Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ncar!tank!mimsy!chris
From: chris@mimsy.UUCP (Chris Torek)
Newsgroups: comp.unix.questions
Subject: Re: ATM fraud
Message-ID: <15040@mimsy.UUCP>
Date: 17 Dec 88 03:56:39 GMT
References: <17853@adm.BRL.MIL>
Organization: U of Maryland, Dept. of Computer Science, Coll. Pk., MD 20742
Lines: 41

(I was hoping not to have to post this on a comp.unix group, but things
are not getting any quieter, so:)

Real Facts about ATMs:

> Each system is different. One cannot even count on the machines from
  a specific manufacturer (e.g., IBM or Diebold) all to act the same,
  as many (if not all) of these systems can be configured by the
  purchasing bank. Therefore:

> Every blanket statement about ATMs is wrong (including this one).

> Some common systems do put PINs on cards; some common systems do not.

> Some systems allow `local' operation of an ATM station when the net
  is down; some do not. (Local operation may be used to overrun daily
  limits.)

> Some systems use DES encryption (in just what ways I am not sure).
  Of those that do, they may not do it in a `secure' manner. (You will
  find it very hard to pull this particular bit of information out of
  your local bank, particularly if they know it is insecure.)

> Some systems `batch' the PIN verification with the first operation
  (so that a wrong PIN is not noticed until after a deposit, etc.).
  Others check the PIN immediately, even if it requires a network
  transaction. Thus you cannot conclude anything about where the PIN
  is stored based on when the machine rejects an invalid PIN.

> Many systems that allow more than four digits for a PIN in fact only
  use the first four.

> Some systems count PIN errors globally; some count it per-ATM; some
  use a mix (count locally iff net is down). Many set a `keep the
  card' threshold at 3 errors. Typically the count is reset once a day.

Now can we stop with ATM security messages on comp.unix.questions?
(And why do I ask such a silly question? :-) )
--
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain: chris@mimsy.umd.edu Path: uunet!mimsy!chris