From:	texbell!rpp386!scsmo1!tim@cs.utexas.edu  5-DEC-1988 17:58:27
To:	unix-wizards@sem.brl.mil
Subj:	[1070] Re: Here's a *BRILLIANT* password idea!

>But, in the UK at least, if you abort the 'login' attempt after the 2nd
>attempt (there is a button to do this), you get your card back, and can
>then try again immediately.  Thus you have an unlimited number of attempts.
>I have not tried this on a machine in the US.

This will work in the U.S.  Some machines will kick the card out after 3
incorrect tries.  One machine I tried 8 times, it didn't take the card, but
later after the card had been slightly mutated it took it.

I had the number changed on my card,  there was an ibm pc connected to a card
reader.  I typed in the number (on a seperate keypad) and the banker
slid the card back through the card reader.  The pc was _NOT_ connected
to anything.

>This no longer has much to do with Unix.
But it does have to do with money.  How about terminals that have card readers?

The biggest security problem is users that don't think about security problems,
They tell other users their passwords (the don't like using paths to get files)

						Tim Hogard
						tim@scsmo1.uucp
						Soil Conservation Service.

From:	Phil Hughes   5-DEC-1988 17:59:32
To:	unix-wizards@sem.brl.mil
Subj:	[1842] Re: Here's a *BRILLIANT* password idea! (Sarcasm on)

In article <1526@holos0.UUCP>, lbr@holos0.UUCP (Len Reed) writes:
> From article <438@amanue.UUCP>, by jr@amanue.UUCP (Jim Rosenberg):
> = Well surprise:  This exact password system is ***IN USE***!!!  In (are you
> = ready:) ***BANKS***!!!  I am not kidding.  Do you have an Automatic Teller
> = Machine card?  What does your password look like?  Every time I've been given
> = one of those things the password was just 4 digits!!!!!!!

> You have to have physical possession of the card, too, not just knowledge
> of the account number.  

Not really true.  If you are serious about ATM fraud you can buy a mag
stripe writer for about $300.  I used to work for a company that makes
automatic gas station equipment -- stick in your card, punch in your PIN
and pump gas.  We bought a card writer.  I made myself an extra EXCHANGE
card.  Sort of fun.

By the way, track 2 on the cards is the account number.  Most bank
machines either ignore or display track 1.  Rainier Bank locally puts your
name on track one and displays it on the terminal.  Rewrite track 1 and
when you enter your card you can get a nice message like:
	GOOD AFTERNOON YOU ROTTEN CROOK
on the display.  It amuses the people waiting in line behind you.

Now, for a worse story -- as of two years ago every ATM machine in a whole
state would accept a particular 4 digit number as a valid pin for every
card.  Yes, really.  I was doing testing on a controller to hook into
their network and it wasn't getting invalid PIN errors.  As it turned out
there was a bug in our software and it wasn't sending the PIN that was
being entered.  It just happened to be sending the magic PIN for the
network.  Now that was really stupid.
-- 
Phil Hughes, SSC, Inc. P.O. Box 55549, Seattle, WA 98155  (206)FOR-UNIX
    uw-beaver!tikal!ssc!fyl or uunet!pilchuck!ssc!fyl or attmail!ssc!fyl

From:	Ron Natalie   9-DEC-1988 18:50:24
To:	unix-wizards@sem.brl.mil
Subj:	[1171] Re: password security

The cards themselves are easily forged.  Essentially, nothing is
encoded in the stripe that you can't see on the front of the card.
Obviously criminal elements have the ability to forge this information
because well publicised cases of credit cards (which use the same technology)
exist.  When dealing with a machine, it's even easier, the card doesn't
need to look real to the eye, just have the correct data on the stripe.

Even if the PIN records at the bank are relatively secure, there are
many ways that the 4 digit number may be discovered.  Abuse of telephone
credit card numbers (which are essentially just your account number (
phone number) and a 4 digit PIN) inidicate how vulnerable that system
is.  Banks mail PINs (albeit separately from the cards) through the
use of printthrough computer envelopes.  You don't even need to open
these to get the information.   Banks should never send the PINs out.
Here we get to go to the bank to set them.  People should safeguard their
PINs.  Be careful about the guy behind you in line.   Don't write them
down, and if you get to pick your own, don't be so bloody obvious.
I guessed my wifes with little difficulty.

