Chip and PIN
James Cox
ukcrypto at chiark.greenend.org.uk
Wed, 23 Jan 2008 19:20:06 +0000
On 23 Jan 2008, at 18:52, Sebastien Lahtinen wrote:
>
> On Wed, 23 Jan 2008, Igor Mozolevsky wrote:
>
>> There's clearly no defence against someone watching you put your
>> PIN in and then pick-pocketing your wallet... If anything, C&P is
>> making it *easier* to draw cash from someone else's CC...
>
> I find it really surprising how many people type in PINs without
> covering the keypad. I think this illustrates a huge lack of
> interest within the general public in protecting their own security.
> It's not unlike their attitude to opening executable electronic
> Christmas card attachments. They just think someone else is going
> to protect them. The pressure on ISPs to protect end users is
> mounting, but the banks seem to be able to get away with quite a bit.
>
There's a social problem here: placing your hand to further cover the
keypad as you enter your number suggests you distrust the person
you're buying from, which is socially awkward, to say the least. Most
people - especially us quaint Britons - would rather avoid that
embarrassment than be properly protected.
I remember that when these devices were first introduced, it was
easy to place your hand over the keypad (imagine you're playing
the piano) and very deftly hit the right keys to enter your PIN. It'd
be done in a second, and anyone shoulder surfing would have a hard time
seeing what you were typing: all fingers were in play. Now the units
are old and worn, and you have to press hard to activate a number. This
leads to a slow finger-pecking approach, which makes it easier to
detect your number...
I'd like to see legislation that requires the replacement of these
units on a regular basis, and guidance that the buttons should be
responsive, easy to press and large enough that you don't have to
fiddle with them; that way the user experience of entering your numbers
can really be over so quickly that registering the number becomes much
harder.
> Has anyone twigged that with widespread adoption of PINSentry
> devices, someone who robs you can demand your PIN and verify it on
> the spot before heading off with your card?
If I'm ever in that situation, I'll give the person my card, enter my
PIN etc. and extricate myself from the situation. I'll then call the
number I have which protects me from ID fraud etc., and within a day or
so I'll get a replacement card, knowing my money is safe from theft.
The systems in place for recovering from such theft are easy; the most
annoying thing will be having to change my PIN and remembering what
the new one is....
-- james