dwp@cci632.uucp (Dana Paxson) (02/01/90)
On the subject of phone credit cards/calling cards: Why is the PIN emblazoned on the AT&T calling card, right there for everyone to see? I've worked on computer password management, and one thing my cohorts and I kept telling people was: Don't put your password in a visible place in written form. I've used bank cards at ATMs, and the banks I have cards for have been uniform in their refusal to put the PIN on the card. But I use the phone card, and Lo! there is my complete access authentication, for anyone to read over my shoulder, or use if the card is found lying somewhere.

Bad enough it is, that the PIN is so short and so structured (see the recent articles on this subject); but why make matters worse by displaying it?

BTW, I once got two bank ATM cards from two different banks, having two different account numbers -- but the identical four-digit PIN! I speculated that maybe the banks bought the passwords (or the algorithm) from the same guy ...

My input: Get the PINs off the cards. If people can't deal with that, they can't deal with bank ATMs either. Furthermore, don't put the PINs IN the cards (magnetically) either. For secure communications, the data channel and the authentication channel should be separate.

Dana Paxson
Systems Architecture

Disclaimer: the opinions expressed above are my very own.
Rich Zellich <zellich@stl-07sima.army.mil> (02/02/90)
Dana Paxson wants to get the PIN off the calling card, for security reasons. It seems to me, that for the great unwashed, who have their real telephone number (as opposed to a billing-only made-up number, as some of the Telecom subscribers do), that the card is the only thing they get that has the PIN.

What they really need to do for these people is take their name and phone number off the card, leaving just the corporate name/logo and the PIN - hopefully these people can remember their own name and number. Since there would then be more room on the front of the card, the calling instructions could be put on the front, in larger type than what is on the back (or the little card that originally came with my first AT&T calling card).

If someone finds a PIN-only card, they would have no way of knowing what number it belonged to, and with no name couldn't look it up, either. If a purse or wallet is stolen, the name would be known, but so many people put their various PINs on a slip of paper in their wallet somewhere anyway, that it probably wouldn't matter.
dave%westmark@uunet.uu.net (Dave Levenson) (02/03/90)
In article <3438@accuvax.nwu.edu>, dwp@cci632.uucp (Dana Paxson) writes:
...
> On the subject of phone credit cards/calling cards:
...
> My input: Get the PINs off the cards. If people can't deal with that,
> they can't deal with bank ATMs either. Furthermore, don't put the
> PINs IN the cards (magnetically) either...

Note: Bank ATM cards, like telco cards, _do_ have your PIN magnetically encoded on the card. It is nice of the banks, however, to have thought of not printing it in a human-readable place on the card.

Dave Levenson                Voice: (201 | 908) 647 0900
Westmark, Inc.               Internet: dave@westmark.uu.net
Warren, NJ, USA              UUCP: {uunet | rutgers | att}!westmark!dave
[The Man in the Mooney]      AT&T Mail: !westmark!dave
tell@oscar.cs.unc.edu (Stephen Tell) (02/04/90)
The original poster (sorry, lost the reference) suggested that calling cards not include the PIN for obvious security reasons.

My Southern Bell (new this past August) card has only my phone number on the front, and a roughened rectangle on the back. The instructions with it suggest writing your PIN in pencil, and then erasing it after you've memorized it.

It seems that security concerns have been addressed in a small but growing number of the places that we comp.dcom.telecom/comp.risks/etc types have been discussing over the years.

Disclaimer: I'm just a satisfied customer. That isn't hard, I used to live in GTE-land.

Steve
"John R. Levine" <johnl@esegue.segue.boston.ma.us> (02/06/90)
In article <3532@accuvax.nwu.edu> dave%westmark@uunet.uu.net (Dave Levenson) writes:
>Note: Bank ATM cards, like telco cards, _do_ have your PIN
>magnetically encoded on the card.

Although that was true for some early ATMs, it's not generally true any more. The number from your card along with the PIN you enter are sent along to the issuing bank for validation. My bank sends out cards with no PIN, then you have to appear in person at the bank once with ID, swipe in your card, then enter your PIN twice and they store it for future use.

The way they pass the number and PIN back to the issuer is similar in concept but not in execution to the way that telco calling cards are done.

By the way, there is no pattern to calling card PINs. Each operating company makes them up any way they want. My cousin who runs the family telco in Vermont used to run a random number generator on his IBM Sys/32. Each time you enter a calling card number, it is validated in the giant distributed calling card data base. My cousin once explained to me how he gets his numbers into the giant data base; for his tiny telco it's a complicated multi-stage process involving a service bureau run, I believe, by the USITA that actually fields the validation requests.

Regards,
John Levine, johnl@esegue.segue.boston.ma.us, {spdcc|ima|lotus}!esegue!johnl
cp@ukc.ac.uk (02/06/90)
Hi.. Can I ask a simple question? What exactly are these calling cards from MCI etc.. ? Are they like credit cards? Cards that store numbers ????

I don't think that this kind of card is in use in England; the closest thing, I guess, we have are the phone cards. These just give you a set amount of units. ie. a 40 unit phone card, costing 4 pounds, will give you that many units in phone use. This was done to stop the vandalism of the pay phones whereby people would try and access the money paid into it.

Thanks
Chris ( cp@ukc.ac.uk )
syd@dsinc.dsi.com (Syd Weinstein) (02/06/90)
dave%westmark@uunet.uu.net (Dave Levenson) writes:
>In article <3438@accuvax.nwu.edu>, dwp@cci632.uucp (Dana Paxson) writes:
>Note: Bank ATM cards, like telco cards, _do_ have your PIN
>magnetically encoded on the card. It is nice of the banks, however,
>to have thought of not printing it in a human-readable place on the
>card.

While in the past, (ten years ago), banks have put the PIN on the card, presently most banks do not. It is indeed a database lookup. The interbank switching systems (Cirrus, Plus, etc.) do indeed pass encrypted messages for verifying accounts and PINs.

Those banks that do put the PIN on the back, for use by off line machines, usually now encrypt it. It is considered too much of a security risk to put the PIN on the card, and also too much trouble to change it, if the customer requests a change.

=====================================================================
Sydney S. Weinstein, CDP, CCP            Elm Coordinator
Datacomp Systems, Inc.                   Voice: (215) 947-9900
syd@DSI.COM or {bpa,vu-vlsi}!dsinc!syd   FAX: (215) 938-0235
psrc@pegasus.att.com (Paul S. R. Chisholm) (02/07/90)
Sorry, this is straying a little off topic.

In article <3532@accuvax.nwu.edu>, dave%westmark@uunet.uu.net (Dave Levenson) writes:
> Note: Bank ATM cards, like telco cards, _do_ have your PIN
> magnetically encoded on the card. It is nice of the banks, however,
> to have thought of not printing it in a human-readable place on the
> card.

The PIN (personal identification number; the "password", so to speak, as compared with the personal account number or PAN, the "login ID") is *NOT* stored on ATM or debit cards, not even in encrypted form. I think a checksum *is* stored, to allow for some off-network validation.

One of the problems banks have with PINs is that people can't remember them . . . so they write them on the card! Great security, huh?

My favorite story about PINs involves Al Brown, a plastic card pioneer who recently retired from AT&T. He went to Japan, where they showed him a plastic card, and proudly told him that the PIN was stored on the card. Al pulled a loop reader out of his pocket, a little gizmo with a sheet of magnetic bubbles (or some such) that make magnetic fields visible. He ran it over the card, passed the card back, and told his hosts what the PIN was! The engineers conferred in a side office, returned after a few minutes, and announced their solution: "Don't give cards to tricky Americans!"

Paul S. R. Chisholm, AT&T Bell Laboratories
att!pegasus!psrc, psrc@pegasus.att.com, AT&T Mail !psrchisholm
I've never been involved with AT&T Calling cards, and I'm *definitely* not speaking for the company, I'm just speaking my mind.
jad@dayton.dhdsc.mn.org (J. Deters) (02/08/90)
> Article <3564@accuvax.nwu.edu>
> From: johnl@esegue.segue.boston.ma.us (John R. Levine)
>In article <3532@accuvax.nwu.edu> dave%westmark@uunet.uu.net (Dave Levenson)
>writes:
>>Note: Bank ATM cards, like telco cards, _do_ have your PIN
>>magnetically encoded on the card.
>Although that was true for some early ATMs, it's not generally true
>any more. The number from your card along with the PIN you enter are
>sent along to the issuing bank for validation. My bank sends out

It is definitely no longer true. I program the Point-Of-Sale equipment for Dayton-Hudson Dept. Stores Co., and have had to do an awful lot with MSR cards these days! With the advent of Electronic Funds Transfer at the point of sale, security became a huge issue (we currently have no plans to implement EFT in the near future, but the latest release of IBM software has it coded.) At the Point Of Sale, IBM sells a special customer 10-key pad and Mag Stripe Reader that encrypts the PIN prior to transmission to the terminal. At no time is the data (PIN) transmitted in the clear (not even to the base unit of the cash register.)

It's a shame that this isn't more widely known. I think that more people might be inclined to trust a system like that iff they knew that their data was secure. Of course, 95% of the people don't care one whit if their PIN is secure, because they're unaware of the consequences of losing it :-).

Oh, as to selecting PINs: My banker just asked me for a number when I signed up for the card. I said, "Just some random number, please." He asked me "How about 6677?" I sighed and got out my pocket calculator (with the random number generator) and gave him four digits. He just gave me this funny look...

J. Deters   INTERNET: jad@dayton.DHDSC.MN.ORG      .\ /.    "Smile -- Cthulu loathes you!"
            UUCP: ...!bungia!dayton!jad           \_____/   ICBM: 44^58'36"N by 93^16'12"W
johnw@gatech.edu (John Wheeler) (02/08/90)
Realizing that this is NOT comp.banking.pins:

In article <3564@accuvax.nwu.edu> johnl@esegue.segue.boston.ma.us (John R. Levine) writes:
>My bank sends out cards with no PIN, then you have to appear in person
>at the bank once with ID, swipe in your card, then enter your PIN twice
>and they store it for future use.

Yeah, but the most unusual I've dealt with, since my bank is out-of-state, is that the bank sends the card out with no PIN, then you are called at home (at NIGHT) by the bank, and you are connected to an automated PIN-select system. You enter up to 10 digits as your PIN, using touch-tones(R). My PIN was usable instantly at the ATM down the street.

/* John Wheeler - Unix/C Systems Designer/Programmer/Administrator/etc...       *
 * Turner Entertainment Networks * Superstation TBS * TNT * Turner Production  *
 * ...!gatech!nanovx!techwood!johnw                (404) TBS-1421               *
 * "the opinions expressed in this program are not necessarily those of TBS"   */
douglas@ddsw1.mcs.com (Douglas Mason) (02/09/90)
In article <3532@accuvax.nwu.edu> dave%westmark@uunet.uu.net (Dave Levenson) writes:
>Note: Bank ATM cards, like telco cards, _do_ have your PIN
>magnetically encoded on the card. It is nice of the banks, however,
>to have thought of not printing it in a human-readable place on the
>card.

Actually, my understanding is that ATM cards do NOT contain the PIN number on them for obvious reasons. I'm not concrete on this because I can't cite my source offhand, but it seems to me that the ATM user enters the PIN number, which is sent downline (encrypted) and a binary (1/0) response is sent back as to whether it was correct or not. The system never sends downline anything to the effect of "The PIN number is NOT xxxx, it is yyyy".

One of the reasons I believe this is that when I use my American Express card in the bank machines, or my Citibank Visa, I can enter a PIN number that was set by me LONG after I had the cards in my possession. ie: there was no way that they could have encoded the PIN number I selected BEFORE I received the cards!

Again, I can't really justify this, but it seems logical...

Douglas T. Mason | douglas@ddsw1.UUCP or dtmason@m-net |
Dave Levenson <dave%westmark@uunet.uu.net> (02/10/90)
In article <3585@accuvax.nwu.edu>, jad@dayton.dhdsc.mn.org (J. Deters) writes:
> >>Note: Bank ATM cards, like telco cards, _do_ have your PIN
> >>magnetically encoded on the card.
>
> >Although that was true for some early ATMs, it's not generally true
> >any more. The number from your card along with the PIN you enter are
> >sent along to the issuing bank for validation. My bank sends out
>
> It is definitely no longer true. I program the Point-Of-Sale
> equipment for Dayton-Hudson Dept. Stores Co., and have had to do an
> awful lot with MSR cards these days!
...

Perhaps it is not true today, but less than a year ago when I was issued a new card, they put it into a machine and handed me a keyboard, telling me to select and enter a PIN. After I did so, the machine apparently updated the mag stripe on the card. In any case, the only external connection to that machine was its power-cord. If it didn't communicate the PIN to anyplace, it must have written it on the card (perhaps encrypted, like the password field in /etc/passwd?)

--
Dave Levenson                Voice: (201 | 908) 647 0900
Westmark, Inc.               Internet: dave@westmark.uu.net
Warren, NJ, USA              UUCP: {uunet | rutgers | att}!westmark!dave
[The Man in the Mooney]      AT&T Mail: !westmark!dave
hrs1@cbnewsi.ATT.COM (herman.r.silbiger) (02/11/90)
In article <3585@accuvax.nwu.edu>, jad@dayton.dhdsc.mn.org (J. Deters) writes:
> Oh, as to selecting PINs: My banker just asked me for a number when I
> signed up for the card. I said, "Just some random number, please."
> He asked me "How about 6677?" I sighed and got out my pocket
> calculator (with the random number generator) and gave him four
> digits. He just gave me this funny look...

That is a very clever solution. Now, if you forget your PIN, all you have to do is get out your calculator, run your random number generator, and there it is :-).

Herman Silbiger
David Tamkin <dattier@chinet.chi.il.us> (02/12/90)
Dave Levenson wrote in <3735@accuvax.nwu.edu> of Volume 10, Issue 91:
| Perhaps it is not true today, but less than a year ago when I was
| issued a new card, they put it into a machine and handed me a
| keyboard, telling me to select and enter a PIN. After I did so, the
| machine apparently updated the mag stripe on the card. In any case,
| the only external connection to that machine was its power-cord. If
| it didn't communicate the PIN to anyplace, it must have written it
| on the card (perhaps encrypted, like the password field in /etc/passwd?)

I've been through that same procedure. The S&L said that the card would be valid in two to three business days. (My family has several accounts with that institution, and I helped my parents go through the procedure as well, so I did this about three times at the same place.) If the PIN was encoded onto the card, even encrypted, it should have been valid immediately. I got the impression that each day's PIN selections from each branch were uploaded to the institution's database at the end of the day and later the institution batched them and uploaded them to the network's database.

David Tamkin   P.O. Box 813   Rosemont, Illinois 60018-0813      | BIX: dattier
dattier@chinet.chi.il.us   (708) 518-6769   (312) 693-0591       | GEnie: D.W.TAMKIN
No two Chinet users agree about this (or anything else).         | CIS: 73720,1570
tell@oscar.cs.unc.edu (Stephen Tell) (02/12/90)
In article <3735@accuvax.nwu.edu> dave%westmark@uunet.uu.net (Dave Levenson) writes:
X-Telecom-Digest: Volume 10, Issue 91, message 7 of 9
>In article <3585@accuvax.nwu.edu>, jad@dayton.dhdsc.mn.org (J. Deters) writes:
>> >>Note: Bank ATM cards, like telco cards, _do_ have your PIN
>> >>magnetically encoded on the card.
>> >Although that was true for some early ATMs, it's not generally true
>> >any more. ...
>> It is definitely no longer true. ....
>Perhaps it is not true today, but less than a year ago when I was
>issued a new card, they put it into a machine and handed me a
>keyboard, telling me to select and enter a PIN. After I did so, the
>machine apparently updated the mag stripe on the card. In any case,
>the only external connection to that machine was its power-cord. If
>it didn't communicate the PIN to anyplace, it must have written it
>on the card (perhaps encrypted, like the password field in /etc/passwd?)

I think encryption is the key (sorry 'bout the pun). Many years ago, my father worked at a bank and as they were installing ATMs and such explained to me that the PIN and account number were dropped together through a trap-door algorithm and the result encoded on the card along with the account number. When you enter your PIN, the same algorithm is applied, and the results compared. Sounds just like /etc/passwd to me.

I won't mention the name of the bank, since he just left the company under a complex set of circumstances. It was, however, in New Jersey, and so might be the bank Dave mentioned.

This has wandered a bit from telecom, but since the answer is relevant to phone cards as well, I thought I would add my $0.02.

Additional telecom trivia: I recently called my parents in NJ on 908-464-XXXX successfully; until then they didn't know which side of the 201/908 split they were on.

Steve Tell   tell@wsmail.cs.unc.edu
CS Grad Student, UNC Chapel Hill.   919-968-1792
Former chief engineer, Duke Union Community Television, Durham, NC.
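The card-resident check Steve describes (a one-way function over PIN and account number, recomputed and compared at the terminal), together with Paul's point that a checksum rather than the PIN is what gets stored, modelled as an added Python example that is not from any poster in this thread. HMAC-SHA256 stands in for the unnamed trap-door algorithm, and the PAN, PIN and issuer key are constructed values; the risk-check function shows why the one-way function must be keyed with a secret that never goes on the stripe.

```python
import hashlib
import hmac
import secrets
from itertools import product

# Constructed sample key (assumption): in a real deployment it lives in the
# issuer's and the ATM's security module and is never written to the stripe.
ISSUER_KEY = b"constructed-issuer-key-not-on-card"


def unkeyed_pvv(pan: str, pin: str) -> str:
    """Naive stripe value: a plain one-way hash of PAN and PIN, no secret."""
    return hashlib.sha256(f"{pan}:{pin}".encode()).hexdigest()[:8]


def keyed_pvv(pan: str, pin: str, key: bytes = ISSUER_KEY) -> str:
    """Keyed stripe value: HMAC over PAN and PIN; the key stays off the card."""
    return hmac.new(key, f"{pan}:{pin}".encode(), hashlib.sha256).hexdigest()[:8]


def encode_card(pan: str, pin: str, key: bytes = ISSUER_KEY) -> dict:
    """What a stand-alone branch encoder writes: the PAN and a verification value,
    never the PIN itself."""
    return {"pan": pan, "pvv": keyed_pvv(pan, pin, key)}


def verify_pin(card: dict, entered_pin: str, key: bytes = ISSUER_KEY) -> bool:
    """Off-line check: recompute from the entered PIN and compare to the stripe."""
    return hmac.compare_digest(keyed_pvv(card["pan"], entered_pin, key), card["pvv"])


def pins_consistent_with_unkeyed_stripe(pan: str, stored: str, digits: int = 4) -> list:
    """Risk check: with no secret key, the stripe contents alone narrow the PIN to
    the (usually one) candidate out of 10**digits that reproduces the stored value.
    That is the weakness a keyed function removes."""
    return ["".join(c) for c in product("0123456789", repeat=digits)
            if unkeyed_pvv(pan, "".join(c)) == stored]


def random_pin(digits: int = 4) -> str:
    """Issuer-side PIN selection from a CSPRNG rather than a teller's suggestion."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


if __name__ == "__main__":
    card = encode_card("4000123412341234", "2468")   # constructed PAN and PIN
    print(card, verify_pin(card, "2468"), verify_pin(card, "6677"))
    print(pins_consistent_with_unkeyed_stripe(
        "4000123412341234", unkeyed_pvv("4000123412341234", "2468")))
```

Two cards issued with the same PIN but different account numbers get different stripe values, so Dana's identical-PIN coincidence would not be visible from the stripes.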