From:	"Michael J. Chinni, SMCAR_CCS_E"   13-DEC-1988 14:23:12
To:	security@pyrite.rutgers.edu
Subj:	[983] [Nathaniel Ingersoll:  ATM passwords (PINs)]

F Y I

----- Forwarded message # 1:

From: Nathaniel Ingersoll 
Subject: ATM passwords (PINs)
Date: 9 Dec 88 19:58:45 GMT
To:       unix-wizards@sem.brl.mil

The way I look at it, all ATM cards (at least all the ones
I've ever run across) do not have their PIN encoded on the card.
When you do a transaction, the following events must happen:
	1) enter card
	2) enter pin
	3) select transaction
	4) success: result of action
	5) failure: notification

Now, if your PIN was encoded on the card, you could be informed of
PIN failure immediately after (2).  However, the ATM waits to
perform all data transfer until it has all necessary information,
so it probably sends whatever you entered for a PIN, your transaction
data, and whatever else, to the remote computer, which then
validates the PIN and transaction.

Make sense?
-- 
Nathaniel Ingersoll
Altos Computer Systems, SJ CA
	...!ucbvax!sun!altos86!nate
	altos86!nate@sun.com

----- End of forwarded messages

From:	"Jonathan I. Kamens"   16-DEC-1988  2:53:42
To:	unix-wizards@sem.brl.mil
Subj:	[937] Re: random passwords (was Re: Worm...)

In article <5598@polya.Stanford.EDU> waters@polya.Stanford.EDU (Jim Waters) writes:

>Actually, I have a 7 digid "secret number," and I believe that 9 is the limit.
>We go to the bank to choose them, so no one else ever sees the number.

Ay, there's the rub....

My bank (BayBanks Boston) allowed me to choose a 7-digit security code
as well.  However, if you watch really closely when typing the 7-digit
code into a BayBanks machine, the screen will flash momentarily after
the fourth digit is entered.

Well, boys and girls, can you guess what that means?  Yes, that's
right, the BayBanks machine is only listening to the first four
digits!  In fact, if you press the enter key after only the first four
digits, the machine merrily accepts your PIN.

Moral of the story: are you *sure* that all seven digits of your PIN
matter to the machine?

(This really has nothing to do with unix.  Sigh.)

  Jonathan Kamens
  MIT Project Athena

From:	Phil Hughes   16-DEC-1988  4:57:26
To:	unix-wizards@sem.brl.mil
Subj:	[998] Re: ATM passwords (PINs)

As dumb as it may seem, here is what really happens on most ATMs (IBM
and Diebold in particular).  It is not, however, the way it works on the
system I worked on.  We figured a reader terminal was smart enough to
figure out what to do next :-)

1. You enter your card and the ATM sends the card number to the network
2. The network tells the ATM to get the PIN
3. The ATM asks for the PIN and waits.  When it gets it, it sends it
   to the network.
4. ...

You get the idea I am sure.  There is a mainframe talking over a serial
line to a bunch of extremely dumb terminals.  The good news is that the
PIN is encrypted at the ATM before it is sent and it is sent in a
different message than the card number.  This means that tapping the
communications line does not give you the necessary information to make a
bogus card and use it in another ATM.
-- 
Phil Hughes, SSC, Inc. P.O. Box 55549, Seattle, WA 98155  (206)FOR-UNIX
    uw-beaver!tikal!ssc!fyl or uunet!pilchuck!ssc!fyl or attmail!ssc!fyl

From:	"Richard A. O'Keefe"   16-DEC-1988  5:00:25
To:	unix-wizards@sem.brl.mil
Subj:	[71] Re: random passwords (was Re: Worm...)

I had a Versatel card (Bank of America) and my PIN was 10 characters.

From:	"Michael J. Chinni, SMCAR_CCS_E"   16-DEC-1988 13:50:25
To:	security@pyrite.rutgers.edu
Subj:	[2573] [ted:  password security]

F Y I

From: ted@nmsu.edu
To: unix-wizards@BRL.MIL
Subject: password security

I would let all of this discussion about pin's and password protection
just slide on by, except for the fact that a friend of mine was
apparently a recent victim of an atm fraud.

The situation was that she went to the bank to make a withdrawal and
they said that her account had only $5 in it.  She objected that
according to her records she had over $700 in the account and that she
had not made any withdrawals recently.  The bank claimed that she had
made 5 withdrawals in one day for virtually the entire amount in the
account, leaving only the minimum in the account.  Upon presentation
with a written complaint, the bank checked the camera for the atm and
found that it had been blocked during the time of the withdrawals in
question.

The bank is currently standing pat on the absolute security of the atm
system and is insisting that they have no obligation to disburse any
of the questioned funds.  Combined with the recent discussion on the
net about the errors that have occurred in atm software and with the
fact that some systems store the pin (or the encrypted pin) on the
card, there is considerable doubt in my mind about whether atm's
provide even minimal levels of security.

