FR3030826A1 - METHOD FOR SECURING AN ELECTRONIC DEVICE, AND ITS ELECTRONIC DEVICE - Google Patents

Abstract

The invention relates to a control method implemented by an electronic device (2), said method comprising the following steps: obtaining a secret code entered by a user; - Secret code processing, the processing comprising a verification of the secret code and management of a first counter (TOT_PTC); storing the value of the first counter (TOT_PTC) in a rewritable non-volatile memory (10); the electronic device being such that: if the code entered is detected as false during said verification, the processing step has the effect of modifying the value of the first counter (TOT_PTC) to indicate that the secret code is false; and if the code entered is detected as being good during said verification, the processing step has the effect of keeping the value of the first counter (TOT_PTC) unchanged whatever the value of the first counter. The invention also relates to an electronic device capable of implementing such a control method.

Description

BACKGROUND OF THE INVENTION The present invention is in the general field of electronic devices able to cooperate with an external terminal in order to carry out a transaction, in the banking field for example. The invention relates more particularly, but in a nonlimiting manner, to a smart card (or microcircuit cards), conforming for example to the IS07816 standard, and capable of carrying out a transaction in cooperation with an external terminal as well as a method of control of such a smart card.

The invention aims in particular the control of a smart card operating according to the EMV protocol (for "Europay Mastercard Visa") and adapted to perform a payment transaction with an external reader such as a payment terminal. In general, a smart card is designed to communicate with a device external to this card, otherwise called terminal or reader. These cards make it possible to carry out various types of transactions, such as payment transactions, identification transactions and / or authentication of the bearer etc. Smart cards implementing one or more banking applications (credit card, debit card etc.) are for example able to communicate with payment terminals.

EMV is the standardized protocol used mainly in the world to secure payment transactions made by smart cards. The EMV protocol has been designed to reduce the risk of fraud during a payment transaction by allowing in particular the authentication of both the smart card and its holder. The authentication of the bearer is generally performed from a secret code (also called PIN) entered by the cardholder at the request of the payment terminal. Typically, as part of the EMV protocol, the external terminal sends a VERIFY command to the bank card containing the secret code entered by the user on the payment terminal. The bank card then verifies the authenticity of the user by comparing the secret code entered by the latter with a reference code stored in a secure memory of the card. If the authentication is successfully passed, the bank card sends back to the terminal an OK message indicating that the verification of the secret code has passed successfully. If, on the other hand, the secret code entered is not valid, the bank card sends back a NOK failure message to the terminal. Three consecutive tests are generally granted to the user to provide the correct secret code in response to the input request presented by the terminal. If the user performs three consecutive attempts to enter the secret code and fails all three times, the bank card informs the terminal that the authentication of the bearer has failed. In general, three consecutive failures cause the card to hang. To do this, an EMV bank card keeps track of the number of trials that have failed consecutively, whether during the same EMV transaction or in several separate transactions. Thus, if a user enters a wrong first secret code, he will have one less chance of entering the correct secret code at the next test, whether this test takes place in the same transaction as the first failure or during a transaction. higher.

If the user enters the correct secret code, the card resets the number of trials granted to three for the next request to enter the secret code in a subsequent transaction. This secret code verification mechanism protects the owner of the bank card against fraudulent use by a malicious person. A person usually has only three consecutive attempts to enter the correct secret code, whether in the same transaction or during multiple transactions. However, new forms of fraud and piracy are continually being developed by fraudsters, so that there is a need today to reinforce the security mechanisms for smart cards (EMV for example) and more generally, on all electronic devices intended to carry out a transaction, of the banking or other type, in cooperation with an external terminal. In particular, there is a need to strengthen the user authentication process implemented by such electronic devices.

OBJECT AND SUMMARY OF THE INVENTION To this end, the present invention relates to a control method implemented by an electronic device, said method comprising the following steps: obtaining a secret code entered by a user; secret code processing, the processing including secret code verification and management of a first counter; storing the value of the first counter in a rewritable non-volatile memory; wherein: if the entered code is detected as false during said check, the processing step has the effect of changing the value of the first counter to indicate that the secret code is false; and if the entered code is detected as good during said check, the processing step has the effect of keeping the value of the first counter unchanged regardless of the value of the first counter.

