"CHANGE REFERENCE DATA" is the command for changing password. I think that there is a bug in the specification, which should be improved.
Specifically, the card/token which follows this specification has no way to detect erroneous password input when a part of input is as same as correct password.
The data should have a delimiter or length of input to check input against correct password.
Excerpt of specification
In the section 7.2.3 CHANGE REFERENCE DATA says:
The length of the existing password is known in the card, so that neither a delimiter nor padding for filling up fixed formats is necessary.
It sounds right, but it is not in fact.
A case of longer input for original password
This case is the one I have encountered. Correct password was "123456". I misunderstood it were "12345678".
I tried to change the password with "12345678" as original password input, and "new-password" as new password input.
It should be failed as I entered wrong input for original password, but the token has no way to detect this. That's because the data sent was "12345678new-password" in the protocol.
The result was that, the change of password succeeded, with "78new-password" for new password, which I didn't expected.
Another case of shorter input for original password
This is another possible case. Input for original password is shorter, and the beginning of new password happen to be as same as the end of original password.
Suppose that original password is "abcdefgh". User inputs are, "abcdef" for original password, and "ghostscript" for new password.
This case data to be sent is "abcdefghostscript", and the command will be succeeded with new password of "ostscript".