Brian Mancuso (brianm@cs.bu.edu)
Fri, 7 Aug 1998 11:07:54 -0400 (EDT)
: Chris is right. It is single DES. The PIN is encrypted right in the box
: where the PIN keypad is attached.
Not all banks use this method of PIN authentication, mine in particular.
The PIN of my ATM card must be encoded on my card, for the following
reasons:
Immediately after inserting my card the ATM presents me with a login
(enter-your-pin) screen. If I enter my PIN correctly I immediately
proceed to a screen from which I can initiate ATM transactions. But,
if I enter my PIN incorrectly the login screen immediately indicates
as such and asks me to enter it again; thus, in my case PIN authentication
is decoupled from ATM transactions. If I fail to enter the PIN correctly
three consecutive times the machine eats my card, and I never will have
had the opportunity to make an ATM transaction.
The delay for the ATM to determine if the PIN I entered is incorrect
is for all appearances non-existent (which implies < 255ms, given
human-factors considerations). The delay to process any other ATM
transaction is about 3 seconds, which is a significant difference.
When I go to inquire about my account at a bank branch I am required
to swipe my card and enter my PIN through a small card reader to
authenticate myself. In that instance it requires about 3 seconds
to verify my PIN, so we can deduce that if the PIN verification
at an ATM machine were made on-line that is the delay we would
see if we entered the PIN incorrectly.
Thus, either my PIN (or some transformation thereof) must be encoded
on my card, or the ATM machine has some cache of PINs on board. As my
bank is the 16th largest in the US (BankBoston), controls about
3,000 ATM machines, and requires every one of its customers to have an
ATM card (as a substitute for authentication by bank-book for manual
transactions), I don't think every ATM of the bank has every PIN
of every bank customer cached.
Note that at the supermarket checkout line my card functions as
described by Chris; I am informed that my PIN is incorrect after
the little swiper attempts to commit the transaction. Additionally
people with cards from other banks that use my bank's ATMs seem to
be informed after an attempted transaction that their PIN was
incorrect.
Moreover, I have heard from a reliable source that ATM PINs are
simply stored encrypted on the card by a universal transformation
(like XOR with a constant string), and that one of the ATM system's
vulnerabilities is that if anybody outside the banking community
discovered this universal transformation they could easily obtain
the PIN of any card they had in their possession.
Note that sending the PIN encrypted through the network is less
secure than actually encoding information on the card, anyway. A more
secure method would be a system where f(a * b) = c, where f is a
one-way function, a is stored on a person's ATM card, b is the
person's PIN, and c is stored in the bank's database. The person
inserts their card into the ATM, the ATM reads a from the card and
downloads c from the bank, the person enters their PIN b, the ATM
composes a with b and applies the one-way transformation f, and if
that results in c then the PIN was correct, and if it doesn't match c then
the PIN was incorrect. Even if the encrypted network traffic were
decryptable (because someone bought a DES Cracker) it wouldn't make a
difference because they would only have c which is not invertible to a
and b.
Brian Mancuso
brianm@cs.bu.edu
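The f(a * b) = c scheme sketched in the message, as an added worked example that is not part of the original post and not any bank's actual implementation. The post does not name the one-way function f or say how a and b are composed, so this example assumes SHA-256 over the card value a, a separator, and the PIN b, with a taken to be 16 random bytes written to the card at issuance. The three-strikes lockout models the login screen behaviour the author describes; the enroll/verify/login function names are the example's own.

```python
import hashlib
import hmac
import secrets

# Assumption: f is SHA-256 over "a || separator || b". The post leaves both
# f and the composition operator "*" unspecified.
def f(a: bytes, pin: str) -> bytes:
    """One-way function over the card value a and the PIN b."""
    return hashlib.sha256(a + b"|" + pin.encode("ascii")).digest()


def enroll(pin: str) -> tuple[bytes, bytes]:
    """Card issuance: pick a fresh random a for this card and compute c = f(a * b).

    Returns (a, c). a is written to the card, c is stored in the bank's
    database, and the PIN itself is stored nowhere. Because a is per-card,
    two customers with the same PIN get different c values.
    """
    a = secrets.token_bytes(16)
    return a, f(a, pin)


def verify(a: bytes, entered_pin: str, c: bytes) -> bool:
    """ATM side: recompute f(a * b') from the card's a and the entered PIN b'
    and compare it with the c fetched from the bank. compare_digest runs in
    constant time so the comparison does not leak how many bytes matched."""
    return hmac.compare_digest(f(a, entered_pin), c)


MAX_FAILURES = 3  # the post describes the card being retained after three misses


def login(a: bytes, c: bytes, attempts: list[str]) -> tuple[str, int]:
    """Simulate the decoupled login screen from the post.

    Each PIN entry is checked on its own, before any transaction. Returns
    (outcome, failures) where outcome is "authenticated", "card_retained"
    (three consecutive failures) or "abandoned" (customer walked away).
    """
    failures = 0
    for entered in attempts:
        if verify(a, entered, c):
            return "authenticated", failures
        failures += 1
        if failures >= MAX_FAILURES:
            return "card_retained", failures
    return "abandoned", failures


if __name__ == "__main__":
    # Constructed sample: a customer enrolled with PIN 1234.
    card_a, bank_c = enroll("1234")
    print(login(card_a, bank_c, ["0000", "1234"]))            # ('authenticated', 1)
    print(login(card_a, bank_c, ["0000", "1111", "2222"]))    # ('card_retained', 3)
```

One caveat the post's argument does not address: c is not invertible, but a PIN has only a few thousand possible values, so anyone who obtains both a (readable from the card) and c could recompute f over the whole PIN space. In this design c therefore needs the same protection as a PIN database, and the per-card a only stops a single precomputed table from covering every customer.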
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:10:56