According to a particular embodiment, the control method comprises a detection of an anomaly from the value of the first counter when a predetermined condition is satisfied. According to a particular embodiment, the predetermined condition defines a threshold value, the detection of the anomaly being performed by comparing the current value of the first counter with the threshold value. According to a particular embodiment, the control method is such that: each time the code entered is detected as false during said verification, the processing step has the effect of incrementing the value of the first counter to indicate entering an additional false code, said anomaly being detected when the current value of the first counter is greater than or equal to said threshold value; or whenever the code entered is detected as false during said verification, the processing step has the effect of decrementing the value of the first counter to indicate the input of an additional false code, said anomaly being detected when the current value of the first counter is less than or equal to said threshold value. According to a particular embodiment, the control method comprises, on determining said anomaly, an operation for securing at least one of the electronic device and an operation with an external terminal.

According to a particular embodiment, the security operation comprises at least one of the following operations: reconfiguration of the electronic device so as to restrict its operating capacities; defeat an operation with the external terminal; and sending to the external terminal a security data representative of said anomaly.

According to a particular embodiment, the operation with the external terminal is a bank transaction. According to a particular embodiment, said processing comprises the management of a second counter, the control method comprising the following steps: if the code entered is detected as false, the processing has the effect of modifying the value of the second counter for indicate the entry of an additional false code; if the code entered is detected as good, the processing has the effect of: modifying the value of the second counter so as to reset it to a predetermined constant value when the value of the second counter is different from said predetermined constant value, and keeping the value of the second counter unchanged when the value of the second counter is equal to said predetermined constant value According to a particular embodiment, the value of the first counter and the value of the second counter are recorded during the same write operation in the rewritable non-volatile memory of the electronic device. According to a particular embodiment, the value of the first counter and the value of the second counter are stored in a same memory block of the rewritable non-volatile memory of the electronic device. According to a particular embodiment, in which each memory block of the rewritable non-volatile memory contains 256 bytes of memory. In a particular embodiment, the various steps of the control method are determined by computer program instructions.

Accordingly, the invention also relates to a computer program on an information carrier (or recording), this program being capable of being implemented in an electronic device such as a smart card or a computer , this program comprising instructions adapted to the implementation of the steps of a control method as defined above.

The invention also relates to a recording medium (or information carrier) readable by a computer, and including instructions of a computer program as mentioned above. Correlatively, the invention relates to an electronic device comprising: a module for obtaining a secret code entered by a user; a processing module for performing a secret code processing, the processing comprising a verification of the secret code and management of a first counter; a storage module for storing the value of the first counter in a rewritable non-volatile memory of the electronic device; wherein: if the entered code is detected as false by the verification module, the processing has the effect of modifying the value of the first counter to indicate the input of an additional false code; and if the code entered is detected as good by the verification module, the processing has the effect of keeping the value of the first counter unchanged regardless of the value of the first counter. According to a particular embodiment, the electronic device comprises a module for detecting an anomaly from the value of the first counter when a predetermined condition is satisfied. According to a particular embodiment, the predetermined condition defines a threshold value, the detection module being able to detect the anomaly from a comparison between the value of the first counter and the threshold value. According to a particular embodiment, the electronic device is a smart card. Note that the computer programs mentioned in this presentation can use any programming language, and be in the form of source code, object code, or intermediate code between source code and object code, such as in a partially compiled form, or in any other desirable form. In addition, the recording (or information) media mentioned in this disclosure may be any entity or device capable of storing the program. For example, the medium may comprise storage means, such as a ROM, for example a CD ROM or a microelectronic circuit ROM, or a magnetic recording medium, for example a floppy disk or a disk. Hard disk. On the other hand, the recording media may correspond to a transmissible medium such as an electrical or optical signal, which may be conveyed via an electrical or optical cable, by radio or by other means. The program according to the invention can be downloaded in particular on an Internet type network.

