From: texbell!rpp386!scsmo1!tim@cs.utexas.edu 5-DEC-1988 17:58:27 To: unix-wizards@sem.brl.mil Subj: [1070] Re: Here's a *BRILLIANT* password idea! >But, in the UK at least, if you abort the 'login' attempt after the 2nd >attempt (there is a button to do this), you get your card back, and can >then try again immediately. Thus you have an unlimited number of attempts. >I have not tried this on a machine in the US. This will work in the U.S. Some machines will kick the card out after 3 incorrect tries. One machine I tried 8 times, it didn't take the card, but later after the card had been slightly mutated it took it. I had the number changed on my card, there was an ibm pc connected to a card reader. I typed in the number (on a seperate keypad) and the banker slid the card back through the card reader. The pc was _NOT_ connected to anything. >This no longer has much to do with Unix. But it does have to do with money. How about terminals that have card readers? The biggest security problem is users that don't think about security problems, They tell other users their passwords (the don't like using paths to get files) Tim Hogard tim@scsmo1.uucp Soil Conservation Service. From: Phil Hughes 5-DEC-1988 17:59:32 To: unix-wizards@sem.brl.mil Subj: [1842] Re: Here's a *BRILLIANT* password idea! (Sarcasm on) In article <1526@holos0.UUCP>, lbr@holos0.UUCP (Len Reed) writes: > From article <438@amanue.UUCP>, by jr@amanue.UUCP (Jim Rosenberg): > = Well surprise: This exact password system is ***IN USE***!!! In (are you > = ready:) ***BANKS***!!! I am not kidding. Do you have an Automatic Teller > = Machine card? What does your password look like? Every time I've been given > = one of those things the password was just 4 digits!!!!!!! > You have to have physical possession of the card, too, not just knowledge > of the account number. Not really true. If you are serious about ATM fraud you can buy a mag stripe writer for about $300. I used to work for a company that makes automatic gas station equipment -- stick in your card, punch in your PIN and pump gas. We bought a card writer. I made myself an extra EXCHANGE card. Sort of fun. By the way, track 2 on the cards is the account number. Most bank machines either ignore or display track 1. Rainier Bank locally puts your name on track one and displays it on the terminal. Rewrite track 1 and when you enter your card you can get a nice message like: GOOD AFTERNOON YOU ROTTEN CROOK on the display. It amuses the people waiting in line behind you. Now, for a worse story -- as of two years ago every ATM machine in a whole state would accept a particular 4 digit number as a valid pin for every card. Yes, really. I was doing testing on a controller to hook into their network and it wasn't getting invalid PIN errors. As it turned out there was a bug in our software and it wasn't sending the PIN that was being entered. It just happened to be sending the magic PIN for the network. Now that was really stupid. -- Phil Hughes, SSC, Inc. P.O. Box 55549, Seattle, WA 98155 (206)FOR-UNIX uw-beaver!tikal!ssc!fyl or uunet!pilchuck!ssc!fyl or attmail!ssc!fyl From: Ron Natalie 9-DEC-1988 18:50:24 To: unix-wizards@sem.brl.mil Subj: [1171] Re: password security The cards themselves are easily forged. Essentially, nothing is encoded in the stripe that you can't see on the front of the card. Obviously criminal elements have the ability to forge this information because well publicised cases of credit cards (which use the same technology) exist. When dealing with a machine, it's even easier, the card doesn't need to look real to the eye, just have the correct data on the stripe. Even if the PIN records at the bank are relatively secure, there are many ways that the 4 digit number may be discovered. Abuse of telephone credit card numbers (which are essentially just your account number ( phone number) and a 4 digit PIN) inidicate how vulnerable that system is. Banks mail PINs (albeit separately from the cards) through the use of printthrough computer envelopes. You don't even need to open these to get the information. Banks should never send the PINs out. Here we get to go to the bank to set them. People should safeguard their PINs. Be careful about the guy behind you in line. Don't write them down, and if you get to pick your own, don't be so bloody obvious. I guessed my wifes with little difficulty. From: "Michael J. Chinni, SMCAR_CCS_E" 13-DEC-1988 14:23:12 To: security@pyrite.rutgers.edu Subj: [983] [Nathaniel Ingersoll: ATM passwords (PINs)] F Y I ----- Forwarded message # 1: From: Nathaniel Ingersoll Subject: ATM passwords (PINs) Date: 9 Dec 88 19:58:45 GMT To: unix-wizards@sem.brl.mil The way I