From:	texbell!rpp386!scsmo1!tim@cs.utexas.edu  5-DEC-1988 17:58:27

To:	unix-wizards@sem.brl.mil

Subj:	[1070] Re: Here's a *BRILLIANT* password idea!



>But, in the UK at least, if you abort the 'login' attempt after the 2nd

>attempt (there is a button to do this), you get your card back, and can

>then try again immediately.  Thus you have an unlimited number of attempts.

>I have not tried this on a machine in the US.



This will work in the U.S.  Some machines will kick the card out after 3

incorrect tries.  One machine I tried 8 times, it didn't take the card, but

later after the card had been slightly mutated it took it.



I had the number changed on my card,  there was an ibm pc connected to a card

reader.  I typed in the number (on a seperate keypad) and the banker

slid the card back through the card reader.  The pc was _NOT_ connected

to anything.



>This no longer has much to do with Unix.

But it does have to do with money.  How about terminals that have card readers?



The biggest security problem is users that don't think about security problems,

They tell other users their passwords (the don't like using paths to get files)



						Tim Hogard

						tim@scsmo1.uucp

						Soil Conservation Service.



From:	Phil Hughes <ssc!fyl@teltone.com>  5-DEC-1988 17:59:32

To:	unix-wizards@sem.brl.mil

Subj:	[1842] Re: Here's a *BRILLIANT* password idea! (Sarcasm on)



In article <1526@holos0.UUCP>, lbr@holos0.UUCP (Len Reed) writes:

> From article <438@amanue.UUCP>, by jr@amanue.UUCP (Jim Rosenberg):

> = Well surprise:  This exact password system is ***IN USE***!!!  In (are you

> = ready:) ***BANKS***!!!  I am not kidding.  Do you have an Automatic Teller

> = Machine card?  What does your password look like?  Every time I've been given

> = one of those things the password was just 4 digits!!!!!!!



> You have to have physical possession of the card, too, not just knowledge

> of the account number.  



Not really true.  If you are serious about ATM fraud you can buy a mag

stripe writer for about $300.  I used to work for a company that makes

automatic gas station equipment -- stick in your card, punch in your PIN

and pump gas.  We bought a card writer.  I made myself an extra EXCHANGE

card.  Sort of fun.



By the way, track 2 on the cards is the account number.  Most bank

machines either ignore or display track 1.  Rainier Bank locally puts your

name on track one and displays it on the terminal.  Rewrite track 1 and

when you enter your card you can get a nice message like:

	GOOD AFTERNOON YOU ROTTEN CROOK

on the display.  It amuses the people waiting in line behind you.



Now, for a worse story -- as of two years ago every ATM machine in a whole

state would accept a particular 4 digit number as a valid pin for every

card.  Yes, really.  I was doing testing on a controller to hook into

their network and it wasn't getting invalid PIN errors.  As it turned out

there was a bug in our software and it wasn't sending the PIN that was

being entered.  It just happened to be sending the magic PIN for the

network.  Now that was really stupid.

-- 

Phil Hughes, SSC, Inc. P.O. Box 55549, Seattle, WA 98155  (206)FOR-UNIX

    uw-beaver!tikal!ssc!fyl or uunet!pilchuck!ssc!fyl or attmail!ssc!fyl



From:	Ron Natalie <ron@ron.rutgers.edu>  9-DEC-1988 18:50:24

To:	unix-wizards@sem.brl.mil

Subj:	[1171] Re: password security



The cards themselves are easily forged.  Essentially, nothing is

encoded in the stripe that you can't see on the front of the card.

Obviously criminal elements have the ability to forge this information

because well publicised cases of credit cards (which use the same technology)

exist.  When dealing with a machine, it's even easier, the card doesn't

need to look real to the eye, just have the correct data on the stripe.



Even if the PIN records at the bank are relatively secure, there are

many ways that the 4 digit number may be discovered.  Abuse of telephone

credit card numbers (which are essentially just your account number (

phone number) and a 4 digit PIN) inidicate how vulnerable that system

is.  Banks mail PINs (albeit separately from the cards) through the

use of printthrough computer envelopes.  You don't even need to open

these to get the information.   Banks should never send the PINs out.

Here we get to go to the bank to set them.  People should safeguard their

PINs.  Be careful about the guy behind you in line.   Don't write them

down, and if you get to pick your own, don't be so bloody obvious.

I guessed my wifes with little difficulty.



From:	"Michael J. Chinni, SMCAR_CCS_E" <mchinni@ardec.arpa>  13-DEC-1988 14:23:12

To:	security@pyrite.rutgers.edu

Subj:	[983] [Nathaniel Ingersoll:  ATM passwords (PINs)]



F Y I



----- Forwarded message # 1:



From: Nathaniel Ingersoll <nate@altos86.uucp>

Subject: ATM passwords (PINs)

Date: 9 Dec 88 19:58:45 GMT

To:       unix-wizards@sem.brl.mil



The way I look at it, all ATM cards (at least all the ones

I've ever run across) do not have their PIN encoded on the card.