My questions for the net are:

1) are account and pin numbers really stored on the card in such a way
that a card can be easily forged (please, no secure details, I just
need enough information to believe you).

2) how autonomous are atm machines?

3) to what degree do atm's record transactions.  I know they record
the account number and amount, but do they record erroneous pin
entries, and do they record the pin number that is actually entered?
Is there enough of an audit trail to substantiate a claim of card
forgery? 

4) are there any publicly available accounts of atm fraud, or
breakdowns in atm security? (the bug mentioned on the net recently
would classify, but did the company involved manage to sufficiently
hush up the problem so that it has effectively been pushed into the
apocrypha of computer security?)

If your reply is not suitable for public dissemination, please reply
by email, usmail or phone.  I will or will not summarize to the net
depending on the wishes of individual respondents.  I will honor
requests for anonymity, but obviously, in the current situation, I
would prefer to find experts in the field whom I can cite.

Thank you.

Ted Dunning
Computing Research Laboratory
New Mexico State University
Las Cruces, New Mexico 88003-0001
ted@nmsu.edu
(505) 646-6221

From:	"Michael J. Chinni, SMCAR_CCS_E"   20-DEC-1988 11:47:18
To:	security@pyrite.rutgers.edu
Subj:	[722] [Cory Kempf:  Re: password security]

F Y I

From: Cory Kempf 
Subject: Re: password security
Date: 8 Dec 88 18:02:18 GMT
To:       unix-wizards@sem.brl.mil

Has anyone ever noticed that most of the ATM machines that are out
there is the real world (at least in the US) have a vertical keypad?

Does anyone really think that it is possible (without being a contortionist)
to prevent the person behind you from seeing as you type in the PIN?

Can anyone come up with a way to make it *easier* for someone else to see
you type in your PIN?

Retorical question time...

	why do most banks NOT use horizontal keypads (as well as other
	security measures)?

GAK
+C
-- 
Cory Kempf
UUCP: encore.com!gloom!cory
	"...it's a mistake in the making."	-KT

From:	"Michael J. Chinni, SMCAR_CCS_E"   20-DEC-1988 12:00:49
To:	security@pyrite.rutgers.edu
Subj:	[1556] [ted:  pins and passwords]

F Y I
Date: Mon, 12 Dec 88 14:03:20 MST
From: ted@nmsu.edu
To: unix-wizards@BRL.MIL
Subject: pins and passwords

After some checking, (and one very good reference) I have found out
that in the case of ATM's serviced by the CIRRUS network:

1) the pin is verified with the issuing bank on every transaction,
although there appears to be room for CIRRUS to interject a false
verification for testing purposes.

2) all data traffic is encrypted with DES with key distribution by
public-key methods.  Lines that go out of service are automatically
replaced by dial-ups as needed, so that tapping could be done without
much chance of detection, but the cost of attacking a 4.8Kbit DES line
is probably not worth the cost (but since atm's send pins and account
numbers directly over the line, you would completely compromise those
accounts).

3) CIRRUS does not apparently support return of account balance.  This
would explain why moving out of your local area (i.e. local banking
group) causes your balance to disappear from the atm summary.

None of this information indicates that the PIN is NOT stored on the
card, only that atm's do not ever have to take the card's word that
the pin is correct.

The information that I have found does not say anything about the
other major atm transaction networks (cash stream and the plus
system), nor does it really say anything about the atm's themselves.

Many thanks to Mark Schuldenfrei for pointing me at the August 85
issue of CACM which had a case study of CIRRUS (really an interview
with one of the honshos).

From:	Troy Landers   17-MAR-1990  2:26:29
To:	misc-security@tektronix.tek.com
Subj:	[1069] Re: Bank card tricks in Toronto

I know it is, at least on some cards.  When I lived in Illinos, the bank
that I used had this little box that resembled one of those automatic
credit card calling thingamagigs.  When I opened my account, they gave
me a card, left me alone in the room (in the vault) and told
me how to use it.  All I did was type my PIN number, press a button, and
"swipe" my card through it.  Voilla, my card was now encoded with my
PIN.  I didn't think about it too much at the time, mostly because
I wasn't aware of all the sneaky things crooks can do, and because I
was a student and didn't have any money to steal anyway :-).  Now I
think I would be more reluctant to use a bank with such a system.
Who knows?

