cash machine PINheads (fwd)
Petro
petro at suba.com
Fri Jan 17 19:21:11 PST 1997
------- start of forwarded message -------
Path: news.suba.com!feeder.chicago.cic.net!wolverine.hq.cic.net!news.neca.com!news.shkoo.com!news1.mpcs.com!hammer.uoregon.edu!arclight.uoregon.edu!news.bbnplanet.com!su-news-hub1.bbnplanet.com!csn!nntp-xfer-1.csn.net!news.hemi.com!news
From: Tkil <tkil at scrye.com>
Newsgroups: alt.sysadmin.recovery
Subject: cash machine PINheads
Date: 16 Jan 1997 11:27:04 -0700
Organization: Scrye.com
Lines: 59
Sender: tkil at creepy.scrye.com
Approved: yup.
Message-ID: <m3680xfpc7.fsf_-_ at creepy.scrye.com>
References: <E3KH0p.55F at xcski.com> <5bh6ke$5rr at illuin.demon.co.uk> <5bhhd5$dfv$1 at comet3.magicnet.net> <spberry.853431573 at endeavor.ansci.iastate.edu>
NNTP-Posting-Host: ppp2.hemi.com
X-Attribution: Tkil
X-Newsreader: Red Gnus v0.80/Emacs 19.34
found in <URL: http://axion.physics.ubc.ca/atm.html>:
A number of security systems were developed, of which two captured
most of the market. These were the IBM system, launched in 1979;
and the VISA system, which extended it and was introduced shortly
afterwards. These systems relate the PIN to the account number in a
secret way. The idea is to avoid having a file of PINs, which might
be stolen or copied. and to make it possible to check PINs in the
ATM itself so as to allow transactions when it is not online to the
bank's central computer site. The definitive reference is Meyer and
Matyas' huge book Cryptography: a new dimension in computer data
security; there is a shorter account in Davies and Price Security
for Computer Networks.
PINs are calculated as follows. Take the last five significant
digits of the account number, and prefix them by eleven digits of
validation data. These are often the first eleven digits of the
account number; they could also be a function of the card issue
date. In any case, the resulting sixteen digit value is input to an
encryption algorithm (which for IBM and VISA systems is DES, the US
Data Encryption Standard algorithm), and encrypted using a sixteen
digit key called the PIN key. The first four digits of the result
are decimalised, and the result is called the `Natural PIN'.
Many banks just issued the natural PIN to their customers. However,
some of them decided that they wished to let their customers choose
their own PINs, or to change a PIN if it became known to somebody
else. There is therefore a four digit number, called the offset,
which is added to the natural PIN to give the PIN which the cusomer
must enter at the ATM keyboard.
and from <URL: http://catless.ncl.ac.uk/Risks/14.76.html>:
*The Risks Digest Volume 14: Issue 76*
[...] How is it possible to use an EXPIRED card to make $8000 in
cash advances?
It's possible because the ATM's verification center ONLY checks if
the card number is on a list of STOLEN/LOST cards. If the card is
not stolen/lost, the verification center then performs a
verification check of the information FROM THE CARD ITSELF, not
from some other database.
So the perpetrators just wrote a new expiration date on the
magnetic stripe of their fake card; the ATM verification center
verified that the date hadn't yet passed and that was that.
my apologies for the useful info, but the "yes it is" "no it isn't"
bit was getting even more irritating. both of these items have quite
a bit more text to them that makes for interesting reading -- i just
excerpted the bits that dealt with where the PIN was verified.
t.
--
Tkil <tkil at scrye.com> emacs evangelist, hopelessly hopeless romantic
"Like brittle things that break before they bend"
-- The Sisters Of Mercy, _Floodland_, "Driven Like The Snow" [1987]
------- end of forwarded message -------
--
***************** PLEASE TAKE NOTE:
In an effort to reduce the amount of junk mail that I receive, I am no longer
reading email sent to petro at suba.com. send email to login at encodex.com where
login = petro. You send unsoliciated commercial email, and I will kill you.
More information about the cypherpunks-legacy
mailing list