ATM limits.

I'm struggling with the security aspects of this. If one expects a suitable card to work in any ATM world-wide, that implies one global security method used to compare the encrypted PIN stored on the card with that entered by the user. Since I would imagine many criminals can read the magnetic information off a stolen card easily enough, it is only going to take one leak or hack of this encyption method to compromise any and every stolen card. This *seems* an unlikely state of affairs - what am I missing ? There are plenty of Googled references suggesting validation is on-line, but I don't trust everything just because it's on the Internet.

In message , John Laird writes

Nothing, which is why they are switch to chip & pin.

Look back in this group about 6(?) Weeks ago, there was a lengthy discussion.

Even if you know the encryption method, and key, this doesn't mean you can readily decrypt the encrypted PIN, because it would typically be encrypted using what's called a one way trap door function.

What the machine does *not* do is decrypt the stored PIN to compare it with what you type in (in fact it can't), but rather it *encrypts* the PIN you type, and compares the result with what's stored on the card.

They're not just stored as rot-5, you know. :-)

But, with only 10000 possible values, a brute force approach can identify the PIN in an instant.

I always thought the PIN was held only by the bank, and I'm gobsmacked to learn that this is not the case.

Matti

Me too, does this mean that the data on the strip is changed if you change the PIN at a machine?

In message , Matti Lamprhey writes

A common misconception. If fraudulent use is as easy as you apparently think, why is such fraud not widespread?

In message , Blackthorn writes

Yes, in fact it used to be the case that the strip was re-written on exit so as to ensure the daily limit was not exceeded.

"Matti Lamprhey" wrote

How so, when you are locked-out after only 3 incorrect attempts??

Doesn't that effectively amount to the same thing?

Surely if a fraudster had access to the encryption algorithm, it wouldn't take much to encrypt all possible combinations of a 4-digit PIN and compare the results with what was stored on the card. Once he had a match he's know the PIN.

In message , Chris Blunt writes

So why isn't such fraud prevalent then?

FWIR from previous discussions here passim the actual PIN is never changed. what happens is that an offset is cunningly calculated and stored (where? on the card? ) such that the user chosen keyed in value added to the offset re-generates the original PIN..

I am sure that was the case, you could hear the machine doing it. I assumed the strip held a daily balance of withdrawals. I'm talking about the Midland "Autobank" system Ca 1978 (NCR type terminals) which went out of service at 3-30pm every weekday. I assumed this was because the "Operating system" they used wasn't capable of talking to the bank's mainframe at the same time as interfacing with the public and dispensing money. DG

I'm talking about the special hardware used by people who've stolen your card, and just need your PIN in order to use it. They can read the magnetic strip into a PC and use special software to deduce the PIN.

Matti

I think the discussion here refers to the circumstances of a criminal getting a stoled/cloned card and equipped with a computer with a card reader and software of his own.

*IF* he had the encryption algorithm and the key a simple script could try all the posible pins from 0000 to 9999 in a jiffy.

DG

Guess the algorithm and the keys have been successfully kept secret.

I understand that SWIFT encryption/authentication boxes have explosive self destruction features if they are violated.

DG

I believe that's because the PIN, even in an encrypted form, is no longer stored on cards.

It may have been done that way with the early ATMs, but these days, where crooks have access to powerful technology, it would be far too easy to hack the PIN on a card.

john boyle said on 29.05.04:

Because more input than just 4 digits of the PIN go (went?) into the algorithm? Not sure about the UK, but back here the data is no longer on the magstripe anyway, nowadays either the ATM goes online to the issuer or the transaction is declined.

Chris

In message , derek writes

Partly right. It was only on line for a few times a day, in the meantime it stored the transaction data on a cassette (yes, a normal cassette), and also printed the details on a tally roll. Then every so often, it would be 'polled' by the network and it would go on line and send the data. Once or twice a day a 'hotcard' file would be transmitted to the ATM so it could spot those cards that were being badly misused, but most stolen cards were not put on this list due to capacity problems.

What actually happened just after 3.30 was that the staff had to 'balance the till' inside the ATM, force any outstanding data to be transmitted, wait for a response from the mainframe (in Bootle), check the cash, tear off the days tally roll then nip outside and perform a test transaction. During this time the machine would be out of service for a few minutes and would be back working quite quickly. Any subsequent transaction, in those days, would be in the next days work.

One day when I nipped outside somebody got to the ATM before me and as the card came out I could see the word 'Miss' at the beginning of the name, but I wasn't sure. What I was sure about was the person using it wasn't a Miss, he was definitely a Mr. I ran back into the branch and opened up the back of the machine (all this took time cos the front door of the branch was shut and I had to wait whilst somebody opened it from the inside, and it then needed 2 people with different keys to open up an ATM.) We read the account number off the tally roll, luckily it was an account at our own branch, so we could look up the account number and found it belonged to a female. So I ran outside again but the guy had gone. We tried to contact the lady by phone without success (no mobiles in those days) so I wrote a letter to her asking her to contact me immediately without saying why. The next day she phoned in a bit of a worried state and I asked her when she last used her ATM card. She went quiet for a bit and then asked why I wanted to know. I asked her if she had used it at this branch at about 3.36 and 13 seconds pm the previous day, and I got an embarrassed silence. I told her that we knew a man had used her card and obviously knew the number yet she had not reported it lost or that the PIN was compromised. She said, relieved, "Oh thats OK, hes my boyfriend, I asked him to get some money". I advised her that the card had now been stopped because the PIN was obviously compromised and that she could only have a new one if she re-signed the terms and conditions regarding non-disclosure of the PIN. She then asked me how we knew, and I told her that we had some very special technical anti fraud equipment these days..............

In message , Chris Blunt writes

I dont that is correct, weve been through all this before havent we?

There are only two possible answers: a) The card by itself is not enough and an online connection is part of the process of validation. b) The banks have managed to keep the encryption details secret. (This would be no mean feat, and there is still a vulnerability in the ATMs themselves if someone was prepared to ship one away and attempt to reverse-engineer the software inside. One would hope the machines are set up to "lose" key details on power fail, perhaps.)