When you do a transaction, the following events must happen:

	1) enter card

	2) enter pin

	3) select transaction

	4) success: result of action

	5) failure: notification



Now, if your PIN was encoded on the card, you could be informed of

PIN failure immediately after (2).  However, the ATM waits to

perform all data transfer until it has all necessary information,

so it probably sends whatever you entered for a PIN, your transaction

data, and whatever else, to the remote computer, which then

validates the PIN and transaction.



Make sense?

-- 

Nathaniel Ingersoll

Altos Computer Systems, SJ CA

	...!ucbvax!sun!altos86!nate

	altos86!nate@sun.com



----- End of forwarded messages



From:	"Jonathan I. Kamens" <jik@athena.mit.edu>  16-DEC-1988  2:53:42

To:	unix-wizards@sem.brl.mil

Subj:	[937] Re: random passwords (was Re: Worm...)



In article <5598@polya.Stanford.EDU> waters@polya.Stanford.EDU (Jim Waters) writes:



>Actually, I have a 7 digid "secret number," and I believe that 9 is the limit.

>We go to the bank to choose them, so no one else ever sees the number.



Ay, there's the rub....



My bank (BayBanks Boston) allowed me to choose a 7-digit security code

as well.  However, if you watch really closely when typing the 7-digit

code into a BayBanks machine, the screen will flash momentarily after

the fourth digit is entered.



Well, boys and girls, can you guess what that means?  Yes, that's

right, the BayBanks machine is only listening to the first four

digits!  In fact, if you press the enter key after only the first four

digits, the machine merrily accepts your PIN.



Moral of the story: are you *sure* that all seven digits of your PIN

matter to the machine?



(This really has nothing to do with unix.  Sigh.)



  Jonathan Kamens

  MIT Project Athena



From:	Phil Hughes <ssc!fyl@teltone.com>  16-DEC-1988  4:57:26

To:	unix-wizards@sem.brl.mil

Subj:	[998] Re: ATM passwords (PINs)



As dumb as it may seem, here is what really happens on most ATMs (IBM

and Diebold in particular).  It is not, however, the way it works on the

system I worked on.  We figured a reader terminal was smart enough to

figure out what to do next :-)



1. You enter your card and the ATM sends the card number to the network

2. The network tells the ATM to get the PIN

3. The ATM asks for the PIN and waits.  When it gets it, it sends it

   to the network.

4. ...



You get the idea I am sure.  There is a mainframe talking over a serial

line to a bunch of extremely dumb terminals.  The good news is that the

PIN is encrypted at the ATM before it is sent and it is sent in a

different message than the card number.  This means that tapping the

communications line does not give you the necessary information to make a

bogus card and use it in another ATM.

-- 

Phil Hughes, SSC, Inc. P.O. Box 55549, Seattle, WA 98155  (206)FOR-UNIX

    uw-beaver!tikal!ssc!fyl or uunet!pilchuck!ssc!fyl or attmail!ssc!fyl



From:	"Richard A. O'Keefe" <ok@quintus.com>  16-DEC-1988  5:00:25

To:	unix-wizards@sem.brl.mil

Subj:	[71] Re: random passwords (was Re: Worm...)



I had a Versatel card (Bank of America) and my PIN was 10 characters.



From:	"Michael J. Chinni, SMCAR_CCS_E" <mchinni@ardec.arpa>  16-DEC-1988 13:50:25

To:	security@pyrite.rutgers.edu

Subj:	[2573] [ted:  password security]



F Y I



From: ted@nmsu.edu

To: unix-wizards@BRL.MIL

Subject: password security



I would let all of this discussion about pin's and password protection

just slide on by, except for the fact that a friend of mine was

apparently a recent victim of an atm fraud.



The situation was that she went to the bank to make a withdrawal and

they said that her account had only $5 in it.  She objected that

according to her records she had over $700 in the account and that she

had not made any withdrawals recently.  The bank claimed that she had

made 5 withdrawals in one day for virtually the entire amount in the

account, leaving only the minimum in the account.  Upon presentation

with a written complaint, the bank checked the camera for the atm and

found that it had been blocked during the time of the withdrawals in

question.



The bank is currently standing pat on the absolute security of the atm

system and is insisting that they have no obligation to disburse any

of the questioned funds.  Combined with the recent discussion on the

net about the errors that have occurred in atm software and with the

fact that some systems store the pin (or the encrypted pin) on the

card, there is considerable doubt in my mind about whether atm's

provide even minimal levels of security.