look at it, all ATM cards (at least all the ones I've ever run across) do not have their PIN encoded on the card. When you do a transaction, the following events must happen: 1) enter card 2) enter pin 3) select transaction 4) success: result of action 5) failure: notification Now, if your PIN was encoded on the card, you could be informed of PIN failure immediately after (2). However, the ATM waits to perform all data transfer until it has all necessary information, so it probably sends whatever you entered for a PIN, your transaction data, and whatever else, to the remote computer, which then validates the PIN and transaction. Make sense? -- Nathaniel Ingersoll Altos Computer Systems, SJ CA ...!ucbvax!sun!altos86!nate altos86!nate@sun.com ----- End of forwarded messages From: "Jonathan I. Kamens" 16-DEC-1988 2:53:42 To: unix-wizards@sem.brl.mil Subj: [937] Re: random passwords (was Re: Worm...) In article <5598@polya.Stanford.EDU> waters@polya.Stanford.EDU (Jim Waters) writes: >Actually, I have a 7 digid "secret number," and I believe that 9 is the limit. >We go to the bank to choose them, so no one else ever sees the number. Ay, there's the rub.... My bank (BayBanks Boston) allowed me to choose a 7-digit security code as well. However, if you watch really closely when typing the 7-digit code into a BayBanks machine, the screen will flash momentarily after the fourth digit is entered. Well, boys and girls, can you guess what that means? Yes, that's right, the BayBanks machine is only listening to the first four digits! In fact, if you press the enter key after only the first four digits, the machine merrily accepts your PIN. Moral of the story: are you *sure* that all seven digits of your PIN matter to the machine? (This really has nothing to do with unix. Sigh.) Jonathan Kamens MIT Project Athena From: Phil Hughes 16-DEC-1988 4:57:26 To: unix-wizards@sem.brl.mil Subj: [998] Re: ATM passwords (PINs) As dumb as it may seem, here is what really happens on most ATMs (IBM and Diebold in particular). It is not, however, the way it works on the system I worked on. We figured a reader terminal was smart enough to figure out what to do next :-) 1. You enter your card and the ATM sends the card number to the network 2. The network tells the ATM to get the PIN 3. The ATM asks for the PIN and waits. When it gets it, it sends it to the network. 4. ... You get the idea I am sure. There is a mainframe talking over a serial line to a bunch of extremely dumb terminals. The good news is that the PIN is encrypted at the ATM before it is sent and it is sent in a different message than the card number. This means that tapping the communications line does not give you the necessary information to make a bogus card and use it in another ATM. -- Phil Hughes, SSC, Inc. P.O. Box 55549, Seattle, WA 98155 (206)FOR-UNIX uw-beaver!tikal!ssc!fyl or uunet!pilchuck!ssc!fyl or attmail!ssc!fyl From: "Richard A. O'Keefe" 16-DEC-1988 5:00:25 To: unix-wizards@sem.brl.mil Subj: [71] Re: random passwords (was Re: Worm...) I had a Versatel card (Bank of America) and my PIN was 10 characters. From: "Michael J. Chinni, SMCAR_CCS_E" 16-DEC-1988 13:50:25 To: security@pyrite.rutgers.edu Subj: [2573] [ted: password security] F Y I From: ted@nmsu.edu To: unix-wizards@BRL.MIL Subject: password security I would let all of this discussion about pin's and password protection just slide on by, except for the fact that a friend of mine was apparently a recent victim of an atm fraud. The situation was that she went to the bank to make a withdrawal and they said that her account had only $5 in it. She objected that according to her records she had over $700 in the account and that she had not made any withdrawals recently. The bank claimed that she had made 5 withdrawals in one day for virtually the entire amount in the account, leaving only the minimum in the account. Upon presentation with a written complaint, the bank checked the camera for the atm and found that it had been blocked during the time of the withdrawals in question. The bank is currently standing pat on the absolute security of the atm system and is insisting that they have no obligation to disburse any of the questioned funds. Combined with the recent discussion on the net about the errors that have occurred in atm software and with the fact that some systems store the pin (or the encrypted pin) on the card, there is considerable doubt in my mind about whether atm's provide even minimal levels of security. My questions for the net are: 1) are account and pin numbers really stored on the card in such a way that a card can be easily forged (please, no secure details, I just need enough information to believe you). 