Re: ATM card pins


Jon Vincent (jonboy@osiris.ml.org)
Thu, 6 Aug 1998 09:49:16 -0400 (EDT)


I passed this thread onto a friend that knows some stuff about how cards
work. His reply:

"Yes the number is on the card. But it is encrypted. It isn't very
complex encryption though, only 16 or 32 bit. Haven't done a lot of study
on that though. Give me a week and I can probably tell you exactly how
they work. But I am certain the number is on the mag stripe. When I was
in Bloomington, IL I used a little funny stand-alone ATM. Well, when I used
it, it didn't even initiate an outside connection until after I had entered
my PIN and how much money I wanted. It only used a 14.4kbps modem and I
could hear it dial. So unless that thing has a PIN for every bank
account in the world stored on it somewhere, it's on the card. Besides, I
just swiped my card through a reader here at work. The account number is
in plain numbers, the expiration date is in plain numbers, but the PIN
appears to be encrypted. I am guessing no more than 32 bit encryption.
Probably very easy to crack."

- Jon

On Thu, 6 Aug 1998, Chris Liljenstolpe wrote:

> Greetings,
>
> I don't know about outside the US, but my bank can change the PIN w/o
> taking possession of the card, and I can use the card in most foreign ATMs
> I've tried, so I can only assume that it isn't required to be on the card.
>
> Chris
>
>
> --On Thursday, 06 August, 1998, 09:21 +1000 someone claiming to be Jamen
> Porteus <jporteus@tassie.net.au> scribed:
>
> > Hi again,
> > Are we all sure this is not a bank misinformation campaign?
> > If the PIN is not on the card, why do the bank need the card back to
> > change it?
> > A friend had his PIN changed to one of his own choice and they put the
> > card in a stand-alone reader/writer machine. This was only connected to
> > 240V power and I don't think these banks are up with AC line modems yet,
> > so their computers don't know of the change.
> > That explains why the bank say your PIN is so secure even they don't
> > know what it is.
> > Can anyone else relate to this experience?
> > I know my girlfriend can.
> > She lost $1000 from an ATM after someone stole her debit/credit card
> > with only 3 possible explanations.
> > 1. inside bank job
> > 2. shoulder surfer got the PIN, then stole the card
> > 3. smart crim stole the card and deciphered the PIN
> >
> > thanks for the bandwidth
> > jImbo
> >
> > Chris Liljenstolpe wrote:
> >
> >> Greetings,
> >>
> >> In all the implementations I am aware of today, the PIN is actually
> >> stored at the bank in the Tandem (i.e. as part of the account info).
> >> The comms between the ATM and the bank are DES encrypted. There is no
> >> PIN on the card...
> >>
> >> Chris
> >>
> >> --On Wednesday, 05 August, 1998, 23:32 +0800 someone claiming to be
> >> Enzo Michelangeli <em@who.net> scribed:
> >>
> >> > At http://www.atalla.com/prod/A4000_network.html , the description
> >> > mentions DES keys stored in the ATM machine and in the various other
> >> > nodes involved in the transaction; there is no reference to any
> >> > on-card encrypted PIN. Such a creature (encrypted PIN on ABA track 2,
> >> > in the "Additional Data" field) was indeed mentioned in an old issue
> >> > of Phrack. However, http://www.idt-net.com/magenc.htm describes a
> >> > layout of Track 2 where that field seems to be used for a country code.
> >> >
> >> > It is possible that in early days of the ATM, when disconnected
> >> > operations were commonplace, the card contained the PIN encrypted with
> >> > some fixed key, in order to allow offline verification. Nowadays I see
> >> > little scope for it.
> >> >
> >> > Enzo
> >> >
> >> >
> >> > -----Original Message-----
> >> > From: Rabid Wombat <wombat@mcfeely.bsfs.org>
> >> > To: Jamen Porteus <jporteus@tassie.net.au>
> >> > Cc: CodherPlunks@toad.com <CodherPlunks@toad.com>
> >> > Date: Wednesday, August 05, 1998 11:00 PM
> >> > Subject: Re: ATM card pins
> >> >
> >> >
> >> >>
> >> >> If your PIN is encrypted and stored on your ATM card, they're doing it
> >> >> wrong.
> >> >>
> >> >> -r.w.
> >> >>
> >> >> On Wed, 5 Aug 1998, Jamen Porteus wrote:
> >> >>
> >> >>> I am sick of getting pushed around by the bank telling me my 'pin'
> >> >>> number is safer than a signature. What would a bank clerk know?
> >> >>> Does anyone know anything about PIN encryption on banking mag stripe
> >> >>> cards?
> >> >>> I believe track 2, ABA standard, but what of the encryption?
> >> >>> I don't want to use it, I just need some ammunition.
> >> >>> --
> >> >>> jImbo
> >> >>>
> >> >>>
> >> >>
> >> >
> >>
> >> --
> >> Chris Liljenstolpe - Network Engineer, NOC - McMurdo Station Antarctica
> >> Antarctic Supt. Assoc. - under contract to USAP, Nat. Science Foundation OPP
> >> mailto:cds@mcmurdo.gov TEL: +1 509 689 6270 FAX: +1 509 689 6293
> >> PSC 469, Box 700, APO AP 96599-5700 USA Lat: 77 50 53 S Long: 166 40 06 E
> >
> >
>
>
>
> --
> Chris Liljenstolpe - Network Engineer, NOC - McMurdo Station Antarctica
> Antarctic Supt. Assoc. - under contract to USAP, Nat. Science Foundation OPP
> mailto:cds@mcmurdo.gov TEL: +1 509 689 6270 FAX: +1 509 689 6293
> PSC 469, Box 700, APO AP 96599-5700 USA Lat: 77 50 53 S Long: 166 40 06 E
>
>
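
Added example, not part of the original thread: the message above notes that the account number and expiration date sit on the stripe in plain digits, so raw Track 2 data that ends up in a log exposes them. This sketch assumes the ISO/IEC 7813 Track 2 layout (which the thread does not spell out), uses a constructed test card number and log line, and treats the issuer-defined discretionary field as opaque; the function names are made up for illustration.

```python
import re

# Assumed ISO/IEC 7813 Track 2 layout:
#   ';' PAN '=' YYMM service-code(3) discretionary-data '?'
TRACK2 = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

# Constructed sample: well-known test PAN, made-up discretionary digits.
SAMPLE = ";4111111111111111=99121010000012300000?"


def luhn_ok(pan: str) -> bool:
    """Luhn check on the PAN, used to cut false positives on random digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str):
    """Split the first Track 2 string found into its fields, or return None."""
    m = TRACK2.search(raw)
    if not m or not luhn_ok(m.group(1)):
        return None
    pan, yy, mm, service, disc = m.groups()
    return {
        "pan": pan,                 # plain digits on the stripe
        "expiry_yymm": yy + mm,     # plain digits on the stripe
        "service_code": service,
        "discretionary": disc,      # issuer-defined, opaque to this parser
    }


def mask_track2(line: str) -> str:
    """Redact Track 2 data in a log line: keep first 6 / last 4 PAN digits."""
    def repl(m):
        pan = m.group(1)
        if not luhn_ok(pan):
            return m.group(0)       # not a plausible card number, leave it
        return ";" + pan[:6] + "*" * (len(pan) - 10) + pan[-4:] + "=[REDACTED]?"
    return TRACK2.sub(repl, line)


if __name__ == "__main__":
    print(parse_track2(SAMPLE))
    print(mask_track2("1998-08-06 reader01 swipe " + SAMPLE + " ok"))
```
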



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:10:55