Hello,
Can anyone help solve an argument!!?
Is the PIN stored on the card?
Thanks in advance,
Dylan
Yes, I think because of offline payments
Yes and no.
Yes because the card is definitely capable of checking whether a PIN that has been entered is correct or not. PIN checks are done instantly when it’s in a terminal (it doesn’t use a network).
and no because it’ll be stored in an encrypted format (i.e. not plaintext)
I have no real knowledge of the inner workings of cards, but I suspect this is how they work:
The card has a built-in mini-computer. When the card’s pins are touching a terminal or contactless is used, electricity flows through the card, waking up the computer.
The card has an application on it that allows PIN attempts. The PIN is stored encrypted (as a hash). Hashes with only 9999 different combinations would be easy to brute force, no? Well the application will have access to test against the encrypted hash and we plebs will not, and after 3 attempts the application refuses any more tries, the card is locked out. Similar to how a phone and passcode works.
as others have said, yes a version is stored on the card.
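The card-side check described above (a PIN Try Counter that decrements on each wrong attempt, resets on success and blocks the PIN at zero) is what the EMV VERIFY command does. The following is an added simulation written for this thread, not Monzo's or any card vendor's applet code. It uses the EMV plaintext offline PIN block layout (control nibble 2, PIN length, PIN digits, 0xF padding) and the ISO 7816 status words 9000 (ok), 63Cx (wrong, x tries left) and 6983 (blocked). The reference PIN is held as a plain string here purely for illustration; how a real card stores it inside the secure microcontroller is not something this thread establishes.

```go
package main

import (
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Status words from ISO 7816-4 / EMV Book 3 for the VERIFY command.
const (
	SWOK          uint16 = 0x9000 // PIN correct
	SWBlocked     uint16 = 0x6983 // authentication method blocked: PTC already zero
	SWWrongPIN    uint16 = 0x63C0 // 63Cx: wrong PIN, x = tries remaining
	SWFormatError uint16 = 0x6A80 // malformed PIN block (assumed here; real applets vary)
)

// Card models the offline-PIN state an EMV applet keeps. Simulation only.
type Card struct {
	referencePIN string // kept inside the secure element; storage format is issuer-specific
	ptc          uint8  // PIN Try Counter, decremented on every failed attempt
	ptcLimit     uint8  // PIN Try Limit, typically 3
}

func NewCard(pin string, limit uint8) *Card {
	return &Card{referencePIN: pin, ptc: limit, ptcLimit: limit}
}

// TriesRemaining returns the current PTC value.
func (c *Card) TriesRemaining() uint8 { return c.ptc }

// EncodePlaintextPINBlock builds the 8-byte EMV plaintext offline PIN block:
// "2N" + PIN digits + "F" padding, e.g. PIN 1234 -> 24 12 34 FF FF FF FF FF.
func EncodePlaintextPINBlock(pin string) ([8]byte, error) {
	var blk [8]byte
	if len(pin) < 4 || len(pin) > 12 {
		return blk, errors.New("PIN must be 4 to 12 digits")
	}
	for _, r := range pin {
		if r < '0' || r > '9' {
			return blk, errors.New("PIN must be decimal digits")
		}
	}
	s := fmt.Sprintf("2%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin)))
	b, err := hex.DecodeString(s)
	if err != nil {
		return blk, err
	}
	copy(blk[:], b)
	return blk, nil
}

// DecodePlaintextPINBlock is the card-side parse of the block above.
func DecodePlaintextPINBlock(blk [8]byte) (string, error) {
	s := strings.ToUpper(hex.EncodeToString(blk[:]))
	if s[0] != '2' {
		return "", errors.New("control nibble must be 2")
	}
	n := int(blk[0] & 0x0F)
	if n < 4 || n > 12 {
		return "", errors.New("PIN length out of range")
	}
	pin := s[2 : 2+n]
	if strings.Trim(pin, "0123456789") != "" {
		return "", errors.New("PIN must be decimal digits")
	}
	if strings.Trim(s[2+n:], "F") != "" {
		return "", errors.New("padding must be F")
	}
	return pin, nil
}

// Verify implements the card side of VERIFY (P2 = 0x80, plaintext PIN).
func (c *Card) Verify(blk [8]byte) uint16 {
	if c.ptc == 0 {
		return SWBlocked // no attempts left: refuse without even looking at the block
	}
	pin, err := DecodePlaintextPINBlock(blk)
	if err != nil {
		return SWFormatError
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.referencePIN)) == 1 {
		c.ptc = c.ptcLimit // success resets the counter
		return SWOK
	}
	c.ptc-- // failure costs one try; the counter survives power loss on a real card
	return SWWrongPIN | uint16(c.ptc)
}

func main() {
	card := NewCard("1234", 3) // constructed reference PIN
	for _, attempt := range []string{"1111", "2222", "1234", "3333", "4444", "5555", "1234"} {
		blk, _ := EncodePlaintextPINBlock(attempt)
		fmt.Printf("VERIFY %s -> SW %04X, tries left %d\n", attempt, card.Verify(blk), card.TriesRemaining())
	}
}
```

Two details worth noting: the block is refused with 6983 before any comparison once the counter is exhausted, so a blocked card gives an attacker no further information, and the counter only resets on a correct PIN, which is why three wrong guesses followed by a correct one still fails on a real card.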
This is super accurate.
Just a few additions:
The chip profile on Monzo cards is online preferring, so unless the terminal has no online capability, we will not authorise using the offline PIN. That is, your offline PIN will only ever be used on planes or similar scenarios
Occasionally your online and offline PIN might misalign. If you change your PIN in the app, your card won’t immediately know about it. Next time you enter your card at a terminal we can tell it to update the offline PIN. We can also tell the terminal to block your card temporarily or permanently!
There is a limit to offline PIN transactions. Both in terms of amount and count. For security reasons I won’t disclose it, but it means you or a fraudster won’t be able to spend too much money on a plane.
I mean the real fraudster is Easyjet for charging £11 for a gin and tonic.
Wait, you can do this, where? Also, I’d love to be able to view the card CVV in app while I’m at it
I am not 100% sure actually. I would assume it’s stored encrypted using the card’s RSA public key.
It’s certainly encrypted by the terminal using the card’s public key and transmitted over the wire to the card itself to decrypt.
That’s one to check on the EMV Spec.
Sorry, I meant after you go through PIN reset (which requires a human review).
CVV in-app is on our mind, but I remember there being some security concerns. That being said, we do that for virtual cards.
I once paid roughly £5 for exactly 10 microwaved French fries and a chicken nugget that tasted like dehydrated cardboard on a Ryanair flight. Lesson learnt, always buy your food from the airport instead (then you’re only being ripped off for twice as much as what it’s actually worth, as opposed to 10x!).
Damn! Thought you’d accidentally leaked an upcoming feature there!
(I’ve seen a feature request for changing the card PIN in app on this forum in the past…)
CVV in app is possible, same level of security as making a payment (asks for PIN before sending)
As for changing your PIN in app, I don’t see why that wouldn’t be possible, but that one is a bit more difficult than asking for a PIN (if you don’t know it), perhaps using a video selfie to verify?
I believe the reason given on the forum for why they weren’t going to implement changing PIN in-app was that any offline transactions between when the PIN change took place and the next time an online transaction occurred (allowing Monzo to push the new PIN to the card) would still require the old PIN. I think they decided this was too messy of a solution, and would of course be problematic in cases where the user changed their PIN because they’d forgotten the old one.
Suddenly something that happened last year makes complete sense!
My partner was issued a card by Tomorrow Bank and she used their app to change her pin from the one she was originally provided with.
She then tried to buy something at Boots a few days later, but when she entered her PIN the terminal kept saying that it was wrong - she also didn’t know the original PIN.
Having separate PINs on the network and card explains what happened in this scenario… And yes it was really frustrating not knowing what was wrong or how to fix it so this here makes complete sense:
Minor correction: You can do an online transaction with either online or offline PIN (obviously an offline transaction with online PIN isn’t possible). For hysterical raisins, POS terminals in the UK, Ireland and a few other countries are not allowed to do online PIN verification - they must do offline PIN only. So in UK/IE/etc the card validates the PIN.
How the cards store the PIN is unspecified (whether it’s encrypted I don’t know - but that would be a little pointless given the fact that the encryption key would be in the same storage!). They’re built on secure microcontrollers which won’t allow the data to be read out without severely invasive surgery, however.
When your PIN is changed, the encrypted PIN block is sent to the card using a Triple-DES key known only to the issuer’s processor and the card. (Maybe in a few years EMV will release their updated spec which moves to AES…)
When online PIN verification is performed (as is the default e.g. in Germany where I live, and at all ATMs), the PIN gets encrypted by the terminal with a key that it shares with its configured acquirer, who then re-encrypts it with a key they share with Mastercard, who then re-encrypts it with a key they share with the issuer.
Monzo UK only allows PIN changes at ATMs because that way it can be ensured that both offline and online PINs are synchronized. Monzo US allows in-app PIN changes because those cards do not support offline PIN.
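The online PIN path described in the post above (terminal encrypts the PIN under a key shared with the acquirer, each hop decrypts and re-encrypts under the key it shares with the next party, the issuer finally decrypts and checks) can be shown end to end. The following is an added example written for this thread, not code from Monzo, Mastercard or any HSM vendor. It uses ISO 9564 format 0 PIN blocks (the PIN field XORed with the rightmost 12 PAN digits excluding the check digit, which binds the block to the card) and Triple-DES from Go's standard library, matching the 3DES the post mentions. The keys, PAN and PINs are constructed test values; the three-hop chain and the PAN are assumptions about the shape of a real deployment, not details the thread states.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// pinField is the ISO 9564 format 0 PIN field: "0" + length + PIN + "F" padding (16 hex digits).
func pinField(pin string) (string, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return "", errors.New("PIN must be 4 to 12 digits")
	}
	if strings.Trim(pin, "0123456789") != "" {
		return "", errors.New("PIN must be decimal digits")
	}
	return fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))), nil
}

// panField is "0000" + the rightmost 12 PAN digits, excluding the Luhn check digit.
func panField(pan string) (string, error) {
	if len(pan) < 13 {
		return "", errors.New("PAN too short")
	}
	body := pan[:len(pan)-1]
	return "0000" + body[len(body)-12:], nil
}

func xorHex(a, b string) ([8]byte, error) {
	var out [8]byte
	ab, err := hex.DecodeString(a)
	if err != nil {
		return out, err
	}
	bb, err := hex.DecodeString(b)
	if err != nil {
		return out, err
	}
	for i := range out {
		out[i] = ab[i] ^ bb[i]
	}
	return out, nil
}

// EncodeISO0 builds the clear format 0 PIN block for pin, bound to pan.
func EncodeISO0(pin, pan string) ([8]byte, error) {
	pf, err := pinField(pin)
	if err != nil {
		return [8]byte{}, err
	}
	af, err := panField(pan)
	if err != nil {
		return [8]byte{}, err
	}
	return xorHex(pf, af)
}

// DecodeISO0 recovers the PIN from a clear format 0 block; it fails if pan does not match.
func DecodeISO0(block [8]byte, pan string) (string, error) {
	af, err := panField(pan)
	if err != nil {
		return "", err
	}
	pf, err := xorHex(hex.EncodeToString(block[:]), af)
	if err != nil {
		return "", err
	}
	s := strings.ToUpper(hex.EncodeToString(pf[:]))
	if s[0] != '0' {
		return "", errors.New("not a format 0 block")
	}
	n, err := strconv.ParseInt(s[1:2], 16, 0)
	if err != nil || n < 4 || n > 12 {
		return "", errors.New("bad PIN length")
	}
	pin := s[2 : 2+n]
	if strings.Trim(pin, "0123456789") != "" || strings.Trim(s[2+n:], "F") != "" {
		return "", errors.New("bad PIN digits or padding")
	}
	return pin, nil
}

// tdes builds a two-key Triple-DES cipher (K1 K2 K1) from a 16-byte key.
func tdes(key []byte) cipher.Block {
	if len(key) == 16 {
		key = append(append([]byte{}, key...), key[:8]...)
	}
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	return c
}

func Encrypt(key []byte, in [8]byte) (out [8]byte) { tdes(key).Encrypt(out[:], in[:]); return }
func Decrypt(key []byte, in [8]byte) (out [8]byte) { tdes(key).Decrypt(out[:], in[:]); return }

// Translate is the HSM operation at the acquirer and at the network: decrypt under the
// inbound zone key, re-encrypt under the outbound one. The clear block never leaves the HSM.
func Translate(inKey, outKey []byte, enc [8]byte) [8]byte {
	return Encrypt(outKey, Decrypt(inKey, enc))
}

// IssuerVerify decrypts under the issuer zone key, rebuilds the PIN using the PAN from the
// authorisation message and compares it with the reference PIN in constant time.
func IssuerVerify(issuerKey []byte, enc [8]byte, pan, referencePIN string) bool {
	pin, err := DecodeISO0(Decrypt(issuerKey, enc), pan)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(pin), []byte(referencePIN)) == 1
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// Constructed zone keys for the example; real keys live only inside HSMs.
var (
	terminalKey = mustHex("0123456789ABCDEFFEDCBA9876543210") // terminal <-> acquirer
	networkKey  = mustHex("1F1F1F1F0E0E0E0E1F1F1F1F0E0E0E0E") // acquirer <-> network
	issuerKey   = mustHex("89ABCDEF0123456776543210FEDCBA98") // network <-> issuer
)

// OnlinePINJourney runs terminal -> acquirer -> network -> issuer and returns the issuer verdict.
func OnlinePINJourney(enteredPIN, pan, referencePIN string) (bool, error) {
	clear, err := EncodeISO0(enteredPIN, pan)
	if err != nil {
		return false, err
	}
	atAcquirer := Encrypt(terminalKey, clear)                // terminal PIN pad
	atNetwork := Translate(terminalKey, networkKey, atAcquirer) // acquirer HSM
	atIssuer := Translate(networkKey, issuerKey, atNetwork)      // network HSM
	return IssuerVerify(issuerKey, atIssuer, pan, referencePIN), nil
}

func main() {
	pan := "4000001234567899" // constructed PAN, not a real card number
	ok, _ := OnlinePINJourney("1234", pan, "1234")
	fmt.Println("correct PIN accepted:", ok)
	ok, _ = OnlinePINJourney("9999", pan, "1234")
	fmt.Println("wrong PIN accepted:", ok)
}
```

The PAN binding is the reason a captured encrypted PIN block cannot simply be replayed against a different card: decoding the same clear block with another PAN fails the padding check instead of yielding a PIN.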
Very interesting, thanks Erin!
So are Monzo US cards online only?! …Which would presumably mean that purchases on a plane/at a vendor out and about without cellular connection/on some public transit systems aren’t possible for American Monzo users? Or in an offline scenario would they have to resort to magstripe + signature?
Also, this typo made me laugh more than it should’ve
Chip and Signature. (They’re also signature preferring, so will pick Chip and Signature in most cases. This is due to US regulations distinguishing “PIN based debit payments” and capping the interchange rates for them lower than for signature)
Not a typo
Got it. Crikey I’m glad we don’t do that in the UK, I’d like it if UK-issued cards did away with the signature strip altogether to be honest.
Oh wow, I didn’t know that was actual terminology, my bad
@erincandescent, happy to see you around here. How is the new job?
But even if offline PIN verification fails the terminal would go online with an authorisation (telling us in DE-55 that the offline PIN verification failed). That gives us the opportunity to approve the authorisation if the offline PIN is misaligned/outdated.
My definition of new is very relaxed