Changing PINs of German bank card

Binarus lists at binarus.de
Wed Jul 12 12:01:35 CEST 2017


On 12.07.2017 11:42, Guan Xin wrote:
> On Wed, Jul 12, 2017 at 1:51 PM, Binarus <lists at binarus.de> wrote:
> 
>     On 11.07.2017 20:38, MFPA wrote:
>     >
>     >
>     > On Tuesday 11 July 2017 at 8:44:48 AM, in
>     > <mid:3499376d-11fb-9854-688a-48e054166647 at binarus.de>,
>     > Binarus wrote:-
>     >
>     >
>     >> I am not sure if this is an intentional limitation of
>     >> the cards (to
>     >> prevent users from choosing idiotic pins like 1234 or
>     >> their birthday).
>     >
>     >
>     > Surely things like 1234 can be prevented by software.
>     >
> 
>     But birthdays and the like probably not.
> 
>     Furthermore (not being sure, so read with care), I think that the bank
>     does not know your PIN, but it is stored in the bank's backends as some
>     sort of hash, and this means that such software would have to run on the
>     card.
> 
> Such software can run on ATMs if that are the only places where one can
> change the PIN.
> And I don't think the bank needs the hash of the PIN. They may need the
> hash of the key(s) protected by the PIN, however.

Not sure about that. Similar to serious websites which don't store your
password in clear text, but do store the password's hash instead, I
would expect that banks don't store your PIN in clear text either.

As far as I know, no bank will be able to tell you your PIN if you have
forgotten it even if you go there and show them your passport. They can
only generate a new one (or a new card), but they can't tell you the
existing one because they just don't know it.

That means that the bank's backend will never see the PIN you choose and
thus can never decide if it is insecure (i.e. something like 1111). If a
bank decides to handle the PINs that way, they probably won't allow the
ATM to get hold of the PIN in clear text either.

I might be wrong, though.

Regards,

Binarus
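The point made in this message, that a backend holding only a hash of the PIN cannot judge whether the PIN is weak, so any quality check has to run wherever the clear-text PIN is actually present (the card or the terminal), can be illustrated in code. The following is an added example written for this archive page; it is not code from the thread, and it does not claim to show how any real bank or card actually stores PINs. The function names (`is_weak_pin`, `enrol_pin`, `verify_pin`), the small blocklist, and the PBKDF2 parameters are all constructed for the illustration.

```python
import datetime
import hashlib
import hmac
import os
from typing import Optional

# Constructed, deliberately tiny blocklist of PINs seen as "idiotic" in the thread.
COMMON_PINS = {"0000", "1234", "4321", "1111", "1212", "2580", "0852"}

PBKDF2_ITERATIONS = 200_000  # assumed work factor; a real deployment would tune this


def is_weak_pin(pin: str, birthdate: Optional[datetime.date] = None) -> bool:
    """Return True if the PIN is on the blocklist, a repeated digit, a straight
    sequence, or derivable from the cardholder's birthdate (when known).

    This check only works on the clear-text PIN, so it must run at the point of
    entry (card or terminal), never on a backend that stores only a hash."""
    if not pin.isdigit() or len(pin) != 4:
        return True
    if pin in COMMON_PINS:
        return True
    if len(set(pin)) == 1:                       # 1111, 7777, ...
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):                     # 2345, 9876, ...
        return True
    if birthdate is not None:
        # Birthday-derived PINs can only be rejected if the checker knows the
        # birthdate; without that context they look like ordinary PINs.
        derived = {birthdate.strftime(fmt) for fmt in ("%d%m", "%m%d", "%Y")}
        if pin in derived:
            return True
    return False


def enrol_pin(pin: str, birthdate: Optional[datetime.date] = None) -> dict:
    """Run the quality check on the clear-text PIN, then produce the only
    record a backend would hold: a random salt and a slow, salted hash.
    Raises ValueError for a weak PIN."""
    if is_weak_pin(pin, birthdate):
        raise ValueError("PIN rejected by policy")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_pin(record: dict, attempt: str) -> bool:
    """Backend-side check: recompute the hash for the attempt and compare in
    constant time. Nothing here can recover the PIN or re-assess its quality."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    rec = enrol_pin("7391")
    print("stored record:", rec)            # salt + hash only; the PIN itself is gone
    print("verify 7391:", verify_pin(rec, "7391"))
    print("verify 7392:", verify_pin(rec, "7392"))
```

Note that `verify_pin` operates purely on the stored record, which is why the weakness check cannot be moved there: once only the salted hash exists, the backend can answer "is this attempt correct?" but not "is this PIN 1111?".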

More information about the Gnupg-users mailing list