Here in Switzerland, PostFinance (the bank of the national mail company) uses a small, yellow card reader for the two-factor authentication (I don’t want to talk about how good this two-factor authentication is, but errrr). Because I don’t need my device anymore I decided to poke around a little bit. First of all, it’s really nice that they tell you from the beginning which type of card reader it is (sticker on the back):
MADE IN CHINA
US PATENTS: 4.599489 and 4.609777
Easy start. If you look Digipass 810 up, you’ll see that it is compliant to something called “Europay-Mastercard-Visa Chip Authentication Program Enhancements”. A card which has no chip at all, will get you the error message “Falsche Karte” (“wrong card” in German). It doesn’t like my debit cards either (which have chips on them), it displays different error messages: “Karte Ungültig” (“invalid card”) and “card error”. So I simply tried my credit cards and both (Visa and Mastercard) did work. The reader prompts for a code/challenge, I just entered 1234 and it asked for my PIN. Interestingly it will only accept the correct PIN which was set for the credit card and will then output some TAN. A wrong PIN will result in an error message. Funny!
So a malicious person who wants to try out the PINs for your credit card, but doesn’t want to risk to be recorded by a security camera at the ATM can use a Digipass 810 instead.
TODO (i still need my credit card):
– Check if you really only have 3 tries
– Check if card is really locked (e.g. in store or at an ATM) after 3 tries
– Of course there is much more card stuff out there, eg. a presentation at PHNeutral 2011
I hope you are aware that EMV supports different CVMs. A decent card implementation would lock you out after a few attempts. The card reader is nothing more then the name implies….
And I just hope you are right. Still, I never knew that I have a device at home which I can use at least for the first few attempts.