Alternatively, the recording media may correspond to an integrated circuit in which the program is incorporated, the circuit being adapted to execute or to be used in the execution of the method in question.

BRIEF DESCRIPTION OF THE DRAWINGS Other features and advantages of the present invention will emerge from the description given below, with reference to the accompanying drawings which illustrate embodiments having no limiting character. In the figures: FIG. 1 represents in the form of a flowchart an exemplary embodiment of a transaction implemented by a smart card according to the EMV protocol with an external terminal; FIG. 2 schematically represents the hardware architecture of a smart card according to a particular embodiment of the invention; FIG. 3 schematically represents modules implemented by the smart card of FIG. 2; FIG. 4 represents in the form of a flowchart a control method implemented by the smart card of FIGS. 2 and 3 according to a particular embodiment; and FIG. 5 represents in the form of a flowchart an alternative embodiment of the control method of the invention. DETAILED DESCRIPTION OF SEVERAL EMBODIMENTS As indicated above, the present invention is in the general field of electronic devices capable of cooperating with an external terminal in order to carry out a transaction, in the banking field for example. In this document, embodiments of the invention are described in the context of a bank card (credit card, debit card, payment card, etc.) capable of carrying out a banking transaction with an external reader. In this example, the bank card and the reader cooperate together according to the EMV protocol.

However, it will be understood that they are only non-limiting examples and that the invention can be applied in particular to other protocols and other types of transactions. More generally, the smart card can be any electronic device capable of communicating with the reader to perform a given transaction. Moreover, in the examples considered here, the smart card conforms to the ISO 7816 standard.

Unless otherwise indicated, elements common or similar to several figures have the same reference numbers and have the same or similar characteristics, so that these common elements are generally not described again for the sake of simplicity.

FIG. 1 firstly describes an example of processing implemented by an EMV chip card, this processing including the verification of the secret code and the management of a counter to count the number of consecutive missed attempts. secret code entry by a user. During an EMV transaction, it is assumed that a reader requests a user to enter the secret code (or PIN) of an EMV card. The user usually enters the secret code using the keys on the reader. The EMV card in particular manages a counter rated PTC which determines the number of consecutive attempts to enter the PIN code by the user that failed. From the monitoring of the PTC counter, the EMV card is able to determine the sequence to be given to the entry of a PIN code by the user. More specifically, during a step S2, the smart card receives a first PIN code entered by the user. The card determines (S4) then whether the PTC counter is such that: PTC> LMT1 where LMT1 is a predetermined constant set here for example at 3, this constant representing the maximum allowed number of consecutive failed attempts to enter the PIN code. If 3 attempts of the PIN code fail consecutively, the verification of the PIN code permanently fails and, in general, the card is blocked. If PTC> LMT1, the EMV card proceeds to step S8. If not, the PTC variable is detected as invalid and a NOK failure message is returned (S6) to the reader by the card. In S8, the EMV card decrements the PTC variable by 1 and proceeds to step S10. In S10, the EMV card determines whether the secret code entered by the user is valid by comparing it with a reference code stored for example in a secure memory of the card.

