The bank can send me an unencrypted PIN if I forget it, without generating a new one, so clearly they have some record stored on their end.
But
I think chip & PIN has changed the rules a little, because the PDQ machine in my shop checks the PIN before it dials the bank. So it must be stored in the chip at least. I was wondering if that was a recent change, or whether magnetic cards have always had the PIN inside them too.
The answer seems to be the ever-present: It Depends. I expected a little more unity from international organisations like banks, though, especially on something as fraud-related as PIN numbers!
I humbly apologise for the obvious error in the title. Very sorry, danceswithcats, and anyone else whom I upset.
When you say that the PIN must be stored on the chip, do you mean the PIN in unencrypted form? Because I don’t see why. The machine could perform the hash on the PIN + other details, and compare that to what is stored on the chip.
You can’t, but you can make it harder, e.g. by storing it on the chip in obfuscated form. I know what you’re thinking - “security by obscurity isn’t security”.
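An added example, not from the thread or any card vendor, showing the hash-and-compare scheme proposed two posts up (terminal hashes PIN plus other card details and compares against a value held on the chip) and the reason the reply above says you can only "make it harder": a PIN has so few possible values that anything readable from the chip, hashed or obfuscated, can be tried exhaustively. The card number, PIN, and salt are constructed sample values; the record layout and function names are assumptions for illustration, not a real EMV structure.

```python
import hashlib
import hmac
import itertools
import secrets
from typing import Optional, Tuple

# Constructed sample data for this example only; not a real card.
PAN = "4000123456789010"   # hypothetical card number, assumed readable from the chip
PIN = "1234"               # cardholder's PIN; never stored in clear in this scheme


def make_pin_record(pin: str, pan: str, salt: bytes) -> dict:
    """Build the record the chip would hold: SHA-256(salt || PAN || PIN) and the
    salt. The PIN itself is not stored, only a digest bound to this card."""
    digest = hashlib.sha256(salt + pan.encode() + pin.encode()).digest()
    return {"salt": salt, "digest": digest}


def verify_pin(record: dict, candidate: str, pan: str) -> bool:
    """What an offline terminal would do: recompute the digest for the entered
    PIN and compare it (in constant time) with the value read from the chip."""
    digest = hashlib.sha256(record["salt"] + pan.encode() + candidate.encode()).digest()
    return hmac.compare_digest(digest, record["digest"])


def brute_force_pin(record: dict, pan: str, length: int = 4) -> Tuple[Optional[str], int]:
    """Attacker with a readable record: try every PIN of the given length.
    There are only 10**length candidates, so the hash keeps nothing secret on
    its own. Returns (recovered PIN or None, number of guesses made)."""
    tries = 0
    for digits in itertools.product("0123456789", repeat=length):
        tries += 1
        guess = "".join(digits)
        if verify_pin(record, guess, pan):
            return guess, tries
    return None, tries


if __name__ == "__main__":
    record = make_pin_record(PIN, PAN, secrets.token_bytes(16))
    print("correct PIN accepted:", verify_pin(record, "1234", PAN))
    print("wrong PIN rejected:  ", not verify_pin(record, "0000", PAN))
    recovered, tries = brute_force_pin(record, PAN)
    print(f"recovered {recovered} after {tries} guesses")
```

Salting and binding the digest to the PAN stop one precomputed table from covering every card, and a slow hash (PBKDF2, scrypt) multiplies the cost by a constant, but 10,000 guesses remain trivial. Obfuscating the stored form, as the reply suggests, raises the attacker's effort in the same constant-factor way. The secrecy ultimately rests on the chip not handing the record out, and on a retry limit enforced by whichever side holds it.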