Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!rutgers!sri-spam!ames!ucbcad!zen!cory.Berkeley.EDU!hanafee
From: hanafee@cory.Berkeley.EDU (Brian Hanafee)
Newsgroups: sci.crypt
Subject: Putting two and two together (ATMs)
Message-ID: <3086@zen.berkeley.edu>
Date: Mon, 20-Jul-87 14:58:59 EDT
Article-I.D.: zen.3086
Posted: Mon Jul 20 14:58:59 1987
Date-Received: Wed, 22-Jul-87 00:37:32 EDT
Sender: news@zen.berkeley.edu
Reply-To: hanafee@cory.Berkeley.EDU.UUCP (Brian Hanafee)
Distribution: na
Organization: University of California, Berkeley
Lines: 39
Keywords: ATM, PIN
Summary: Proposal to defeat an attack on ATMs


	I can't seem to recall the date, but a while ago there was a front
page article in the Wall Street Journal about a man who was ripping off
ATMs.  It seems that he had the proper machine to generate ATM cards, and
he had a number of blanks.  He obtained PINs using a very low-tech approach;
he looked over people's shoulders when they entered them.  Since many people
throw away their receipts immediately after a transaction, he was able to
glean their account numbers from the trash.  Simple.  The bank involved was
able to catch him because he apparently made some sort of mistake in his
copying, but no details were given.  The bank involved has also stopped
printing account numbers on receipts.

	In a recent posting, Fred Ginsburg said that there is a space on
most ATM cards for an offset, which is commonly used to adjust PINs when
the customer has chosen his or her own PIN.  It occurs to me that if this
had been the case for any of the cards in the above case, then the man
wouldn't have been able to forge the cards correctly, since he wouldn't
have known the correct offset.  The crucial point is that the card contains
information which is never displayed in a human-readable format.

	Can anyone out there think of a reason why banks shouldn't 
automatically generate a random* offset for all their cards?  It seems
that the technology is already in place and the programs are running.
In fact, this seems so simple that I wouldn't be surprised if someone
is already doing it.  Does anybody have any additional information?



*  Please, please, please don't turn this into another discussion on how
to generate random numbers.  We are not talking about a high-tech attack
on a large set of numbers; we are talking about something unpredictable
enough so that there is a very low probability of correctly guessing
the number before the ATM gets po'd and swallows the (fake) card.


------------------------------------------------------------------------------
My opinions are mine, and I take full responsibility.  So there.
				(signed) Brian Hanafee
!ucbvax!ucbzen!ucbcory!hanafee
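The following is an added worked example, not code from Hanafee's post and not any bank's actual implementation. It models the two ideas in the post: a card-resident PIN offset that adjusts a bank-derived "natural" PIN (the mechanism Ginsburg described), and Hanafee's proposal to give every card a random offset. The scheme's shape (a keyed transform of the account number, decimalised to PIN digits, plus a digit-wise offset) is borrowed from the classic IBM 3624 offset method; the choice of HMAC-SHA256 as the keyed transform, 4-digit PINs, a three-try lockout, and all account numbers and keys are assumptions constructed for the example. It shows why the forger in the WSJ story, who had the account number from a receipt and the PIN from shoulder-surfing, would still fail verification with a cloned card that lacks the right offset.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PIN_LEN = 4      # assumption: 4-digit PINs and 4-digit offsets
MAX_TRIES = 3    # assumption: the ATM keeps the card after this many bad PINs


def natural_pin(account_number: str, verification_key: bytes) -> str:
    """Bank-side 'natural' PIN derived from the account number under a secret key.

    The shape (keyed transform, then decimalise to PIN_LEN digits) follows the
    IBM 3624 method; HMAC-SHA256 is this example's own choice. The toy
    decimalisation (hex nibble mod 10) is slightly biased and is for illustration only.
    """
    digest = hmac.new(verification_key, account_number.encode(), hashlib.sha256).hexdigest()
    return "".join(str(int(c, 16) % 10) for c in digest)[:PIN_LEN]


def apply_offset(natural: str, offset: str) -> str:
    """Customer PIN = natural PIN + offset, digit-wise mod 10."""
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))


def compute_offset(natural: str, chosen_pin: str) -> str:
    """Offset written to the card when the customer picks their own PIN."""
    return "".join(str((int(c) - int(n)) % 10) for n, c in zip(natural, chosen_pin))


def random_offset() -> str:
    """Hanafee's proposal: an unpredictable offset for every card, chosen PIN or not."""
    return "".join(str(secrets.randbelow(10)) for _ in range(PIN_LEN))


def issue_card(account_number: str, key: bytes, chosen_pin: Optional[str] = None):
    """Return (card_record, pin_to_tell_customer).

    The card record is what the stripe would carry: the account number, which
    also appears on receipts, and the offset, which is never printed anywhere.
    """
    natural = natural_pin(account_number, key)
    if chosen_pin is None:
        offset = random_offset()
        pin = apply_offset(natural, offset)
    else:
        offset = compute_offset(natural, chosen_pin)
        pin = chosen_pin
    return {"account": account_number, "offset": offset}, pin


def verify_pin(card: dict, entered_pin: str, key: bytes) -> bool:
    """Host-side check: recompute the expected PIN from stripe data and compare."""
    expected = apply_offset(natural_pin(card["account"], key), card["offset"])
    return hmac.compare_digest(expected, entered_pin)


def forgery_succeeds(account_number: str, observed_pin: str, key: bytes,
                     offset_guess: str = "0" * PIN_LEN) -> bool:
    """Model the WSJ case: the forger knows the account number (from a receipt)
    and the PIN (shoulder-surfed) but not the offset, so the clone carries a guess."""
    forged_card = {"account": account_number, "offset": offset_guess}
    return verify_pin(forged_card, observed_pin, key)


def guess_success_probability(tries: int = MAX_TRIES) -> float:
    """Chance that `tries` uniform offset guesses include the right one before the
    ATM swallows the card (the footnote's 'very low probability')."""
    return 1.0 - (1.0 - 10.0 ** -PIN_LEN) ** tries


if __name__ == "__main__":
    key = b"constructed PIN verification key"        # constructed; real keys live in an HSM
    card, pin = issue_card("4000123456789010", key)   # constructed account number
    print("genuine card verifies:", verify_pin(card, pin, key))
    print("clone without the offset verifies:", forgery_succeeds(card["account"], pin, key))
    print(f"P(guessing the offset within {MAX_TRIES} tries) = {guess_success_probability():.4%}")
```

The point the code makes is the one Hanafee draws: everything the forger could collect (account number, PIN) is human-readable, while the offset exists only on the stripe, so a cloned card with a guessed offset fails unless the guess happens to be right, and the lockout bounds how many guesses are possible.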