If the secret code is valid, the EMV card (S14) resets the PTC variable to the value of the LMT1 constant. In addition, the EMV card returns (S14) to the reader an OK message indicating the success of the verification of the secret code. If, on the other hand, the secret code is detected as being invalid in S10, the EMV card checks (S16) if the variable PTC is equal to zero. If so, the user has performed the maximum number of consecutive PIN tries such that the bearer authentication fails and the card returns (S8) a failure message to the reader and usually hangs. If the PTC variable is not equal to zero, the user still has at least one chance to enter the correct secret code. In this case, the EMV card prompts (S20) the user to enter the secret code again by sending a TRY_AGAIN command provided for this purpose to the reader. An example of an algorithm corresponding to steps S2 to S14 is proposed below: / * held in NVM; set during personalization to 3 for example * / byte constant: PIN_TRY_COUNTER LIMIT; / * Held in NVM; PIN TRY COUNTER LIMIT * / _ byte variable: PTC; get-pin (pin) {if (PTC> TRY COUNTER LIMIT PIN) _ _ return NOK; --PTC; if (ok (pin)) {PTC = PIN TRY COUNTER LIMIT; _ return OK; else {return TRY AGAIN; In the above algorithm example, NVM is a nonvolatile memory of the smart card. In addition, PIN_TRY_COUNTER_LIMIT is the LMT1 preset value set here at 3. Furthermore, it will be noted in the algorithm example above that when the PIN code is detected as erroneous in step S10, the algorithm does not start a verification step to check whether the PTC counter is equal to zero or not but simply generates a TRY_AGAIN command inviting the user to perform a new seizure of the secret code. It will be understood that various embodiments can however be envisaged. Tracking the PTC counter advantageously allows the smart card to prevent a user from entering more than once consecutively a false secret code, whether during the same transaction or during more transaction (provided that the tests in question are consecutive ). N is an integer defined by the constant LMT1. This authentication of the user from the PTC counter makes it possible to limit fraud attempts against smart cards, such as EMV cards.

The applicant however found that a fault remains when this security mechanism is implemented in an electronic device such as an EMV bank card for example. More specifically, the applicant has observed that it is possible for an attacker to steal an EMV bank card and make two attempts to enter the secret code (in the case where LMT1 = 3 for example). In case of failure, the malicious person can then return the EMV card to its legitimate user without the latter being aware of it. Once the legitimate owner enters the correct secret code in a subsequent transaction, the PCT counter resets to the maximum value defined by LMT1, that is, the value 3 in this example. The malicious person then has the opportunity to retry two seizures of the secret code without the knowledge of the legitimate user of the card. Repeating as many times as necessary this subterfuge in time, it is possible for an attacker to determine the correct secret code of the card. This weakness detected in the protocol lies in the fact that each time a secret code is successfully entered by a user, the smart card resets the PTC counter. The invention proposes in particular to overcome the problems and disadvantages identified above. To do this, the invention proposes a smart card (and more generally an electronic device) capable of controlling a total number of missed attempts to enter the secret code. It is thus possible for the smart card to detect an anomaly representative of an abnormal use of the card from the total number of missed attempts to enter the secret code at a given moment. An anomaly is detected, for example, when the card determines that the total number of missed attempts at entering the secret code reaches a predetermined threshold value LIMT2. If such an anomaly is detected, the smart card can perform an appropriate treatment of the anomaly such as a given security operation (blocking the card, sending a message of failure of the current transaction to the reader etc.). It is thus possible to detect a fraudulent use of the smart card even if the number of consecutive seizures of the secret code has not reached the maximum authorized limit (set at three, for example).

FIG. 2 schematically represents the hardware architecture of the smart card 2 according to a particular embodiment of the invention. In this example, the card 2 is an EMV card conforming to the ISO 7816 standard. More particularly, the smart card 2 here comprises a microprocessor 4 coupled to external contacts 6 (input / output ports), a rewritable volatile memory ( RAM type) 8 and a rewritable non-volatile memory 10 (Flash type for example). The card 2 may also include a ROM (ROM type) not shown here. The microprocessor 4 is able, via the external contacts 6, to communicate by contact with an appropriate external reader (or terminal) LT, a payment terminal for example. However, it will be understood that the invention can also be applied to smart cards communicating in contactless mode. In this example, it is considered that the memory 10 is secured, using a conventional security mechanism well known to those skilled in the art and therefore will not be described here.

The memory 10 constitutes here a recording medium (or information) according to an embodiment of the invention, readable by the smart card 2, and on which is recorded a computer program PG1 according to a mode embodiment of the invention. The program PG1 includes instructions for carrying out the steps of a control method, in accordance with one embodiment of the invention. Exemplary embodiments of this method are shown in Figures 4 to 5 described later. The memory 10 also contains in this example a reference code CREF representative of the authentic secret code of the card 2, the values of the counter PTC and the counter TOT_PTC, as well as the threshold values LMT1 and LMT2.