2) how autonomous are atm machines? 3) to what degree do atm's record transactions. I know they record the account number and amount, but do they record erroneous pin entries, and do they record the pin number that is actually entered? Is there enough of an audit trail to substantiate a claim of card forgery? 4) are there any publicly available accounts of atm fraud, or breakdowns in atm security? (the bug mentioned on the net recently would classify, but did the company involved manage to sufficiently hush up the problem so that it has effectively been pushed into the apocrypha of computer security?) If your reply is not suitable for public dissemination, please reply by email, usmail or phone. I will or will not summarize to the net depending on the wishes of individual respondents. I will honor requests for anonymity, but obviously, in the current situation, I would prefer to find experts in the field whom I can cite. Thank you. Ted Dunning Computing Research Laboratory New Mexico State University Las Cruces, New Mexico 88003-0001 ted@nmsu.edu (505) 646-6221 From: "Michael J. Chinni, SMCAR_CCS_E" 20-DEC-1988 11:47:18 To: security@pyrite.rutgers.edu Subj: [722] [Cory Kempf: Re: password security] F Y I From: Cory Kempf Subject: Re: password security Date: 8 Dec 88 18:02:18 GMT To: unix-wizards@sem.brl.mil Has anyone ever noticed that most of the ATM machines that are out there is the real world (at least in the US) have a vertical keypad? Does anyone really think that it is possible (without being a contortionist) to prevent the person behind you from seeing as you type in the PIN? Can anyone come up with a way to make it *easier* for someone else to see you type in your PIN? Retorical question time... why do most banks NOT use horizontal keypads (as well as other security measures)? GAK +C -- Cory Kempf UUCP: encore.com!gloom!cory "...it's a mistake in the making." -KT From: "Michael J. Chinni, SMCAR_CCS_E" 20-DEC-1988 12:00:49 To: security@pyrite.rutgers.edu Subj: [1556] [ted: pins and passwords] F Y I Date: Mon, 12 Dec 88 14:03:20 MST From: ted@nmsu.edu To: unix-wizards@BRL.MIL Subject: pins and passwords After some checking, (and one very good reference) I have found out that in the case of ATM's serviced by the CIRRUS network: 1) the pin is verified with the issuing bank on every transaction, although there appears to be room for CIRRUS to interject a false verification for testing purposes. 2) all data traffic is encrypted with DES with key distribution by public-key methods. Lines that go out of service are automatically replaced by dial-ups as needed, so that tapping could be done without much chance of detection, but the cost of attacking a 4.8Kbit DES line is probably not worth the cost (but since atm's send pins and account numbers directly over the line, you would completely compromise those accounts). 3) CIRRUS does not apparently support return of account balance. This would explain why moving out of your local area (i.e. local banking group) causes your balance to disappear from the atm summary. None of this information indicates that the PIN is NOT stored on the card, only that atm's do not ever have to take the card's word that the pin is correct. The information that I have found does not say anything about the other major atm transaction networks (cash stream and the plus system), nor does it really say anything about the atm's themselves. Many thanks to Mark Schuldenfrei for pointing me at the August 85 issue of CACM which had a case study of CIRRUS (really an interview with one of the honshos). From: Troy Landers 17-MAR-1990 2:26:29 To: misc-security@tektronix.tek.com Subj: [1069] Re: Bank card tricks in Toronto I know it is, at least on some cards. When I lived in Illinos, the bank that I used had this little box that resembled one of those automatic credit card calling thingamagigs. When I opened my account, they gave me a card, left me alone in the room (in the vault) and told me how to use it. All I did was type my PIN number, press a button, and "swipe" my card through it. Voilla, my card was now encoded with my PIN. I didn't think about it too much at the time, mostly because I wasn't aware of all the sneaky things crooks can do, and because I was a student and didn't have any money to steal anyway :-). Now I think I would be more reluctant to use a bank with such a system. Who knows? Troy ------------------------------------------------------------------------------- Troy Landers Sequent Computer Systems Inc. UUCP: ...!sequent!tlanders 15450 S.W. Koll Parkway Phone: (503) 626-5700 x4491 Beaverton, Oregon 97006-6063 *** My opinions are precisely that! *** From: