chipTAN: How is it possible without PIN

Question

For my online banking I have a Smartcard-Reader with optical sensors for data transaction by what is called 'flickering'. The Reader then shows the Receivers IBAN and amount of money to transfer and generates a TAN without asking me for my PIN, which I need to get money at the ATM. As far as I know each Smartcard has a cryptography-co-processor (which is used to calculate a signature for a money transaction) which does nothing until it is activated by the secred personal PIN.

How can the Smartcard-Reader use the debit card to generate a TAN without activating the cryptography co-processor by my personal PIN in the first place?

Answer 1

The user has an option to set the minimum amount up to which the card don't prompt to input the PIN value. If you have not chosen this minimum amount, then it may be activated by default in your card. Check the terms and conditions for the card.

Answer 2

Smart cards are much more flexible than you seem to assume. It is responsibility of the application designer, to specify, what actions require which kind of authentication. It is easily possible, to have keys requiring no authentication at all. Whether a command uses a cryptographic co-processor is completely independent of the access right specification. (Usally there is some coupling, but that originates from the problem domain.)

Since ChipTAN only provides a TAN, you will need the PIN anyway to release the transaction, so there is no benefit to ask for it.

A generic problem is, that humans are only able to remember quite few PINs, and it is quite difficult, to enter it as valid for one specific action only, but not for another. (Different PINs would help, but see above).