As already explained, the value of the counter PTC is representative of the consecutive number of missed attempts to enter the secret code by the user of the card 2. The value of the counter TOT_PTC is representative of the total number of input attempts by the user. secret code user. As explained below, the RAM 8 serves as a working memory in which the microprocessor 4 can temporarily store data, such as the values of the counters TOT_PTC and PTC. This data is transferred if necessary from the RAM 8 into the rewritable non-volatile memory 10. The threshold value LMT1 is representative of the maximum number of consecutive missed attempts to enter the secret code by the user while the threshold value LMT2 is representative. the maximum total number of missed attempts to enter the secret code by the user. For example, it is assumed here that LMT1 = 3 and LMT2 = 15, these values being able to be adapted according to needs. FIG. 3 schematically represents modules that can be implemented by the microprocessor 4 executing the program PG1, namely: a module for obtaining a secret code 14, a processing module 16 for a secret code obtained by the module for obtaining 14, a storage module 18 able to store a value of the counter TOT_PTC obtained by the processing module 16, a detection module 20 able to detect an anomaly from the value of the counter TOT_PTC, and a security module 22 capable of performing a security operation of the smart card 2 when such an anomaly is detected. A particular embodiment of the invention is now described with reference to FIG. 4. More specifically, the smart card 2 implements a control method according to a particular embodiment of the invention by executing the program PG1.

It is assumed here that the smart card 2 and the LT reader cooperate together according to the EMV protocol to perform a transaction such as a payment transaction or a banking transaction for example. Other embodiments of the invention are, however, conceivable. It is assumed here that the EMV card 2 is inserted into the reader LT and that the card 2 initiates a dialogue according to the EMV protocol with the reader LT. During a user authentication phase, the external reader LT retrieves a secret code (or PIN code) entered by the user and sends this secret code to the EMV card that receives it in step E2. In this example, obtaining the PIN code is performed using the obtaining module 14 of the EMV card 2 via the external contacts 6.

The EMV2 card then performs a secret code processing, this processing including in particular a verification of the secret code (E10) thus recovered and a management (E4, E8 and E20) of the counter TOT_PTC. In this example, this processing further comprises the management of the PTC counter (E8, E12 and E20) although the implementation of this PTC counter is strictly mandatory to achieve the invention. This treatment is performed using the processing module 16 in the example considered here. The EMV card increments (E4) by 1 by the value of the counter TOT_PTC.

In this example, the value of TOT_PTC thus incremented is recorded (E6) in the RAM 8 of the EMV card 2. The different recordings of the counter TOT_PTC in the RAM 8 or in the rewritable non-volatile memory 10 are made in this example to using the memory module 18.

During a step E8, the EMV card 2 determines whether the value of the counter PTC and the value of the counter TOT_PTC are erroneous. In this example, the EMV card 2: (1) checks whether the value of the PTC counter is strictly greater than the threshold value LMT1, and (2) verifies whether the value of the counter TOT_PTC is strictly greater than the threshold value LMT2. If one of these two checks is positive (ie if PTC> LMT1 or TOT_PTC> LMT2), the EMV card 2 detects an anomaly and returns (E10) a NOK error message to the external reader LT. If, on the contrary, the two checks above (1) and (2) are negative, the EMV card 2 proceeds to step E12 in which it decrements the value of the counter PTC by 1. The card EMV 2 then records (E14) the value thus decremented by the counter PTC in the RAM memory 8 and then transfers (E16) the current value of the counter PTC and the counter TOT_PTC to the non-volatile memory rewritable 10. In this example, this transfer is performed during the same step of writing in the memory 10. The EMV card 2 determines (E18) moreover if the secret code entered by the user and recovered in step E2 is correct. To do this, the EMV card 2 here compares the secret code obtained in E2 with the reference code CREF stored in the memory 10. If the EMV card 2 detects (E18) that there is correspondence between the secret code entered and the CREF reference code, it proceeds to step E20, otherwise it proceeds to step E26. During step E20, the EMV card resets the value of the PTC counter to the threshold value LMT1 and decrements by 1 the value of the counter TOT_PTC so as to cancel the incrementation carried out previously in E4. The counter of TOT_PTC thus returns to the state immediately before the step of incrementing E4.

