johnl@think.UUCP (John R. Levine) (02/24/88)
In article <8802230101.AA05346@ucbvax.Berkeley.EDU> Patrick_A_Townson@cup.portal.COM writes: >Very curiously, I happen to have an Illinois Bell Calling Card, an AT&T >Calling Card and an MCI Credit Card. The first two have the identical >data on them including the PIN. The MCI card differs only in one respect; >the PIN is different (by a couple digits!). Apparently AT&T assigns all the >PIN's and other details on these, regardless of which OCC (or themself) has >the account. No, actually the local operating company assigns your calling card number, and provides it to AT&T. (This info from my cousin who runs a small telco in Vermont and finds making up the calling card numbers to be a minor pain. The RBOCs provide the info directly, the small companies via a trade group that maintains their data base.) It appears that the various OCCs invent card numbers by themselves, using a scheme which resembles the original, i.e. your 10-digit phone number followed by 4 extra digits except when toll fraud is a problem in which case they make up all 14 digits. If the various long distance companies are really all equally at arms' length from the local telcos, I see no reason why the OCCs couldn't get their calling card numbers from the telcos, so that you would have one calling card number that would work no matther what long distance company a phone exchange happened to route your call to, making life much easier for us who use pay phones in airports. -- John R. Levine, IECC, PO Box 349, Cambridge MA 02238-0349, +1 617 492 3869 { ihnp4 | decvax | cbosgd | harvard | yale }!ima!johnl, Levine@YALE.something Rome fell, Babylon fell, Scarsdale will have its turn. -G. B. Shaw
jgd@gatech.edu (John G. De Armond) (02/02/90)
In article <3386@accuvax.nwu.edu> comcon!roy@uunet.uu.net (Roy M. Silvernail) writes: >> Another interesting fact concerns the insecurity of PINs. We already >> know that the last digit is computed. On most AT&T/BOC cards, the PIN >> starts with a "2". >Alaska PINs don't seem to start with '2', and both of my 4-digit PINs >have different beginning digits. I've gotten several comments on this subject. My comments regarding the pin starting with "2" is as a result of looking at perhaps 50,000 transactions in the 1988 timeframe. The AOS I was contracted to served primarily Georgia and Tennessee. The overwhelming majority of pins from this area started with "2". I'd like to think that the fact that peoples' pins are different now means that someone woke up and realized the exposure. >Does this mean that if I were to compute a 'logically correct' >14-digit CC number, I could slip it by the AOS sleazeballs? (not that >I'm planning it, but.....:-) Yep, sure does. At least with the AOS operators I'm familiar with, they do NOT rent a subscriber database from a carrier or access it. The trick that some have used of placing a test call to AT&T is now clearly not permitted so the algorithm verification is probably all they do. John De Armond, WD4OQC | We can no more blame our loss of freedom on congress- Radiation Systems, Inc. | men than we can prostitution on pimps. Both simply Atlanta, Ga | provide broker services for their customers. emory!rsiatl!jgd | - Dr. W Williams | **I am the NRA**