Re: OT: Banc of America Article

2003-01-30 Thread Krzysztof Adamski

Since nobody has given the correct information about the PIN on the card, I
will give a very brief description.

There are two types of PIN, natural and customer selected.
The natural PIN is computed from the number on the card. The computation
involves one way crypto keys. I don't remember the algorithm. For this the
PIN that is stored on the card is .

Now, when a customer selects a PIN, an offset is computed between the
natural PIN and selected PIN. This offset is stored on the card.

Based on this you can see that re-encoding is needed when you change the
PIN number; most ATMs will do that re-encoding. So unless things have
changed in the last 4 years since I worked with this, you can not change
your PIN over the phone without physical contact by the bank with the
card.

Personally I carry a card without any logo as my ATM card, at one point I
had access to reader/encoder for mag strip cards and I programmed a blank
card with the info from my real ATM card. No encryption involved.

K

On Wed, 29 Jan 2003, David Charlap wrote:

 
 Al Rowland wrote:
  
  The PIN is on your card ...
 
 Not for any card I've ever owned.  I've changed my PIN several times 
 over the years, and the bank has never re-encoded my card or sent me a 
 new card as a result of doing so.
 
 Maybe some banks do store the PIN on the card, but I'm certain that it's 
 in the server for every bank I've used.
 
  I use a not-my-bank ATM in the lobby at work and it doesn't
  initiate the call (you can hear the modem dial) until you're beyond the
  PIN screen and are actually requesting a transaction.
 
 I'm not surprised.  But the PIN is verified as a part of the transaction.
 
 I've occasionally mistyped my PIN.  The ATM takes the mistake and goes 
 straight to the menu.  It's only after requesting a transaction that it 
 comes back with the invalid PIN message.
 
 -- David
 

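The natural-PIN / PIN-offset scheme Krzysztof describes, written out as an added example (not code from this thread) in the style of the IBM 3624 method that Sharif names later in the thread. HMAC-SHA256 stands in for the keyed one-way function a real HSM computes with DES under a PIN verification key (PVK); the key, PAN and PINs are constructed, and `change_pin` contrasts an offset stored on the card track with one stored at the host, which is the difference the posters are arguing about.

```python
# Added example (not code from the thread): the natural-PIN / PIN-offset
# scheme Krzysztof describes, in the style of the IBM 3624 method. HMAC-SHA256
# stands in for the keyed one-way function a real HSM computes with DES under
# a PIN verification key (PVK); the key, PAN and PINs below are constructed.
import hashlib
import hmac
from typing import Optional

# 3624-style decimalisation table: hex digits a-f fold back onto 0-5.
DECIMALISE = str.maketrans("0123456789abcdef", "0123456789012345")
PVK = bytes.fromhex("0123456789abcdeffedcba9876543210")  # constructed; lives in the HSM


def natural_pin(pan: str, pvk: bytes = PVK, length: int = 4) -> str:
    """Natural PIN: keyed one-way function of the card number, decimalised, truncated."""
    digest = hmac.new(pvk, pan.encode(), hashlib.sha256).hexdigest()
    return digest.translate(DECIMALISE)[:length]


def pin_offset(pan: str, chosen_pin: str, pvk: bytes = PVK) -> str:
    """Offset = (chosen PIN - natural PIN), digit-wise mod 10. All zeros means the
    customer uses the natural PIN. The offset, never the PIN, is what gets stored."""
    nat = natural_pin(pan, pvk, len(chosen_pin))
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen_pin, nat))


def verify_pin(pan: str, entered_pin: str, offset: str, pvk: bytes = PVK) -> bool:
    """Recompute the natural PIN, add the offset, compare. Needs only PAN, offset
    and PVK, so a box holding the PVK can check the PIN without a host lookup."""
    if len(entered_pin) != len(offset) or not entered_pin.isdigit():
        return False
    nat = natural_pin(pan, pvk, len(offset))
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))
    return hmac.compare_digest(expected, entered_pin)


def change_pin(card: dict, new_pin: str, host_db: Optional[dict] = None) -> str:
    """Where the offset lives decides what a PIN change costs: on the card track
    (Krzysztof's model) the stripe must be re-encoded; in a host database (the
    model the other posters report) nothing on the card changes."""
    offset = pin_offset(card["pan"], new_pin)
    if host_db is None:
        card["offset"] = offset        # ATM has to rewrite the magnetic stripe
    else:
        host_db[card["pan"]] = offset  # a phone-banking change is enough
    return offset


def demo() -> tuple:
    pan = "4000123456789010"  # constructed PAN
    card = {"pan": pan, "offset": pin_offset(pan, "2468")}
    ok_old = verify_pin(pan, "2468", card["offset"])
    host = {}
    change_pin(card, "1357", host_db=host)                   # host-stored model
    ok_stale_card = verify_pin(pan, "1357", card["offset"])  # card still has the old offset
    ok_host = verify_pin(pan, "1357", host[pan])
    return ok_old, ok_stale_card, ok_host                    # (True, False, True)
```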



RE: OT: Banc of America Article

2003-01-30 Thread Temkin, David

FYI this is completely incorrect.

I have changed my PIN with both my PayPal debit card as well as my First
Union/Wachovia card numerous times without a single contact with a physical
bank.

See: http://www.wachovia.com/helpcenter/page/0,,2372_2705,00.html

To store the PIN on a card, whether hashed or not, would be foolish.   Do
people really think that the ATMs of 15 years ago had the CPU power to
calculate the hash of a PIN number on the fly?  I know people who are
carrying around 10+ year old cards and they still work fine.

-Dave

 -Original Message-
 From: Krzysztof Adamski [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, January 30, 2003 3:39 PM
 To: [EMAIL PROTECTED]
 Subject: Re: OT: Banc of America Article
 
 
 
 Since nobody has given the correct information about the PIN 
 on the card I will give a very brief description.
 
 There are two types of PIN, natural and customer selected.
 The natural PIN is computed from the number on the card. The 
 computation involves one way crypto keys. I don't remember 
 the algorithm. For this the PIN that is stored on the card is .
 
 Now, when a customer selects a PIN, an offset is computed 
 between the natural PIN and selected PIN. This offset is 
 stored on the card.
 
 Based on this you can see that re-encoding is needed when you 
 change the PIN number; most ATMs will do that re-encoding. So 
 unless things have changed in the last 4 years since I worked 
 with this, you can not change your PIN over the phone without 
 physical contact by the bank with the card.
 
 Personally I carry a card without any logo as my ATM card, at 
 one point I had access to reader/encoder for mag strip cards 
 and I programmed a blank card with the info from my real ATM 
 card. No encryption involved.
 
 K
 
 On Wed, 29 Jan 2003, David Charlap wrote:
 
  
  Al Rowland wrote:
   
   The PIN is on your card ...
  
  Not for any card I've ever owned.  I've changed my PIN several times
  over the years, and the bank has never re-encoded my card or sent me a
  new card as a result of doing so.
  
  Maybe some banks do store the PIN on the card, but I'm certain that it's
  in the server for every bank I've used.
  
   I use a not-my-bank ATM in the lobby at work and it doesn't initiate
   the call (you can hear the modem dial) until you're beyond the PIN
   screen and are actually requesting a transaction.
  
  I'm not surprised.  But the PIN is verified as a part of the 
  transaction.
  
  I've occasionally mistyped my PIN.  The ATM takes the 
 mistake and goes
  straight to the menu.  It's only after requesting a 
 transaction that it 
  comes back with the invalid PIN message.
  
  -- David
  
 







RE: OT: Banc of America Article

2003-01-30 Thread Krzysztof Adamski

I would guess that PayPal is a bit younger than 4 years, so some banks have
changed the process since I was last involved with it.

For your information, the ATMs of 15 years ago and the ATMs of 4[*] years
ago used the same process to deal with encryption. It was done by a black
box manufactured by a company called Excrypt. CPU power never came into
question.
 Before you jump to the conclusion that you could just steal the black box
from the ATM and have access: if you tilt it, it forgets all the keys.
Also, during normal operation two separate people have to enter two parts
of the key. This way no single bank employee has access to both parts of
the key.


[*] I no longer am involved with banks for the last 4 years, so I don't
know what changes have happened.

K

 On Thu, 30 Jan 2003, Temkin, David wrote:

 
 FYI this is completely incorrect.
 
 I have changed my PIN with both my PayPal debit card as well as my First
 Union/Wachovia card numerous times without a single contact with a physical
 bank.
 
 See: http://www.wachovia.com/helpcenter/page/0,,2372_2705,00.html
 
 To store the PIN on a card, whether hashed or not, would be foolish.   Do
 people really think that the ATMs of 15 years ago had the CPU power to
 calculate the hash of a PIN number on the fly?  I know people who are
 carrying around 10+ year old cards and they still work fine.
 
 -Dave
 
  -Original Message-
  From: Krzysztof Adamski [mailto:[EMAIL PROTECTED]] 
  Sent: Thursday, January 30, 2003 3:39 PM
  To: [EMAIL PROTECTED]
  Subject: Re: OT: Banc of America Article
  
  
  
  Since nobody has given the correct information about the PIN 
  on the card I will give a very brief description.
  
  There are two types of PIN, natural and customer selected.
  The natural PIN is computed from the number on the card. The 
  computation involves one way crypto keys. I don't remember 
  the algorithm. For this the PIN that is stored on the card is .
  
  Now, when a customer selects a PIN, an offset is computed 
  between the natural PIN and selected PIN. This offset is 
  stored on the card.
  
  Based on this you can see that re-encoding is needed when you 
  change the PIN number; most ATMs will do that re-encoding. So 
  unless things have changed in the last 4 years since I worked 
  with this, you can not change your PIN over the phone without 
  physical contact by the bank with the card.
  
  Personally I carry a card without any logo as my ATM card, at 
  one point I had access to reader/encoder for mag strip cards 
  and I programmed a blank card with the info from my real ATM 
  card. No encryption involved.
  
  K
  
  On Wed, 29 Jan 2003, David Charlap wrote:
  
   
   Al Rowland wrote:
    
    The PIN is on your card ...
   
   Not for any card I've ever owned.  I've changed my PIN several times
   over the years, and the bank has never re-encoded my card or sent me a
   new card as a result of doing so.
   
   Maybe some banks do store the PIN on the card, but I'm certain that it's
   in the server for every bank I've used.
   
    I use a not-my-bank ATM in the lobby at work and it doesn't initiate
    the call (you can hear the modem dial) until you're beyond the PIN
    screen and are actually requesting a transaction.
   
   I'm not surprised.  But the PIN is verified as a part of the 
   transaction.
   
   I've occasionally mistyped my PIN.  The ATM takes the 
  mistake and goes
   straight to the menu.  It's only after requesting a 
  transaction that it 
   comes back with the invalid PIN message.
   
   -- David
   
  
 
 
 
 




Re: OT: Banc of America Article

2003-01-30 Thread Mike Hogsett


 Before you jump to the conclusion that you could just steal the black
 box from the ATM and have access: if you tilt it, it forgets all the
 keys.  Also, during normal operation two separate people have to enter
 two parts of the key. This way no single bank employee has access to
 both parts of the key.

The product Krzysztof mentions is likely similar to:

http://gpsonsale.com/ibmcryptographiccards/products/IBM4758-002.htm

http://www-3.ibm.com/security/cryptocards/

An interesting read regarding breaking into one of these black boxes:

http://www.cl.cam.ac.uk/~rnc1/descrack/

 - Mike






Re: OT: Banc of America Article

2003-01-30 Thread Paul Timmins

On Thu, 2003-01-30 at 15:39, Krzysztof Adamski wrote:

 Based on this you can see that re-encoding is needed when you change the
 PIN number, most ATM will do that re-encoding. So unless things have
 changed in the last 4 years since I worked with this, you can not change
 your PIN over the phone without physical contact by the bank with the
 card.

The last two banks I've used both allowed me to do it over telephone
banking.
-Paul

-- 
Paul Timmins
[EMAIL PROTECTED] / http://www.timmins.net/
H: 248-683-7295 / C: 248-379-7826 / DC: 130*116*24495
A: noweb4u / R: KC8QAY




OT: Banc of America Article

2003-01-29 Thread Al Rowland

I believe specific account data is not kept on the local machine. I may
be wrong, not to mention the data strip on the card...

Nothing new. Look at what happened to the Chicago Board of Trade a few
years back. I wonder how WCOM reported the out-of-court settlement for
that one on their books. ;0

The original NSI SI,
National-Security-Internet-(Survivable-Infrastructure), model was
replaced years ago by the BBC, Best-Business-Case model, puns intended.

Best regards,
__
Al Rowland


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, January 29, 2003 9:47 AM
 To: Al Rowland
 Cc: [EMAIL PROTECTED]
 Subject: RE: Banc of America Article
 
 
  IIRC, the ATM system is similar to CC transactions. A best effort is
  made to authorize against your account (Credit Card or Banking) but if
  it fails and the transaction is within a normal range (your daily card
  limit) the CC/ATM completes the transaction.
 
   Too bad it is not the case, but let's presume that it is. How does it
 explain branches not being able to process direct withdrawals either?
 
   The incident on hand illustrates that the design of our financial
 networks is broken. If a non-sophisticated worm managed to create so many
 problems, what is going to happen should a real attack be mounted against
 the networks used by financial services?
 
 Alex
 
 




OT: Banc of America Article

2003-01-29 Thread Al Rowland

Just for grins,

The PIN is on your card, likely encrypted; this is based on the fact that
most ATMs will reject your card at the initial PIN prompt before you try
to execute any transaction. Likely so are your balance and daily
withdrawal limit, but the Kwik-E-Mart system might not have a way to see
that you've already withdrawn your daily limit from three other ATMs,
etc. I use a not-my-bank ATM in the lobby at work and it doesn't
initiate the call (you can hear the modem dial) until you're beyond the
PIN screen and are actually requesting a transaction. My daily limit at
my home bank is significantly higher than my daily limit at
non-home-bank ATMs, so that might be a local feature rather than hard
coded to your card (or readable by the particular machine you're using;
who knows what your bank considers privacy or proprietary information).

Just conjecture, no way to know how this specifically works without
looking at the BoA specific ATM code but I'd be willing to bet the code
errs on the side of customer convenience over absolute security. See
most software as examples.

Best regards,
__
Al Rowland

 -Original Message-
 From: Charles Sprickman [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, January 29, 2003 10:19 AM
 To: Al Rowland
 Cc: [EMAIL PROTECTED]
 Subject: RE: Banc of America Article
 
 
 On Wed, 29 Jan 2003, Al Rowland wrote:
 
  Or,
 
  IIRC, the ATM system is similar to CC transactions. A best effort is
  made to authorize against your account (Credit Card or Banking) but if
  it fails and the transaction is within a normal range (your daily card
  limit) the CC/ATM completes the transaction.
 
 So you're telling me that if I go to Kwik-E-Mart, cut the wires, put my
 card with a $0 balance in, it will happily let me withdraw money?
 Somehow that doesn't sound right.  How would it know my PIN, or would it
 assume I entered it correctly?  How would it know my daily card limit?
 
 Charles
 
  Best regards,
  __
  Al Rowland
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
   Of Leo Bicknell
   Sent: Tuesday, January 28, 2003 8:03 PM
   To: [EMAIL PROTECTED]
   Subject: Re: Banc of America Article
  
  
   FWIW:
  
   http://www.washingtonpost.com/wp-dyn/articles/A57550-2003Jan28.html
  
   About 13,000 Bank of America cash machines had to be shut down. The
   bank's ATMs sent encrypted information through the Internet, and
   when the data slowed to a crawl, it stymied transactions, according
   to a source, who said customer financial information was never in
   danger of being stolen.
  
   --
   Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
   PGP keys at http://www.ufp.org/~bicknell/
   Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
 





Re: OT: Banc of America Article

2003-01-29 Thread Brett Frankenberger

On Wed, Jan 29, 2003 at 10:35:37AM -0800, Al Rowland wrote:
 
 The PIN is on your card, likely encrypted, 

We're off-topic now, so I won't go into detail, but the PIN is
sometimes on the card and sometimes not.  There are different ways of
doing it.  (If the sampling of cards in my wallet is representative,
then mostly, the PINs aren't on the card anymore (I still have one card
that has the PIN on the card).)

 -- Brett



OT: Banc of America Article

2003-01-29 Thread Al Rowland

Your assumption is my account is at my local branch. Neither is my safe
deposit box. It's at a different, larger branch in the adjacent suburb.
My 'account' is likely in one of their corporate monoliths downtown,
hence the network connection. That's why my card works as well in
Virginia (my most recent trip) as it does at my local branch in LA. My
local ATM also needs access to other bank networks if they have any hope
of collecting that usury fee for not-my-bank customers using the teller.
It's about the Benjamins.

I completely agree with your second point but don't expect change until
outside forces effect change in the current business model. Just my 2¢.

Best regards,
__
Al Rowland

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
 Behalf Of [EMAIL PROTECTED]
 Sent: Wednesday, January 29, 2003 9:47 AM
 To: Al Rowland
 Cc: [EMAIL PROTECTED]
 Subject: RE: Banc of America Article
 
 
 
  IIRC, the ATM system is similar to CC transactions. A best effort is
  made to authorize against your account (Credit Card or Banking) but if
  it fails and the transaction is within a normal range (your daily card
  limit) the CC/ATM completes the transaction.
 
   Too bad it is not the case, but let's presume that it is. How does it
 explain branches not being able to process direct withdrawals either?
 
   The incident on hand illustrates that the design of our financial
 networks is broken. If a non-sophisticated worm managed to create so many
 problems, what is going to happen should a real attack be mounted against
 the networks used by financial services?
 
 Alex
 
 




Re: OT: Banc of America Article

2003-01-29 Thread David Charlap

Al Rowland wrote:


The PIN is on your card ...


Not for any card I've ever owned.  I've changed my PIN several times 
over the years, and the bank has never re-encoded my card or sent me a 
new card as a result of doing so.

Maybe some banks do store the PIN on the card, but I'm certain that it's 
in the server for ever bank I've used.

I use a not-my-bank ATM in the lobby at work and it doesn't
initiate the call (you can hear the modem dial) until you're beyond the
PIN screen and are actually requesting a transaction.


I'm not surprised.  But the PIN is verified as a part of the transaction.

I've occasionally mistyped my PIN.  The ATM takes the mistake and goes 
straight to the menu.  It's only after requesting a transaction that it 
comes back with the invalid PIN message.

-- David



Re: OT: Banc of America Article

2003-01-29 Thread Sharif Torpis


Hallelujah. A voice of knowledge as opposed to conjecture. Different
bank ATMs operate differently. There are online and offline modes.
The PIN may or may not be recorded on the card. Some of these
differences are due to the fact that not all financial institutions
were connected to interbank networks over two decades ago. And yes,
some banks' ATMs dispense limited amounts of cash while disconnected
from the network. This is a compromise between customer service and
fraud exposure. You won't be able to get rich that way. There are
plenty of resources on and offline related to magnetic stripe
cryptographic security and PIN verification methods such as Atalla
Identikey, Visa PVV, IBM 3624, etc.

Those making the most noise should take a look at their own network
security, data security, and redundancy practices as they rail
against large financial networks and systems.

Regards,
Sharif

---
Whenever I'm caught between two evils, I take the one I've never
tried. - Mae West

On Wed, 29 Jan 2003 13:15:54 -0600, Brett Frankenberger wrote:

On Wed, Jan 29, 2003 at 10:35:37AM -0800, Al Rowland wrote:

The PIN is on your card, likely encrypted,

We're off-topic now, so I won't go into detail, but the PIN is
sometimes on the card and sometimes not.  There are different ways
of doing it.  (If the sampling of cards in my wallet is representative,
then mostly, the PINs aren't on the card anymore (I still have one
card that has the PIN on the card).)

-- Brett