RE: (getting off topic) Re: ATM card pins


Vin McLellan (vin@shore.net)
Fri, 7 Aug 1998 01:38:02 -0400


        Daniel R. Oelke wrote:

>>> In fact, if I'm remembering right, the ATM sends the PIN to the bank
>>> encrypted such that the clearing house doesn't see it.

        Chris Liljenstolpe added:

>single DES, just like everything else in the financial world... Each ATM
>has its own key...

        Don't know about current standards, but maybe ten years ago I
researched an ATM fraud scheme, where a maintenance tech for one of the
smaller California-based ATM networks realized that he could take advantage
of a network switch which had been installed in a relay station, secured by
only a default password.

        Then, at least, ATM networks used link encryption (and since no
installed banking protocol changes quickly, I'd bet they still do.) Both
account info and PINs were in the clear at some stage of their processing
in the relay station. Shades of Cisco's Private Doorbell?

        Warstory wrapup: The maintenance tech was able to capture 10s of
thousands of ATM account-number/PIN combs, from hundreds of different
banks. As I recall, this Master Thief then brought in his family and a
score of buddies as accomplices. For their big hit, they decided to use
only ATM cards from Bank of America (apparently to mislead any subsequent
inquiry.) He also managed to borrow one of his company's card encoding
machines to dummy up phony cards. The plan was for the whole crew, maybe 7
or 8 people, to hit BoA ATMs all over the Southwest over a long holiday
weekend.

        The US Secret Service was tipped off by one of his relatives.
(Maybe several of them independently.) When the SS raided the crew's
workshop/hideout, they found thousands of perfectly workable strips of mag
tape glued to appropriately-sized slabs of plastic (probably with the
correct PINs scribbled on each.)

        Suerte,
                _Vin

-----
      Vin McLellan + The Privacy Guild + <vin@shore.net>
  53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
                         -- <@><@> --



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:10:56