The card EMV 2 sends (E22) to the reader LT an OK message indicating the success of the verification of the secret code. In addition, the EMV card 2 stores (E24) in the RAM 8 the reset value at E20 of PTC and the value decremented at E20 of TOT_PTC. The EMV card 2 then performs (E124) the transfer of the values of the counters PTC and TOT_PTC from the memory RAM 8 in the memory 10. In this example, this transfer is performed during the same step of writing in the memory 10 .

In step E26 (in the case of the invalid secret code), the EMV card 2 determines (E26) whether the user is authorized to perform a new secret code input test, based on the value of the counter TOT_PTC and that of the PTC meter. To do this, the EMV card 2 checks here whether one of the following two conditions is satisfied: (a) TOT_PTC = LMT2 (b) PTC = 0 If neither of the two conditions (a) and (b) above is satisfied, the EMV card 2 authorizes (E28) a new entry of the secret code by the user. If, on the other hand, at least one of the conditions (a) and (a) above is satisfied, the EMV card 2 detects that there is an anomaly and proceeds to the step E30 during which it performs a treatment. of the anomaly thus detected. Various treatments may be considered as appropriate. The detection of the anomaly carried out in E26 from the values of TOT_PTC and PTC is here carried out using the detection module 20. The processing performed in E30 here constitutes an operation for securing the EMV card 2. This operation of security is here performed using the security module 22. The security operation may include at least one of the following operations: - the reconfiguration of the EMV card 2 so as to restrict its operating capabilities (so by example of blocking the EMV card); the failure of the current transaction with the external reader; and sending to the external reader a security data representative of said anomaly (a message indicating for example that TOT_PTC = LMT2 and / or PTC = 0 as the case). Note that if the secret code entered by the user is detected to be valid at E18, the counter TOT_PTC is decremented by 1 so that the E4-E20 processing performed by the EMV card 2 has the overall effect of keeping the value of the counter TOT_PTC unchanged regardless of the value of the counter TOT_PTC before initiating the treatment E4-E20 in question. On the other hand, if the secret code entered by the user is detected as being erroneous in E18, the counter TOT_PTC is not decremented so that the E4-E18 processing carried out in this case by the EMV card 2 has the overall effect of modify the value of the counter TOT_PTC, that is to say, to decrement by 1 the value of the counter TOT_PTC in the example described here. The overall effect of the E4-E20 treatment on the value of the PTC counter is different. Thus, if the secret code entered by the user is detected as valid in E18, the PTC counter is reset to its maximum value, namely the predetermined value LMT1. In this case, the E4-E20 treatment has the overall effect of not modifying the value of PTC if its value was already at the value LMT1 immediately before initiating the treatment E4-E20 (a special case where the user had realized with successful its previous entry of the secret code), or has the overall effect of modifying the value of PTC if its value was not at the value LMT1 immediately before initiating the processing E4-E20 (special case where at least the previous seizure secret code made by the user was wrong). An example of an algorithm corresponding to steps E2 to E22 is proposed below: / * held in NVM; set during personalization to 3 for example * / byte constant: PIN_TRY_COUNTER_LIMIT; / * held in NVM; set during personalization to 15 for example * / byte or two-byte constant: TOT_PIN_TRY_COUNTER_LIMIT; / * Held in NVM; set of personalization to the value of PIN TRY COUNTER LIMIT * / _ byte or two-byte variable: PTC; / * Held in NVM; set to 0 during personalizaton * / byte variable TOT PTC; get-pin (pin) {++ TOT PTC; if (PTC> PIN_TRY_COUNTER_LIMIT) or (TOT_PTC> TOT PIN TRY COUNTER LIMIT) _ _ _ return NOK; --PTC; / * commit incremented / decremented values to EEPROM / Flash before executing ok (pin) * / if (ok (pin)) f PTC - PIN TRY COUNTER LIMIT; _ _ - TOT PTC; / * commit reinitialized / decremented values to EEPROM after executing ok (pin) * / return OK; else f return TRY AGAIN; In the algorithm example above, NVM means a nonvolatile memory of the smart card. In addition, PIN_TRY_COUNTER_LIMIT is the LMT1 preset value set here at 3, and TOT_PIN_TRY_COUNTER_LIMIT is the LMT2 preset value set here at 15. Furthermore, it will be noted in the above algorithm example that when the PIN is detected as being erroneous in step E18, the algorithm does not check the counters PTC and TOT_PTC as described above in relation to step E26 but simply generates a TRY_AGAIN command inviting the user to perform a new one. entering the secret code. It will be understood that various exemplary embodiments are conceivable. As indicated above, various variants of the embodiment illustrated in FIGS. 2 to 4 can be envisaged within the scope of the invention. In particular, it is possible to decide to modify the value of the counter PTC (in E4) and that of the counter TOT_PTC (in E12) by incrementation or decrementation as appropriate. Those skilled in the art will be able to adapt the embodiment of the invention as a function of the chosen configuration. It will also be understood that the present invention relates mainly to the use of the counter TOT_PTC. It is preferred, however, to also use the PTC counter to monitor the consecutive number of missed secret code entries as explained above. The present invention advantageously makes it possible to improve the protection of a legitimate user of a smart card, of the EMV type, for example, against a fraudulent use aiming in particular at repeatedly testing the secret code of the card 35 (so more or less random depending on the case), taking care to regularly return the card to the legitimate user so that the latter resets the PTC counter by entering the correct secret code during a transaction. The implementation of the PTC meter alone does not protect a user against this type of fraudulent behavior.