netcom!onymouse@claris.com (John Debert) 17-MAR-1990 2:27:11 To: misc-security@ames.arc.nasa.gov Subj: [440] Re: Bank card tricks in Toronto Many banks, not-so-long-ago, did record passcodes on the card. That way, they didn't have to use their computer resources for such piddly things. Also, access control software was not yet being produced that was reliable. It was much easier to leave such things up to the ATM. A certain American bank still records passcodes in some cards, if not all. They still use ATM's that expect the passcode to be there. jd onymouse@netcom.UUCP From: night@pawl.rpi.edu (Trip Martin) 17-MAR-1990 2:50:37 To: ??? Subj: [378] Re: Bank card tricks in Toronto When I got my cash card back in Sept, the bank told me that the access code was indeed put on the card itself, and implied that this was better because then no bank records would have the access code. In fact, they had my type in my desired access code into a machine which then then ran the card through. Trip Martin night@pawl.rpi.edu -- Trip Martin night@pawl.rpi.edu From: roeber@portia.caltech.edu 19-MAR-1990 23:14:01 To: security@pyrite.rutgers.edu Subj: [821] Bank card tricks An article in the Los Angeles Times, about some people who made phony ATM cards from paper stock and audio magnetic tape, indicates that the PIN code is not stored on the cards. The people could program the cards with bank account numbers, but the security hole that allowed them to steal money was that one of them, an employee or ex-employee, could reprogram the PINs in the bank database. If the PIN was stored on the card, they could have just picked any number. However, my bank insists that to change my PIN they must re-issue my card. Perhaps there is some type of encryption/verification going on? Question: ATMs use phone lines. Is there any sort of encryption on these lines, to prevent wiretappers from gleaning valid account/PIN combinations? Frederick Roeber roeber@caltech.bitnet roeber@caltech.edu From: Craig Leres 20-MAR-1990 4:30:19 To: security@rutgers.edu Subj: [273] Re: Bank card tricks in Toronto Quite some time ago, the transaction cards spawned by my bank's ATMs were changed so that the last two digits of the account number are printed as XX. This helps protect those people who leave them behind. (It doesn't help them balance their checkbooks, though.) Craig From: hollombe%sdcsvax@ttidca.tti.com (The Polymath) 21-MAR-1990 7:56:01 To: misc-security@sdcsvax.ucsd.edu Subj: [1143] Re: Bank card tricks in Toronto Many teller machines have cameras associated with them. They can photograph the person making every transaction. }Does anyone know if the access code is, in fact, also on the mag }stripe? This varies by bank. While the ANSI standard does give a format for each of the three tracks on the magnetic strip, in practice each issuing organization uses proprietary systems. Putting the card number on track two is pretty universal. Track one often includes a repeat of the card number and the card holder's name, among other things. Track three is writable and may include up to date account information. A few banks are foolish enough to put the cardholder's PIN on the card -- sometimes encrypted, sometimes not. Many systems only look at track two. I'm not sure what you mean by "access code." The card number includes fields that identify the issuing bank. -- The Polymath (aka: Jerry Hollombe, M.A., CDP, aka: hollombe@ttidca.tti.com) Citicorp(+)TTI Illegitimis non 3100 Ocean Park Blvd. (213) 450-9111, x2483 Carborundum Santa Monica, CA 90405 {csun | philabs | psivax}!ttidca!hollombe From: "Don't have a cow, man!" 23-MAR-1990 16:25:55 To: security@ohstvma Subj: [1030] PIN on Bank Cards (was tricks in Toronto) A large commercial bank at which I used to bank had a system for "initializing" and changing one's PIN as follows: 1. An administrator's card was swiped into a medium-sized device that had an LED screen and numeric keypad. After entering his/her code, the customer's card was "swiped". 2. The administrator entered the card/account number. 3. The customer entered the desired PIN twice. Futhermore, American Express offers a program called "Cash Now". Essentially, it enables you to withdrawl cash or purchase travelers checks at almost any ATM around the world. On more than one occasion, I have forgotten my PIN number for my AMEX card. After calling the 800 number, and providing information about my account (last purchase, etc.), I have been able to change the PIN over the phone. Scary, isn't it? My *guess* is that the PIN is not stored on the Mag strip. Rather, it is accessed into the bank/institution's computer. Just a guess. Jeffrey Walsh AEWALSH@FORDMURH