Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!gatech!hao!ames!oliveb!pyramid!prls!philabs!aecom!mkaplan
From: mkaplan@aecom.YU.EDU (Marc Kaplan)
Newsgroups: sci.crypt
Subject: Re: DES info wanted
Message-ID: <1060@aecom.YU.EDU>
Date: Sun, 10-May-87 11:00:26 EDT
Article-I.D.: aecom.1060
Posted: Sun May 10 11:00:26 1987
Date-Received: Wed, 13-May-87 01:08:33 EDT
References: <2071@hoptoad.uucp> <599@umnd-cs.D.UMN.EDU> <5747@eddie.MIT.EDU> <27595@rochester.ARPA>
Organization: Albert Einstein College of Medicine, NY
Lines: 34
Keywords: DES, UNIX
Summary: That's not a bug...

In article <27595@rochester.ARPA>, ken@rochester.ARPA (Ken Yap) writes:
> This is only vaguely related to DES so maybe I should have changed the
> subject line.
>
> A friend of mine discovered something interesting about the way some
> (all?) ATM's work. He put in a non-participating bank's card and the
> machine cycled him through the whole validation sequence before
> spitting out the card with the message "invalid card" or something like
> that. So it looks like the ATM makes up a whole package of info before
> firing it off to the mainframe. I can just imagine the Cobol code,
> yuk!
>
> Ken

Well, I noticed the same situation when using my card with an invalid PIN. However, I reached a very different conclusion. This is (I assume) a security feature designed to make it harder for a "bad guy" to guess someone's PIN. Since it's only four digits, an average of 5000 attempts should give him the valid PIN. If the machine tells him immediately if his PIN is valid or invalid, it makes it *much* easier to sit there and try numbers. If he has to go through an entire transaction first, it will take four or five times as long to try each number.

Unix uses a similar strategy to discourage password guessing. The password checking program is slowed down by a large factor (25?) so the bad guy won't know the results too quickly.
Unfortunately, the strategy works badly for passwords, since too many users use first names, two character passwords, etc.

BTW, I assume that the ATMs will temporarily invalidate a card if a few hundred bad attempts are made to remove money. At least, that's how I would do it.

Eric Safern
...aecom!mkaplan
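As an added illustration that is not part of the original post, the following models the two defences Eric describes: the machine performs the full verification work before answering (so a wrong PIN, an unknown card and a locked card all take the same time and produce the same message), and a card is disabled after repeated bad attempts. The lockout threshold of 3, the use of PBKDF2 as the deliberate slow step, and the card/PIN values are constructed assumptions.

```python
"""Model of an ATM verifier with uniform-time PIN checking and lockout.
Constructed example; thresholds and the slow hash are assumptions."""
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 3        # assumed; the post suggests "a few hundred"
WORK_ITERATIONS = 25_000     # fixed work per check, in the spirit of crypt(3)'s slow-down
DUMMY_SALT = b"\x00" * 16    # used so unknown cards cost the same as real ones


def stretch(pin: str, salt: bytes) -> bytes:
    """Iterated hash so every verification costs a fixed amount of work."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, WORK_ITERATIONS)


class Card:
    def __init__(self, pin: str):
        self.salt = os.urandom(16)
        self.pin_hash = stretch(pin, self.salt)
        self.failures = 0
        self.locked = False


class ATM:
    """Runs the whole transaction before reporting a result."""

    def __init__(self, cards: dict):
        self.cards = cards                  # card_id -> Card of participating banks

    def withdraw(self, card_id: str, pin: str) -> str:
        card = self.cards.get(card_id)
        # Always do the full stretch, even for unknown or locked cards, so
        # response time does not reveal which check failed.
        candidate = stretch(pin, card.salt if card else DUMMY_SALT)
        if card is None or card.locked:
            return "invalid card"
        if hmac.compare_digest(candidate, card.pin_hash):
            card.failures = 0
            return "approved"
        card.failures += 1
        if card.failures >= LOCKOUT_THRESHOLD:
            card.locked = True              # stays locked until the bank clears it
        return "invalid card"


def guess_success_probability(threshold: int, pin_space: int = 10_000) -> float:
    """With a lockout after `threshold` tries against a uniformly random
    four-digit PIN, the attacker's chance of ever succeeding is threshold/pin_space."""
    return min(threshold, pin_space) / pin_space
```

With the post's 5000-attempt average, a lockout after a few hundred attempts caps the attacker at a few percent chance of success instead of near certainty.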