davidb@pacer.uucp (David Barts) (09/20/90)
john@bovine.ati.com (John Higdon) writes:

> Do you think that he is capturing all those
> PINs in the back room so that he can retire to Tahiti? I would lay
> odds that the merchant does not record your PIN, which is normally
> simply sent along with the rest of the encrypted transaction to the
> banking center or network...

Precisely. If the ATM terminals found in stores are anything like the ATMs in banks, it just encrypts the number on the card and the PIN and sends them off to the bank computer for verification. The merchant has no business knowing what your PIN is -- that is confidential information between you and your bank. The only information that the merchant needs to know is that (a) the PIN you entered is valid, (b) there are sufficient funds in your account to pay for the purchase, and (c) that funds have been successfully transferred to pay for the purchase. If anything, this represents an increase in security over credit cards (with which the merchant gets a slip with your complete credit card number and signature on it -- all the information needed to commit fraud).

The major issue with these devices (and also with virtually any other non-cash method of payment) is what happens to the record of your purchases after the bills have been settled. The technology already exists so that a laser-scan cash register, ATM terminal, and mainframe database could be tied together to keep a detailed record of every item you purchase. (I don't know if it is being done anywhere, but it certainly COULD be.) Who gets access to this information, and what is it used for? Targeting junk-mail advertising (a minor annoyance)? Targeting junk phone calls (a major annoyance)?

Paranoia aside :-), I have never used any of these new ATMs because all the ones in the Seattle area seem to stick you with a surcharge. Paying with a bank card may be more convenient, but only marginally so and the tiny amount of convenience isn't worth the fee for me.

David Barts
Pacer Corporation, Bothell, WA
davidb@pacer.uucp
...!uunet!pilchuck!pacer!davidb
msb@sq.com (Mark Brader) (09/27/90)
> ... the bank stores the encrypted PIN and does a straight match. The
> technique was invented by John Atalla, one of the early Fairchild
> people. Most of the bank PIN pads I have seen have been made by
> Atalla Technovations. The chip performs a one-way (e.g. many-to-one)
> encryption of an arbitrary number of key presses. ...

As noted by someone else, the same technique of storing only the encrypted form is used by UNIX for its password file.

To clarify the above, Atalla's invention was the chip used in ATMs, not the concept of storing the encrypted form. The credit for *that* turns out to go to one of the founders of computing -- it first appears in a book from 1966 or so, by Maurice Wilkes. Wilkes was the leader of the team that produced the early computer -- the first computer, by some people's definition -- called the EDSAC.

Thanks to Dennis Ritchie and Marc Kaufman for helping me locate the above information.

Mark Brader, SoftQuad Inc., Toronto, utzoo!sq!msb, msb@sq.com
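
The store-only-the-one-way-form-and-match idea discussed in the thread above, as an added sketch that is not part of either post. It assumes salted PBKDF2-HMAC-SHA256 as a modern stand-in for the one-way function (it is not the Atalla chip's algorithm or UNIX crypt(3)); the function names, work factor and sample entries are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for this sketch


def one_way(key_presses: str, salt: bytes) -> bytes:
    """Map any number of key presses to a fixed 32-byte digest (many-to-one)."""
    return hashlib.pbkdf2_hmac("sha256", key_presses.encode(), salt, ITERATIONS)


def enroll(key_presses: str, salt: Optional[bytes] = None) -> dict:
    """Build the stored record: salt and digest only, never the entry itself."""
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt, "digest": one_way(key_presses, salt)}


def verify(record: dict, key_presses: str) -> bool:
    """Recompute the one-way form of what was typed and do a straight match."""
    candidate = one_way(key_presses, record["salt"])
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    # Constructed sample entries: a short PIN and a long run of key presses.
    short = enroll("4071")
    long_entry = enroll("9" * 40)
    print(len(short["digest"]), len(long_entry["digest"]))  # same stored size
    print(verify(short, "4071"), verify(short, "4072"))
    # The same entry enrolled twice is stored differently because of the salt.
    print(enroll("4071")["digest"] != short["digest"])
```
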