Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!rutgers!sri-spam!ames!ucbcad!zen!cory.Berkeley.EDU!hanafee
From: hanafee@cory.Berkeley.EDU (Brian Hanafee)
Newsgroups: sci.crypt
Subject: Putting two and two together (ATMs)
Message-ID: <3086@zen.berkeley.edu>
Date: Mon, 20-Jul-87 14:58:59 EDT
Article-I.D.: zen.3086
Posted: Mon Jul 20 14:58:59 1987
Date-Received: Wed, 22-Jul-87 00:37:32 EDT
Sender: news@zen.berkeley.edu
Reply-To: hanafee@cory.Berkeley.EDU.UUCP (Brian Hanafee)
Distribution: na
Organization: University of California, Berkeley
Lines: 39
Keywords: ATM, PIN
Summary: Proposal to defeat an attack on ATMs

I can't seem to recall the date, but a while ago there was a front page article in the Wall Street Journal about a man who was ripping off ATMs. It seems that he had the proper machine to generate ATM cards, and he had a number of blanks. He obtained PINs using a very low-tech approach; he looked over people's shoulders when they entered them. Since many people throw away their receipts immediately after a transaction, he was able to glean their account numbers from the trash. Simple. The bank involved was able to catch him because he apparently made some sort of mistake in his copying, but no details were given. The bank involved has also stopped printing account numbers on receipts.

In a recent posting, Fred Ginsburg said that there is a space on most ATM cards for an offset, which is commonly used to adjust PINs when the customer has chosen his or her own PIN. It occurs to me that if this had been the case for any of the cards in the above case, then the man wouldn't have been able to forge the cards correctly, since he wouldn't have known the correct offset. The crucial point is that the card contains information which is never displayed in a human-readable format.

Can anyone out there think of a reason why banks shouldn't automatically generate a random* offset for all their cards? It seems that the technology is already in place and the programs are running. In fact, this seems so simple that I wouldn't be surprised if someone is already doing it. Does anybody have any additional information?

* Please, please, please don't turn this into another discussion on how to generate random numbers. We are not talking about a high-tech attack on a large set of numbers; we are talking about something unpredictable enough so that there is a very low probability of correctly guessing the number before the ATM gets po'd and swallows the (fake) card.

------------------------------------------------------------------------------
My opinions are mine, and I take full responsibility. So there.
(signed) Brian Hanafee
!ucbvax!ucbzen!ucbcory!hanafee
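The offset mechanism the post discusses, written out as an added example (not code from the post or from any bank): the host derives a "natural" PIN from the account number under a secret key, the card carries only the digit-wise offset between that and the PIN actually used, and verification recomputes the natural PIN and adds the offset read from the card. A keyed HMAC decimalised digit by digit stands in for the bank's real derivation function (an assumption for illustration); the account number, key and PINs are constructed values.

```python
import hashlib
import hmac
import secrets

PIN_LENGTH = 4


def natural_pin(account_number: str, pvk: bytes) -> str:
    """Natural PIN for an account under the secret PIN verification key (pvk).
    Assumption: HMAC-SHA256 reduced to decimal digits stands in for the
    bank's actual keyed derivation and decimalisation step."""
    digest = hmac.new(pvk, account_number.encode(), hashlib.sha256).digest()
    return "".join(str(b % 10) for b in digest[:PIN_LENGTH])


def compute_offset(customer_pin: str, account_number: str, pvk: bytes) -> str:
    """Offset written to the card when the customer picks a PIN:
    digit-wise (customer_pin - natural_pin) mod 10."""
    nat = natural_pin(account_number, pvk)
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(customer_pin, nat))


def random_offset() -> str:
    """The post's proposal: every card gets a random offset, so the PIN the
    bank assigns is natural_pin + offset rather than natural_pin alone."""
    return "".join(str(secrets.randbelow(10)) for _ in range(PIN_LENGTH))


def pin_for_offset(account_number: str, offset: str, pvk: bytes) -> str:
    """PIN that matches a given account number and card offset."""
    nat = natural_pin(account_number, pvk)
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))


def verify_pin(account_number: str, card_offset: str, entered_pin: str, pvk: bytes) -> bool:
    """Host-side check per transaction: the PIN typed at the keypad must equal
    natural_pin + offset, where the offset comes from the card's stripe. A card
    that carries the right account number but not the right offset fails here,
    which is why shoulder-surfing the PIN and reading the account number off
    a receipt is not enough to produce a working card."""
    expected = pin_for_offset(account_number, card_offset, pvk)
    return hmac.compare_digest(expected, entered_pin)


if __name__ == "__main__":
    pvk = b"constructed-demo-key"            # constructed, not a real key
    acct = "4000123456789010"                # constructed account number
    off = compute_offset("4821", acct, pvk)  # customer chose 4821
    print("genuine card accepted:", verify_pin(acct, off, "4821", pvk))
    print("forged card (offset 0000) accepted:", verify_pin(acct, "0000", "4821", pvk))
```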