Security Basics mailing list archives
PIN security policy / proof
From: gmx <pal_adam () gmx net>
Date: Thu, 10 Aug 2006 23:17:29 +0200
Hello,

I was engaged in a discussion about the security of alternative payment methods. I have agreed on the point that a CC offers less security, because once you have its number and name you can use it, and no further security check will be performed. About banking card and PIN, the result remains half-open, and that is where I need your opinion:

The argument was that, by stealing only the PIN, an attacker is able to get into the account (remark: only with knowledge of the PIN, nothing else, no account nr.). My statement was that it is impossible to reveal account data only from the PIN, but it is possible (maybe in a veeeeryy long time) to reveal the PIN from a banking card.

My argumentation was the following:

- The banking card holds the account information, maybe with some unique data, encrypted hash-like via one-way encryption; the encrypted text is also unique (like a hash).
- The automat compares the hashed, meaning encrypted, values to the same encrypted values in the central database, then checks for the PIN, maybe encrypted in a similar way.
- The user enters the PIN, the PIN is checked.
- Conclusion: It is not possible to reveal account info from the PIN, but it is possible, if an attacker has access to the banking card, to duplicate its data and, by obtaining the PIN, to impersonate the legitimate user.

Was my argumentation correct? Did I miss something? Do you maybe have some sheet where I can look up some policies and make my thesis "waterproof"?

regards
Adam