Cory R. King (coryking@azalea.com)
Fri, 21 Aug 1998 14:31:50 -0700
Just a lurker :-)
I was thinking about the whole thread a while back about PIN numbers /
Authentication / Key exchange on ATM machines and was wondering if the
system I am about to present would work very well...
It's actually quite simple:
1. User Enters PIN ## and proceeds to use ATM
2. User completes transaction, ATM now attempts to verify..
3. ATM calls "home base" and sends the account number to the server
4. Server looks up a hash of the users PIN number in database.
5. ATM also generates the hash based on the PIN number the user entered
- From this point forward the server would expect the transaction
to be encrypted using the hash as a key..
- From this point forward the ATM would encrypt the traffic using
the hash it just generated from the users PIN number..
If the user did not enter the right pin number, then the encryption key
would be wrong, the traffic would be gibberish, and the server could not
process/authenticate the user.
The only weak point I could see is Hacker X somehow acquiring the PIN
number database on the server. I'm sure I'm missing more problems, so
flame away!
---------------------------------------------------------------
Cory R. King
- Coming Soon To A Computer Near You - Microsoft Linux99[tm]!!
- Be afraid, Be very afraid..
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:11:00