Path: utzoo!attcan!uunet!nih-csl!lhc!adm!husc6!wuarchive!mailrus!accuvax.nwu.edu!nucsrl!telecom-request
From: cellar!martin@bellcore.bellcore.com (Martin Harriss (ACP))
Newsgroups: comp.dcom.telecom
Subject: Re: ATM at Retailers
Message-ID: <12666@accuvax.nwu.edu>
Date: 26 Sep 90 19:11:58 GMT
Sender: news@accuvax.nwu.edu
Reply-To: "Martin Harriss (ACP"
Organization: Bellcore
Lines: 54
Approved: Telecom@eecs.nwu.edu
X-Submissions-To: telecom@eecs.nwu.edu
X-Administrivia-To: telecom-request@eecs.nwu.edu
X-Telecom-Digest: Volume 10, Issue 684, Message 5 of 11

I thought that Digest readers may be interested in the following "hard evidence" about banks and ATM PINS.

About six months ago I opened a new account at a nearby bank. I also requested an ATM card to go with the new account. The ATM card arrived a few days later and with it was a note saying I could stop by the bank to select a PIN and have the card activated.

So I went to the bank, and they got out this machine, punched a PIN in while the bank employee wasn't looking, then she punched my account number in and then ran my card through the machine. Presto - a working ATM card.

Now I, like many others, had always assumed that the machine encrypted some combination of the PIN and the account number and stored that on the card. I don't remember seeing any external connection on this machine, such as a data link to the bank's computer, but at the time I probably wasn't looking for one. As I remember, the card worked immediately - I went straight to the ATM after activation to check it out.

In other words, I believed all the information needed to use the card was encoded on the card itself, and needed no information about the PIN at the central computer. I thought.

Now it so happens that this bank was acquired by another bank, and with the takeover they sent me a new card. Fine, I thought; I really don't care whose logo is on the card as long as it works. With the new card was a note telling me that a new PIN would be sent to me in a few days. (It seems to be quite common that banks select a PIN for you and mail it in those envelopes with the carbon on the inside, so you can't see the PIN until you open it.)

Well, I was a little upset about this because I rather liked the PIN that I had - I had been using it at this and another bank for some years; in an odd sort of way it was, in fact, telecom related.

Anyway, my new PIN arrived yesterday. You guessed it - it was the same as the old one. I attribute this to one of three scenarios:

1. Coincidence. (not likely.)
2. They decoded my PIN. (also, I suspect, unlikely.)
3. They knew my PIN all along.

I strongly suspect number 3. When I opened the envelope I was somewhat surprised, even shocked, that they knew it, but know it they do.

Comments, anyone?

Martin Harriss
martin@cellar.bae.bellcore.com