My questions for the net are:



1) are account and pin numbers really stored on the card in such a way

that a card can be easily forged (please, no secure details, I just

need enough information to believe you).



2) how autonomous are atm machines?



3) to what degree do atm's record transactions.  I know they record

the account number and amount, but do they record erroneous pin

entries, and do they record the pin number that is actually entered?

Is there enough of an audit trail to substantiate a claim of card

forgery? 



4) are there any publicly available accounts of atm fraud, or

breakdowns in atm security? (the bug mentioned on the net recently

would classify, but did the company involved manage to sufficiently

hush up the problem so that it has effectively been pushed into the

apocrypha of computer security?)



If your reply is not suitable for public dissemination, please reply

by email, usmail or phone.  I will or will not summarize to the net

depending on the wishes of individual respondents.  I will honor

requests for anonymity, but obviously, in the current situation, I

would prefer to find experts in the field whom I can cite.



Thank you.



Ted Dunning

Computing Research Laboratory

New Mexico State University

Las Cruces, New Mexico 88003-0001

ted@nmsu.edu

(505) 646-6221



From:	"Michael J. Chinni, SMCAR_CCS_E" <mchinni@ardec.arpa>  20-DEC-1988 11:47:18

To:	security@pyrite.rutgers.edu

Subj:	[722] [Cory Kempf:  Re: password security]



F Y I



From: Cory Kempf <cory@gloom.uucp>

Subject: Re: password security

Date: 8 Dec 88 18:02:18 GMT

To:       unix-wizards@sem.brl.mil



Has anyone ever noticed that most of the ATM machines that are out

there is the real world (at least in the US) have a vertical keypad?



Does anyone really think that it is possible (without being a contortionist)

to prevent the person behind you from seeing as you type in the PIN?



Can anyone come up with a way to make it *easier* for someone else to see

you type in your PIN?



Retorical question time...



	why do most banks NOT use horizontal keypads (as well as other

	security measures)?



GAK

+C

-- 

Cory Kempf

UUCP: encore.com!gloom!cory

	"...it's a mistake in the making."	-KT



From:	"Michael J. Chinni, SMCAR_CCS_E" <mchinni@ardec.arpa>  20-DEC-1988 12:00:49

To:	security@pyrite.rutgers.edu

Subj:	[1556] [ted:  pins and passwords]



F Y I

Date: Mon, 12 Dec 88 14:03:20 MST

From: ted@nmsu.edu

To: unix-wizards@BRL.MIL

Subject: pins and passwords



After some checking, (and one very good reference) I have found out

that in the case of ATM's serviced by the CIRRUS network:



1) the pin is verified with the issuing bank on every transaction,

although there appears to be room for CIRRUS to interject a false

verification for testing purposes.



2) all data traffic is encrypted with DES with key distribution by

public-key methods.  Lines that go out of service are automatically

replaced by dial-ups as needed, so that tapping could be done without

much chance of detection, but the cost of attacking a 4.8Kbit DES line

is probably not worth the cost (but since atm's send pins and account

numbers directly over the line, you would completely compromise those

accounts).



3) CIRRUS does not apparently support return of account balance.  This

would explain why moving out of your local area (i.e. local banking

group) causes your balance to disappear from the atm summary.



None of this information indicates that the PIN is NOT stored on the

card, only that atm's do not ever have to take the card's word that

the pin is correct.



The information that I have found does not say anything about the

other major atm transaction networks (cash stream and the plus

system), nor does it really say anything about the atm's themselves.



Many thanks to Mark Schuldenfrei for pointing me at the August 85

issue of CACM which had a case study of CIRRUS (really an interview

with one of the honshos).



From:	Troy Landers <sequent!tlanders@cse.ogi.edu>  17-MAR-1990  2:26:29

To:	misc-security@tektronix.tek.com

Subj:	[1069] Re: Bank card tricks in Toronto



I know it is, at least on some cards.  When I lived in Illinos, the bank

that I used had this little box that resembled one of those automatic

credit card calling thingamagigs.  When I opened my account, they gave

me a card, left me alone in the room (in the vault) and told

me how to use it.  All I did was type my PIN number, press a button, and

"swipe" my card through it.  Voilla, my card was now encoded with my

PIN.  I didn't think about it too much at the time, mostly because

I wasn't aware of all the sneaky things crooks can do, and because I

was a student and didn't have any money to steal anyway :-).  Now I

think I would be more reluctant to use a bank with such a system.

Who knows?



Troy



-------------------------------------------------------------------------------

Troy Landers                                   Sequent Computer Systems Inc.

