From: Petro <petro@suba.com>
To: cypherpunks@toad.com
Message Hash: 48257d0c17a8ef194111f586c328955fd25c807604ff5e33500b6367b1a6f4b6
Message ID: <199701180321.VAA21345@suba01.suba.com>
Reply To: <E3KH0p.55F@xcski.com>
UTC Datetime: 1997-01-18 03:21:11 UTC
Raw Date: Fri, 17 Jan 1997 19:21:11 -0800 (PST)
From: Petro <petro@suba.com>
Date: Fri, 17 Jan 1997 19:21:11 -0800 (PST)
To: cypherpunks@toad.com
Subject: cash machine PINheads (fwd)
In-Reply-To: <E3KH0p.55F@xcski.com>
Message-ID: <199701180321.VAA21345@suba01.suba.com>
MIME-Version: 1.0
Content-Type: text/plain
------- start of forwarded message -------
Path: news.suba.com!feeder.chicago.cic.net!wolverine.hq.cic.net!news.neca.com!news.shkoo.com!news1.mpcs.com!hammer.uoregon.edu!arclight.uoregon.edu!news.bbnplanet.com!su-news-hub1.bbnplanet.com!csn!nntp-xfer-1.csn.net!news.hemi.com!news
From: Tkil <tkil@scrye.com>
Newsgroups: alt.sysadmin.recovery
Subject: cash machine PINheads
Date: 16 Jan 1997 11:27:04 -0700
Organization: Scrye.com
Lines: 59
Sender: tkil@creepy.scrye.com
Approved: yup.
Message-ID: <m3680xfpc7.fsf_-_@creepy.scrye.com>
References: <E3KH0p.55F@xcski.com> <5bh6ke$5rr@illuin.demon.co.uk> <5bhhd5$dfv$1@comet3.magicnet.net> <spberry.853431573@endeavor.ansci.iastate.edu>
NNTP-Posting-Host: ppp2.hemi.com
X-Attribution: Tkil
X-Newsreader: Red Gnus v0.80/Emacs 19.34
found in <URL: http://axion.physics.ubc.ca/atm.html>:
A number of security systems were developed, of which two captured
most of the market. These were the IBM system, launched in 1979;
and the VISA system, which extended it and was introduced shortly
afterwards. These systems relate the PIN to the account number in a
secret way. The idea is to avoid having a file of PINs, which might
be stolen or copied. and to make it possible to check PINs in the
ATM itself so as to allow transactions when it is not online to the
bank's central computer site. The definitive reference is Meyer and
Matyas' huge book Cryptography: a new dimension in computer data
security; there is a shorter account in Davies and Price Security
for Computer Networks.
PINs are calculated as follows. Take the last five significant
digits of the account number, and prefix them by eleven digits of
validation data. These are often the first eleven digits of the
account number; they could also be a function of the card issue
date. In any case, the resulting sixteen digit value is input to an
encryption algorithm (which for IBM and VISA systems is DES, the US
Data Encryption Standard algorithm), and encrypted using a sixteen
digit key called the PIN key. The first four digits of the result
are decimalised, and the result is called the `Natural PIN'.
Many banks just issued the natural PIN to their customers. However,
some of them decided that they wished to let their customers choose
their own PINs, or to change a PIN if it became known to somebody
else. There is therefore a four digit number, called the offset,
which is added to the natural PIN to give the PIN which the cusomer
must enter at the ATM keyboard.
and from <URL: http://catless.ncl.ac.uk/Risks/14.76.html>:
*The Risks Digest Volume 14: Issue 76*
[...] How is it possible to use an EXPIRED card to make $8000 in
cash advances?
It's possible because the ATM's verification center ONLY checks if
the card number is on a list of STOLEN/LOST cards. If the card is
not stolen/lost, the verification center then performs a
verification check of the information FROM THE CARD ITSELF, not
from some other database.
So the perpetrators just wrote a new expiration date on the
magnetic stripe of their fake card; the ATM verification center
verified that the date hadn't yet passed and that was that.
my apologies for the useful info, but the "yes it is" "no it isn't"
bit was getting even more irritating. both of these items have quite
a bit more text to them that makes for interesting reading -- i just
excerpted the bits that dealt with where the PIN was verified.
t.
--
Tkil <tkil@scrye.com> emacs evangelist, hopelessly hopeless romantic
"Like brittle things that break before they bend"
-- The Sisters Of Mercy, _Floodland_, "Driven Like The Snow" [1987]
------- end of forwarded message -------
--
***************** PLEASE TAKE NOTE:
In an effort to reduce the amount of junk mail that I receive, I am no longer
reading email sent to petro@suba.com. send email to login@encodex.com where
login = petro. You send unsoliciated commercial email, and I will kill you.
Return to January 1997
Return to “Petro <petro@suba.com>”
Unknown thread root