On 12.07.2017 12:10, Peter Lebbing wrote:
> On 12/07/17 07:51, Binarus wrote:
>> Furthermore (not being sure, so read with care), I think that the bank
>> does not know your pin
>
> When my bank card is replaced because its validity is about to end, the
> new card has the same PIN as the old one. I can't readily think of a way
> to do that without the bank knowing my PIN, since the new card didn't
> physically exist yet when the old card got its copy of the PIN.[1]

See
https://security.stackexchange.com/questions/62306/a-second-bank-card-arrived-with-the-same-pin
and
https://security.stackexchange.com/questions/88711/how-can-my-bank-issue-a-new-credit-card-with-the-same-pin-number

> Furthermore, I see no use to the bank not knowing my PIN. If their
> backend got hacked, these random 4 digits being public knowledge are the
> least of the problems.
>
> And since a pin has so low entropy, I don't see how to protect it with a
> hash. Any system that can verify correctness in the time it takes to do
> a PIN payment[2] can do 10,000 guesses in reasonable time.

Right, but no reason to not do it that way (if the PIN needs to be
stored at all in some backend, which I doubt).

> Also, back when you could do payments with the magstripe (which, AFAIK,
> can still be done in some countries, using your Dutch bank card, if you
> allow it), the PIN necessarily went to the bank, there was no way for a
> check by the chip in the card.

I never did look into the magstripe technique ... so no clue here. I
only know that those cards could be copied easily.

> Anyway, I'm still writing this even though I questioned its usefulness.
> But let's consider whether this thread really needs to go on much
> longer, it seems it has run its course and is now turning into a wide
> trickling delta that is no longer hurrying towards its destination but
> rather seeking the path of least resistance in any random direction :-).

You are right - let's finish.

Regards,

Binarus

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
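The low-entropy argument quoted in this message, worked through as an added example that is not part of the original thread: a salted, stretched hash of a 4-digit PIN can be searched in at most 10,000 verifications, whatever one verification costs. The PBKDF2 scheme, the iteration count and the sample PIN are assumptions constructed for the demonstration, not a description of any bank's backend.

```python
import hashlib
import hmac
import os
import time

KEYSPACE = 10_000  # all 4-digit PINs, 0000..9999


def hash_pin(pin: str, salt: bytes, iterations: int) -> bytes:
    """Salted, stretched PIN hash (assumed storage scheme for this demo)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def verify_pin(pin: str, salt: bytes, stored: bytes, iterations: int) -> bool:
    """One legitimate verification, using a constant-time comparison."""
    return hmac.compare_digest(hash_pin(pin, salt, iterations), stored)


def exhaust_keyspace(salt: bytes, stored: bytes, iterations: int):
    """Run the verifier over every candidate; return (pin, guesses used)."""
    for n in range(KEYSPACE):
        candidate = f"{n:04d}"
        if verify_pin(candidate, salt, stored, iterations):
            return candidate, n + 1
    return None, KEYSPACE


def worst_case_seconds(per_verify_seconds: float) -> float:
    """Upper bound on search time: keyspace size times one verification."""
    return KEYSPACE * per_verify_seconds


if __name__ == "__main__":
    salt = os.urandom(16)   # constructed sample record
    iterations = 500        # kept small so the demo finishes in seconds
    stored = hash_pin("7391", salt, iterations)

    t0 = time.perf_counter()
    verify_pin("7391", salt, stored, iterations)
    per_verify = time.perf_counter() - t0

    pin, guesses = exhaust_keyspace(salt, stored, iterations)
    print(f"one verification: {per_verify * 1000:.3f} ms")
    print(f"bound for full search: {worst_case_seconds(per_verify):.2f} s")
    print(f"recovered {pin} after {guesses} guesses")
    # Even a verifier slowed to half a second per check is bounded at:
    print(f"at 0.5 s per check: {worst_case_seconds(0.5) / 3600:.2f} h")
```

The salt and the iteration count change only the cost of one verification; the bound stays at the keyspace size times that cost.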