8

The question "Why do ATMs accept any PIN?" states that the ATM does not know my PIN and that the PIN is not on the card either.

My bank has this system:

Belfius card reader

It works in 5 stages:

  1. I enter my debit card number on the website;
  2. The website gives me an 8 digit code to enter on the machine;
  3. I insert my card into the machine, press the M1 button and enter the 8 digit code;
  4. After the code is entered, the machine asks me for my 4 digit PIN and immediately says whether it's correct (by stating "PIN OK");
  5. The machine then gives me a 7 digit code to enter on the website, which authenticates me.

How can this machine know that my code is valid if the code is not on my card? Note that the M1 and M2 buttons are not memory buttons, but instead buttons that start a certain workflow: M1 is for authentication with the system and M2 is for digitally signing my transactions.

Nzall
  • 7,313
  • 6
  • 29
  • 45

4 Answers

9

The card knows this, the reader doesn't. When you put a PIN in, the reader talks to the microcontroller on the card to verify it, which also logs the incorrect attempts. So multiple readers won't help in trying to guess somebody's PIN!
That's more or less the extent of my knowledge, but it's an overview of how it works. The underlying protocols I have no knowledge of, unfortunately. But the best public chip-and-PIN researchers I've seen to date are the Cambridge guys ( http://www.cl.cam.ac.uk/~rja14/ ), despite the legal threats against them. A better answer will come along very soon!

user2867314
  • 610
  • 3
  • 12
4

If your debit card has an EMV chip (almost all chips are based on EMV today), it very likely does know your PIN (or at least how to verify an entered PIN).

Whether that capability is actually used depends on the type of transaction and terminal; if the terminal is online capable, it might as well verify the PIN directly with your bank's servers, which also know your PIN (or some derived verification value). This explains the behavior in the referenced question about ATMs; they simply choose to ignore the card's built-in PIN verification capabilities.

Since your reader is obviously not connected to anything but your card, the PIN you enter is in fact verified by the software running on your card itself, and not by the reader.

The reader supplies the card with your entered PIN. If they match, the transaction can proceed; if they don't match, an internal counter in the card is decremented and you can try again (but only a few more times).

lxgr
  • 4,094
  • 3
  • 28
  • 37
0

It is likely that the 8 digit code is mathematically related to your PIN (i.e. the sum of a certain hash of both arrives at a predefined static value) so that the 8 digit code can serve as a challenge and a way to validate your PIN. One possible way to find out more about the Digipass sequence is to try entering random (presumably incorrect) 8 digit codes: does the code get rejected immediately, or does the machine reject your PIN? For more info on systems like this, see: http://en.wikipedia.org/wiki/Chip_Authentication_Program

Jeff Meden
  • 3,966
  • 13
  • 16
  • This isn't right. I have a card reader that requires a PIN before entering any information. But, this kind of technology could be different from country to country – Adam Casey Jul 01 '14 at 17:26
  • 3
    "Different from country to country" is exactly right. In the case of most of these types of card pads (like the one in the OP), the PIN is stored in a protected area on the card, such that the reader can validate it (contrary to the OP's assertion that "the pin is not on the card as well"). The basic magstripe card (the kind used in the US and a few other nations) cannot protect a locally stored PIN, so keeping it on the card is out of the question. A "chip" card (the kind used in Europe and elsewhere) can protect a PIN saved locally, so it can work the way described by you and the OP. – Jeff Meden Jul 01 '14 at 20:13
0

Does it really mean "PIN OK"? In the sense that you entered the correct PIN? My bank uses a similar system. I put the card in the reader and enter my PIN. The bank gives an 8 digit code, which I enter in the reader. The reader gives an 8 digit code back. It does not need to know if the entered PIN is correct to generate this code. If I enter the wrong PIN, it will simply return another code, which will not be accepted by the website.

Card-id + PIN + request code => validation code

When either is wrong, it will result in the wrong code. Your card does not need to know the PIN to get this working. It might however be different.

SPRBRN
  • 7,379
  • 6
  • 33
  • 37
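As an added illustration (this is not code from any of the answers, nor from Belfius or any EMV/CAP implementation), the Python below models the two explanations given on this page side by side: lxgr's, where the card itself compares the PIN, keeps a retry counter and only then answers the website's challenge with a MAC under a key it shares with the bank, so the reader can honestly display "PIN OK"; and SPRBRN's, where the card never checks the PIN and simply folds whatever was typed into the MAC, so only the bank can tell a right code from a wrong one. The card id, PIN, key, challenge value and the HOTP-style truncation to 7 or 8 digits are all constructed assumptions; real CAP readers derive their codes from an EMV transaction cryptogram, which this toy does not reproduce.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

PIN_TRY_LIMIT = 3  # constructed; EMV cards keep a comparable "PIN try counter"


def truncate_to_digits(mac: bytes, digits: int) -> str:
    """Reduce a MAC to a fixed number of decimal digits, HOTP-style (RFC 4226
    dynamic truncation): take 4 bytes at an offset chosen by the last nibble."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


@dataclass
class ChipCard:
    """Toy chip card. The PIN and key never leave the card; the reader sees only
    the status strings and the codes the card chooses to return."""
    card_id: str
    pin: str
    key: bytes
    tries_left: int = PIN_TRY_LIMIT
    pin_verified: bool = field(default=False, init=False)

    def verify_pin(self, candidate: str) -> str:
        """Model A (lxgr's answer): the card compares the PIN and owns the retry
        counter, so a stolen card cannot be brute-forced offline with many readers."""
        if self.tries_left == 0:
            return "PIN BLOCKED"
        if hmac.compare_digest(candidate.encode(), self.pin.encode()):
            self.pin_verified = True
            self.tries_left = PIN_TRY_LIMIT  # a correct entry resets the counter
            return "PIN OK"
        self.tries_left -= 1
        self.pin_verified = False
        return "PIN BLOCKED" if self.tries_left == 0 else "PIN WRONG"

    def sign_challenge(self, challenge: str, digits: int = 7) -> str:
        """Model A response: only after verify_pin succeeded. The PIN is not a
        MAC input, so the 7-digit code reveals nothing about it."""
        if not self.pin_verified:
            raise PermissionError("PIN not verified on card")
        self.pin_verified = False  # one response per PIN verification
        mac = hmac.new(self.key, f"{self.card_id}:{challenge}".encode(), hashlib.sha256)
        return truncate_to_digits(mac.digest(), digits)

    def derive_code_with_pin(self, candidate: str, challenge: str, digits: int = 8) -> str:
        """Model B (SPRBRN's answer): the card does not check the PIN; the typed
        value is mixed into the MAC and the retry counter is never touched."""
        mac = hmac.new(self.key, f"{self.card_id}:{candidate}:{challenge}".encode(), hashlib.sha256)
        return truncate_to_digits(mac.digest(), digits)


class Bank:
    """Bank server: holds each card's key (in practice inside an HSM) and, for
    Model B, also the PIN, because it must recompute the PIN-dependent code."""

    def __init__(self) -> None:
        self.cards: dict[str, tuple[bytes, str]] = {}

    def enrol(self, card: ChipCard) -> None:
        self.cards[card.card_id] = (card.key, card.pin)

    def check_model_a(self, card_id: str, challenge: str, response: str) -> bool:
        key, _ = self.cards[card_id]
        mac = hmac.new(key, f"{card_id}:{challenge}".encode(), hashlib.sha256)
        return hmac.compare_digest(truncate_to_digits(mac.digest(), 7), response)

    def check_model_b(self, card_id: str, challenge: str, code: str) -> bool:
        key, pin = self.cards[card_id]
        mac = hmac.new(key, f"{card_id}:{pin}:{challenge}".encode(), hashlib.sha256)
        return hmac.compare_digest(truncate_to_digits(mac.digest(), 8), code)


def login_model_a(card: ChipCard, bank: Bank, entered_pin: str, challenge: str) -> tuple[str, bool]:
    """The question's five stages under Model A: the reader shows the card's
    verdict, then the card's response is submitted to the website."""
    status = card.verify_pin(entered_pin)
    if status != "PIN OK":
        return status, False
    return status, bank.check_model_a(card.card_id, challenge, card.sign_challenge(challenge))


def login_model_b(card: ChipCard, bank: Bank, entered_pin: str, challenge: str) -> bool:
    """Same flow under Model B: the reader cannot say "PIN OK"; the bank decides."""
    return bank.check_model_b(card.card_id, challenge, card.derive_code_with_pin(entered_pin, challenge))
```

Running `login_model_a` with a wrong PIN decrements the card's counter until it reports `PIN BLOCKED` even for the right PIN, which is what makes a reader-only guessing attack pointless in lxgr's model. In SPRBRN's model the card produces a plausible 8-digit code for any PIN and its counter never moves, so the lock-out has to be enforced by the bank counting failed logins online; a defender choosing between the two designs should notice that difference.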