The joint use of the PTC counter and TOT_PTC also makes it possible to offer optimal protection against attempts to fraudulently use a smart card, EMV for example. The manner in which the value of the counter TOT_PTC, and if applicable that of the counter PTC, are stored in memory in the EMV card 2 may be adapted by the skilled person as needed. According to a variant illustrated in FIG. 5 of the embodiment described above, the value of the counter PTC and that of the counter TOT_PTC are recorded together during step E16 in the same memory block BC (also called memory page) of the non-volatile memory rewritable 10 of the EMV card 2. Such a memory block BC has for example a memory size of 256 bytes or 64 bytes. Likewise, the value of the counter PTC and that of the counter TOT_PTC are recorded together during the step E24 in a same memory block BC. The recording of the values of TOT_PTC and PTC in the same memory block of the memory 10 makes it possible to improve the security of the management of the counter TOT_PTC. Indeed, it is common to implement in a EMV chip card a security mechanism to check if a write of a value of the PTC counter in the rewritable non-volatile memory has been correctly performed, in order to mitigate any fraud by an attacker. Such a security mechanism comprises, for example, the realization of a so-called "checksum" function on the value of PTC written in the memory 10. Save the values of the counters TOT_PTC and PTC in the same memory block of the rewritable non-volatile memory 10 makes it possible to benefit from the writing of TOT_PTC in the memory 10 of the security mechanism intended to check the good writing of PTC in the memory 10. If the value of the counter TOT_PTC is not written correctly in the memory 10, the mechanism of verification of the writing of the PTC counter can advantageously detect it. In a particular example, it is verified that the writing of TOT_PTC and PTC in the memory 10 has been correctly performed by performing a checksum function only on PTC. According to one variant, the checksum function is performed on both TOT_PTC and PTC as recorded in the memory 10.

Those skilled in the art will understand that the embodiments and variants described above are only non-limiting examples of implementation of the invention. In particular, those skilled in the art may consider any combination of the variants and embodiments described above to meet a particular need.

