On cryptography@c2.net, cypherpunks@toad.com, and coderpunks@toad.com, Ulrich Kuehn <kuehn@ESCHER.UNI-MUENSTER.DE> wrote:

Liz Taylor:

...

[...] I don't know anything about bank ATMs and the protocols they use, but I presume the PIN is stored on the card single DES encrypted.

As far as I know, here in Germany (maybe also somewhere else) there is not the pin stored on the card. Instead, it is regenerated by the ATM every time using a secret key of the bank. In order to be able to use the ATM card even with ATMs of different banks, there are offsets stored on the card that relate to some commonly used pool keys.

These "offsets" on (German) eurocheque ATM cards can be regarded as the PIN encrypted with some variant of DES CFB[*], using the account number (including the five trailing digits of the "Bankleitzahl", an eight-digit code that identifies the bank that hosts the account, and a single digit card number) as IV. The same encryption key ("pool key") is used for all cards from all banks. [*] (It's an extremely stupid variant of CFB and introduces additional weaknesses, but that is irrelevant in the context of key search.) In fact, the system allows for three pool keys. They correspond to three "offsets" on each ATM card: Offset number 1 is the PIN encrypted under pool key number 1, and so on. I guess this design was chosen to allow changing the pool keys: While pool key number 2 is in use, the other two keys can be replaced by new ones. If there were just one pool key, changing it would immediately invalidate all PINs currently in use. I don't know how many pool keys are used today, and I also don't know whether one of them has have ever been changed. (PIN generation is similar to PIN encryption, but the bank uses its own encryption key. The PIN is computed directly from the DES result, i.e. DES is used in ECB mode.) For a key search, the attackers would need about four or five Eurocheque cards (that is, the data stored on their magnetic stripes) and their PINs. Each attempted PIN decryption results in only four decimal digits, so the attackers would obtain lots of plausible DES keys if they just checked with a single card. When a DES key seems to work for the first card, one must doublecheck if it also works for the second one (usually it won't), etc., which costs some time. One the other hand, because there are several pool keys, the attackers can save a significant amout of time if they just want to find any one of the pool keys. Note that once they know one of the keys, they can easily compute the PIN to any stolen ATM card, which might allow them to buy faster hardware for the rest of the search. (Their bank probably wouldn't lend them money for such a project.) All that is illegal, of course, but it is suspected by some that there are already organizations that have somehow obtained the pool keys (or some of them) -- either by key search, or the keys somehow leaked out. (Not so long ago these pool keys were stored in every ATM, thus there are many possible points of failure.) Each year, there are thousands of cases in Germany where someone claims that his ATM card was stolen and immediately used for large withdrawals. The banks usually claim that either the client is lying (and did the withdrawals himself), or he wrote his PIN down (e.g., on his ATM card). Bodo Moeller <Bodo_Moeller@public.uni-hamburg.de>