Comments on: SMS PIN Sentry reader

By: lammy

lammy — Mon, 09 Nov 2009 14:59:14 +0000

“OK, I can confirm that a PinSentry device WILL lock a card after 3 wrong PIN entries”

No, this is wrong. The card locks ITSELF after 3 wrong PIN entries, whether these come from a PinSentry or another device such as the Chip-and-PIN device in the supermarket.

Therefore you can’t use the PinSentry – modified or not – to brute force a PIN number for a card, because the card’s chip will always lock out after 3 wrong guesses.

By: Jon

Jon — Thu, 15 Oct 2009 01:16:32 +0000

The card reader responds that it will lock the card if you enter your pin wrong several times, to know the pin you enter is ‘wrong’ (when it doesn’t connect to the outside world) is must either: Know the pin (Stored on the card?) OR know a value it can relate to the pin (An encrypted, hashed or algorithm result based on the pin, again stored on the card)
Either way the pin or a value relating to it, is stored on the card, and if the algorithm the unit uses can be figured out (by multiple challenge responses?) the system would be insecure

By: DASH

DASH — Sat, 26 Sep 2009 17:03:41 +0000

To mj,

Once you have investigated and found an resault please post it, its rather interesting!

“Presumably there is some encryption. Whether this can be reverse engineered to allow the PIN to be determined for any card I don’t know. However I wonder if you could use the PinSentry itself to (laboriously) hack cards to find their PIN.”

That will be interseting…

By: Mark E

Mark E — Thu, 30 Jul 2009 22:26:20 +0000

OK, I can confirm that a PinSentry device WILL lock a card after 3 wrong PIN entries.
In may case, they weren’t wrong at all. I know I entered the correct PIN at least the last two times, so it looks like there is a fault with the machine.

By: bank online

bank online — Mon, 29 Jun 2009 23:40:31 +0000

The info you’ve given is spot on, believe me, I’ve been doing my research and you’re info is some of the best out there.

By: character

character — Sat, 07 Feb 2009 04:40:34 +0000

Im looking for this.Im pay ….
It does accept any code I just tried it on mine.
If anybody seller this device.please call me.
shrewd@abv.bg

By: bob

bob — Mon, 17 Nov 2008 20:52:19 +0000

sry i didnt read over the commments, but now i have, can anyone confirm this thing can block ur card? i thought it probably wouldnt be able to, because it doesnt look like it would have enough battry power to perform such a task (surely?). but if you say its in the instructions then well im wrong.

By: bob

bob — Fri, 14 Nov 2008 13:22:05 +0000

excuse my idioticy, but could some one explain to me whats to stop someone nicking my card, brute forcing it until a correct login is made with a pensentry, then walking to a cash machine and using my pin?

By: tom p

tom p — Thu, 24 Jan 2008 00:05:34 +0000

Isn’t there a big flaw in this that he has to leave his card plugged into his pin sentry device at home. What if he wants to get money out of an ATM or buy something at the shop and he does not have his card?!

I have heard anecdotally that these particular devices are not time critical, so for log in only (not payments where you have to also enter the amount and recipient account no) you can go through the process three times, generate three codes and take them with you to allow three log ins while you are away from your pin sentry. No idea whether this is correct though.

By: Webster

Webster — Tue, 18 Dec 2007 18:03:13 +0000

to #23 and a host of others.

The card contains the PIN. It works the same as Chip & PIN. In fact, it is a Chip & PIN card application!

You enter the PIN, the card verifies the PIN (yes, the PIN is stored in the card!) then generates a cryptogram based on some other variable input data and the crypto keys (also in the card). The calc device puts part of the cryptogram into the code - the other part of the code is the variable data the bank needs to recreate the code for validation purposes. The bank also has the same crypto keys. Hey presto!

The PIN is not hashed. Nor does it, or a hash, or anything else to do with the PIN, get sent to the bank.

If you enter the PIN incorrectly three times, the card locks and blam - no more cryptograms. At least, not until you phone the bank and go down to the ATM for a card unlock.

As for the "hack", how is the PIN entered?

By: Alex

Alex — Mon, 17 Dec 2007 17:50:13 +0000

I did have a similar idea as soon as I realised I’d have to carry the bloody thing around, but there’s something I don’t get: surely you have to leave your card at home, which is far more inconvenient than not being able to get into online banking at will?

By: g

Mon, 17 Dec 2007 16:14:22 +0000

my pinsentry does not accept any PIN. if i enter a wrong PIN after pressing Identify, it knows and says the code is wrong (i just tried it). it only generates the 8 digit one time login code if i enter the correct PIN.

i would think that the way it does this is a one way encryption process, like normal unix passwords - presumably the card itself stores an encrypted version of the PIN, which is tested against whatever value is entered via the keypad after putting it through the same one way encryption. (i think that chip-and-pin readers work the same way?)

so you could use the pinsentry to brute force the PIN for a card, but only if you could figure out a way to disable the card lockout after 3 wrong tries. i would hope that the bank knows this and that the pinsentry is designed in such a way that the lockout mechanism couldn't be disabled without disabling the PIN test method.

By: Danny

Danny — Thu, 06 Dec 2007 02:35:20 +0000

The PINsentry isn't connected to the outside world, and the card does not store the PIN.

What I think happens is the card will store a validation number. The PINsentry can use the PIN to generate a validation number, and see if this matches the one on the card.

So yes, there might be a way to use the PINsentry to still calculate the correct (or a number of possible) pin numbers. So I do wonder if overall this is a secure idea.

By: mj

mj — Sat, 01 Dec 2007 10:16:22 +0000

I got one of these calculator type things from Barclays. It's called PinSentry.

It clearly states in the instructions that if you enter your pin incorrectly three times your card will be locked. As there is no connection to the outside world this must be done via a pin stored on the card on the chip. Presumably also to lock your card the device must be able to write to the chip to tell it that it is now locked.

Presumably there is some encryption. Whether this can be reverse engineered to allow the PIN to be determined for any card I don't know. However I wonder if you could use the PinSentry itself to (laboriously) hack cards to find their PIN.

All it would need is a way of bypassing the card locking. Maybe this could be done by simply putting tape over the write contacts on the chip so that the device can't write to the chip to tell the card that its locked. Maybe its a little more complex than that. Maybe they check they can write to the card as part of some authentication procedure?

I'll do some investigation for sure. Anyone know if I'm barking up the wrong tree completely?

By: sam

sam — Fri, 30 Nov 2007 02:30:25 +0000

to #13.

The entered PIN will be hashed into the 8 digit code the PINSentry device generates.. the card won't have the PIN on it. If the decoded PIN (from the submitted 8 digit code) turns out not to match the one held on the server 3 times then it will trigger a lockout for the next time that card appears at an ATM or in a shop.. it wont actually write the lock to the card just as it didnt read the PIN from there.

It does accept any code I just tried it on mine.