Other Directory Sites: SeekWonder | Directory Owners Forum
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:10:56
Daniel R. Oelke (Dan.Oelke@aud.alcatel.com)
Thu, 6 Aug 1998 10:50:23 -0500
My knowledge is also US centric, but I know that the protocol used
between ATMs, the clearing houses, and the banks relies on the fact
that the PIN is OK'd by the bank. Some banks with some clearing houses
have procedures that amounts under a certian dollar value can
be ok'd without the banks ok. This means that your PIN isn't checked
in these situations. (FYI - those symbols on your ATM card for Tyme,
Cirrus, Pulse, PLUS, MoneyMaker, etc are all different clearing houses
that get a few cents for every transaction that goes through them.)
If I can, I'll get a copy of the protocol specifications and
webify it for everyone's enjoyment. Yes, I have seen/understood
them and nothing jumped out at me as insecure. I specifically
looked to make sure that the PIN was only held by the bank, and
never given to the clearing houses/ATM. In fact, if I'm remembering
right, the ATM send the PIN to the bank encrypted such that the
clearing house doesn't see it.
Dan
> From CodherPlunks-errors@toad.com Wed Aug 5 22:20:21 1998
> Date: Tue, 4 Aug 1998 02:51:22 -0400 (EDT)
> From: Rabid Wombat <wombat@mcfeely.bsfs.org>
> To: Simon R Knight <srk@tcp.co.uk>
> Cc: CodherPlunks@toad.com
> Subject: (getting off topic) Re: ATM card pins
>
>
> My knowledge is US-centric, but AFAIK, PINs have been centrally
> authenticated for quite a long time (here in US), due to the risks
> associated with storing the PIN on the card. I recently changed the PIN
> on my account, and was not issued a new card.
>
> Your PIN is probably safer than your signature, even if your PIN were on
> the card (unfortunately). Most banks these days use large clearinghouses
> to process checks, and the people doing the clearing are usually
> under-paid, sleep-deprived, working a graveyard-shift second job. I doubt
> your signature is checked closely, and possibly not checked at all.
> (again, US-centric, apologies to the rest of you)
>
> I once wrote a check out to a bank for $2000, and it made it through both
> the bank it was submitted to and the bank it was drawn on as a $20 check.
> I've also had a check clear when I'd forgotten to sign it entirely.
>
> I'd trust a PIN more than I trust signature verification, unless you are
> using an account to process a fairly small number of large denomination
> checks, and have arrangements made with your bank concerning signature
> verification.
>
> The bigger security risk (in the US, anyway), seems to be being abducted
> and taken to a cash machine and forced to withdraw cash. For this reason,
> it is best to keep a seperate "card account", and keep only a small
> amount of cash in it. Keep the rest in another account, which is not
> card-accessible.
>
> Sorry for wandering off-topic ...
>
> -r.w.
>
> On Wed, 5 Aug 1998, Simon R Knight wrote:
>
> > > I am sick of getting pushed around by the bank telling me my 'pin'
> > > number is safer than a signature. What would a bank clerke know.
> > > Does anyone know anything about pin encryption on banking mag stripe
> > > cards? I believe track 2, ABA standard, but what of the encryption?
> > > I don't want to use it, I just need some amunition. -- jImbo
> >
> > The encrypted PIN data is located on track 3, and the encryption
> > algorithm is given as a "private" algorithm determined by the bank.
> > This algorithm can be expected to be stronger than DES, the security
> > weakness of which is understood by the banks. Most PIN verification
> > is carried out directly online to the banks themselves these days
> > (not from a track 3 encrypted value), and ATM's will not pay out
> > money in offline mode. If you are concerned about phantom
> > withdrawals, simply keep a small sum in your "card" account (assuming
> > it is not a credit card), and the remainder in a deposit account to
> > which no card access has ever existed.
> >
> > Simon R Knight
> >
>
--------------------------------------------------------------------------
Dan Oelke - droelke@aud.alcatel.com Alcatel Telecom, Richardson, TX
"Did you ever have the feeling there's a WASKET in your BASKET"
- There's a Wocket in my Pocket by Dr. Seuss
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:10:56