Smartcards, PINs, cryptography, and open standards
dcoombs asks a question about how PINs are used in the fancy new smartcard-enabled Visas vs. Mastercards.
Specifically, he notes that you can change your Visa PIN over the phone, which suggests that the PIN is stored on your bank's servers, not on the card itself. (He also notes that you don't have to store it on the card either; you can encrypt the signing key on the card, so the PIN is never stored at all, anywhere.)
As it happens, I've had some occasion to look into credit card payments in the past. (I do work at a banking software company, after all.) So while I didn't know the answer to the question, I knew where to look.
Where to look is EMVCo, the Europay Mastercard Visa Company, which publishes the EMV Payments Specification. Conveniently for our purposes, you can actually download that very specification from that very link, and learn more than you ever wanted to know about the communication protocol used in payment cards.
Now, the spec is long and boring, so I used the magic of full-text search to find what I was looking for. I alert you to section 5.2.6 of Common Payment Application Specification v1 Dec 2005.pdf (oh yes!), which discusses the various "Cardholder Verification Methods (CVMs)" that are used to... verify cardholders.
From this section, you discover the terms "offline PIN" and "online PIN," which turn out to be what you might expect: offline PIN means that the card checks the PIN by itself; online PIN means that the PIN gets checked by the bank. Each card identifies its preferred CVMs. It appears that your card could require multiple CVMs, although I was too lazy to read in enough detail to be sure of that.
So anyway, the "insecure" method dcoombs describes as being used by his Visa can definitely exist. But I guess we already knew that because it exists.
More interesting is the "more secure" method (offline PIN) presumably used by his Mastercard. The real question is: are they really using offline PINs, or do they just not let you change your PIN over the phone? I don't think we can tell, unless we construct a terminal according to the specs and ask our terminal to read the CVM list from the card :) So we don't really know if Mastercard is "more secure" than Visa; they just don't make it obvious. On the other hand, the spec says they could be "more secure" if they wanted; that feature exists too.
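What a terminal would see if it did read the CVM list: the sketch below, an added example that is not from the original post, decodes the value of the card's CVM List data object (tag 8E) and reports whether it lists offline PIN, online PIN, or both. The byte layout and code values are taken from EMV Book 3 rather than from anything quoted here, and the sample bytes are constructed, not read from a real card.

```python
# Added example. Layout and codes per EMV Book 3 (an assumption, not from the post).
CVM_METHODS = {
    0x00: ("Fail CVM processing", None),
    0x01: ("Plaintext PIN verified by card", "offline"),
    0x02: ("Enciphered PIN verified online", "online"),
    0x03: ("Plaintext PIN verified by card + signature", "offline"),
    0x04: ("Enciphered PIN verified by card", "offline"),
    0x05: ("Enciphered PIN verified by card + signature", "offline"),
    0x1E: ("Signature (paper)", None),
    0x1F: ("No CVM required", None),
}
CONDITIONS = {
    0x00: "always",
    0x01: "if unattended cash",
    0x02: "if not unattended cash, manual cash or cashback",
    0x03: "if terminal supports the CVM",
    0x04: "if manual cash",
    0x05: "if purchase with cashback",
}

def parse_cvm_list(value: bytes):
    """Return (amount_x, amount_y, rules) for the value of tag 8E."""
    if len(value) < 10 or (len(value) - 8) % 2:
        raise ValueError("CVM List needs 8 amount bytes plus 2-byte rules")
    amount_x = int.from_bytes(value[0:4], "big")
    amount_y = int.from_bytes(value[4:8], "big")
    rules = []
    for i in range(8, len(value), 2):
        cvm, cond = value[i], value[i + 1]
        name, pin_kind = CVM_METHODS.get(cvm & 0x3F, ("unknown/RFU", None))
        rules.append({
            "method": name,
            "pin": pin_kind,  # where the PIN is checked, if this rule uses one
            "on_failure": "try next rule" if cvm & 0x40 else "fail",
            "condition": CONDITIONS.get(cond, f"condition 0x{cond:02X}"),
        })
    return amount_x, amount_y, rules

def pin_modes(value: bytes):
    """Which PIN checks the card lists: a subset of {'offline', 'online'}."""
    return {r["pin"] for r in parse_cvm_list(value)[2] if r["pin"]}

# Constructed sample, not read from a real card:
# enciphered offline PIN, then online PIN, then signature, then no CVM.
SAMPLE = bytes.fromhex("0000000000000000" "4403" "4203" "5E03" "1F00")

if __name__ == "__main__":
    print(*parse_cvm_list(SAMPLE)[2], sep="\n")
    print("PIN modes listed:", sorted(pin_modes(SAMPLE)))
```

Rules are listed in the card's order of preference, so a card whose list contains only an online PIN rule would match the Visa behaviour described above, while one listing an offline rule first would match the presumed Mastercard behaviour.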
Now, I've been "quoting" the terms "more secure" and "insecure" above. The reason is that I suspect both methods are perfectly fine, and (as we'd hope!) vastly better for security than the old magstripe systems.
The key feature of a smart card is not actually that it keeps your PIN secure. Banks, I suspect, have rightly observed that keeping your PIN super-secret is not really going to happen. There are just too many ways to steal it.
For example, a common form of credit card fraud nowadays is to have fake card readers where they swipe the card and you enter the PIN, and it records the PIN and card number before forwarding it on to the "real" reader device that does the transaction. There is no way to prevent such a system from stealing your PIN; the only option would be to carry around your own keypad for entering your PIN, because you know that keypad isn't hacked... but nobody wants to do that, so forget it.
The other common way to steal your PIN is to watch you type it into a bank machine. Trust me, you're not as secret as you think you are. Or even if you are, the next guy won't be.
So let's accept that your PIN is really not that secure. What can we do?
Well, we can make it really hard to steal your credit card number. This is what smartcards do. As far as I know, the only way to steal the encryption key directly out of such a card is to do some awfully weird stuff to the card (X-rays, super-slow low voltage analysis, etc). Nobody in a corner store or restaurant is going to get away with doing that stuff to your card without you noticing, so you're pretty darn safe. When your card authorizes a transaction, it generates an authorization key for only that one transaction; it never reveals the card number itself, so a card reader machine can't steal it.
You could reverse-engineer your own card, but it wouldn't accomplish anything; if you really need to copy your own card, just ask your bank for another copy. (This problem is why the original "as good as cash" smart card idea wasn't so great. They carry around money and do transactions without the help of a bank - which means that if you can hack your own card, you have a license to print e-money. You don't want to give people incentives like that.)
So the reality is that as long as you don't tell your PIN to everyone, then the probability that someone both knows your PIN and steals your physical card (since they can't copy it) is extremely low.
The remaining question is whether it's secure to let people change their PIN over the phone. Well, nothing on the phone is very secure. But interestingly, even that isn't a big deal; they still need your physical card to make a transaction. They can steal your physical card and go change the PIN over the phone; in that case, they'll need to confirm some personal information. That seems like the most likely attack vector, but it only works if they manage to steal your physical card, which you'll probably notice pretty fast.
Also note that if all this analysis turns out to be wrong, they can just issue a new card that demands offline PIN and disables online PIN. Or vice versa, if it turns out there's something wrong with the offline PIN implementation(1) but online PIN is secure after all.
All in all, I think they did a pretty good job of it.(2)
(1) I can think of one way that offline PIN would turn out to be less secure than online: remember, a PIN is typically only four digits. Four digit passwords are stunningly insecure, protected only by the fact that these systems will shut down if you guess wrong more than n times, where n is a small number like five. But if you steal and hack someone's card, you can read out the key directly, and simply try decrypting it with every possible PIN (all 10000 of them); there's no lockout feature. Even if your PIN isn't "stored on the card," it's still as good as there. You're potentially better off having the card in one physical location and the PIN in another.
(2) On the other hand, did you know that EMV (smartcard) support is optional in the fancy new contactless cards? Basically, EMV support is independent of contactless support. You can have either, neither, or both. Contactless payments are a great idea, but without EMV too, people could actually copy your credit card by passing a reader near your wallet. Crazy. I don't know for sure if this was ever deployed, but if the standard exists, I guess it was; if you have a contactless card (like Mastercard PayPass) without a smartcard reader on it, it's probably this insecure kind. Disclaimer: I am not an expert on this, I just skimmed some standards. Anybody who can confirm/deny, please send me an email.
Update (2009/01/18): Adrian wrote to say that he's tried PC Financial Mastercard and Washington Mutual Mastercard. Both have Mastercard PayPass (the contactless payment system) but no smart card. So that's a lovely security update.
Update (2009/01/18): ppatters wrote to note that various methods (X-rays, low voltage, cold, etc) that used to work will nowadays trigger self-shutdown sequences as an anti-reverse-engineering measure. The question then is: what's more likely, that someone will find a new method that still works on smart cards, or that someone will break through your bank's firewall and steal a list of PINs? Beats me.