From: texbell!rpp386!scsmo1!tim@cs.utexas.edu 5-DEC-1988 17:58:27
To: unix-wizards@sem.brl.mil
Subj: [1070] Re: Here's a *BRILLIANT* password idea!

>But, in the UK at least, if you abort the 'login' attempt after the 2nd
>attempt (there is a button to do this), you get your card back, and can
>then try again immediately. Thus you have an unlimited number of attempts.
>I have not tried this on a machine in the US.

This will work in the U.S. Some machines will kick the card out after 3
incorrect tries. One machine I tried 8 times; it didn't take the card, but
later after the card had been slightly mutated it took it.

I had the number changed on my card; there was an ibm pc connected to a card
reader. I typed in the number (on a separate keypad) and the banker
slid the card back through the card reader. The pc was _NOT_ connected
to anything.

>This no longer has much to do with Unix.
But it does have to do with money. How about terminals that have card readers?

The biggest security problem is users that don't think about security problems.
They tell other users their passwords (they don't like using paths to get files).

Tim Hogard
tim@scsmo1.uucp
Soil Conservation Service.

From: Phil Hughes <ssc!fyl@teltone.com> 5-DEC-1988 17:59:32
To: unix-wizards@sem.brl.mil
Subj: [1842] Re: Here's a *BRILLIANT* password idea! (Sarcasm on)

In article <1526@holos0.UUCP>, lbr@holos0.UUCP (Len Reed) writes:
> From article <438@amanue.UUCP>, by jr@amanue.UUCP (Jim Rosenberg):
> = Well surprise: This exact password system is ***IN USE***!!! In (are you
> = ready:) ***BANKS***!!! I am not kidding. Do you have an Automatic Teller
> = Machine card? What does your password look like? Every time I've been given
> = one of those things the password was just 4 digits!!!!!!!

> You have to have physical possession of the card, too, not just knowledge
> of the account number.

Not really true. If you are serious about ATM fraud you can buy a mag
stripe writer for about $300. I used to work for a company that makes
automatic gas station equipment -- stick in your card, punch in your PIN
and pump gas. We bought a card writer. I made myself an extra EXCHANGE
card. Sort of fun.

By the way, track 2 on the cards is the account number. Most bank
machines either ignore or display track 1. Rainier Bank locally puts your
name on track one and displays it on the terminal. Rewrite track 1 and
when you enter your card you can get a nice message like:
GOOD AFTERNOON YOU ROTTEN CROOK
on the display. It amuses the people waiting in line behind you.

Now, for a worse story -- as of two years ago every ATM machine in a whole
state would accept a particular 4 digit number as a valid pin for every
card. Yes, really. I was doing testing on a controller to hook into
their network and it wasn't getting invalid PIN errors. As it turned out
there was a bug in our software and it wasn't sending the PIN that was
being entered. It just happened to be sending the magic PIN for the
network. Now that was really stupid.
--
Phil Hughes, SSC, Inc. P.O. Box 55549, Seattle, WA 98155 (206)FOR-UNIX
uw-beaver!tikal!ssc!fyl or uunet!pilchuck!ssc!fyl or attmail!ssc!fyl

From: Ron Natalie <ron@ron.rutgers.edu> 9-DEC-1988 18:50:24
To: unix-wizards@sem.brl.mil
Subj: [1171] Re: password security

The cards themselves are easily forged. Essentially, nothing is
encoded in the stripe that you can't see on the front of the card.
Obviously criminal elements have the ability to forge this information
because well publicised cases of credit cards (which use the same technology)
exist. When dealing with a machine, it's even easier: the card doesn't
need to look real to the eye, just have the correct data on the stripe.

Even if the PIN records at the bank are relatively secure, there are
many ways that the 4 digit number may be discovered. Abuse of telephone
credit card numbers (which are essentially just your account number
(phone number) and a 4 digit PIN) indicates how vulnerable that system
is. Banks mail PINs (albeit separately from the cards) through the
use of print-through computer envelopes. You don't even need to open
these to get the information. Banks should never send the PINs out.
Here we get to go to the bank to set them. People should safeguard their
PINs. Be careful about the guy behind you in line. Don't write them
down, and if you get to pick your own, don't be so bloody obvious.
I guessed my wife's with little difficulty.

From: "Michael J. Chinni, SMCAR_CCS_E" <mchinni@ardec.arpa> 13-DEC-1988 14:23:12
To: security@pyrite.rutgers.edu
Subj: [983] [Nathaniel Ingersoll: ATM passwords (PINs)]

F Y I

----- Forwarded message # 1:

From: Nathaniel Ingersoll <nate@altos86.uucp>
Subject: ATM passwords (PINs)
Date: 9 Dec 88 19:58:45 GMT
To: unix-wizards@sem.brl.mil

The way I look at it, all ATM cards (at least all the ones
I've ever run across) do not have their PIN encoded on the card.
When you do a transaction, the following events must happen:
1) enter card
2) enter pin
3) select transaction
4) success: result of action
5) failure: notification

Now, if your PIN was encoded on the card, you could be informed of
PIN failure immediately after (2). However, the ATM waits to
perform all data transfer until it has all necessary information,
so it probably sends whatever you entered for a PIN, your transaction
data, and whatever else, to the remote computer, which then
validates the PIN and transaction.

Make sense?
--
Nathaniel Ingersoll
Altos Computer Systems, SJ CA
...!ucbvax!sun!altos86!nate
altos86!nate@sun.com

----- End of forwarded messages

From: "Jonathan I. Kamens" <jik@athena.mit.edu> 16-DEC-1988 2:53:42
To: unix-wizards@sem.brl.mil
Subj: [937] Re: random passwords (was Re: Worm...)

In article <5598@polya.Stanford.EDU> waters@polya.Stanford.EDU (Jim Waters) writes:

>Actually, I have a 7 digit "secret number," and I believe that 9 is the limit.
>We go to the bank to choose them, so no one else ever sees the number.

Ay, there's the rub....

My bank (BayBanks Boston) allowed me to choose a 7-digit security code
as well. However, if you watch really closely when typing the 7-digit
code into a BayBanks machine, the screen will flash momentarily after
the fourth digit is entered.

Well, boys and girls, can you guess what that means? Yes, that's
right, the BayBanks machine is only listening to the first four
digits! In fact, if you press the enter key after only the first four
digits, the machine merrily accepts your PIN.

Moral of the story: are you *sure* that all seven digits of your PIN
matter to the machine?

(This really has nothing to do with unix. Sigh.)

Jonathan Kamens
MIT Project Athena

From: Phil Hughes <ssc!fyl@teltone.com> 16-DEC-1988 4:57:26
To: unix-wizards@sem.brl.mil
Subj: [998] Re: ATM passwords (PINs)

As dumb as it may seem, here is what really happens on most ATMs (IBM
and Diebold in particular). It is not, however, the way it works on the
system I worked on. We figured a reader terminal was smart enough to
figure out what to do next :-)

1. You enter your card and the ATM sends the card number to the network
2. The network tells the ATM to get the PIN
3. The ATM asks for the PIN and waits. When it gets it, it sends it
to the network.
4. ...

You get the idea I am sure. There is a mainframe talking over a serial
line to a bunch of extremely dumb terminals. The good news is that the
PIN is encrypted at the ATM before it is sent and it is sent in a
different message than the card number. This means that tapping the
communications line does not give you the necessary information to make a
bogus card and use it in another ATM.
--
Phil Hughes, SSC, Inc. P.O. Box 55549, Seattle, WA 98155 (206)FOR-UNIX
uw-beaver!tikal!ssc!fyl or uunet!pilchuck!ssc!fyl or attmail!ssc!fyl
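
Ingersoll's five-step sequence and Phil Hughes's description of the ATM-host exchange (card number in one message, PIN encrypted at the terminal and sent in a separate one, verification at the host) can be modelled directly. The Go program below is an added example written for this archive, not code from any of the posters or from any ATM network. It assumes the PIN travels as an ISO 9564 format-0 PIN block (PIN digits XORed with part of the card number) encrypted under a per-terminal single-DES key shared with the host; that matches the era of the thread but is an assumption, not something the posts state. The card number, PIN, keys and terminal names are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample values for this example; nothing here comes from the thread.
const samplePAN, samplePIN = "4111111111111111", "1234"

// Per-terminal PIN encryption keys shared with the host (constructed). Single DES
// is what the 1988 posts describe; it is long obsolete and modelled only for that.
var terminalKeys = map[string][]byte{
	"ATM-A": {0x13, 0x57, 0x9B, 0xDF, 0x02, 0x46, 0x8A, 0xCE},
	"ATM-B": {0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x07, 0x18},
}

func cipherFor(terminal string) (cipher.Block, error) {
	key, ok := terminalKeys[terminal]
	if !ok {
		return nil, errors.New("unknown terminal " + terminal)
	}
	return des.NewCipher(key)
}

// PINBlock builds an ISO 9564 format-0 block: the PIN field (0, PIN length, PIN
// digits, F padding) XORed with the PAN field (0000 plus the twelve PAN digits
// before the check digit), so the same PIN gives a different block on every card.
func PINBlock(pin, pan string) ([8]byte, error) {
	var blk [8]byte
	if len(pin) < 4 || len(pin) > 12 || len(pan) < 13 || strings.Trim(pin+pan, "0123456789") != "" {
		return blk, errors.New("PIN must be 4-12 digits, PAN at least 13 digits")
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pf, _ := hex.DecodeString(pinField + strings.Repeat("F", 16-len(pinField)))
	pa, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	for i := range blk {
		blk[i] = pf[i] ^ pa[i]
	}
	return blk, nil
}

// Wire is what a tap on the ATM-host line sees: two separate messages.
type Wire struct {
	Terminal string
	Msg1     []byte // "CARD:<PAN>", sent in clear when the card goes in
	Msg2     []byte // encrypted PIN block, sent after the host asks for the PIN
}

// ATMSend models the terminal side; the PIN itself is never transmitted.
func ATMSend(terminal, pan, pin string) (Wire, error) {
	blk, err := PINBlock(pin, pan)
	if err != nil {
		return Wire{}, err
	}
	c, err := cipherFor(terminal)
	if err != nil {
		return Wire{}, err
	}
	enc := make([]byte, 8)
	c.Encrypt(enc, blk[:])
	return Wire{Terminal: terminal, Msg1: []byte("CARD:" + pan), Msg2: enc}, nil
}

// Host is the issuer side; it keeps the raw PIN only to keep the example short
// (a real host stores a verification value derived from it).
type Host struct{ pins map[string]string }

// Verify decrypts with the claimed terminal's key and compares against the block
// recomputed from the stored PIN: the check happens at the host, not on the card.
func (h Host) Verify(w Wire) bool {
	if !bytes.HasPrefix(w.Msg1, []byte("CARD:")) || len(w.Msg2) != 8 {
		return false
	}
	pan := string(w.Msg1[len("CARD:"):])
	stored, ok := h.pins[pan]
	want, err := PINBlock(stored, pan)
	c, cerr := cipherFor(w.Terminal)
	if !ok || err != nil || cerr != nil {
		return false
	}
	got := make([]byte, 8)
	c.Decrypt(got, w.Msg2)
	return subtle.ConstantTimeCompare(got, want[:]) == 1
}

func main() {
	h := Host{pins: map[string]string{samplePAN: samplePIN}}
	w, err := ATMSend("ATM-A", samplePAN, samplePIN)
	if err != nil {
		panic(err)
	}
	fmt.Printf("line carries %q then %x; host accepts: %v\n", w.Msg1, w.Msg2, h.Verify(w))
	// The same capture presented as if from ATM-B decrypts under the wrong key and
	// fails: the per-terminal key is what backs Hughes's "another ATM" claim.
	fmt.Println("host accepts capture via ATM-B:", h.Verify(Wire{Terminal: "ATM-B", Msg1: w.Msg1, Msg2: w.Msg2}))
}
```

The last line of main is the point of Hughes's claim: a block captured on one terminal's line is useless on a terminal with a different key. What the model leaves out is any sequence number or message authentication code on the exchange, which is what real networks add so that a capture cannot be replayed through the same terminal either.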

From: "Richard A. O'Keefe" <ok@quintus.com> 16-DEC-1988 5:00:25
To: unix-wizards@sem.brl.mil
Subj: [71] Re: random passwords (was Re: Worm...)

I had a Versatel card (Bank of America) and my PIN was 10 characters.

From: "Michael J. Chinni, SMCAR_CCS_E" <mchinni@ardec.arpa> 16-DEC-1988 13:50:25
To: security@pyrite.rutgers.edu
Subj: [2573] [ted: password security]

F Y I

From: ted@nmsu.edu
To: unix-wizards@BRL.MIL
Subject: password security

I would let all of this discussion about pins and password protection
just slide on by, except for the fact that a friend of mine was
apparently a recent victim of an atm fraud.

The situation was that she went to the bank to make a withdrawal and
they said that her account had only $5 in it. She objected that
according to her records she had over $700 in the account and that she
had not made any withdrawals recently. The bank claimed that she had
made 5 withdrawals in one day for virtually the entire amount in the
account, leaving only the minimum in the account. Upon presentation
with a written complaint, the bank checked the camera for the atm and
found that it had been blocked during the time of the withdrawals in
question.

The bank is currently standing pat on the absolute security of the atm
system and is insisting that they have no obligation to disburse any
of the questioned funds. Combined with the recent discussion on the
net about the errors that have occurred in atm software and with the
fact that some systems store the pin (or the encrypted pin) on the
card, there is considerable doubt in my mind about whether atm's
provide even minimal levels of security.

My questions for the net are:

1) are account and pin numbers really stored on the card in such a way
that a card can be easily forged (please, no secure details, I just
need enough information to believe you).

2) how autonomous are atm machines?

3) to what degree do atm's record transactions. I know they record
the account number and amount, but do they record erroneous pin
entries, and do they record the pin number that is actually entered?
Is there enough of an audit trail to substantiate a claim of card
forgery?

4) are there any publicly available accounts of atm fraud, or
breakdowns in atm security? (the bug mentioned on the net recently
would classify, but did the company involved manage to sufficiently
hush up the problem so that it has effectively been pushed into the
apocrypha of computer security?)

If your reply is not suitable for public dissemination, please reply
by email, usmail or phone. I will or will not summarize to the net
depending on the wishes of individual respondents. I will honor
requests for anonymity, but obviously, in the current situation, I
would prefer to find experts in the field whom I can cite.

Thank you.

Ted Dunning
Computing Research Laboratory
New Mexico State University
Las Cruces, New Mexico 88003-0001
ted@nmsu.edu
(505) 646-6221

From: "Michael J. Chinni, SMCAR_CCS_E" <mchinni@ardec.arpa> 20-DEC-1988 11:47:18
To: security@pyrite.rutgers.edu
Subj: [722] [Cory Kempf: Re: password security]

F Y I

From: Cory Kempf <cory@gloom.uucp>
Subject: Re: password security
Date: 8 Dec 88 18:02:18 GMT
To: unix-wizards@sem.brl.mil

Has anyone ever noticed that most of the ATM machines that are out
there in the real world (at least in the US) have a vertical keypad?

Does anyone really think that it is possible (without being a contortionist)
to prevent the person behind you from seeing as you type in the PIN?

Can anyone come up with a way to make it *easier* for someone else to see
you type in your PIN?

Rhetorical question time...

why do most banks NOT use horizontal keypads (as well as other
security measures)?

GAK
+C
--
Cory Kempf
UUCP: encore.com!gloom!cory
"...it's a mistake in the making." -KT

From: "Michael J. Chinni, SMCAR_CCS_E" <mchinni@ardec.arpa> 20-DEC-1988 12:00:49
To: security@pyrite.rutgers.edu
Subj: [1556] [ted: pins and passwords]

F Y I
Date: Mon, 12 Dec 88 14:03:20 MST
From: ted@nmsu.edu
To: unix-wizards@BRL.MIL
Subject: pins and passwords

After some checking (and one very good reference) I have found out
that in the case of ATM's serviced by the CIRRUS network:

1) the pin is verified with the issuing bank on every transaction,
although there appears to be room for CIRRUS to interject a false
verification for testing purposes.

2) all data traffic is encrypted with DES with key distribution by
public-key methods. Lines that go out of service are automatically
replaced by dial-ups as needed, so that tapping could be done without
much chance of detection, but the cost of attacking a 4.8Kbit DES line
is probably not worth the cost (but since atm's send pins and account
numbers directly over the line, you would completely compromise those
accounts).

3) CIRRUS does not apparently support return of account balance. This
would explain why moving out of your local area (i.e. local banking
group) causes your balance to disappear from the atm summary.

None of this information indicates that the PIN is NOT stored on the
card, only that atm's do not ever have to take the card's word that
the pin is correct.

The information that I have found does not say anything about the
other major atm transaction networks (cash stream and the plus
system), nor does it really say anything about the atm's themselves.

Many thanks to Mark Schuldenfrei for pointing me at the August 85
issue of CACM which had a case study of CIRRUS (really an interview
with one of the honchos).

From: Troy Landers <sequent!tlanders@cse.ogi.edu> 17-MAR-1990 2:26:29
To: misc-security@tektronix.tek.com
Subj: [1069] Re: Bank card tricks in Toronto

I know it is, at least on some cards. When I lived in Illinois, the bank
that I used had this little box that resembled one of those automatic
credit card calling thingamajigs. When I opened my account, they gave
me a card, left me alone in the room (in the vault) and told
me how to use it. All I did was type my PIN number, press a button, and
"swipe" my card through it. Voila, my card was now encoded with my
PIN. I didn't think about it too much at the time, mostly because
I wasn't aware of all the sneaky things crooks can do, and because I
was a student and didn't have any money to steal anyway :-). Now I
think I would be more reluctant to use a bank with such a system.
Who knows?

Troy

-------------------------------------------------------------------------------
Troy Landers                   Sequent Computer Systems Inc.
UUCP: ...!sequent!tlanders     15450 S.W. Koll Parkway
Phone: (503) 626-5700 x4491    Beaverton, Oregon 97006-6063

*** My opinions are precisely that! ***

From: netcom!onymouse@claris.com (John Debert) 17-MAR-1990 2:27:11
To: misc-security@ames.arc.nasa.gov
Subj: [440] Re: Bank card tricks in Toronto

Many banks, not-so-long-ago, did record passcodes on the card. That way,
they didn't have to use their computer resources for such piddly things.
Also, access control software was not yet being produced that was reliable.
It was much easier to leave such things up to the ATM.

A certain American bank still records passcodes in some cards, if not all.
They still use ATM's that expect the passcode to be there.

jd
onymouse@netcom.UUCP

From: night@pawl.rpi.edu (Trip Martin) 17-MAR-1990 2:50:37
To: ???
Subj: [378] Re: Bank card tricks in Toronto

When I got my cash card back in Sept, the bank told me that the access
code was indeed put on the card itself, and implied that this was better
because then no bank records would have the access code. In fact, they
had me type in my desired access code into a machine which then ran
the card through.

Trip Martin
night@pawl.rpi.edu

From: roeber@portia.caltech.edu 19-MAR-1990 23:14:01
To: security@pyrite.rutgers.edu
Subj: [821] Bank card tricks

An article in the Los Angeles Times, about some people who made phony ATM
cards from paper stock and audio magnetic tape, indicates that the PIN
code is not stored on the cards. The people could program the cards with
bank account numbers, but the security hole that allowed them to steal
money was that one of them, an employee or ex-employee, could reprogram
the PINs in the bank database. If the PIN was stored on the card, they
could have just picked any number. However, my bank insists that to
change my PIN they must re-issue my card. Perhaps there is some type of
encryption/verification going on?

Question: ATMs use phone lines. Is there any sort of encryption on these
lines, to prevent wiretappers from gleaning valid account/PIN combinations?

Frederick Roeber
roeber@caltech.bitnet
roeber@caltech.edu

From: Craig Leres <leres@helios.ee.lbl.gov> 20-MAR-1990 4:30:19
To: security@rutgers.edu
Subj: [273] Re: Bank card tricks in Toronto

Quite some time ago, the transaction cards spawned by my bank's ATMs
were changed so that the last two digits of the account number are
printed as XX. This helps protect those people who leave them behind.
(It doesn't help them balance their checkbooks, though.)

Craig

From: hollombe%sdcsvax@ttidca.tti.com (The Polymath) 21-MAR-1990 7:56:01
To: misc-security@sdcsvax.ucsd.edu
Subj: [1143] Re: Bank card tricks in Toronto

Many teller machines have cameras associated with them. They can
photograph the person making every transaction.

}Does anyone know if the access code is, in fact, also on the mag
}stripe?

This varies by bank. While the ANSI standard does give a format for each
of the three tracks on the magnetic strip, in practice each issuing
organization uses proprietary systems. Putting the card number on track
two is pretty universal. Track one often includes a repeat of the card
number and the card holder's name, among other things. Track three is
writable and may include up to date account information. A few banks are
foolish enough to put the cardholder's PIN on the card -- sometimes
encrypted, sometimes not. Many systems only look at track two.

I'm not sure what you mean by "access code." The card number includes
fields that identify the issuing bank.

--
The Polymath (aka: Jerry Hollombe, M.A., CDP, aka: hollombe@ttidca.tti.com)
Citicorp(+)TTI                                       Illegitimis non
3100 Ocean Park Blvd.   (213) 450-9111, x2483        Carborundum
Santa Monica, CA 90405  {csun | philabs | psivax}!ttidca!hollombe
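
The track layout the Polymath describes (card number on track 2, a repeat of the number plus the holder's name on track 1) is the ISO/IEC 7813 format, and Phil Hughes's Rainier Bank story earlier in the thread is the reason a terminal should display track 1 but never trust it. The Go program below is an added example written for this archive, not any poster's or any bank's code: it parses both tracks, checks the PAN's Luhn check digit, extracts the issuer prefix the Polymath says identifies the bank, and refuses a card whose two tracks disagree. The track strings are constructed sample data (the PAN is the well-known 4111... test number), and treating the first six digits as the issuer identifier is an assumption for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Card is what a terminal recovers from the stripe. Only track 1 carries the
// name; track 2 is what most systems act on.
type Card struct {
	PAN, Name, Expiry, ServiceCode, Discretionary string
}

// Luhn checks the PAN's trailing check digit (ISO/IEC 7812).
func Luhn(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i]) - '0'
		if d < 0 || d > 9 {
			return false
		}
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 13 && sum%10 == 0
}

// splitTail separates <YYMM><service code><discretionary> after the last separator.
func splitTail(tail string) (expiry, service, disc string, err error) {
	if len(tail) < 7 || strings.Trim(tail[:7], "0123456789") != "" {
		return "", "", "", errors.New("expiry/service code field malformed")
	}
	return tail[:4], tail[4:7], tail[7:], nil
}

// ParseTrack2 reads the ISO/IEC 7813 track-2 layout:
//   ;<PAN>=<YYMM><service code><discretionary data>?
func ParseTrack2(t string) (Card, error) {
	if !strings.HasPrefix(t, ";") || !strings.HasSuffix(t, "?") {
		return Card{}, errors.New("track 2: missing start/end sentinel")
	}
	f := strings.SplitN(t[1:len(t)-1], "=", 2)
	if len(f) != 2 || !Luhn(f[0]) {
		return Card{}, errors.New("track 2: bad PAN or missing field separator")
	}
	exp, svc, disc, err := splitTail(f[1])
	if err != nil {
		return Card{}, fmt.Errorf("track 2: %w", err)
	}
	return Card{PAN: f[0], Expiry: exp, ServiceCode: svc, Discretionary: disc}, nil
}

// ParseTrack1 reads the format-B track-1 layout:
//   %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary data>?
func ParseTrack1(t string) (Card, error) {
	if !strings.HasPrefix(t, "%B") || !strings.HasSuffix(t, "?") {
		return Card{}, errors.New("track 1: missing sentinel or format code")
	}
	f := strings.Split(t[2:len(t)-1], "^")
	if len(f) != 3 || !Luhn(f[0]) {
		return Card{}, errors.New("track 1: bad PAN or field count")
	}
	exp, svc, disc, err := splitTail(f[2])
	if err != nil {
		return Card{}, fmt.Errorf("track 1: %w", err)
	}
	return Card{PAN: f[0], Name: strings.TrimSpace(f[1]), Expiry: exp, ServiceCode: svc, Discretionary: disc}, nil
}

// IssuerID returns the leading digits that identify the issuing bank; six is
// the classic prefix length (an assumption for this example).
func IssuerID(pan string) string {
	if len(pan) < 6 {
		return ""
	}
	return pan[:6]
}

// CrossCheck is the defensive reading of the Rainier Bank anecdote: the name on
// track 1 is free text the issuer never verifies, so the terminal acts on the
// track-2 PAN, uses track 1 for display only, and rejects a card whose tracks
// disagree. An unreadable track 1 (empty string) falls back to track 2 alone.
func CrossCheck(track1, track2 string) (Card, error) {
	card, err := ParseTrack2(track2)
	if err != nil || track1 == "" {
		return card, err
	}
	t1, err := ParseTrack1(track1)
	if err != nil {
		return Card{}, err
	}
	if t1.PAN != card.PAN {
		return Card{}, errors.New("track 1 and track 2 carry different PANs")
	}
	card.Name = t1.Name
	return card, nil
}

func main() {
	// Constructed sample tracks; the PAN is the well-known 4111... test number.
	track1 := "%B4111111111111111^DOE/JANE^9912101123456789?"
	track2 := ";4111111111111111=9912101123456789?"
	card, err := CrossCheck(track1, track2)
	fmt.Printf("%+v err=%v issuer=%s\n", card, err, IssuerID(card.PAN))
	_, err = CrossCheck("%B5500000000000004^DOE/JANE^9912101123456789?", track2)
	fmt.Println("mismatched tracks:", err)
}
```

The one design decision worth noting is that the name never feeds an authorisation decision: it is copied onto the card record only after the track-2 PAN has been validated and the track-1 PAN has matched it, which is exactly the check a terminal that "only looks at track two" would skip.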

From: "Don't have a cow, man!" <AEWALSH@fordmurh.bitnet> 23-MAR-1990 16:25:55
To: security@ohstvma
Subj: [1030] PIN on Bank Cards (was tricks in Toronto)

A large commercial bank at which I used to bank had a system for "initializing"
and changing one's PIN as follows:
1. An administrator's card was swiped into a medium-sized device
that had an LED screen and numeric keypad. After entering his/her
code, the customer's card was "swiped".
2. The administrator entered the card/account number.
3. The customer entered the desired PIN twice.

Furthermore, American Express offers a program called "Cash Now". Essentially,
it enables you to withdraw cash or purchase travelers checks at almost any
ATM around the world. On more than one occasion, I have forgotten my PIN number
for my AMEX card. After calling the 800 number, and providing information
about my account (last purchase, etc.), I have been able to change the PIN
over the phone. Scary, isn't it?

My *guess* is that the PIN is not stored on the Mag strip. Rather, it is
accessed into the bank/institution's computer. Just a guess.

Jeffrey Walsh
AEWALSH@FORDMURH