PIN security policy / proof


I was engaged in a discussion about the security of alternative payment
methods. I have agreed on the point that a CC offers less security,
because once you have its number and name you can use it, and no
further security check will be performed.
About banking card and PIN the result remains half-open, and that is
where I need your opinion:
The argument was that by stealing only the PIN, an attacker is able to get
into the account (remark: only with knowledge of the PIN, nothing else, no
account nr.).
My statement was that it is impossible to reveal account data only
from the PIN, but it is possible (maybe in a veeeeryy long time) to reveal
the PIN from a banking card.
My argumentation was the following:
- The banking card holds the account information, maybe with some
unique data, encrypted hash-like via one-way encryption; the encrypted
text is also unique (like a hash).
- The automat compares the hashed, meaning encrypted, values to the same
encrypted values in the central database, then checks for the PIN, maybe
encrypted in a similar way.
- The user enters the PIN, the PIN is checked.
- Conclusion: It is not possible to reveal account info from the PIN, but
it is possible, if an attacker has access to the banking card, to
duplicate its data, and by obtaining the PIN to impersonate the
legitimate user.

Was my argumentation correct? Did I miss something?
Do you maybe have some sheet where I can look up some policies and
make my thesis "waterproof"?
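As an added example that is not part of the original post, here is a small Python model of the verification scheme the post describes (card token as a one-way digest of the account data, PIN checked separately against a per-card salted digest), plus a retry limit, which the post does not mention but which is the control that makes a short numeric PIN workable once card data can be copied. The `Host` class, the account numbers, card serials and PINs are all constructed for illustration; real issuer systems verify PINs with HSM-held keys rather than plain hashes, so this models the post's argument, not a deployed ATM network.

```python
import hashlib
import hmac
import os

PIN_RETRY_LIMIT = 3       # host blocks the card after this many wrong PINs (assumed policy)
PBKDF2_ROUNDS = 50_000    # hypothetical cost factor for the PIN digest


def card_token(account_number: str, card_serial: str) -> str:
    """One-way digest of the account data, as the post describes: the card and
    the host both hold this value, never the plain account number."""
    return hashlib.sha256(f"{account_number}:{card_serial}".encode()).hexdigest()


def pin_digest(pin: str, salt: bytes) -> bytes:
    """Salted, slow one-way digest of the PIN; the salt is per card, so the same
    PIN on two different cards yields two different digests."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class Host:
    """Constructed model of the issuer's central database from the post."""

    def __init__(self):
        self.records = {}  # card_token -> {"salt", "pin", "failures", "blocked"}

    def enrol(self, account_number: str, card_serial: str, pin: str) -> str:
        token = card_token(account_number, card_serial)
        salt = os.urandom(16)
        self.records[token] = {"salt": salt, "pin": pin_digest(pin, salt),
                               "failures": 0, "blocked": False}
        return token

    def verify(self, token: str, pin: str) -> bool:
        """Match the card token, then check the PIN. Each wrong PIN counts
        against the card; after PIN_RETRY_LIMIT failures even the right PIN
        is refused, which bounds guessing against copied card data."""
        rec = self.records.get(token)
        if rec is None or rec["blocked"]:
            return False
        if hmac.compare_digest(pin_digest(pin, rec["salt"]), rec["pin"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= PIN_RETRY_LIMIT:
            rec["blocked"] = True
        return False

    def records_matching_pin(self, pin: str) -> list:
        """What a PIN alone identifies in the host's own data: there is no lookup
        keyed by PIN, every record must be tried, and a PIN shared by several
        cards matches all of them equally, so it selects no account."""
        return [t for t, rec in self.records.items()
                if hmac.compare_digest(pin_digest(pin, rec["salt"]), rec["pin"])]
```

With two cards enrolled under the same PIN, `records_matching_pin` returns both tokens, while `verify` on a copied token succeeds only with the PIN and only until the retry limit blocks the card.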
