6

I wonder what the contents are of a basic banking card having a chip, the kind you use for payment in any store, with a PIN, possible bank authorization, such as Mastercard or Visa or national banking schemes.

  • What kind of information is on the card?
  • Is it quite similar to a corporate smartcard (private key for signing/authentication)?
  • Are there crypto primitives in it?
  • Is the PIN code protected from physical extraction?
crypto-learner
  • What sort of bank card? I think the answer depends on the specific card - in some places cards universally have a chip, while in some they normally just have a magstripe. – cpast Dec 18 '14 at 21:12
  • @cpast A basic bank card having a chip, the one you use for payment in any store, with pin code, possible bank authorization, as Mastercard or even more basic one. – crypto-learner Dec 18 '14 at 21:20
  • That's not the basic bank card everywhere - most bank cards in the US have no chip, just a magstripe. – cpast Dec 18 '14 at 21:36
  • It's worth pointing out that both old (magstripe) and new ("chip and pin") cards both use a "pin", so you can't use "pin" to distinguish between the two. Of course, with the old style card, the "pin" is only meaningful as checked by the mainframe at the bank... – gowenfawr Dec 18 '14 at 22:15
  • 1
    @cpast In most of Europe, all bank cards have been chip cards for at least a few years. – Gilles 'SO- stop being evil' Dec 18 '14 at 22:34
  • 1
    @Gilles Which is why "in some places" is there in my comments. – cpast Dec 19 '14 at 00:53

2 Answers

4

“Chip and PIN” banking cards have a chip, as the name indicates. The chip performs cryptographic operations and stores secret keys. The chip isn't just storage, it's a processor and the storage is not directly accessible from the outside.

The chip is physically protected against duplication — it's embedded in a protective layer and designed to self-destruct if someone tries to peel off the protection. There are software and hardware countermeasures to protect against side channel attacks such as electromagnetic emissions measurements. For more information about protection against physical attacks, see

The card stores the card number and other identifying information. It stores secret keys that it uses to communicate with the bank. It also stores the card number and a hash of the PIN. It also stores a PIN attempt counter: after three successive incorrect attempts, the card refuses to validate PINs anymore.

Smartcards used in corporate settings use the same basic technology, but banking cards are usually a grade above, incorporating the latest countermeasure technology when corporate smartcards often have previous-generation security (but sometimes higher performance, if they need to do asymmetric cryptography to sign messages). Smartcards used in access control are often several grades lower in terms of security (“cost-conscious”).

Gilles 'SO- stop being evil'
  • I guess chip and PIN cards are secure now. When they first came out there were so many ways to hack them it wasn't funny, to the point they seemed less secure than a standard magstripe card. – Sonny Ordell Dec 18 '14 at 22:56
  • 1
    @SonnyOrdell Do you mean when they first came out in the early to mid-1990s, or when they crossed the Channel in the mid 2000s? AFAIR chip cards weren't used for banking until they did have more security than a magstripe card (which can simply be read). The problem with chip cards is that the banks were claiming (and often still claim) that chip cards are invulnerable and that the protocols are flawless, neither of which is of course true. – Gilles 'SO- stop being evil' Dec 18 '14 at 23:01
  • I would say in the mid 2000's. I know very little about this specific field so I may be way off, but when I was living in the UK and chip and pin cards started to appear, banks were insisting how secure they were to the point people were suspicious of my non chip and pin cards (Australia and the US were not offering them yet). As that was happening I kept seeing news stories and papers being released showing yet another way the chip and pin implementation could be bypassed/was broken etc. – Sonny Ordell Dec 18 '14 at 23:09
  • @Gilles Is the user's private key used for authentication/signing when communicating with the bank, or is it a key dedicated to communication encipherment? – crypto-learner Dec 23 '14 at 10:51
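
The PIN attempt counter described in the answer above, as an added example that is not part of the original answer or its comments. `ChipCardModel` and `run_session` are hypothetical names, the salted SHA-256 is an assumed stand-in for the stored PIN hash, and the status words are the ISO/IEC 7816-4 values a card returns to a VERIFY command.

```python
import hashlib
import hmac

SW_OK = 0x9000        # ISO/IEC 7816-4 status word: success
SW_BLOCKED = 0x6983   # ISO/IEC 7816-4 status word: authentication method blocked
PIN_TRY_LIMIT = 3     # "three successive incorrect attempts", as in the answer


class ChipCardModel:
    """Hypothetical model of the card side; only verify() is reachable from outside."""

    def __init__(self, pin: str, salt: bytes):
        # Assumption: salted SHA-256 stands in for the stored PIN hash.
        self._salt = salt
        self._pin_hash = self._digest(pin)
        self._tries_left = PIN_TRY_LIMIT

    def _digest(self, pin: str) -> bytes:
        return hashlib.sha256(self._salt + pin.encode()).digest()

    def verify(self, candidate: str) -> int:
        """Return a status word; the terminal never sees the stored hash."""
        if self._tries_left == 0:
            return SW_BLOCKED  # refuses to validate PINs any more
        # Spend the attempt before comparing, so an interrupted check
        # cannot be turned into a free guess.
        self._tries_left -= 1
        if hmac.compare_digest(self._digest(candidate), self._pin_hash):
            self._tries_left = PIN_TRY_LIMIT  # counter tracks successive failures only
            return SW_OK
        return 0x63C0 | self._tries_left  # 63Cx: wrong PIN, x tries remaining


def run_session(card: ChipCardModel, guesses: list[str]) -> list[int]:
    """Feed a sequence of PIN candidates to the card and collect the status words."""
    return [card.verify(g) for g in guesses]


if __name__ == "__main__":
    card = ChipCardModel("4821", b"constructed-salt")  # constructed sample values
    for sw in run_session(card, ["0000", "4821", "1111", "2222", "3333", "4821"]):
        print(f"{sw:04X}")
```
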
1

Traditional cards are simply a magnetic strip with a very small number of bits on it, and anyone can read (or effectively re-write) those bits. The security of basic bank cards therefore does not depend on any innate secrecy or integrity. Everything you want to know is on Wikipedia:

  • Info is usually ISO/IEC 7813
  • It's not a smart card, and has no private key
  • It has no crypto primitives
  • The PIN code is not stored on the card, so protection is not applicable

The newer EMV ("chip and pin") cards change that, and you can find out more by searching this site for the EMV tag.

gowenfawr
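
What the ISO/IEC 7813 layout mentioned in the answer above contains, as an added example that is not part of the original answer: a parser for a Track 2 record, showing that every field is static plaintext with no key and no PIN. The sample record is constructed from a well-known test card number, the function names are hypothetical, and the trailing LRC character is assumed to have been stripped by the reader.

```python
import re

# Track 2 layout: start sentinel ';', PAN (up to 19 digits), separator '=',
# expiry YYMM, 3-digit service code, issuer discretionary data, end sentinel '?'.
TRACK2 = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)
MAX_LEN_WITHOUT_LRC = 39  # the track holds 40 characters including the LRC

SAMPLE_TRACK2 = ";4111111111111111=30121010000000000?"  # constructed sample


def luhn_ok(pan: str) -> bool:
    """Luhn check digit: catches typos and read errors, offers no secrecy."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> dict:
    """Split a Track 2 record into its fields; raise ValueError if malformed."""
    m = TRACK2.match(raw)
    if m is None or len(raw) > MAX_LEN_WITHOUT_LRC:
        raise ValueError("not a well-formed Track 2 record")
    year, month = int(m["exp"][:2]), int(m["exp"][2:])
    if not 1 <= month <= 12:
        raise ValueError("expiry month out of range")
    return {
        "pan": m["pan"],
        "luhn_valid": luhn_ok(m["pan"]),
        "expiry": (year, month),
        "service_code": m["svc"],
        # First service-code digit 2 or 6 tells the terminal the card has a
        # chip, so a magstripe-only read of such a card is worth flagging.
        "chip_expected": m["svc"][0] in "26",
        "discretionary": m["disc"],
    }


if __name__ == "__main__":
    print(parse_track2(SAMPLE_TRACK2))
```
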