by lxgr 856 days ago
Is this unexpected? When your PIN input and transaction confirmation device is untrusted, about the only thing a smart card can protect against is key exfiltration, and maybe rate limiting signature/authentication attempts (I believe the German protocol sends trusted timestamps from the remote reader which would allow that).

Tapping your card and entering your PIN in a compromised app/on a compromised device has the same (and to me expected) result as tapping it on a fraudster’s device directly and providing them the PIN.

Yeah, this is a phishing attack replacing the terminal with a compromised one.

The terminal used the PIN for three transactions: The original sign-in process, the attacker's ID verification process for the bank, and a "Selbstauskunft" which essentially is an echo service that returns data read from the card back to the user.

It's not a very performant process and needs to happen in near real time.

When using a PC, isn't one supposed to use a hardware RFID reader[1] with a physical numpad to enter the key? Then, the PC never gets a hold of the PIN. Ideally, the hardware reader has a display to show 1. which data is sent to 2. which site/authority is asking for it.

So on a phone, with every layer of the communication in just software, not hardware, that is inherently unsafe? (On e.g. Apple phones a security chip could work to increase security, but if a prompt is faked, the PIN can still be exfiltrated.)

[1]: Free RFID USB readers were given out at every local agency in Germany, but those were the cheap models, without a numeric input.

Yes, but realistically, nobody is going to get a hardware CCID reader with the required security level and connect it to their computer anymore (assuming they even have one – for more and more people, their smartphone is their main and sometimes only computing device they own).

What might work today is a Bluetooth-capable smartcard reader with a PIN pad and display for secure transaction confirmation ("enter your PIN to open a bank account with bank xyz" vs "enter your PIN to confirm that you own a valid driver's license for the purpose of renting a car" etc.), but even that is a stretch and will probably only ever see very low adoption.

It would be great to have it as an option supported by the official reader app, though!
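As an added illustration of the trust boundary argued in this thread (constructed example code, not from the thread, the eID protocol, or any official reader app): a toy Python model in which the card only verifies the PIN and counts failures, a compromised host that obtained the PIN in software replays it for the three transactions mentioned above, and a reader with its own pad and display lets the user approve each displayed purpose. The `Card`, `compromised_host` and `trusted_reader_flow` names, the purposes, and the 3-try limit are all assumptions.

```python
"""Toy model of PIN entry on an untrusted host vs. on a reader with pad+display.
Everything here is constructed for illustration; it is not the real eID protocol."""
from dataclasses import dataclass, field

MAX_PIN_TRIES = 3  # assumed retry limit: the rate limiting a card can enforce on its own


@dataclass
class Card:
    """The card can protect its key and count failed PINs, nothing more:
    it has no display, so it cannot know what the user thinks they approve."""
    pin: str
    tries_left: int = MAX_PIN_TRIES
    log: list = field(default_factory=list)  # purposes of completed transactions

    def transact(self, pin: str, purpose: str) -> bool:
        if self.tries_left == 0:          # locked after too many wrong PINs
            return False
        if pin != self.pin:
            self.tries_left -= 1
            return False
        self.tries_left = MAX_PIN_TRIES   # correct PIN resets the counter
        self.log.append(purpose)
        return True


# The three uses of one PIN described in the thread (constructed labels).
HOST_REQUESTS = ["user sign-in", "attacker's bank ID verification", "Selbstauskunft"]


def compromised_host(card: Card, pin_typed_in_app: str) -> list:
    """Software PIN entry: the host captured the PIN once and replays it at will.
    The card accepts every transaction because each one carries the right PIN."""
    for purpose in HOST_REQUESTS:
        card.transact(pin_typed_in_app, purpose)
    return card.log


def trusted_reader_flow(card: Card, user_pin: str, requests: list, user_accepts) -> list:
    """Reader with pad and display: each host request is shown to the user, who
    types the PIN on the reader only for purposes they accept. The host never
    receives the PIN, so it cannot add transactions the user does not see."""
    for purpose in requests:
        if user_accepts(purpose):          # user's decision on the reader's display
            card.transact(user_pin, purpose)
    return card.log


if __name__ == "__main__":
    print("untrusted host:", compromised_host(Card("123456"), "123456"))
    print("pad+display   :", trusted_reader_flow(Card("123456"), "123456",
                                                  HOST_REQUESTS, lambda p: p == "user sign-in"))
```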