Path: utzoo!attcan!uunet!pilchuck!ssc!fyl
From: fyl@ssc.UUCP (Phil Hughes)
Newsgroups: comp.unix.wizards
Subject: Re: ATM passwords (PINs)
Summary: Here are the facts behind the rumors
Message-ID: <1579@ssc.UUCP>
Date: 11 Dec 88 20:13:07 GMT
References: <753@altos86.UUCP>
Organization: SSC, Inc., Seattle, WA
Lines: 27

In article <753@altos86.UUCP>, nate@altos86.UUCP (Nathaniel Ingersoll) writes:
> However, the ATM waits to
> perform all data transfer until it has all necessary information,
> so it probably sends whatever you entered for a PIN, your transaction
> data, and whatever else, to the remote computer, which then
> validates the PIN and transaction.

As dumb as it may seem, here is what really happens on most ATMs
(IBM and Diebold in particular). It is not, however, the way it
works on the system I worked on. We figured a reader terminal was
smart enough to figure out what to do next :-)

1. You enter your card and the ATM sends the card number to the network
2. The network tells the ATM to get the PIN
3. The ATM asks for the PIN and waits. When it gets it, it sends it
   to the network.
4. ...

You get the idea I am sure. There is a mainframe talking over a
serial line to a bunch of extremely dumb terminals.

The good news is that the PIN is encrypted at the ATM before it is
sent and it is sent in a different message than the card number.
This means that tapping the communications line does not give you
the necessary information to make a bogus card and use it in another
ATM.

--
Phil Hughes, SSC, Inc. P.O. Box 55549, Seattle, WA 98155 (206)FOR-UNIX
uw-beaver!tikal!ssc!fyl or uunet!pilchuck!ssc!fyl or attmail!ssc!fyl