Troy

-------------------------------------------------------------------------------
Troy Landers                                   Sequent Computer Systems Inc.
UUCP:  ...!sequent!tlanders                    15450 S.W. Koll Parkway
Phone: (503) 626-5700 x4491                    Beaverton, Oregon 97006-6063

                  *** My opinions are precisely that! ***

From:	netcom!onymouse@claris.com (John Debert)  17-MAR-1990  2:27:11
To:	misc-security@ames.arc.nasa.gov
Subj:	[440] Re: Bank card tricks in Toronto

Many banks, not-so-long-ago, did record passcodes on the card. That way,
they didn't have to use their computer resources for such piddly things.
Also, access control software was not yet being produced that was reliable.
It was much easier to leave such things up to the ATM. 

A certain American bank still records passcodes in some cards, if not all.
They still use ATM's that expect the passcode to be there.

jd 
onymouse@netcom.UUCP

From:	night@pawl.rpi.edu (Trip Martin)  17-MAR-1990  2:50:37
To:	???
Subj:	[378] Re: Bank card tricks in Toronto

When I got my cash card back in Sept, the bank told me that the access
code was indeed put on the card itself, and implied that this was better
because then no bank records would have the access code.  In fact, they
had my type in my desired access code into a machine which then then ran
the card through.  

Trip Martin
night@pawl.rpi.edu
-- 

Trip Martin
night@pawl.rpi.edu

From:	roeber@portia.caltech.edu  19-MAR-1990 23:14:01
To:	security@pyrite.rutgers.edu
Subj:	[821] Bank card tricks

An article in the Los Angeles Times, about some people who made phony ATM
cards from paper stock and audio magnetic tape, indicates that the PIN
code is not stored on the cards.  The people could program the cards with
bank account numbers, but the security hole that allowed them to steal
money was that one of them, an employee or ex-employee, could reprogram
the PINs in the bank database.  If the PIN was stored on the card, they
could have just picked any number.  However, my bank insists that to
change my PIN they must re-issue my card.  Perhaps there is some type of
encryption/verification going on?

Question: ATMs use phone lines.  Is there any sort of encryption on these
lines, to prevent wiretappers from gleaning valid account/PIN combinations?

Frederick Roeber
roeber@caltech.bitnet
roeber@caltech.edu

From:	Craig Leres   20-MAR-1990  4:30:19
To:	security@rutgers.edu
Subj:	[273] Re: Bank card tricks in Toronto

Quite some time ago, the transaction cards spawned by my bank's ATMs
were changed so that the last two digits of the account number are
printed as XX. This helps protect those people who leave them behind.
(It doesn't help them balance their checkbooks, though.)

		Craig

From:	hollombe%sdcsvax@ttidca.tti.com (The Polymath)  21-MAR-1990  7:56:01
To:	misc-security@sdcsvax.ucsd.edu
Subj:	[1143] Re: Bank card tricks in Toronto

Many teller machines have cameras associated with them.  They can
photograph the person making every transaction.

}Does anyone know if the access code is, in fact, also on the mag
}stripe?

This varies by bank.  While the ANSI standard does give a format for each
of the three tracks on the magnetic strip, in practice each issuing
organization uses proprietary systems.  Putting the card number on track
two is pretty universal.  Track one often includes a repeat of the card
number and the card holder's name, among other things.  Track three is
writable and may include up to date account information.  A few banks are
foolish enough to put the cardholder's PIN on the card -- sometimes
encrypted, sometimes not.  Many systems only look at track two.

I'm not sure what you mean by "access code." The card number includes
fields that identify the issuing bank.

-- 
The Polymath (aka: Jerry Hollombe, M.A., CDP, aka: hollombe@ttidca.tti.com)
Citicorp(+)TTI                                    Illegitimis non
3100 Ocean Park Blvd.   (213) 450-9111, x2483       Carborundum
Santa Monica, CA  90405 {csun | philabs | psivax}!ttidca!hollombe

From:	"Don't have a cow, man!"   23-MAR-1990 16:25:55
To:	security@ohstvma
Subj:	[1030] PIN on Bank Cards (was tricks in Toronto)

A large commercial bank at which I used to bank had a system for "initializing"
and changing one's PIN as follows:
        1.  An administrator's card was swiped into a medium-sized device
            that had an LED screen and numeric keypad.  After entering his/her
            code, the customer's card was "swiped".
        2.  The administrator entered the card/account number.
        3.  The customer entered the desired PIN twice.

Futhermore, American Express offers a program called "Cash Now".  Essentially,
it enables you to withdrawl cash or purchase travelers checks at almost any
ATM around the world.  On more than one occasion, I have forgotten my PIN number
for my AMEX card.  After calling the 800 number, and providing information
about my account (last purchase, etc.), I have been able to change the PIN
over the phone.  Scary, isn't it?

My *guess* is that the PIN is not stored on the Mag strip.  Rather, it is
accessed into the bank/institution's computer.  Just a guess.

Jeffrey Walsh
AEWALSH@FORDMURH