UUCP:  ...!sequent!tlanders                    15450 S.W. Koll Parkway

Phone: (503) 626-5700 x4491                    Beaverton, Oregon 97006-6063



                  *** My opinions are precisely that! ***



From:	netcom!onymouse@claris.com (John Debert)  17-MAR-1990  2:27:11

To:	misc-security@ames.arc.nasa.gov

Subj:	[440] Re: Bank card tricks in Toronto



Many banks, not-so-long-ago, did record passcodes on the card. That way,

they didn't have to use their computer resources for such piddly things.

Also, access control software was not yet being produced that was reliable.

It was much easier to leave such things up to the ATM. 



A certain American bank still records passcodes in some cards, if not all.

They still use ATM's that expect the passcode to be there.



jd 

onymouse@netcom.UUCP



From:	night@pawl.rpi.edu (Trip Martin)  17-MAR-1990  2:50:37

To:	???

Subj:	[378] Re: Bank card tricks in Toronto



When I got my cash card back in Sept, the bank told me that the access

code was indeed put on the card itself, and implied that this was better

because then no bank records would have the access code.  In fact, they

had my type in my desired access code into a machine which then then ran

the card through.  



Trip Martin

night@pawl.rpi.edu

-- 



Trip Martin

night@pawl.rpi.edu



From:	roeber@portia.caltech.edu  19-MAR-1990 23:14:01

To:	security@pyrite.rutgers.edu

Subj:	[821] Bank card tricks



An article in the Los Angeles Times, about some people who made phony ATM

cards from paper stock and audio magnetic tape, indicates that the PIN

code is not stored on the cards.  The people could program the cards with

bank account numbers, but the security hole that allowed them to steal

money was that one of them, an employee or ex-employee, could reprogram

the PINs in the bank database.  If the PIN was stored on the card, they

could have just picked any number.  However, my bank insists that to

change my PIN they must re-issue my card.  Perhaps there is some type of

encryption/verification going on?



Question: ATMs use phone lines.  Is there any sort of encryption on these

lines, to prevent wiretappers from gleaning valid account/PIN combinations?



Frederick Roeber

roeber@caltech.bitnet

roeber@caltech.edu



From:	Craig Leres <leres@helios.ee.lbl.gov>  20-MAR-1990  4:30:19

To:	security@rutgers.edu

Subj:	[273] Re: Bank card tricks in Toronto



Quite some time ago, the transaction cards spawned by my bank's ATMs

were changed so that the last two digits of the account number are

printed as XX. This helps protect those people who leave them behind.

(It doesn't help them balance their checkbooks, though.)



		Craig



From:	hollombe%sdcsvax@ttidca.tti.com (The Polymath)  21-MAR-1990  7:56:01

To:	misc-security@sdcsvax.ucsd.edu

Subj:	[1143] Re: Bank card tricks in Toronto



Many teller machines have cameras associated with them.  They can

photograph the person making every transaction.



}Does anyone know if the access code is, in fact, also on the mag

}stripe?



This varies by bank.  While the ANSI standard does give a format for each

of the three tracks on the magnetic strip, in practice each issuing

organization uses proprietary systems.  Putting the card number on track

two is pretty universal.  Track one often includes a repeat of the card

number and the card holder's name, among other things.  Track three is

writable and may include up to date account information.  A few banks are

foolish enough to put the cardholder's PIN on the card -- sometimes

encrypted, sometimes not.  Many systems only look at track two.



I'm not sure what you mean by "access code." The card number includes

fields that identify the issuing bank.



-- 

The Polymath (aka: Jerry Hollombe, M.A., CDP, aka: hollombe@ttidca.tti.com)

Citicorp(+)TTI                                    Illegitimis non

3100 Ocean Park Blvd.   (213) 450-9111, x2483       Carborundum

Santa Monica, CA  90405 {csun | philabs | psivax}!ttidca!hollombe



From:	"Don't have a cow, man!" <AEWALSH@fordmurh.bitnet>  23-MAR-1990 16:25:55

To:	security@ohstvma

Subj:	[1030] PIN on Bank Cards (was tricks in Toronto)



A large commercial bank at which I used to bank had a system for "initializing"

and changing one's PIN as follows:

        1.  An administrator's card was swiped into a medium-sized device

            that had an LED screen and numeric keypad.  After entering his/her

            code, the customer's card was "swiped".

        2.  The administrator entered the card/account number.

        3.  The customer entered the desired PIN twice.



Futhermore, American Express offers a program called "Cash Now".  Essentially,

it enables you to withdrawl cash or purchase travelers checks at almost any

ATM around the world.  On more than one occasion, I have forgotten my PIN number

for my AMEX card.  After calling the 800 number, and providing information

about my account (last purchase, etc.), I have been able to change the PIN

over the phone.  Scary, isn't it?



My *guess* is that the PIN is not stored on the Mag strip.  Rather, it is

accessed into the bank/institution's computer.  Just a guess.



Jeffrey Walsh

AEWALSH@FORDMURH

.

