[sci.crypt] ATM Validations

gins@wlbr.UUCP (Fred Ginsburg) (05/18/87)

There are several validation methods available to the ATM.  A given
ATM might validate different cards in several manners. Any given card
might have several validation methods, and could actually have several
valid PINs (Personal Identification Numbers).

Remote verification is performed when the ATM has no way of knowing
what the PIN is.  When remote verification is performed, the ATM may
validate the PIN right away by sending a special message to the network,
or it may let you go ahead and enter the transaction and get both the
transaction and PIN okayed at the same time. [ The ATM itself is a 
STATE MACHINE.  It is NOT programmed in COBOL!  Some of the newer ones
are programmed in 'C' but use some sort of State Machine design to 
get the transitions performed. ]

The PIN could be sent to the host in encrypted form, by ATM encryption,
and troops, yes it could even be sent in the clear (gadzooks!).  
Validation can be performed at the host by a data base lookup (probably with
some form of one way encryption) or by performing a manipulation based
on the information on the card image itself.

Local PIN verification is performed (generally) by taking the 
PRIMARY ACCOUNT NUMBER, which turns out to be 16 digits, even if you
have to pad it, and running it through DES along with a bank-supplied PINKEY.
This will generate a 16 hex digit number.  If you have a four digit 
PIN the first four digits will be taken.   Now no one out there has
a PIN of '1D4F', so there is a translation of the numbers.  A table lookup
is performed.  While the lookup allows any digit to be converted to any
digit, usually 0-9 stays the same and 'A' to 'F' goes to 0 to 5.  (See, it's
even EASIER to guess the PIN since it is weighted to those lower digits.)

This number we achieved is called the 'Natural PIN'.  If you had an
opportunity to select your own PIN, and the ATM locally validates, you
will have what is called an Offset.  By using modulo addition on each
digit, you will generate your selected PIN.  

An added comment: Some transactions will take 45 seconds to wind their way
through a network.  Since most people enter their PIN correctly why punish
them for two network waits, so the people who screw up will save the time
of having to enter their transaction?

(Note to the person who asked me about the tracks on a card: There are
three defined.  Track 1 contains your name and maybe your account number.
Track 2 contains your account number and maybe expiration date and  
offset; it is used for online processing.  Track 3 contains account information
and information which will allow you to do offline transactions at ATMs).

-Fred-
 
818-706-146

{trwrb,ihnp4}!wlbr!gins
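The local verification scheme Fred describes above (PAN through DES under a bank PIN key, decimalization of the first digits to get the natural PIN, then a stored offset added digit-wise mod 10) as an added worked example in Go. This is not code from the post or from any bank's ATM software. It uses Go's standard crypto/des for the single-DES step; the PIN key, the PAN, the zero-padding convention for short PANs and the "0-9 stay, A-F become 0-5" decimalization table are assumptions chosen for illustration.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Decimalization table from the post: hex digits 0-9 map to themselves,
// A-F map to 0-5.  Indexed by the value of the hex digit.
const decimalizationTable = "0123456789012345"

// PIN length for the post's four-digit case.
const pinLength = 4

// validationBlock packs the PAN into the 8-byte DES input block.  The
// padding rule is an assumption: PANs shorter than 16 digits are
// right-padded with '0'; longer ones and non-digits are rejected.
func validationBlock(pan string) ([]byte, error) {
	if len(pan) > 16 {
		return nil, errors.New("PAN longer than 16 digits")
	}
	for i := 0; i < len(pan); i++ {
		if pan[i] < '0' || pan[i] > '9' {
			return nil, fmt.Errorf("PAN contains non-digit %q", pan[i])
		}
	}
	padded := pan + strings.Repeat("0", 16-len(pan))
	// 16 decimal digits are also 16 hex digits, so hex decoding packs
	// them two per byte into the 8-byte block.
	return hex.DecodeString(padded)
}

// NaturalPIN encrypts the PAN block under an 8-byte single-DES PINKEY,
// takes the first pinLength hex digits of the ciphertext and runs each
// through the decimalization table.
func NaturalPIN(pinKey []byte, pan string) (string, error) {
	block, err := des.NewCipher(pinKey)
	if err != nil {
		return "", err
	}
	in, err := validationBlock(pan)
	if err != nil {
		return "", err
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, in)
	hexDigits := strings.ToUpper(hex.EncodeToString(out)) // 16 hex digits
	var pin strings.Builder
	for _, h := range hexDigits[:pinLength] {
		pin.WriteByte(decimalizationTable[strings.IndexRune("0123456789ABCDEF", h)])
	}
	return pin.String(), nil
}

// digitwise applies (a[i] op b[i]) mod 10 to two equal-length decimal strings.
func digitwise(a, b string, op func(x, y int) int) (string, error) {
	if len(a) != len(b) {
		return "", errors.New("PIN length mismatch")
	}
	var sb strings.Builder
	for i := 0; i < len(a); i++ {
		x, y := int(a[i]-'0'), int(b[i]-'0')
		if x > 9 || y > 9 {
			return "", errors.New("non-decimal PIN digit")
		}
		sb.WriteByte(byte('0' + ((op(x, y)%10)+10)%10))
	}
	return sb.String(), nil
}

// ComputeOffset is what the bank stores (on track 2 or in its database)
// when a customer chooses a PIN: (selected - natural) mod 10 per digit.
func ComputeOffset(selected, natural string) (string, error) {
	return digitwise(selected, natural, func(s, n int) int { return s - n })
}

// ApplyOffset adds the offset back onto the natural PIN, digit-wise mod 10.
func ApplyOffset(natural, offset string) (string, error) {
	return digitwise(natural, offset, func(n, o int) int { return n + o })
}

// VerifyPIN is the ATM's local check: recompute the natural PIN, apply the
// stored offset, and compare with the PIN the customer entered.
func VerifyPIN(pinKey []byte, pan, offset, entered string) bool {
	natural, err := NaturalPIN(pinKey, pan)
	if err != nil {
		return false
	}
	expected, err := ApplyOffset(natural, offset)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(entered), []byte(expected)) == 1
}

func main() {
	// Constructed demo values, not a real key or account number.
	pinKey := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}
	pan := "4000123456789012"
	natural, err := NaturalPIN(pinKey, pan)
	if err != nil {
		panic(err)
	}
	offset, _ := ComputeOffset("2468", natural)
	fmt.Printf("natural PIN %s, offset %s for chosen PIN 2468\n", natural, offset)
	fmt.Println("verify 2468:", VerifyPIN(pinKey, pan, offset, "2468"))
	fmt.Println("verify 1111:", VerifyPIN(pinKey, pan, offset, "1111"))
}
```

Note that the offset is not secret in this design: it only shifts the natural PIN, so anyone holding the PIN key (or the ATM that holds it) can recover the customer's PIN from the card data, and the 0-5 skew that Fred points out comes entirely from the decimalization table, which a bank could replace with a less biased one.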

devine@vianet.UUCP (Bob Devine) (05/19/87)

  The Wall Street Journal on May 18th had an article about someone
who stole $86,000 from New York area ATMs.

  How did he do it?  Well, the article did not give much technical
information (it is the WSJ, after all) but it told of the general
method.  The thief, Robert Post, a recent immigrant from Poland, was
an ex-ATM serviceman who bought a device (article didn't say from whom)
that enabled him to write some information on a blank ATM card.
However, Post didn't quite get the entire code correct, but he did
have a card good enough for months of withdrawals.

  The weakness in the ATM security was its users.  Post would watch a
person enter the PIN.  He would also retrieve any discarded receipt
slips to get their account number.  Using that info, Post would create
a card and extract money from the person's account.

  One bank that was frequently stung was Manufacturers Hanover.  Last
October the bank changed its ATM program to show when a bad card was
being used.  The following morning they captured two of his cards but didn't
get Post.  The same night they nearly got him at one ATM, but he got away.
Minutes later, a bank agent accosted him at the next ATM he tried.  He ran
but police caught him after a few blocks.

  Final paragraph: "He (Post) said in the interview later that he was
dismayed bank officials didn't offer him a consulting job."

Bob Devine