see the PIN you choose and
thus can never decide if it is insecure (i.e. something like ). If a
bank decides to handle the PINs that way, they probably won't allow the
ATM to get hold of the PIN in clear text as well.

I might be wrong, though.

Regards,

Binarus









Re: Changing PINs of German bank card

2017-07-12 Thread Guan Xin
On Wed, Jul 12, 2017 at 1:51 PM, Binarus  wrote:

> On 11.07.2017 20:38, MFPA wrote:
> >
> >
> > On Tuesday 11 July 2017 at 8:44:48 AM, in
> > , Binarus wrote:-
> >
> >
> >> I am not sure if this is an intentional limitation of
> >> the cards (to
> >> prevent users from choosing idiotic pins like 1234 or
> >> their birthday).
> >
> >
> > Surely things like 1234 can be prevented by software.
> >
>
> But birthdays and the like probably not.
>
> Furthermore (not being sure, so read with care), I think that the bank
> does not know your pin, but it is stored in the banks' backends as some
> sort of hash, and this means that such software would have to run on the
> card.
>
> Such software can run on ATMs if that are the only places where one can
change the PIN.
And I don't think the bank needs the hash of the PIN. They may need the
hash of the key(s) protected by the PIN, however.

Guan


Re: Changing PINs of German bank card

2017-07-12 Thread Julian H. Stacey
> A little bit of statistics (your name sounds German):
> http://www.sueddeutsche.de/wissen/unsichere-pin-codes-erwischt-1.1486312

I read the German; here's English:
http://www.berklix.org/trans/   ->
https://translate.google.com/translate?sl=auto=en=y=_t=en=UTF-8=http%3A%2F%2Fwww.sueddeutsche.de%2Fwissen%2Funsichere-pin-codes-erwischt-1.1486312==url

Julian
-- 
Julian H. Stacey, Computer Consultant, BSD Linux Unix Systems Engineer
 Reply below, Prefix '> '. Plain text, No .doc, base64, HTML, quoted-printable.
 http://berklix.eu/brexit/#700k_stolen_votes



Re: Changing PINs of German bank card

2017-07-12 Thread Binarus
On 11.07.2017 21:09, Matthias Apitz wrote:

> Why 1234 is an idiotic PIN? What are idiotic PINs? Of course, idiotic is
> any PIN which has in your pocket hints about this (like a sticker attached
> or your birthday). But remember, you normally have 3 tries only to test
> all "idiotic" PINs. 1234 is same idiotic as 2345 or as 3456 or  or as
> , or , or ...

According to my understanding, the most idiotic PIN exactly is the one
with the highest probability of being guessed, in other words, the one
that is most often used by other people as well.

You are right in a mathematical sense, but you leave out the human
factor. If all people would choose their PINs freely, PINs for sure were
not equally distributed. 10% of the pins would be , another 10%
1234, another 30% their owner's birthday and so on.

A little bit of statistics (your name sounds German):
http://www.sueddeutsche.de/wissen/unsichere-pin-codes-erwischt-1.1486312

I don't have time for a thorough research right now, but this article
gives us an idea. I don't think the situation has changed much since
2012 ...

Regards,

Binarus


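Three claims in the messages above can be put into numbers: NdK's that a salted-hash table of 4- or 6-digit PINs is exhausted offline in seconds, Peter Lebbing's that any verifier fast enough for a payment can run all 10,000 guesses, and Binarus's that human-chosen PINs are not uniformly distributed. The following is an added example written for this page, not code from any poster or from GnuPG; the hash construction (PBKDF2-HMAC-SHA256), its iteration count, the "3 tries" counter and the PIN frequency figures are my assumptions and describe no real bank's backend.

```python
"""Keyspace, offline work factor and online try counter for card PINs.

Added example; all figures below are constructed, not measured at a bank.
"""
import hashlib
import hmac
import os
import time
from fractions import Fraction

ITERATIONS = 100_000  # assumed work factor, chosen to resemble a web password hash

# Constructed shares of customers using a given PIN (assumption, not survey data).
CONSTRUCTED_SHARES = {"1234": Fraction(1, 10), "0000": Fraction(1, 20),
                      "1111": Fraction(1, 25), "2580": Fraction(1, 50)}


def keyspace(length: int, alphabet_size: int) -> int:
    """10**N for an N-digit PIN, 64**N for a password over ~64 symbols."""
    return alphabet_size ** length


def hash_secret(secret: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash, the way a website stores a password."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)


def seconds_per_hash(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Cost of one hash on this machine, measured on a constructed input."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        hash_secret("0000", salt, iterations)
    return (time.perf_counter() - start) / samples


def offline_exhaustion_seconds(length: int, alphabet_size: int,
                               rows: int, per_hash: float) -> float:
    """Worst-case time to try every candidate against every salted row.

    A per-row salt forces one full pass per row (the "multiply by the number
    of PINs" in the thread) but cannot enlarge the keyspace: a pass is still
    only 10**N hashes for a PIN, against 64**N for a password.
    """
    return keyspace(length, alphabet_size) * rows * per_hash


class PinVerifier:
    """Online check with a fail counter, as the chip does locally: three
    wrong tries block the card; a correct PIN resets the counter."""

    MAX_TRIES = 3  # assumed limit

    def __init__(self, pin: str) -> None:
        self.salt = os.urandom(16)
        self.digest = hash_secret(pin, self.salt, 1000)  # cheap; cost is not the point here
        self.failures = 0
        self.blocked = False

    def verify(self, guess: str) -> bool:
        if self.blocked:
            return False
        if hmac.compare_digest(hash_secret(guess, self.salt, 1000), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        self.blocked = self.failures >= self.MAX_TRIES
        return False


def online_guess_probability(digits: int, tries: int = PinVerifier.MAX_TRIES) -> Fraction:
    """Chance that whoever finds the card opens it with uniformly random
    guesses before the counter blocks it: tries / 10**digits."""
    return Fraction(tries, keyspace(digits, 10))


def online_guess_probability_skewed(pin_shares: dict, tries: int = PinVerifier.MAX_TRIES) -> Fraction:
    """Same, when PINs are human-chosen: trying the most popular PINs first
    succeeds with the sum of the largest shares in pin_shares."""
    top = sorted(pin_shares.values(), reverse=True)[:tries]
    return sum(top, Fraction(0))


if __name__ == "__main__":
    per_hash = seconds_per_hash()
    for label, n, a in (("4-digit PIN", 4, 10), ("6-digit PIN", 6, 10), ("8-char password", 8, 64)):
        secs = offline_exhaustion_seconds(n, a, rows=1, per_hash=per_hash)
        print(f"{label:16} keyspace {keyspace(n, a):>20,} -> {secs:,.0f} s per salted row")
    print("uniform 4-digit PIN, 3 tries:", online_guess_probability(4))
    print("skewed (constructed shares):", online_guess_probability_skewed(CONSTRUCTED_SHARES))
    card = PinVerifier("4711")  # constructed PIN
    print([card.verify(g) for g in ("0000", "1234", "1111", "4711")])  # -> [False, False, False, False]
```

The last line shows the counter doing its job: after three wrong guesses even the correct PIN is refused, which is the property a hash alone never gives a 10,000-element keyspace.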


Re: Changing PINs of German bank card

2017-07-11 Thread Binarus
On 11.07.2017 20:38, MFPA wrote:
> 
> 
> On Tuesday 11 July 2017 at 8:44:48 AM, in
> , Binarus wrote:-
> 
> 
>> I am not sure if this is an intentional limitation of
>> the cards (to
>> prevent users from choosing idiotic pins like 1234 or
>> their birthday).
> 
> 
> Surely things like 1234 can be prevented by software.
> 

But birthdays and the like probably not.

Furthermore (not being sure, so read with care), I think that the bank
does not know your pin, but it is stored in the banks' backends as some
sort of hash, and this means that such software would have to run on the
card.

Regards,

Binarus




Re: Changing PINs of German bank card

2017-07-11 Thread Matthias Apitz
On Tuesday, July 11, 2017 at 07:38:08 PM +0100, MFPA wrote:

> On Tuesday 11 July 2017 at 8:44:48 AM, in
> , Binarus wrote:-
> 
> 
> > I am not sure if this is an intentional limitation of
> > the cards (to
> > prevent users from choosing idiotic pins like 1234 or
> > their birthday).
> 
> 
> Surely things like 1234 can be prevented by software.

Why 1234 is an idiotic PIN? What are idiotic PINs? Of course, idiotic is
any PIN which has in your pocket hints about this (like a sticker attached
or your birthday). But remember, you normally have 3 tries only to test
all "idiotic" PINs. 1234 is same idiotic as 2345 or as 3456 or  or as
, or , or ...

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.




Re: Changing PINs of German bank card

2017-07-11 Thread Brad Rogers
On Tue, 11 Jul 2017 19:38:08 +0100
MFPA <2014-667rhzu3dc-lists-gro...@riseup.net> wrote:

Hello MFPA,

>Surely things like 1234 can be prevented by software.

Sure.

The question is "Are they?"

I suspect(1) the answer, in many cases, is "No."

(1) My gut feeling - I have no evidence/proof.

-- 
 Regards  _
 / )   "The blindingly obvious is
/ _)radnever immediately apparent"
Chose to play the fool in a six piece band
What A Waste - Ian Dury And The Blockheads




Re: Changing PINs of German bank card

2017-07-11 Thread MFPA



On Tuesday 11 July 2017 at 8:44:48 AM, in
, Binarus wrote:-


> I am not sure if this is an intentional limitation of
> the cards (to
> prevent users from choosing idiotic pins like 1234 or
> their birthday).


Surely things like 1234 can be prevented by software.



--
Best regards

MFPA  

Change is inevitable except from a vending machine




Re: Changing PINs of German bank card

2017-07-11 Thread MFPA



On Tuesday 11 July 2017 at 11:23:06 AM, in
, Julian H.
Stacey wrote:-


> All UK cards I know of allow PIN change at the ATM.

Back in the 1980s I remember some that had no PIN change facility. And
at one time, NatWest only allowed a PIN change the first time the card
was used in one of their own ATMs.

--
Best regards

MFPA  

A woman's mind is cleaner than a man's: She changes it more often.




Re: Changing PINs of German bank card

2017-07-11 Thread Binarus
On 11.07.2017 14:38, Jerry wrote:
> On Tue, 11 Jul 2017 12:32:56 +0200, Binarus stated:
> 
> [...]
>> I am not completely sure if I got you right. Wouldn't that mean that I
>> have to lose my card, the bad person then makes two guesses, then I get
>> back my card and enter my correct pin, then I lose my card again, and
>> the same bad person finds it again and makes another two guesses, then
>> I get my card back again and so on?
>
> If you continually lose your card that often, you have more problems
> than just a lost/stolen card to deal with. I sincerely hope you are
> never trusted with confidential information.
>

Not sure if you eventually have misunderstood me. I was just trying to
understand the previous speaker by asking him what exactly he was
meaning ...

>> The only way to abuse the fail counter reset feature would be to steal
>> the card, to copy it and to return it to its owner, and to do this in a
>> way that the owner would not notice it. But again, the adversary would
>> then still have to observe the card owner to see when the counter is
>> reset and to start his next tries.
> 
> I was told, although not confirmed, that cards with embedded chips
> cannot be copied and still be usable. If anyone would like to comment
> on that, it would be welcomed.

No idea about the U.S., but talking about Germany: The main problem with
ATMs here is skimming (I am not sure if this wording is correct in the
U.S., so let me briefly explain: Skimming means that some adversary
manipulates an ATM by mounting his own user interface onto it,
perfectly imitating the original interface (mechanically - own
electronics, own keyboard), intercepting the data stream and the
keystrokes (pin), or mounts a pinhole camera to record people entering
their pins).

AFAIK, at least until one or two years ago, the skimmers used to copy
the cards, but recently banks upgraded their ATMs and their customers'
cards so that they can't be copied any more. But for compatibility, the
ATMs still won't refuse old cards which can be copied.

But please don't take this as bare truth; I am really not sure.

>>> The probability to guess the correct code during the 5-years life of
>>> the card is definitely non-negligible.>  
 And there is one more very important thing most people don't think
 of: What happens if you have an accident or if you die? Your heirs
 will have all sorts of troubles if something happens to you and
 they can't access your electronic accounts because they don't have
 the passwords.  
>>
>>> Usually there are other, non-technical ways. For example they just
>>> go to the bank with a death certificate.  
> 
> I have actually seen that happen. The estate lawyer had to fill out
> some paper work, but it was really no big deal. Basically, it is the
> same procedure used to get access to a deceased safe deposit box.

No chance to have it that easy here in Germany ... at least with certain
banks.

>> I already have seen cases where it was not that easy in Germany.
>> Usually, presenting a death certificate to the bank is not enough. I
>> have seen that the bank had to make sure that the people presenting the
>> death certificate actually were the legal heirs. That meant that those
>> people had to acquire all sorts of documents from all sorts of
>> authorities which has been very expensive (several hundreds of EUR),
>> but more important, was very unpleasant and time consuming, especially
>> in the situation they were.
> 
> Good for them. They should make absolutely sure before releasing the
> funds.

I agree.

>> AFAIK, there is only one thing you could do to avoid that hassle: The
>> testator and the heirs should make a contract of inheritance. Such a
>> contract must be made by a notary, so this will also have its cost, but
>> when you present such a contract to the bank (in addition to the death
>> certificate), you will have no problems.
> 
> The cost of a notary is a few dollars; therefore, negligible. Honestly,
> I would hope that it would NOT be that easy.

Here in Germany, a notary won't even pick up his pencil without earning a
significant amount of money. As far as I can remember, the inheritance
contract cost about 500 EUR (about US $560) many years ago, but that
was still a small amount of money compared to the hassle the heirs would
have had if they did not have that contract.

By the way, there is no competition in this field because the money a
notary charges for an action is defined by law. There is a detailed
catalogue which lists every action a notary could (may) do, even the
most exotic ones, and how much money he will get for that. Any notary is
prohibited by law from charging less; he will lose his approbation and
get into serious trouble if he does.

Is the situation in the U.S. similar?

> I have all of my important papers, including passwords to accounts that
> have to be kept secure, in a bank safe deposit box. If I were to die,
> it wouldn't matter who had the key if they 

Re: Changing PINs of German bank card

2017-07-11 Thread Peter Lebbing
On 11/07/17 12:32, Binarus wrote:
> I am not completely sure if I got you right. Wouldn't that mean that I
> have to lose my card, the bad person then makes two guesses, then I get
> back my card and enter my correct pin, then I lose my card again, and
> the same bad person finds it again and makes another two guesses, then I
> get my card back again and so on?

But you were discussing both card PINs as well as web passwords with low
entropy, right? You said earlier:

> - If somebody tries to brute force the pin (or online banking password),
> the access will be permanently denied if there are more than 3 failures
> (the exact number may vary).

I still don't think you could brute-force it with just two tries in
between your regular logins. However, this seems like a nice DoS if
someone dislikes you and is mean-spirited. They get a hold of your bank
account number, attempt to log in with the three password guesses "say",
"bye" and "now" and you need to phone up your bank, they need to send
you a new letter with a new password, etcetera. Or is there some other
secret or semi-secret, like a card number, that an attacker needs to
enter in order to decrement the failure counter?

This "three strikes and you're out" scheme is generally for two-factor
auth, not for regular web passwords. For a reason.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Changing PINs of German bank card

2017-07-11 Thread Binarus
On 11.07.2017 11:48, Matthias Mansfeld wrote:
> On 11 Jul 2017 at 9:44, Binarus wrote:
> 
>> On 10.07.2017 17:42, Guan Xin wrote:
>>> This is probably a general question --
>>>
>>> I have never seen a German bank that allows changing the PIN of a card.
>>
>> I am not sure if this is an intentional limitation of the cards (to
>> prevent users from choosing idiotic pins like 1234 or their birthday).
> 
> [..]
> At least Sparkasse and HypoVereinsbank and IIRC also Postbank allow 
> changing at the ATM terminal.
> 
> And a birthday isn't as idiotic as 1234 or , as long as you assume a 
> standard pickpocket doesn't know your personal data (OK, your ID card 
> within the same wallet... maybe not a good idea. Then not your own 
> birthday but that of a person or your cat you can remember, or better 
> your wedding day, which normally would always be forgotten ;-) 

You are right, but experience tells us (no, not us, but the banks) that
people won't think about it. I have no doubt that people like you and me
would choose a secure pin, but from a bank's point of view, most people
would choose pins like 1234 or their birthday.

It might be only a matter of time until there is the first case of a
bank refusing to compensate a customer because his pin was his birthday.

>> Now, this is a completely different question which does not have to do
>> anything with the pin's length. The answer to this question completely
>> depends on your environment and your intentions. I will explain this by
>> two examples with contrary conclusions:
>>
>> Example 1:
>>
> [...]
>>
>> Example 2:
> [..]
> 
> Example 3
> 
> MY use case would be: I have, let's say, two bank accounts at 
> Sparkasse, one at Postbank, one at HypoVereinsbank (possible reason: 
> two business accounts and one private account and one from an 
> inherited account) and I can remember ONE good "random-like" 
> 4-digit PIN, but would definitely mangle four different PINs (been 
> there, done that...). Then I choose one and the same "good" PIN for 
> all four cards which I don't need to write down anywhere and 
> everything is OK.

This is a good point as long as we are discussing only banking card
pins. My examples were more general (an electronic password safe will
store all sorts of other secrets / web passwords). Since the OP had
asked about banking card pins, I eventually should have restricted my
answers to that.

On the other hand, I can imagine a bunch of cases where somebody would
like to take web passwords (and not only banking card pins) along when
going out (e.g. doing web based email in an internet cafe during
vacation). In such cases, I think there is no reason why the pins
shouldn't be stored in the password safe as well.

Thinking about your use case, I am not sure if I would try to make all
pins the same, given the fact that nowadays skimming is the main problem
(and not stealing and trying to brute-force). I am not sure if banks
will compensate if something very bad happens and all four of your
accounts get emptied when the respective cards have the same pin.
Probably most banks disallow this in their terms of service (AGBs).

After all, you don't use the same password for your eBay, Facebook and
Paypal account, do you (unfair question, because those accounts won't be
disabled after three wrong password entries, but nevertheless ...)?

Regards,

Binarus



Re: Changing PINs of German bank card

2017-07-11 Thread Jerry
On Tue, 11 Jul 2017 12:32:56 +0200, Binarus stated:

>On 11.07.2017 10:14, NdK wrote:
>> Il 11/07/2017 09:44, Binarus ha scritto:
>>   
>>> - If somebody tries to brute force the pin (or online banking
>>> password), the access will be permanently denied if there are more
>>> than 3 failures (the exact number may vary). That means that the
>>> length of the pin / password is not as important as one might
>>> think, because it is practically impossible to brute force a 4
>>> digit pin with only 3 tries.  
>
>> If you routinely use your card twice a day, they can make two or four
>> guesses each day: every correct PIN you insert resets the counter.  
>
>I am not completely sure if I got you right. Wouldn't that mean that I
>have to lose my card, the bad person then makes two guesses, then I get
>back my card and enter my correct pin, then I lose my card again, and
>the same bad person finds it again and makes another two guesses, then
>I get my card back again and so on?

If you continually lose your card that often, you have more problems
than just a lost/stolen card to deal with. I sincerely hope you are
never trusted with confidential information.

>This is practically impossible (unless I have missed something
>obvious). How could the correct pin be entered and the counter be
>reset if I didn't get the card back?

In theory, it couldn't.

>Or did you refer to an adversary who copied the card? In that case, he
>still would have to know when I actually have entered the correct pin
>(which would mean that he permanently had to observe me) to start his
>next two tries.
>
>Furthermore, people usually call their bank to make their card invalid
>as soon as they notice they have lost it. This means that they usually
>won't enter the correct pin again after having lost the card.

That is the general idea.

>The only way to abuse the fail counter reset feature would be to steal
>the card, to copy it and to return it to its owner, and to do this in a
>way that the owner would not notice it. But again, the adversary would
>then still have to observe the card owner to see when the counter is
>reset and to start his next tries.

I was told, although not confirmed, that cards with embedded chips
cannot be copied and still be usable. If anyone would like to comment
on that, it would be welcomed.

>> The probability to guess the correct code during the 5-years life of
>> the card is definitely non-negligible.>  
>>> And there is one more very important thing most people don't think
>>> of: What happens if you have an accident or if you die? Your heirs
>>> will have all sorts of troubles if something happens to you and
>>> they can't access your electronic accounts because they don't have
>>> the passwords.  
>
>> Usually there are other, non-technical ways. For example they just
>> go to the bank with a death certificate.  

I have actually seen that happen. The estate lawyer had to fill out
some paper work, but it was really no big deal. Basically, it is the
same procedure used to get access to a deceased safe deposit box.

>I already have seen cases where it was not that easy in Germany.
>Usually, presenting a death certificate to the bank is not enough. I
>have seen that the bank had to make sure that the people presenting the
>death certificate actually were the legal heirs. That meant that those
>people had to acquire all sorts of documents from all sorts of
>authorities which has been very expensive (several hundreds of EUR),
>but more important, was very unpleasant and time consuming, especially
>in the situation they were.

Good for them. They should make absolutely sure before releasing the
funds.

>AFAIK, there is only one thing you could do to avoid that hassle: The
>testator and the heirs should make a contract of inheritance. Such a
>contract must be made by a notary, so this will also have its cost, but
>when you present such a contract to the bank (in addition to the death
>certificate), you will have no problems.

The cost of a notary is a few dollars; therefore, negligible. Honestly,
I would hope that it would NOT be that easy.

>But now, being a German citizen, try the same thing with eBay,
>Facebook, LinkedIn, PayPal and so on ... no thanks.
>
>>> So I tend to write down at least my master password on a sheet of
>>> paper, put that in a sealed envelope and give it to a relative who
>>> I highly trust. In case I die, they open the envelope, have the
>>> master password for my password safe and can use that to open the
>>> access to all my accounts. Alternatively, you could have some
>>> relative you trust memorize your master password. But since he
>>> won't use it regularly (hopefully), he probably will forget it
>>> after short time ...  
>
>> Better use shamir's secret sharing, or just use LCD-segments
>> characters printed on two acetate sheets that need to be combined to
>> be read. Obviously the two sheets are to be given to two different
>> people, in sealed envelopes...  
>
>Nice ideas :-) My 

Re: Changing PINs of German bank card

2017-07-11 Thread Binarus
On 11.07.2017 14:32, NdK wrote:
> Il 11/07/2017 12:32, Binarus ha scritto:
> 
>> But now, being a German citizen, try the same thing with eBay, Facebook,
>> LinkedIn, PayPal and so on ... no thanks.
> Why should heirs have access to social accounts? PayPal, OTOH, is a bank
> that has to follow the same rules as other banks...

Interestingly enough, this subject is becoming more and more important.
I think I can remember that there are first tries in some countries (or
the EU?) to make respective laws. At least, I am sure that there already
were lawsuits where heirs have tried to get hold of accounts of somebody
who passed away (in the case I can remember, a facebook account has been
subject of the lawsuit, but I can't remember right now how it ended).

IMHO, there are many reasons why this should be possible, so I would
appreciate if there were such laws. I don't want this thread to become
too off-topic, so I won't elaborate on this in a fashion this complex
subject deserves, but just give one pragmatic example:

Let's suppose somebody offers something on eBay and then passes away.
Let's suppose that somebody else wins that auction and immediately pays
via PayPal. Now what?

There may be means to solve such situations, but they usually cost lots
of time, money or nerves, and this has been just a simple example. If we
think a while about it, we surely will find a constellation where it
would be quite catastrophic if an account holder's heirs couldn't get
hold of his accounts.

>> Nice ideas :-) My own security needs are not that high, though (hoping
>> that life won't punish me for that optimism).
> My concern with a single "cleartext" pass would be a burglar that steals
> it together with other valuables...

You are right, burglary is a real threat. But if you have memorized your
master password and don't keep it on paper in your own apartment /
house, but just give it on paper to a relative, the burglar will have to
steal the paper from your relative and at the same time steal your PC
(or banking card) from you to make anything out of it.

Therefore, I have no problem with giving the password on paper to a
relative who lives some km away from me. I would never keep the password
on paper in the same room (or even building) as the PC or banking card,
though, and as soon as either the PC (or banking card) or the password
paper would be stolen, I would immediately change the password (and hand
the new one out on paper to my relative).

>> To add to it, if you mistrust your relatives, you could put the password
>> on paper into some sort of lock box and carry the key to that lock box
>> with you. But then what would happen if you lost that key?
> Given that mechanical locks are often easier to open without the key
> than with it...

Actually, I was thinking about a lock box in a bank or such things ...

Regards,

Binarus



Re: Changing PINs of German bank card

2017-07-11 Thread NdK
Il 11/07/2017 12:32, Binarus ha scritto:

>> If you routinely use your card twice a day, they can make two or four
>> guesses each day: every correct PIN you insert resets the counter.
> I am not completely sure if I got you right. Wouldn't that mean that I
> have to lose my card, the bad person then makes two guesses, then I get
> back my card and enter my correct pin, then I lose my card again, and
> the same bad person finds it again and makes another two guesses, then I
> get my card back again and so on?
Say that's your wife/son who takes the card when you're at home...
Low probability, but possible :)

>> Usually there are other, non-technical ways. For example they just go to
>> the bank with a death certificate.
> I already have seen cases where it was not that easy in Germany.
> Usually, presenting a death certificate to the bank is not enough. I
> have seen that the bank had to make sure that the people presenting the
> death certificate actually were the legal heirs. That meant that those
> people had to acquire all sorts of documents from all sorts of
> authorities which has been very expensive (several hundreds of EUR), but
> more important, was very unpleasant and time consuming, especially in
> the situation they were.
Been there...
Another reason to give the password before going with the documents
might be "a bit" illegal: just transfer the money to avoid paying taxes.

> But now, being a German citizen, try the same thing with eBay, Facebook,
> LinkedIn, PayPal and so on ... no thanks.
Why should heirs have access to social accounts? PayPal, OTOH, is a bank
that has to follow the same rules as other banks...

> Nice ideas :-) My own security needs are not that high, though (hoping
> that life won't punish me for that optimism).
My concern with a single "cleartext" pass would be a burglar that steals
it together with other valuables...

> To add to it, if you mistrust your relatives, you could put the password
> on paper into some sort of lock box and carry the key to that lock box
> with you. But then what would happen if you lost that key?
Given that mechanical locks are often easier to open without the key
than with it...

BYtE,
 Diego


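Diego's burglary concern in this message, and his earlier suggestion (in his reply further down the page) to use Shamir's secret sharing for the master password, as an added example that is not code from the thread: a minimal k-of-n Shamir split over the prime field GF(2^521 - 1) in Python, dividing a password safe's master password into three shares of which any two reconstruct it. A burglar who takes one envelope from one relative learns nothing about the password. The master password and the three share holders are constructed for the example; the code carries no share authentication, so a tampered share is not detected.

```python
"""Shamir secret sharing of a master password (added example, not from the thread).

A random polynomial f of degree k-1 over GF(PRIME) has the secret as its constant
term; share i is (i, f(i)). Any k shares fix the polynomial and give f(0) back by
Lagrange interpolation; k-1 shares are consistent with every possible secret, so a
single stolen envelope carries no information. The secret below is constructed.
"""
import secrets

PRIME = 2**521 - 1  # Mersenne prime; secrets of up to 64 bytes fit below it


def _eval_poly(coeffs, x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split(secret: bytes, k: int, n: int) -> list:
    """Return n shares (x, y) of which any k recover `secret`."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    # A leading 0x01 byte preserves the length (and any leading zero bytes).
    s = int.from_bytes(b"\x01" + secret, "big")
    if s >= PRIME:
        raise ValueError("secret too long for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover(shares) -> bytes:
    """Lagrange interpolation at x = 0 over the given shares."""
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        s = (s + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = s.to_bytes((s.bit_length() + 7) // 8, "big")
    if not raw or raw[0] != 0x01:
        raise ValueError("shares do not reconstruct a secret (too few, or wrong shares)")
    return raw[1:]


def recovers(shares, secret: bytes) -> bool:
    """True if these shares yield `secret`; False if they raise or yield garbage."""
    try:
        return recover(shares) == secret
    except ValueError:
        return False


if __name__ == "__main__":
    master = b"correct horse battery staple"  # constructed example secret
    shares = split(master, k=2, n=3)         # relative A, relative B, bank deposit box
    print("any two recover:", recovers(shares[:2], master), recovers(shares[1:], master))
    print("one alone recovers:", recovers(shares[:1], master))
```

Shares are large integers; in practice they are printed (e.g. base64 or as a QR code) on the paper that goes into each envelope, and the heirs combine any two of them.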


Re: Changing PINs of German bank card

2017-07-11 Thread Matthias Mansfeld
On 11 Jul 2017 at 9:44, Binarus wrote:

> On 10.07.2017 17:42, Guan Xin wrote:
> > This is probably a general question --
> > 
> > I have never seen a German bank that allows changing the PIN of a card.
> 
> I am not sure if this is an intentional limitation of the cards (to
> prevent users from choosing idiotic pins like 1234 or their birthday).

[..]
At least Sparkasse and HypoVereinsbank and IIRC also Postbank allow 
changing at the ATM terminal.

And a birthday isn't as idiotic as 1234 or , as long as you assume a 
standard pickpocket doesn't know your personal data (OK, your ID card 
within the same wallet... maybe not a good idea. Then not your own 
birthday but that of a person or your cat you can remember, or better 
your wedding day, which normally would always be forgotten ;-) 

> Now, this is a completely different question which does not have to do
> anything with the pin's length. The answer to this question completely
> depends on your environment and your intentions. I will explain this by
> two examples with contrary conclusions:
> 
> Example 1:
> 
[...]
> 
> Example 2:
[..]

Example 3

MY use case would be: I have, let's say, two bank accounts at 
Sparkasse, one at Postbank, one at HypoVereinsbank (possible reason: 
two business accounts and one private account and one from an 
inherited account) and I can remember ONE good "random-like" 
4-digit PIN, but would definitely mangle four different PINs (been 
there, done that...). Then I choose one and the same "good" PIN for 
all four cards which I don't need to write down anywhere and 
everything is OK.

Regards
Matthias
--
OpenPGP: http://www.mansfeld-elektronik.de/gnupgkey/mansfeld.asc
Fingerprint: 6563 057D E6B8 9105 1CE4 18D0 4056 1F54 8B59 40EF




Re: Changing PINs of German bank card

2017-07-11 Thread Binarus
On 11.07.2017 10:14, NdK wrote:
> Il 11/07/2017 09:44, Binarus ha scritto:
> 
>> - If somebody tries to brute force the pin (or online banking password),
>> the access will be permanently denied if there are more than 3 failures
>> (the exact number may vary). That means that the length of the pin /
>> password is not as important as one might think, because it is
>> practically impossible to brute force a 4 digit pin with only 3 tries.

> If you routinely use your card twice a day, they can make two or four
> guesses each day: every correct PIN you insert resets the counter.

I am not completely sure if I got you right. Wouldn't that mean that I
have to lose my card, the bad person then makes two guesses, then I get
back my card and enter my correct pin, then I lose my card again, and
the same bad person finds it again and makes another two guesses, then I
get my card back again and so on?

This is practically impossible (unless I have missed something obvious).
How could the correct pin be entered and the counter be reset if I
didn't get the card back?

Or did you refer to an adversary who copied the card? In that case, he
still would have to know when I actually have entered the correct pin
(which would mean that he permanently had to observe me) to start his
next two tries.

Furthermore, people usually call their bank to make their card invalid
as soon as they notice they have lost it. This means that they usually
won't enter the correct pin again after having lost the card.

The only way to abuse the fail counter reset feature would be to steal
the card, to copy it and to return it to its owner, and to do this in a
way that the owner would not notice it. But again, the adversary would
then still have to observe the card owner to see when the counter is
reset and to start his next tries.

> The probability to guess the correct code during the 5-years life of the
> card is definitely non-negligible.>
>> And there is one more very important thing most people don't think of:
>> What happens if you have an accident or if you die? Your heirs will have
>> all sorts of troubles if something happens to you and they can't access
>> your electronic accounts because they don't have the passwords.

> Usually there are other, non-technical ways. For example they just go to
> the bank with a death certificate.

I already have seen cases where it was not that easy in Germany.
Usually, presenting a death certificate to the bank is not enough. I
have seen that the bank had to make sure that the people presenting the
death certificate actually were the legal heirs. That meant that those
people had to acquire all sorts of documents from all sorts of
authorities which has been very expensive (several hundreds of EUR), but
more important, was very unpleasant and time consuming, especially in
the situation they were.

AFAIK, there is only one thing you could do to avoid that hassle: The
testator and the heirs should make a contract of inheritance. Such a
contract must be made by a notary, so this will also have its cost, but
when you present such a contract to the bank (in addition to the death
certificate), you will have no problems.

But now, being a German citizen, try the same thing with eBay, Facebook,
LinkedIn, PayPal and so on ... no thanks.

>> So I tend to write down at least my master password on a sheet of paper,
>> put that in a sealed envelope and give it to a relative who I highly
>> trust. In case I die, they open the envelope, have the master password
>> for my password safe and can use that to open the access to all my
>> accounts. Alternatively, you could have some relative you trust memorize
>> your master password. But since he won't use it regularly (hopefully),
>> he probably will forget it after short time ...

> Better use shamir's secret sharing, or just use LCD-segments characters
> printed on two acetate sheets that need to be combined to be read.
> Obviously the two sheets are to be given to two different people, in
> sealed envelopes...

Nice ideas :-) My own security needs are not that high, though (hoping
that life won't punish me for that optimism).

> BTW the method you use is the same that was used for our mainframe's
> master password. :)

To add to it, if you mistrust your relatives, you could put the password
on paper into some sort of lock box and carry the key to that lock box
with you. But then what would happen if you lost that key?

Regards,

Binarus



Re: Changing PINs of German bank card

2017-07-11 Thread Julian H. Stacey
> > This is probably a general question --
> > 
> > I have never seen a German bank that allows changing the PIN of a card.
> > So I wonder if it is because using a fixed (non-changeable) 4-digit PIN
> > mailed in clear text is really safer than using a 4 to 6 digit variable length
> > PIN that never explicitly appears anywhere.
> 
> Nowadays some German banks allow changing the PIN in the Teller
> Machines. I saw it today in an ATM of the Sparkasse. Amex allows (or
> allowed) requesting a new personal PIN by fax.

Postbank.de did not provide it on ATM or by any other means a month back.
All UK cards I know of allow PIN change at the ATM.

Cheers,
Julian
-- 
Julian H. Stacey, Computer Consultant, BSD Linux Unix Systems Engineer
 Reply below, Prefix '> '. Plain text, No .doc, base64, HTML, quoted-printable.
 http://berklix.eu/brexit/#700k_stolen_votes



Re: Changing PINs of German bank card

2017-07-11 Thread NdK
Il 11/07/2017 09:44, Binarus ha scritto:

> - If somebody tries to brute force the pin (or online banking password),
> the access will be permanently denied if there are more than 3 failures
> (the exact number may vary). That means that the length of the pin /
> password is not as important as one might think, because it is
> practically impossible to brute force a 4 digit pin with only 3 tries.
If you routinely use your card twice a day, they can make two or four
guesses each day: every correct PIN you insert resets the counter.
The probability to guess the correct code during the 5-years life of the
card is definitely non-negligible.

> And there is one more very important thing most people don't think of:
> What happens if you have an accident or if you die? Your heirs will have
> all sorts of troubles if something happens to you and they can't access
> your electronic accounts because they don't have the passwords.
Usually there are other, non-technical ways. For example they just go to
the bank with a death certificate.

> So I tend to write down at least my master password on a sheet of paper,
> put that in a sealed envelope and give it to a relative who I highly
> trust. In case I die, they open the envelope, have the master password
> for my password safe and can use that to open the access to all my
> accounts. Alternatively, you could have some relative you trust memorize
> your master password. But since he won't use it regularly (hopefully),
> he probably will forget it after short time ...
Better use shamir's secret sharing, or just use LCD-segments characters
printed on two acetate sheets that need to be combined to be read.
Obviously the two sheets are to be given to two different people, in
sealed envelopes...

BTW the method you use is the same that was used for our mainframe's
master password. :)

BYtE,
 Diego

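The arithmetic behind Diego's point above, and behind the retry-counter discussion in Binarus's replies elsewhere in the thread, as an added example that is not code from the thread: a Python model of a card's PIN retry counter, the exact probability that an attacker who gets a few guesses between the owner's own uses hits a 4-digit PIN over a card's five-year life, and a Monte Carlo run of the same scenario against the model. The retry limit of 3, one owner use per day, an attacker who always stops one short of the limit, and a uniformly random PIN are assumptions of the model, not facts about any issuer.

```python
"""Retry-counter reset attack on a short PIN: worked numbers (added example, not from the thread).

Model (assumptions): the PIN is uniform over 10**digits values; the card blocks after
`retry_limit` consecutive failures; the attacker has the card (or a usable copy)
between the owner's uses, never repeats a guess, and stops one short of the limit so
the owner's next correct entry resets the counter unnoticed. Real PINs chosen by
people are far from uniform, which only helps the attacker.
"""
import random
from fractions import Fraction


class PinCard:
    """Minimal model of a card's PIN retry counter."""

    def __init__(self, pin: str, retry_limit: int = 3):
        self._pin = pin
        self.retry_limit = retry_limit
        self.failures = 0
        self.blocked = False

    def verify(self, attempt: str) -> bool:
        if self.blocked:
            return False
        if attempt == self._pin:
            self.failures = 0  # a correct entry resets the counter
            return True
        self.failures += 1
        if self.failures >= self.retry_limit:
            self.blocked = True  # card is permanently disabled
        return False


def attempt_sequence(pin: str, attempts, retry_limit: int = 3):
    """Run a list of PIN entries against one card; return (results, blocked)."""
    card = PinCard(pin, retry_limit)
    return [card.verify(a) for a in attempts], card.blocked


def success_probability(digits: int, retry_limit: int, resets: int) -> Fraction:
    """Exact hit probability: (retry_limit - 1) distinct guesses per reset window."""
    total_guesses = (retry_limit - 1) * resets
    return min(Fraction(1), Fraction(total_guesses, 10 ** digits))


def simulate(digits: int, retry_limit: int, resets: int, trials: int = 1000, seed: int = 1) -> float:
    """Monte Carlo estimate of success_probability using the PinCard model."""
    rng = random.Random(seed)
    space = 10 ** digits
    per_window = retry_limit - 1
    hits = 0
    for _ in range(trials):
        pin = f"{rng.randrange(space):0{digits}d}"
        card = PinCard(pin, retry_limit)
        guesses = iter(rng.sample(range(space), min(space, per_window * resets)))
        found = False
        for _window in range(resets):
            for _ in range(per_window):
                guess = next(guesses, None)
                if guess is None or card.verify(f"{guess:0{digits}d}"):
                    found = guess is not None
                    break
            if found or guess is None:
                break
            assert not card.blocked  # attacker stopped one short of the limit
            card.verify(pin)         # owner's genuine use resets the counter
        hits += found
    return hits / trials


if __name__ == "__main__":
    days = 5 * 365
    for digits, resets_per_day in ((4, 1), (4, 2), (6, 1)):
        p = success_probability(digits, 3, days * resets_per_day)
        print(f"{digits}-digit PIN, {resets_per_day} reset(s)/day over 5 years: "
              f"{float(p):.3%} (exact {p})")
    print("simulated 4-digit, 1 reset/day:", simulate(4, 3, days))
```

With a 4-digit PIN, one owner use per day and two attacker guesses in between, the attacker covers 3650 of 10000 PINs over five years, a 36.5% chance; two resets a day give 73%. The same attack against a 6-digit PIN stays below 0.4%, which is the case for the longer, changeable PIN the original question asked about, and for reporting a card the moment it is missing so the counter is never reset again.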


Re: Changing PINs of German bank card

2017-07-11 Thread Binarus
On 10.07.2017 17:42, Guan Xin wrote:
> This is probably a general question --
> 
> I have never seen a German bank that allows changing the PIN of a card.

I am not sure if this is an intentional limitation of the cards (to
prevent users from choosing idiotic pins like 1234 or their birthday).

> So I wonder if it is because using a fixed (non-changeable) 4-digit PIN
> mailed in clear text is really safer than using a 4 to 6 digit variable
> length PIN that never explicitly appears anywhere.

I recently had a talk with one of my banks because they didn't even
allow changing the web password (for access to online banking) to
something being longer than 5 alphanumeric digits (!!!).

Although (in my case) the subject of the talk was the web password, the
following applies to the card pin as well.

- Usually, you are receiving the card's pin by postal mail. It is
consensus here in Germany that postal mail is highly trustworthy and
that the so called "Briefgeheimnis" is obeyed very carefully. The legal
hurdles for opening a letter during transport are still very high.

- Additionally, you are usually receiving the pins in a special envelope
which (AFAIK) makes it very difficult to read the letter's content
without opening it, even by advanced means (X-ray and the like). In many
cases, the pin is even more secured (metal coating).

I (personally) consider receiving pins that way safe.

But the key point in the bank's argumentation was (applies to pins as
well as to my online banking access):

- If somebody tries to brute force the pin (or online banking password),
the access will be permanently denied if there are more than 3 failures
(the exact number may vary). That means that the length of the pin /
password is not as important as one might think, because it is
practically impossible to brute force a 4 digit pin with only 3 tries.

I know that the chance for guessing 4 digits within 3 tries is higher
than guessing 6 digits, but obviously, most banks are considering 4
digits safe enough.

Furthermore, if you are really hacked and lose money because of this,
the bank will compensate your loss provided that you did not behave like
an idiot (i.e. if you did not note the pin on a piece of paper, attach
that piece of paper to your card and then lose both of them). At least,
they did so in all cases I know about, despite the fact that the
respective customer (of course) could not *prove* at a technical level
how the hacking worked. As long as the customer could demonstrate
credibly that he had not made any very silly mistake, the bank compensated.

Due to all reasons mentioned above, I (personally) think that you should
not be concerned by the length of the pin, the fact that you can't
change it, and the way you receive it.

> If German banks are right, then should I follow their method and store
> the PINs of my OpenPGP cards on a piece of paper?

Now, this is a completely different question which has nothing to do
with the PIN's length. The answer to this question completely
depends on your environment and your intentions. I will explain this
with two examples with contrary conclusions:

Example 1:

You always forget the PIN of your EC card. Therefore, you write it down
on a piece of paper and put it in your wallet beside your EC card.

Well, as said above, this obviously would be the most silly thing you
could do. No bank will compensate you if you lose your wallet (with the
card and its PIN) and somebody then steals your money.

So you think about it and come to a better idea. You could store the PIN
on your smartphone. This indeed is better - hopefully you won't lose
your smartphone and your banking card at the same time. But there is
still a small chance that you do.

You think again and finally have a good idea. You install a password
safe app on your smartphone which locally stores all PINs and passwords
with strong encryption. You operate that app with great discipline: You
choose a long, weird master password which you must enter to open the
password safe where the PIN is stored. You open the safe only when
needed, you close it immediately when done, and you don't let the
app (or OS) cache the master password.

(Note: Of course, you MUST NOT write the master password on a piece of
paper and attach that paper to your smartphone ...)

So, in this example, carrying a piece of paper with you where the PIN is
noted is a very bad idea, but carrying that PIN with you on your smartphone
is a good idea provided that the PIN is stored there in a heavily
encrypted password safe and provided that you operate that safe with
some discipline. You still have to memorize that safe's master password,
but this is a one-time thing, and you could then store all other
passwords and PINs in that safe.

Example 2:

On your desktop PC, you are using the internet excessively, and you are
afraid that some Trojan horse / keylogger will be able to get on your PC
(given the latest ransomware attacks, this 

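The three-failures lockout and the 4- versus 6-digit comparison from the post above, as an added Python model that is not part of the thread; the reset-on-success behaviour, the 366-candidate birthday space and all PIN values are assumptions of this example.

```python
"""Added example, not from the thread: models the lockout Binarus describes
(access blocked after 3 failures) and the guessing odds for a random 4-digit,
a random 6-digit and a birthday-derived PIN. All values are constructed."""
from dataclasses import dataclass
import secrets

MAX_FAILURES = 3  # "more than 3 failures" blocks access; the exact number varies


@dataclass
class PinSlot:
    """Verifier-side state an ATM or issuer keeps: the reference PIN and a
    try counter. Assumption: a correct entry resets the counter (as EMV's
    PIN Try Counter does); blocking is permanent, as in the post."""
    pin: str
    failures: int = 0
    blocked: bool = False

    def verify(self, attempt: str) -> bool:
        if self.blocked:
            return False  # permanently denied, even for the right PIN
        if secrets.compare_digest(attempt, self.pin):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.blocked = True
        return False


def success_probability(candidates: int, tries: int = MAX_FAILURES) -> float:
    """Attacker's chance with `tries` distinct guesses against a PIN drawn
    uniformly from `candidates` equally likely values (lockout caps tries)."""
    return min(tries, candidates) / candidates


def compare_pin_spaces() -> dict:
    """Same 3-try lockout, the cases the thread contrasts: bank-assigned
    random 4 or 6 digits versus a PIN equal to the owner's day and month
    of birth (at most 366 candidates; a constructed worst case)."""
    return {
        "random_4_digit": success_probability(10**4),
        "random_6_digit": success_probability(10**6),
        "birthday_ddmm": success_probability(366),
    }
```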
Re: Changing PINs of German bank card

2017-07-10 Thread Guan Xin
On Tue, Jul 11, 2017 at 1:52 AM, Matthias Apitz  wrote:

> Nowadays some German banks allow changing the PIN in the Teller
> Machines. I saw it today in an ATM of the Sparkasse. Amex allows (or
> allowed) requesting a new personal PIN by fax.

Interesting ... Just closed my Sparkasse account since every day every
clerk of them has a different answer to exactly the same question and I'm
unable to follow them.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Changing PINs of German bank card

2017-07-10 Thread Guan Xin
On Tue, Jul 11, 2017 at 1:38 AM, Ingo Klöcker  wrote:

> ... and that would very often be either 1234[56] or the card owner's
> date of birth as we all know. A random 4-digit PIN randomly chosen by
> the bank is certainly safer than this.

Yes, that's true.


> German banks require you to destroy the PIN letter after memorizing the
> PIN. You are not supposed to keep the letter. If you want to follow
> their method then write your PIN on a piece of paper, memorize the PIN
> and then burn or eat the piece of paper. ;-)

Sometimes they circulate the permanent PIN for two weeks in German Post
before delivery. Looks like I'm the last to read it.

Two other advantages (correct me if I'm mistaken) of self-invented PINs
are, I think,
1) One can prepare and remember the PIN in advance, so there is practically
no need to write it down;
2) A PIN letter is only something I have, while my own PIN record is in
addition something I know, i.e., it may not be obvious to someone else to
be a PIN record / reminder.


Re: Changing PINs of German bank card

2017-07-10 Thread MFPA
On Monday 10 July 2017 at 8:24:28 PM, gnupg-users.d...@o.banes.ch wrote:


> In e.g. Switzerland it is normal to change your PIN - which is most of
> the time 6 digits long.

In the UK bank card PINs are almost exclusively 4 digits long. The
bank allocates a PIN initially, but the customer can usually change it
as often as they like at an ATM that supports PIN changes.

--
Best regards

MFPA  

Hard work never killed anyone, but why take a risk?


Re: Changing PINs of German bank card

2017-07-10 Thread gnupg-users . dirk
Since German banking cards / even girocard should comply with the EMV
standard, a change of PIN via Issuer Script should be possible - if the
issuer - your bank - supports it.

FYI: You have to change the PIN in the card for offline validation and
the PIN stored in the issuer's backend.

In e.g. Switzerland it is normal to change your PIN - which is most of
the time 6 digits long.

best regards

Dirk

On 10.07.2017 19:52, Matthias Apitz wrote:
> On Monday, July 10, 2017 at 11:42:12 p.m. +0800, Guan Xin wrote:
>
>> This is probably a general question --
>>
>> I have never seen a German bank that allows changing the PIN of a card.
>> So I wonder if it is because using a fixed (non-changeable) 4-digit PIN
>> mailed in clear text is really safer than using a 4 to 6 digit variable length
>> PIN that never explicitly appears anywhere.
> Nowadays some German banks allow changing the PIN in the Teller
> Machines. I saw it today in an ATM of the Sparkasse. Amex allows (or 
> allowed) requesting a new personal PIN by fax.
>
>   matthias





Re: Changing PINs of German bank card

2017-07-10 Thread Matthias Apitz
On Monday, July 10, 2017 at 11:42:12 p.m. +0800, Guan Xin wrote:

> This is probably a general question --
> 
> I have never seen a German bank that allows changing the PIN of a card.
> So I wonder if it is because using a fixed (non-changeable) 4-digit PIN
> mailed in clear text is really safer than using a 4 to 6 digit variable length
> PIN that never explicitly appears anywhere.

Nowadays some German banks allow changing the PIN in the Teller
Machines. I saw it today in an ATM of the Sparkasse. Amex allows (or 
allowed) requesting a new personal PIN by fax.

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.



Re: Changing PINs of German bank card

2017-07-10 Thread Ingo Klöcker
On Monday 10 July 2017 23:42:12 Guan Xin wrote:
> This is probably a general question --
> 
> I have never seen a German bank that allows changing the PIN of a
> card. So I wonder if it is because using a fixed (non-changeable)
> 4-digit PIN mailed in clear text is really safer than using a 4 to 6
> digit variable length PIN that never explicitly appears anywhere.

... and that would very often be either 1234[56] or the card owner's 
date of birth as we all know. A random 4-digit PIN randomly chosen by 
the bank is certainly safer than this.


> If German banks are right, then should I follow their method and store
> the PINs of my OpenPGP cards on a piece of paper?

German banks require you to destroy the PIN letter after memorizing the 
PIN. You are not supposed to keep the letter. If you want to follow 
their method then write your PIN on a piece of paper, memorize the PIN 
and then burn or eat the piece of paper. ;-)


Regards,
Ingo




Changing PINs of German bank card

2017-07-10 Thread Guan Xin
This is probably a general question --

I have never seen a German bank that allows changing the PIN of a card.
So I wonder if it is because using a fixed (non-changeable) 4-digit PIN
mailed in clear text is really safer than using a 4 to 6 digit variable length
PIN that never explicitly appears anywhere.

If German banks are right, then should I follow their method and store the
PINs of my OpenPGP cards on a piece of paper?

Guan