Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!accuvax.nwu.edu!nucsrl!telecom-request
From: kaufman@Neon.Stanford.EDU (Marc T. Kaufman)
Newsgroups: comp.dcom.telecom
Subject: Re: ATM at Retailers (was: Voice Mail Passwords)
Message-ID: <12513@accuvax.nwu.edu>
Date: 24 Sep 90 02:50:12 GMT
Sender: news@accuvax.nwu.edu
Organization: Computer Science Department, Stanford University
Lines: 33
Approved: Telecom@eecs.nwu.edu
X-Submissions-To: telecom@eecs.nwu.edu
X-Administrivia-To: telecom-request@eecs.nwu.edu
X-Telecom-Digest: Volume 10, Issue 673, Message 1 of 9

In article <12469@accuvax.nwu.edu> motcid!king@uunet.uu.net (Steven King) writes:

>In article <12439@accuvax.nwu.edu> I write:

->You are not giving your PIN number to the merchant. The PIN is
->encrypted (mixed with your bank card number) in a ONE WAY algorithm by
->a chip that is in the PIN pad itself. The plaintext PIN never sees
->the light of day.

>A one way algorithm? Pray, how does the bank decode it to verify you?
>A gigantic lookup table?

No, the bank stores the encrypted PIN and does a straight match. The
technique was invented by John Atalla, one of the early Fairchild people.
Most of the bank PIN pads I have seen have been made by Atalla
Technovations.

The chip performs a one-way (e.g. many-to-one) encryption of an arbitrary
number of key presses. It is sufficiently slow (deliberately) so that even
if you got one of them it would take a VERY long time to try to find a
sequence that gives you a particular output word. Since you really don't
have access to the data link side of the system, you can't spoof it there.

The link between an ATM (or merchant system) and the bank is encrypted
also, so picking up the pair outside the building won't work either.

By far the easiest way to learn a person's PIN is to look over his
shoulder while he is typing it in (or hold him up at gunpoint).

Marc Kaufman (kaufman@Neon.stanford.edu)
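The scheme Kaufman describes (PIN mixed with the card number, one-way and deliberately slow transform inside the pad, bank stores only the output and compares) modelled in Python. This is an added example, not code from the post and not Atalla's algorithm, which the post does not specify: PBKDF2-HMAC-SHA256 stands in for the pad's slow one-way function, a per-device secret key mixed in is an assumption on top of the post, and the device key, card numbers and PINs are constructed values. The `brute_force` helper shows the check a practitioner wants to make about the "VERY long time" claim: a 4-digit PIN space is only 10,000 candidates, so the work factor per guess and the secrecy of whatever key the pad holds are what carry the defence.

```python
"""Toy model of a one-way PIN pad and a bank that stores only the output.

Added example, not code from the Usenet post or from Atalla. Assumptions:
the PIN is mixed with the card number (PAN) and a per-device secret key,
then run through a deliberately slow one-way function (PBKDF2-HMAC-SHA256
stands in for the pad's unspecified algorithm). The bank keeps the output
and does a straight match on the next transaction; it never decodes it.
"""
import hashlib
import hmac
import itertools

# Constructed values. A real pad keeps its key in tamper-resistant hardware.
DEVICE_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")
ITERATIONS = 20_000  # deliberately slow: milliseconds per evaluation, not microseconds


def pin_block(pin: str, pan: str) -> bytes:
    """Mix PIN and PAN so the same PIN on two different cards gives different input."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    if not pan.isdigit():
        raise ValueError("PAN must be digits")
    # Length prefix keeps "1234" and "01234" from colliding after concatenation.
    return f"{len(pin):02d}{pin}".encode() + b"|" + pan.encode()


def one_way_pin(pin: str, pan: str, key: bytes = DEVICE_KEY) -> bytes:
    """The transform performed inside the pad; only this output leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", pin_block(pin, pan), key, ITERATIONS, dklen=16)


class Bank:
    """Holds one transformed value per PAN and never sees a plaintext PIN."""

    def __init__(self) -> None:
        self._stored: dict[str, bytes] = {}

    def enroll(self, pan: str, pin: str) -> None:
        # Enrollment is the one time the PIN goes through the pad on the bank's side.
        self._stored[pan] = one_way_pin(pin, pan)

    def verify(self, pan: str, candidate: bytes) -> bool:
        """Straight match against the stored value, in constant time."""
        stored = self._stored.get(pan)
        if stored is None:
            return False
        return hmac.compare_digest(stored, candidate)


def brute_force(pan: str, target: bytes, key: bytes = DEVICE_KEY, digits: int = 4):
    """Offline search an attacker holding the pad's key, the PAN and the stored value would run.

    Returns (pin, tries) or (None, tries). The PIN space is only 10**digits, so
    the cost of each one_way_pin call is what makes this slow.
    """
    tries = 0
    for combo in itertools.product("0123456789", repeat=digits):
        tries += 1
        pin = "".join(combo)
        if one_way_pin(pin, pan, key) == target:
            return pin, tries
    return None, tries


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test card number
    bank = Bank()
    bank.enroll(pan, "0042")
    print("correct PIN:", bank.verify(pan, one_way_pin("0042", pan)))
    print("wrong PIN:  ", bank.verify(pan, one_way_pin("0043", pan)))
    print("brute force:", brute_force(pan, one_way_pin("0042", pan)))
```

Two things the demo makes concrete: the bank side needs no inverse function because it recomputes nothing and only compares, and the same PIN enrolled on two cards yields unrelated stored values because the PAN is part of the input. Changing `DEVICE_KEY` changes every output, which is why the key, not the algorithm, is what has to stay inside the pad.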