Security Basics mailing list archives

RE: PIN security policy / proof


From: "Dixon, Wayne" <wcdixo () aurora lib il us>
Date: Fri, 11 Aug 2006 08:30:31 -0500

The only problem is that with a CC there often is also the code on the
back of the card that needs to be entered as well in order to actually
be able to verify the card.  Anybody can possibly get the name and
number but getting the verification code is not always possible.

Wayne
 


-----Original Message-----
From: gmx [mailto:pal_adam () gmx net] 
Sent: Thursday, August 10, 2006 4:17 PM
To: security-basics () securityfocus com
Subject: PIN security policy / proof


Hello

I was engaged in a discussion about the security of alternative payment
methods. I have agreed on the point that a CC offers less security,
because once you have its number and name you can use it, and no
further security check will be performed. About the banking card and PIN the
result remains half-open, and that is where I need your opinion: the
argument was that by stealing only the PIN, an attacker is able to get into
the account (remark: only with knowledge of the PIN, nothing else, no account
nr.). My statement was that it is impossible to reveal account data
only from the PIN, but it is possible (maybe in a veeeeryy long time) to
reveal the PIN from a banking card. My argumentation was the following:

- The banking card holds the account information, maybe with some unique
  data, encrypted hash-like via one-way encryption; the encrypted text is
  also unique (like a hash).
- The automat compares the hashed, meaning encrypted, values to the same
  encrypted values in the central database, then checks for the PIN, maybe
  encrypted in a similar way.
- The user enters the PIN, and the PIN is checked.
- Conclusion: it is not possible to reveal account info from the PIN, but
  it is possible, if an attacker has access to the banking card, to
  duplicate its data and, by obtaining the PIN, to impersonate the
  legitimate user.


Was my argumentation correct? Did I miss something?
Do you maybe have some sheet where I can look up some policies and make
my thesis "waterproof"?


regards

Adam


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
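The scheme Adam sketches, as an added toy model written for this archive page (it is not code from the list, from either poster, or from any real card issuer or ATM network; the names IssuerDatabase, enrol, verify, pin_tags and the three-try retry limit are all assumptions of the example). It shows the two points the thread argues about: the issuer's records are keyed by a per-card token and the PIN is stored only as a keyed hash bound to that token, so a PIN on its own identifies nothing and two cards with the same PIN produce unrelated stored values; and because a four-digit PIN space is tiny, what makes the "veeeeryy long time" true in practice is the retry counter on the card, not the hashing.

```python
import hashlib
import hmac
import secrets

PIN_RETRY_LIMIT = 3  # assumed issuer policy: block the card after three wrong PINs


class IssuerDatabase:
    """Toy model of the issuer's central database (constructed for this example).

    Records are keyed by a per-card token derived from the account number and a
    random salt. The PIN itself is never stored: only a keyed hash of it, bound
    to that card token, is kept. Nothing in the table is indexed by PIN.
    """

    def __init__(self):
        self._records = {}

    def enrol(self, account_nr, pin):
        """Issue a card for account_nr with the given PIN; returns the card data."""
        salt = secrets.token_bytes(16)
        card_token = hashlib.sha256(salt + account_nr.encode()).hexdigest()
        pin_key = secrets.token_bytes(32)  # per-card secret that never leaves the issuer
        self._records[card_token] = {
            "account": account_nr,
            "pin_key": pin_key,
            "pin_tag": self._pin_tag(pin_key, card_token, pin),
            "failures": 0,
        }
        # The card carries the token only, not the account number and not the PIN
        # (constructed layout for this example, not a real stripe or chip format).
        return {"card_token": card_token}

    @staticmethod
    def _pin_tag(pin_key, card_token, pin):
        # HMAC keyed per card, so equal PINs on different cards give unrelated tags.
        return hmac.new(pin_key, (card_token + ":" + pin).encode(), "sha256").hexdigest()

    def verify(self, card, pin):
        """What the automat asks the issuer: does this PIN belong to this card?"""
        rec = self._records.get(card.get("card_token"))
        if rec is None:
            return "unknown card"
        if rec["failures"] >= PIN_RETRY_LIMIT:
            return "card blocked"
        presented = self._pin_tag(rec["pin_key"], card["card_token"], pin)
        if hmac.compare_digest(presented, rec["pin_tag"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        return "card blocked" if rec["failures"] >= PIN_RETRY_LIMIT else "wrong pin"

    def pin_tags(self):
        """The stored PIN column as it would appear in a leaked copy of the table."""
        return {tok: rec["pin_tag"] for tok, rec in self._records.items()}


def guess_success_probability(pin_digits, retry_limit):
    """Chance that blind guessing succeeds before the retry counter blocks the card."""
    return retry_limit / (10 ** pin_digits)


if __name__ == "__main__":
    db = IssuerDatabase()
    alice = db.enrol("ACCT-0001", "1234")  # constructed sample accounts
    bob = db.enrol("ACCT-0002", "1234")    # same PIN as alice on purpose
    print("alice correct PIN:", db.verify(alice, "1234"))
    for _ in range(3):
        print("alice wrong PIN:", db.verify(alice, "0000"))
    print("alice correct PIN after lockout:", db.verify(alice, "1234"))
    tags = db.pin_tags()
    print("same PIN, same stored tag?", tags[alice["card_token"]] == tags[bob["card_token"]])
    print("blind-guess success with 4 digits and 3 tries:", guess_success_probability(4, 3))
```

The verify step is the only path from a PIN to anything, and it needs the card token as well, which is why knowing a PIN alone does not lead to an account in this model. The per-card key also means that a dump of the issuer's table does not let anyone group cards by PIN. The last line quantifies the other half of the argument: a four-digit PIN gives only 10,000 candidates, so the retry counter (here three tries) is what keeps guessing at a 0.03% chance rather than a certainty.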

