On 12.07.2017 12:10, Peter Lebbing wrote:
> On 12/07/17 07:51, Binarus wrote:
>> Furthermore (not being sure, so read with care), I think that the bank
>> does not know your pin
> 
> When my bank card is replaced because its validity is about to end, the
> new card has the same PIN as the old one. I can't readily think of a way
> to do that without the bank knowing my PIN, since the new card didn't
> physically exist yet when the old card got its copy of the PIN.[1]

See

https://security.stackexchange.com/questions/62306/a-second-bank-card-arrived-with-the-same-pin

and

https://security.stackexchange.com/questions/88711/how-can-my-bank-issue-a-new-credit-card-with-the-same-pin-number

> Furthermore, I see no use to the bank not knowing my PIN. If their
> backend got hacked, these random 4 digits being public knowledge are the
> least of the problems.
> 
> And since a pin has so low entropy, I don't see how to protect it with a
> hash. Any system that can verify correctness in the time it takes to do
> a PIN payment[2] can do 10,000 guesses in reasonable time.

Right, but no reason to not do it that way (if the PIN needs to be
stored at all in some backend which I doubt).
> Also, back when you could do payments with the magstripe (which, AFAIK,
> can still be done in some countries, using your Dutch bank card, if you
> allow it), the PIN necessarily went to the bank, there was no way for a
> check by the chip in the card.

I never did look into the magstripe technique ... so no clue here. I
only know that those cards could be copied easily.

> Anyway, I'm still writing this even though I questioned its usefulness.
> But let's consider whether this thread really needs to go on much
> longer, it seems it has run its course and is now turning into a wide
> trickling delta that is no longer hurrying towards its destination but
> rather seeking the path of least resistance in any random direction :-).

You are right - let's finish.

Regards,

Binarus

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to