9

I may be neglecting a crucial fact here, but putting the following together leads me to believe it is dead-easy to determine a bank card's PIN using the most basic hardware available to everyone (I speak for my country in what follows):

  • Each bank has an internet banking application that uses a "digipass" to verify the user. These are all made in China and there are only some models in use. It does not matter which logo or serial number is on the device, they all work the same.
  • The digipass asks for your PIN, and knows if it's correct or not (quite fast).
  • A regular PIN is 4 digits, making for 10000 possible codes. Brute-forcing that is easy.

Put everything together, and you get this:

  1. Steal a bank card,
  2. modify a digipass to allow for a quick succession of PIN number trials, and detect if it thinks the PIN you entered is correct (this is simple? electronics, really)
  3. Get a card's PIN in say, 5 seconds per try, roughly 14 hours.

I must really be missing something, or is bank card security that ridiculous?

rubenvb
  • 213
  • 2
  • 7

4 Answers4

14

The chip embedded in the smart card locks itself after a defined number of incorrect PIN entries, typically between 3 and 10 attempts.

Graham Hill
  • 15,394
  • 37
  • 62
  • So the chip on the card itself locks itself? That would mean 3 bad PIN attempts require me going to the bank. Better remember that before I try a third time :) – rubenvb Nov 20 '12 at 14:10
  • @rubenvb Yes, chip cards contain some persistent memory and the software on the chip keeps a count of failed PIN attempts. 3 strikes and the card goes mute. And on cards used for banking there are serious protections against physical tampering and side channel attacks. – Gilles 'SO- stop being evil' Nov 20 '12 at 17:53
  • 3 times in a specific time? so if I get my card out of the money machine and tried again later, will the counter start again for these 3 times? – Mohammed Noureldin Jan 16 '18 at 00:55
7

I doubt you'd actually need to iterate through all 10,000 combinations either. There is a really nice analysis here on the frequency of different pairs of numbers:

http://www.datagenetics.com/blog/september32012/index.html

Basically starting with 19XX and working your way through stands a much higher success rate than if the PIN numbers were actually randomly generated.

niallhaslam
  • 201
  • 2
  • 5
5

Step 1 is easy, step 2 is hard. The chips are designed to prevent that sort of tampering, research groups have been working for years on ways to do what you are proposing with no successful attacks yet.

GdD
  • 17,291
  • 2
  • 41
  • 63
2

I've never heard of this digipass. I don't use one when I do online banking, so I don't think attack applies in the US.

In the US, we do have an ATM card (a magstripe card with some data on it), and if you steal someone's ATM card, one can try various PINs. However, verification of a PIn involves a communication with the bank's mainframe, and if you enter the PIN incorrectly 3 or so times, the bank swallows your ATM card (and presumably locks the account). Thus, exhaustive guessing of the PIN number won't work, because you only get a few tries.

I would expect US banks to apply the same defense against guessing of online banking passwords. And in whatever your country is, I would expect banks to have applied some similar defense against exhaustive guessing of your PIN, either implemented in the digipass or alternatively implemented in the bank back-end systems (the latter is only possible if authentication requires some interaction between the digipass and the bank server, but that's a reasonable way to design an authentication protocol).

D.W.
  • 98,420
  • 30
  • 267
  • 572