hanafee@cory.Berkeley.EDU (Brian Hanafee) (07/20/87)
I can't seem to recall the date, but a while ago there was a front page article in the Wall Street Journal about a man who was ripping off ATMs. It seems that he had the proper machine to generate ATM cards, and he had a number of blanks. He obtained PINs using a very low-tech approach; he looked over people's shoulders when they entered them. Since many people throw away their receipts immediately after a transaction, he was able to glean their account numbers from the trash. Simple. The bank involved was able to catch him because he apparently made some sort of mistake in his copying, but no details were given. The bank involved has also stopped printing account numbers on receipts.

In a recent posting, Fred Ginsburg said that there is a space on most ATM cards for an offset, which is commonly used to adjust PINs when the customer has chosen his or her own PIN. It occurs to me that if this had been the case for any of the cards in the above case, then the man wouldn't have been able to forge the cards correctly, since he wouldn't have known the correct offset. The crucial point is that the card contains information which is never displayed in a human-readable format.

Can anyone out there think of a reason why banks shouldn't automatically generate a random* offset for all their cards? It seems that the technology is already in place and the programs are running. In fact, this seems so simple that I wouldn't be surprised if someone is already doing it. Does anybody have any additional information?

* Please, please, please don't turn this into another discussion on how to generate random numbers. We are not talking about a high-tech attack on a large set of numbers; we are talking about something unpredictable enough so that there is a very low probability of correctly guessing the number before the ATM gets po'd and swallows the (fake) card.
------------------------------------------------------------------------------
My opinions are mine, and I take full responsibility. So there.
(signed) Brian Hanafee !ucbvax!ucbzen!ucbcory!hanafee
outer@utcsri.UUCP (07/23/87)
> Can anyone out there think of a reason why banks shouldn't
> automatically generate a random* offset for all their cards?

Usually the offset is used to >offset< a customer-chosen PIN. So the offset is entirely determined by the PIN the customer chooses. In principle there's nothing to prevent the issuing institution from choosing an assigned PIN at random, computing the natural PIN, and determining the card's offset from the two of them accordingly.

--
Richard Outerbridge <outer@utcsri.UUCP> (416) 961-4757
Payload Deliveries: N 43 39'36", W 79 23'42", Elev. 106.47m.
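
The scheme discussed in this thread (random assigned PIN, natural PIN, offset derived from the two), as an added example that is not part of the original posts. It assumes the digit-wise modulo-10 offset convention and uses HMAC-SHA256 as a stand-in for the issuer's keyed natural-PIN derivation; the key, account number and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

PIN_LEN = 4
BANK_KEY = b"constructed-demo-key"  # constructed; a real key never leaves the issuer

def natural_pin(account, key=BANK_KEY):
    """Deterministic keyed PIN for an account.
    HMAC-SHA256 is a stand-in (assumption) for the issuer's real cipher."""
    digest = hmac.new(key, account.encode(), hashlib.sha256).digest()
    # Drop bytes >= 250 so each decimal digit is equally likely.
    digits = [str(b % 10) for b in digest if b < 250]
    return "".join(digits[:PIN_LEN])

def offset_for(chosen_pin, account):
    """Offset stored on the card: (chosen - natural) mod 10, digit by digit."""
    nat = natural_pin(account)
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen_pin, nat))

def issue_card(account):
    """Issuer assigns a random PIN; the card carries only account and offset."""
    pin = "".join(str(secrets.randbelow(10)) for _ in range(PIN_LEN))
    return pin, {"account": account, "offset": offset_for(pin, account)}

def verify(card, entered_pin):
    """Host check: natural PIN plus the card's offset must equal the entry."""
    nat = natural_pin(card["account"])
    expected = "".join(
        str((int(n) + int(o)) % 10) for n, o in zip(nat, card["offset"])
    )
    return hmac.compare_digest(expected, entered_pin)

def matching_offsets(account, observed_pin):
    """How many of the 10**PIN_LEN possible offsets make a card verify when
    only the account number (receipt) and the PIN (observed) are known."""
    return sum(
        verify({"account": account, "offset": f"{g:0{PIN_LEN}d}"}, observed_pin)
        for g in range(10 ** PIN_LEN)
    )

if __name__ == "__main__":
    pin, card = issue_card("4000123456")  # constructed account number
    print("card offset:", card["offset"], "verifies:", verify(card, pin))
    print("offsets that match:", matching_offsets("4000123456", pin), "of", 10 ** PIN_LEN)
```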