Re: ATM card pins

Simon R Knight (srk@tcp.co.uk)
Thu, 6 Aug 1998 20:22:12 0000

• Next message: Mike Stay: "Re: (getting off topic) Re: ATM card pins"
• Previous message: bram: "Re: RSA chips from Japan?"
• In reply to: Mok-Kong Shen: "Re: RSA chips from Japan?"

> >Yes, but if you have a card reader, you can see that the PIN is in fact on
> >that card, encrypted of course. It was stated in an earlier part of the
> >email.
> >
> >- Jon
> >
> Well there is probably some data on the magstrip which your friend
> can not interpret but in order to conclude that it is the encrypted
> PIN he probably would have to break the "encryption". And he admits
> that he has not done that yet.

If the BS/ISO/ANSI standards provide a field for an encrypted PIN
value, and that field contains a value, then it is quite logical and
reasonable to conclude that a PIN value is present, especially when
an ATM verifies a transaction without going online.

> If you do it properly there is simply no technical reason to store
> the PIN or any other secret information in any form on the mag
> stripe of an ATM card. In the worst case (ATM offline), the ATM has
> to know the PIN generation key. If the ATM operates only online the
> ATM not even has to know the PIN generation key.

There are very good technical reasons why "secret" information has
been stored on the magnetic stripes of (many) bank cards. ATM
transaction verifying was originally conducted offline, and for small
transactions, often still is. The increased use of online PIN
verification is a direct result of the extensive ATM fraud which has
occurred since their original introduction.

The whole ATM system is quite flexible, and can be set up to run in a
number of ways. Secure online verification via leased lines may be
cost effective for a busy high street bank, but not for many remote
branches or poorer countries, and a bank is not going to lose
important customers because one of their ATM's refuse to pay out
while uploading transaction data, or unable to go online. A bank can
write encrypted data to the magnetic stripe that will cause an ATM to
verify a transaction offline for much higher values than are
permitted for ordinary customers, so that the only time an ATM
refuses to pay out to these customers is when it is empty or
out-of-order.

Simon R Knight

• Next message: Mike Stay: "Re: (getting off topic) Re: ATM card pins"
• Previous message: bram: "Re: RSA chips from Japan?"
• In reply to: Mok-Kong Shen: "Re: RSA chips from Japan?"