cash machine PINheads (fwd)

------- start of forwarded message ------- Path: news.suba.com!feeder.chicago.cic.net!wolverine.hq.cic.net!news.neca.com!news.shkoo.com!news1.mpcs.com!hammer.uoregon.edu!arclight.uoregon.edu!news.bbnplanet.com!su-news-hub1.bbnplanet.com!csn!nntp-xfer-1.csn.net!news.hemi.com!news From: Tkil Newsgroups: alt.sysadmin.recovery Subject: cash machine PINheads Date: 16 Jan 1997 11:27:04 -0700 Organization: Scrye.com Lines: 59 Sender: tkil@creepy.scrye.com Approved: yup. Message-ID: References: <5bh6ke$5rr@illuin.demon.co.uk> <5bhhd5$dfv$1@comet3.magicnet.net> NNTP-Posting-Host: ppp2.hemi.com X-Attribution: Tkil X-Newsreader: Red Gnus v0.80/Emacs 19.34 found in http://axion.physics.ubc.ca/atm.html>: A number of security systems were developed, of which two captured most of the market. These were the IBM system, launched in 1979; and the VISA system, which extended it and was introduced shortly afterwards. These systems relate the PIN to the account number in a secret way. The idea is to avoid having a file of PINs, which might be stolen or copied. and to make it possible to check PINs in the ATM itself so as to allow transactions when it is not online to the bank's central computer site. The definitive reference is Meyer and Matyas' huge book Cryptography: a new dimension in computer data security; there is a shorter account in Davies and Price Security for Computer Networks. PINs are calculated as follows. Take the last five significant digits of the account number, and prefix them by eleven digits of validation data. These are often the first eleven digits of the account number; they could also be a function of the card issue date. In any case, the resulting sixteen digit value is input to an encryption algorithm (which for IBM and VISA systems is DES, the US Data Encryption Standard algorithm), and encrypted using a sixteen digit key called the PIN key. The first four digits of the result are decimalised, and the result is called the `Natural PIN'. Many banks just issued the natural PIN to their customers. However, some of them decided that they wished to let their customers choose their own PINs, or to change a PIN if it became known to somebody else. There is therefore a four digit number, called the offset, which is added to the natural PIN to give the PIN which the cusomer must enter at the ATM keyboard. and from http://catless.ncl.ac.uk/Risks/14.76.html>: *The Risks Digest Volume 14: Issue 76* [...] How is it possible to use an EXPIRED card to make $8000 in cash advances? It's possible because the ATM's verification center ONLY checks if the card number is on a list of STOLEN/LOST cards. If the card is not stolen/lost, the verification center then performs a verification check of the information FROM THE CARD ITSELF, not from some other database. So the perpetrators just wrote a new expiration date on the magnetic stripe of their fake card; the ATM verification center verified that the date hadn't yet passed and that was that. my apologies for the useful info, but the "yes it is" "no it isn't" bit was getting even more irritating. both of these items have quite a bit more text to them that makes for interesting reading -- i just excerpted the bits that dealt with where the PIN was verified. t. -- Tkil emacs evangelist, hopelessly hopeless romantic "Like brittle things that break before they bend" -- The Sisters Of Mercy, _Floodland_, "Driven Like The Snow" [1987] ------- end of forwarded message ------- -- ***************** PLEASE TAKE NOTE: In an effort to reduce the amount of junk mail that I receive, I am no longer reading email sent to petro@suba.com. send email to login@encodex.com where login = petro. You send unsoliciated commercial email, and I will kill you.