[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

cash machine PINheads (fwd)



------- start of forwarded message -------
Path: news.suba.com!feeder.chicago.cic.net!wolverine.hq.cic.net!news.neca.com!news.shkoo.com!news1.mpcs.com!hammer.uoregon.edu!arclight.uoregon.edu!news.bbnplanet.com!su-news-hub1.bbnplanet.com!csn!nntp-xfer-1.csn.net!news.hemi.com!news
From: Tkil <[email protected]>
Newsgroups: alt.sysadmin.recovery
Subject: cash machine PINheads
Date: 16 Jan 1997 11:27:04 -0700
Organization: Scrye.com
Lines: 59
Sender: [email protected]
Approved: yup.
Message-ID: <[email protected]>
References: <[email protected]> <[email protected]> <[email protected]> <[email protected]>
NNTP-Posting-Host: ppp2.hemi.com
X-Attribution: Tkil
X-Newsreader: Red Gnus v0.80/Emacs 19.34


found in <URL: http://axion.physics.ubc.ca/atm.html>:

   A number of security systems were developed, of which two captured
   most of the market. These were the IBM system, launched in 1979;
   and the VISA system, which extended it and was introduced shortly
   afterwards. These systems relate the PIN to the account number in a
   secret way. The idea is to avoid having a file of PINs, which might
   be stolen or copied. and to make it possible to check PINs in the
   ATM itself so as to allow transactions when it is not online to the
   bank's central computer site. The definitive reference is Meyer and
   Matyas' huge book Cryptography: a new dimension in computer data
   security; there is a shorter account in Davies and Price Security
   for Computer Networks.
   
   PINs are calculated as follows. Take the last five significant
   digits of the account number, and prefix them by eleven digits of
   validation data. These are often the first eleven digits of the
   account number; they could also be a function of the card issue
   date. In any case, the resulting sixteen digit value is input to an
   encryption algorithm (which for IBM and VISA systems is DES, the US
   Data Encryption Standard algorithm), and encrypted using a sixteen
   digit key called the PIN key. The first four digits of the result
   are decimalised, and the result is called the `Natural PIN'.
   
   Many banks just issued the natural PIN to their customers. However,
   some of them decided that they wished to let their customers choose
   their own PINs, or to change a PIN if it became known to somebody
   else. There is therefore a four digit number, called the offset,
   which is added to the natural PIN to give the PIN which the cusomer
   must enter at the ATM keyboard.

and from <URL: http://catless.ncl.ac.uk/Risks/14.76.html>:

   *The Risks Digest Volume 14: Issue 76*

   [...] How is it possible to use an EXPIRED card to make $8000 in
   cash advances?
   
   It's possible because the ATM's verification center ONLY checks if
   the card number is on a list of STOLEN/LOST cards. If the card is
   not stolen/lost, the verification center then performs a
   verification check of the information FROM THE CARD ITSELF, not
   from some other database.
   
   So the perpetrators just wrote a new expiration date on the
   magnetic stripe of their fake card; the ATM verification center
   verified that the date hadn't yet passed and that was that.
   
my apologies for the useful info, but the "yes it is" "no it isn't"
bit was getting even more irritating.  both of these items have quite
a bit more text to them that makes for interesting reading -- i just
excerpted the bits that dealt with where the PIN was verified.

t.
-- 
Tkil <[email protected]> emacs evangelist, hopelessly hopeless romantic
  "Like brittle things that break before they bend"
	-- The Sisters Of Mercy, _Floodland_, "Driven Like The Snow" [1987]
------- end of forwarded message -------

-- 
***************** PLEASE TAKE NOTE:
In an effort to reduce the amount of junk mail that I receive, I am no longer
reading email sent to [email protected]. send email to [email protected] where
login = petro. You send unsoliciated commercial email, and I will kill you.