Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!unmvax!ncar!tank!mimsy!eneevax!haven!adm!xadmx!ted@nmsu.edu
From: ted@nmsu.edu
Newsgroups: comp.unix.wizards
Subject: password security
Message-ID: <17730@adm.BRL.MIL>
Date: 7 Dec 88 05:19:52 GMT
Sender: news@adm.BRL.MIL
Lines: 58

I would let all of this discussion about PINs and password protection just slide on by, except for the fact that a friend of mine was apparently a recent victim of an ATM fraud.

The situation was that she went to the bank to make a withdrawal and they said that her account had only $5 in it. She objected that according to her records she had over $700 in the account and that she had not made any withdrawals recently. The bank claimed that she had made 5 withdrawals in one day for virtually the entire amount in the account, leaving only the minimum in the account. Upon presentation of a written complaint, the bank checked the camera for the ATM and found that it had been blocked during the time of the withdrawals in question. The bank is currently standing pat on the absolute security of the ATM system and is insisting that they have no obligation to disburse any of the questioned funds.

Combined with the recent discussion on the net about the errors that have occurred in ATM software and with the fact that some systems store the PIN (or the encrypted PIN) on the card, there is considerable doubt in my mind about whether ATMs provide even minimal levels of security.

My questions for the net are:

1) Are account and PIN numbers really stored on the card in such a way that a card can be easily forged? (Please, no secure details, I just need enough information to believe you.)

2) How autonomous are ATM machines?

3) To what degree do ATMs record transactions? I know they record the account number and amount, but do they record erroneous PIN entries, and do they record the PIN number that is actually entered? Is there enough of an audit trail to substantiate a claim of card forgery?

4) Are there any publicly available accounts of ATM fraud, or breakdowns in ATM security? (The bug mentioned on the net recently would qualify, but did the company involved manage to sufficiently hush up the problem so that it has effectively been pushed into the apocrypha of computer security?)

If your reply is not suitable for public dissemination, please reply by email, usmail or phone. I will or will not summarize to the net depending on the wishes of individual respondents. I will honor requests for anonymity, but obviously, in the current situation, I would prefer to find experts in the field whom I can cite.

Thank you.

Ted Dunning
Computing Research Laboratory
New Mexico State University
Las Cruces, New Mexico 88003-0001
ted@nmsu.edu
(505) 646-6221
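Question 3 above asks what an ATM audit trail would need to record for a customer to substantiate a forgery claim. The following is an added illustration, not part of the original post and not any bank's actual log format: it parses a constructed audit log (the field names, the timestamp layout and the thresholds are all assumptions) and flags the two patterns the post describes, a burst of withdrawals that drains an account within a short window, and repeated failed PIN entries immediately before a successful one. Note that the log records only the result of each PIN check, never the PIN itself; that is the minimum a reviewer would want, since logging the entered PIN would create a new exposure.

```python
"""Analyse a constructed ATM audit trail for the fraud pattern described in the post.

Everything here is hypothetical: the log layout, field names (term, acct, event,
amount, balance_after, result) and the detection thresholds are assumptions made
for this example, not any real ATM network's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Account 4411 mirrors the post: five withdrawals in a few
# minutes leave $5 behind, preceded by two failed PIN entries. Account 9001 is normal.
SAMPLE_LOG = """\
1988-11-30T09:12:04 term=ATM07 acct=4411 event=pin_check result=ok
1988-11-30T09:12:20 term=ATM07 acct=4411 event=withdraw amount=40.00 balance_after=705.00
1988-12-02T17:40:01 term=ATM19 acct=4411 event=pin_check result=fail
1988-12-02T17:40:15 term=ATM19 acct=4411 event=pin_check result=fail
1988-12-02T17:40:31 term=ATM19 acct=4411 event=pin_check result=ok
1988-12-02T17:40:50 term=ATM19 acct=4411 event=withdraw amount=140.00 balance_after=565.00
1988-12-02T17:41:30 term=ATM19 acct=4411 event=withdraw amount=140.00 balance_after=425.00
1988-12-02T17:42:10 term=ATM19 acct=4411 event=withdraw amount=140.00 balance_after=285.00
1988-12-02T17:42:55 term=ATM19 acct=4411 event=withdraw amount=140.00 balance_after=145.00
1988-12-02T17:43:40 term=ATM19 acct=4411 event=withdraw amount=140.00 balance_after=5.00
1988-12-02T18:05:00 term=ATM02 acct=9001 event=pin_check result=ok
1988-12-02T18:05:12 term=ATM02 acct=9001 event=withdraw amount=20.00 balance_after=300.00
"""


def parse_log(text):
    """Turn 'TIMESTAMP key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = value
        events.append(rec)
    return events


def flag_accounts(events, max_withdrawals=3, window=timedelta(hours=24),
                  max_pin_failures=2):
    """Return {acct: [reason, ...]} for accounts showing a suspicious pattern.

    Thresholds are arbitrary example values, not a bank's real policy.
    """
    by_acct = defaultdict(list)
    for event in events:
        by_acct[event["acct"]].append(event)

    findings = {}
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []

        # Velocity check: more than max_withdrawals cash withdrawals inside one window.
        withdrawals = [e for e in evs if e["event"] == "withdraw"]
        for i, first in enumerate(withdrawals):
            in_window = [w for w in withdrawals[i:] if w["ts"] - first["ts"] <= window]
            if len(in_window) > max_withdrawals:
                total = sum(float(w["amount"]) for w in in_window)
                reasons.append(f"{len(in_window)} withdrawals totalling {total:.2f} "
                               f"within {window}")
                break

        # PIN-guessing check: a run of failed PIN entries followed by a success.
        failures = 0
        for event in evs:
            if event["event"] != "pin_check":
                continue
            if event["result"] == "fail":
                failures += 1
            else:
                if failures >= max_pin_failures:
                    reasons.append(f"{failures} failed PIN entries before success "
                                   f"at {event['ts']} on {event['term']}")
                failures = 0

        if reasons:
            findings[acct] = reasons
    return findings


if __name__ == "__main__":
    for acct, reasons in flag_accounts(parse_log(SAMPLE_LOG)).items():
        print(acct)
        for reason in reasons:
            print("  -", reason)
```

The point of the example is the shape of the evidence, not the thresholds: with per-event timestamps, terminal identifiers and PIN-check outcomes in the trail, a dispute like the one in the post can be examined against concrete records rather than against an assertion that the system is secure.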