Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!mcvax!enea!kuling!andersa
From: andersa@kuling.UUCP (Anders Andersson)
Newsgroups: sci.crypt
Subject: Re: ATM security
Message-ID: <301@kuling.UUCP>
Date: Thu, 21-May-87 19:16:32 EDT
Article-I.D.: kuling.301
Posted: Thu May 21 19:16:32 1987
Date-Received: Tue, 26-May-87 01:58:19 EDT
References: <2071@hoptoad.uucp> <599@umnd-cs.D.UMN.EDU> <5747@eddie.MIT.EDU> <294@kuling.UUCP> <1071@aecom.YU.EDU>
Sender: news@kuling.UUCP
Reply-To: andersa@kuling.UUCP (Anders Andersson)
Organization: Uppsala University, Sweden
Lines: 37

In article <1071@aecom.YU.EDU> mkaplan@aecom.YU.EDU (Marc Kaplan) writes:
>In article <294@kuling.UUCP>, andersa@kuling.UUCP (Anders Andersson) writes:
>> If you make three (or maybe four) failing attempts in a row with the same
>> card at a Swedish ATM, the machine will swallow the card and physically
>> deface it (>burp!<), and you'll have to contact your bank to get a new one.
>
> While I admit a few hundred is too much, three or four is too little.
>Last week I made two mistakes before getting it right. With this method, if
>I came back the next morning and made *one* mistake, my card is history. For
>a 'bad guy', on the other hand, four attempts are not likely to net him the
>number. Four thousand is more like it.

Note, in a *row*. I believe all attempts have to be done during the same
session at the ATM, and even if it kept the counter "alive" for your
particular card over the night (which I don't think it does), your single
intermediary successful attempt should be enough to reset it.

If I were to make two failing attempts in a row I would probably step aside
and let the next customer do his business while my counter was reset, just
to make sure, or I could take a walk to another ATM (it could be that the
first just had a bad keypad). If that one goofed my card at the first try,
I would probably complain at the bank about stupid and user-hostile
algorithms.

The above scheme will at least cause some considerable delay for the
impostor trying to find the code either randomly or systematically. He
would have to step back, waiting for the ATM session to time out, every two
or three attempts. Trying 4,000 numbers would probably take him day and
night (preferably night) for a couple of weeks. This would give the owner
of the card time to report it lost, or at least the computer might be able
to catch the attention of some manager during working hours.

There could be other limits implemented as well, like the one you first
suggested, but I haven't heard about them. After all, security is relative.
--
Anders Andersson, Dept. of Computer Systems, Uppsala University, Sweden
Phone: +46 18 183170
UUCP: andersa@kuling.UUCP (...!{seismo,mcvax}!enea!kuling!andersa)
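An added model, not part of the original post, of the counter behaviour debated in this thread: a consecutive-failure counter that a correct PIN resets, kept either per ATM session or per card across sessions. The threshold of 3, the 4-digit PINs and every name in the code are assumptions made for the example.

```python
# Added illustration; THRESHOLD and all names are assumptions, not a real ATM's logic.
from dataclasses import dataclass

THRESHOLD = 3  # consecutive failures before capture (the post says three or four)


@dataclass
class RetryCounter:
    persistent: bool        # True: the count is kept per card across sessions
    failures: int = 0
    captured: bool = False
    attempts: int = 0

    def start_session(self):
        if not self.persistent:
            self.failures = 0   # a session-scoped counter forgets earlier failures

    def try_pin(self, guess, pin):
        if self.captured:
            return False
        self.attempts += 1
        if guess == pin:
            self.failures = 0   # one success ends the run of failures
            return True
        self.failures += 1
        self.captured = self.failures >= THRESHOLD
        return False


def owner_scenario(persistent):
    """Two typos then success on day one; one typo then success the next morning."""
    c = RetryCounter(persistent)
    for session in (["0000", "1111", "4821"], ["0000", "4821"]):  # constructed input
        c.start_session()
        for guess in session:
            c.try_pin(guess, "4821")
    return c.captured


def walk_away_scenario(persistent, per_session=2, pin="0417"):
    """Sequential guessing where the session is ended after `per_session` tries."""
    c = RetryCounter(persistent)
    for n in range(10_000):
        if n % per_session == 0:
            c.start_session()
        if c.try_pin(f"{n:04d}", pin):
            return ("found", c.attempts)
        if c.captured:
            return ("captured", c.attempts)
    return ("exhausted", c.attempts)
```

In this model the card owner's two-mistakes-then-one pattern never loses the card under either policy, because the intervening success resets the count; only the per-card counter turns the walk-away pattern into a capture instead of a delay.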