Jamen Porteus (jporteus@tassie.net.au)
Thu, 06 Aug 1998 09:21:15 +1000
Hi again,
Are we all sure this is not a bank misinformation campaign?
If the pin is not on the card why do the bank need the card back to
change it?
A friend had his pin changed to one of his own choice and they put the
card in a stand-alone reader/writer machine. This was only connected to
240V power and I don't think these banks are up with AC line modems yet,
so their computers don't know of the change.
That explains why the bank say your pin is so secure even they don't
know what it is.
Can anyone else relate to this experience?
I know my girlfriend can.
She lost $1000 from an ATM after someone stole her debit/credit card
with only 3 possible explanations.
1. inside bank job
2. shoulder surfer got the pin, then stole the card
3. smart crim stole the card and deciphered the pin
thanks for the bandwidth
jImbo
Chris Liljenstolpe wrote:
> Greetings,
>
> In all the implementations I am aware of today, the PIN is actually
> stored at the bank in the tandem (i.e. as part of the account info).
> The comms between the ATM and the bank are DES encrypted. There is no
> PIN on the card...
>
> Chris
>
> --On Wednesday, 05 August, 1998, 23:32 +0800 someone claiming to be
> Enzo Michelangeli <em@who.net> scribed:
>
> > At http://www.atalla.com/prod/A4000_network.html , the description
> > mentions DES keys stored in the ATM machine and in the various other
> > nodes involved in the transaction; there is no reference to any
> > on-card encrypted pin. Such creature (encrypted PIN on ABA track 2,
> > in the "Additional Data" field) was indeed mentioned in an old issue
> > of Phrack. However, http://www.idt-net.com/magenc.htm describes a
> > layout of Track 2 where that field seems to be used for a country
> > code.
> >
> > It is possible that in early days of the ATM, when disconnected
> > operations were commonplace, the card contained the PIN encrypted
> > with some fixed key, in order to allow offline verification. Nowadays
> > I see little scope for it.
> >
> > Enzo
> >
> >
> > -----Original Message-----
> > From: Rabid Wombat <wombat@mcfeely.bsfs.org>
> > To: Jamen Porteus <jporteus@tassie.net.au>
> > Cc: CodherPlunks@toad.com <CodherPlunks@toad.com>
> > Date: Wednesday, August 05, 1998 11:00 PM
> > Subject: Re: ATM card pins
> >
> >
> >>
> >> If your PIN is encrypted and stored on your ATM card, they're doing
> >> it wrong.
> >>
> >> -r.w.
> >>
> >> On Wed, 5 Aug 1998, Jamen Porteus wrote:
> >>
> >>> I am sick of getting pushed around by the bank telling me my 'pin'
> >>> number is safer than a signature. What would a bank clerk know?
> >>> Does anyone know anything about pin encryption on banking mag
> >>> stripe cards?
> >>> I believe track 2, ABA standard, but what of the encryption?
> >>> I don't want to use it, I just need some ammunition.
> >>> --
> >>> jImbo
> >>>
> >>>
> >>
> >
>
> --
> Chris Liljenstolpe - Network Engineer, NOC - McMurdo Station Antarctica
> Antarctic Supt. Assoc. - under contract to USAP, Nat. Science Foundation OPP
> mailto:cds@mcmurdo.gov TEL: +1 509 689 6270 FAX: +1 509 689 6293
> PSC 469, Box 700, APO AP 96599-5700 USA Lat: 77 50 53 S Long: 166 40 06 E
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:10:55