Security Basics mailing list archives

PIN security policy / proof


From: gmx <pal_adam () gmx net>
Date: Thu, 10 Aug 2006 23:17:29 +0200

Hello

I was engaged in a discussion about the security of alternative payment
methods. I have agreed on the point that a CC offers less security
because, once you have its number and name, you can use it, and no
further security check will be performed.
About banking card and PIN the result remains half-open, and that is
where I need your opinion:
The argument was that, by stealing only the PIN, an attacker is able to
get into the account (note: only with knowledge of the PIN, nothing else,
no account number).
My statement was that it is impossible to reveal account data only
from the PIN, but it is possible (maybe in a veeeeryy long time) to reveal
the PIN from a banking card.
My argumentation was the following:
- The banking card holds the account information, maybe with some
unique data, encrypted hash-like via one-way encryption; the encrypted
text is also unique (like a hash).
- The ATM compares the hashed, meaning encrypted, values to the same
encrypted values in the central database, then checks for the PIN, maybe
encrypted in a similar way.
- The user enters the PIN, the PIN is checked.
- Conclusion: It is not possible to reveal account info from the PIN, but
it is possible, if an attacker has access to the banking card, to
duplicate its data and, by obtaining the PIN, to impersonate the
legitimate user.


Was my argumentation correct? Did I miss something?
Do you maybe have some sheet where I can look up some policies and
make my thesis "waterproof"?


regards

Adam