Claims (17)

REVENDICATIONS1. A method of control implemented by an electronic device (2), said method comprising the steps of: obtaining (E2) a secret code entered by a user; secret code processing, the processing comprising a verification (E18) of the secret code and a management (E4, E8, E20) of a first counter (TOT_PTC); storing (E16) the value of the first counter in a rewritable non-volatile memory (10); characterized in that: if the entered code is detected as false during said verification (E18), the processing step has the effect of modifying the value of the first counter (TOT_PTC) to indicate that the secret code is false; and if the entered code is detected as good during said check (E18), the processing step has the effect of keeping the value of the first counter (TOT_PTC) unchanged regardless of the value of the first counter. The method of claim 1 including detecting (E30) an abnormality from the first counter value (TOT_PTC) when a predetermined condition is satisfied. 3. Method according to claim 2, wherein the predetermined condition defines a threshold value (LMT2), the detection of the anomaly being performed by comparing the current value of the first counter with the threshold value. The method according to claim 3, wherein: each time the code entered is detected as false during said verification (E18), the processing step has the effect of incrementing the value of the first counter (TOT_PTC) to indicate the input of an additional false code, said anomaly being detected when the current value of the first counter is greater than or equal to said threshold value; or whenever the code entered is detected as false during said verification (E18), the processing step has the effect of decrementing the value of the first counter (TOT_PTC) to indicate the input of a false additional code, said anomaly being detected when the current value of the first counter is less than or equal to said threshold value. 5. Method according to any one of claims 2 to 4, comprising, on determining said anomaly, a securing operation (E30) of at least one of the electronic device and an operation with an external terminal (LT) . 6. The method of claim 5, the security operation (E30) comprising at least one of the following operations: reconfiguration of the electronic device (2) so as to restrict its operating capabilities; defeat an operation with the external terminal (LT); and sending to the external terminal (LT) a security data representative of said anomaly. The method of claim 5 or 6, wherein the operation with the external terminal (LT) is a bank transaction. The method of any one of claims 1 to 7, wherein said processing comprises managing a second counter (PTC), comprising the steps of: if the entered code is detected (E18) as false, the processing has the effect of changing the value of the second counter (PTC) to indicate the entry of an additional false code; If the entered code is detected (E18) as good, the treatment has the effect of: modifying the value of the second counter (PTC) so as to reset it to a predetermined constant value when the value of the second counter is different from said predetermined constant value, and 30 o keeping the value of the second counter (PTC) unchanged when the value of the second counter is equal to said predetermined constant value The method according to claim 8, wherein the value of the first counter and the value of the second counter are recorded in a single write operation in the rewritable non-volatile memory (10) of the electronic device. 3 03 082 6 The method according to claim 8, wherein the value of the first counter and the value of the second counter are stored in a same memory block (BC) of the rewritable non-volatile memory (10) of the electronic device. 5 The method of claim 10, wherein each memory block (BC) of the non-volatile rewritable memory (10) contains 256 bytes of memory. A computer program (PG1) comprising instructions for performing the steps of a checking method according to any one of claims 1 to 11 when said program is executed by a processor. 13. A processor-readable recording medium (10) on which is recorded a computer program (PG1) comprising instructions for carrying out the steps of a checking method according to any of claims 1 to 11 15 14. Electronic device (2) comprising: a module (14) for obtaining a secret code entered by a user; a processing module (16) for performing a secret code processing, the processing comprising a secret code check and a management of a first counter (TOT_PTC); a storage module (18) for storing the value of the first counter in a rewritable non-volatile memory of the electronic device; characterized in that: - if the entered code is detected as false by the verification module, the processing has the effect of modifying the value of the first counter to indicate the input of an additional false code; and if the code entered is detected as good by the verification module, the processing has the effect of keeping the value of the first counter unchanged regardless of the value of the first counter. An electronic device according to claim 14, comprising a detection module (20) of an anomaly from the value of the first counter (TOT_PTC) when a predetermined condition is satisfied. 16. An electronic device according to claim 14 or 15, wherein the predetermined condition defines a threshold value (LMT2), the detection module being able to detect the anomaly from a comparison between the value of the first counter and the threshold value. . 17. Electronic device according to any one of claims 14 to 16, the electronic device being a smart card.