RE: OT: Banc of America Article

[Krzysztof Adamski <k () adamski org>]

I would guess that PayPal is bit younger then 4 years, so some banks have
change the process since I was last involved with it.

For you information the ATM's of 15 years ago and the ATM's of 4[*] years
ago used the same process to deal with encryption. It was done by a black
box manufactured by a company called Excrypt. CPU power never came into
question.
 Before you jump to the conclusion that you could just steal the black box
from the ATM and have access, but if you till it, it forgets all the keys.
Also during normal operation two separate people have to enter two parts
of the key. This way no single bank employee has access to both parts of
the key.


[*] I no longer am involved with banks for the last 4 years, so I don't
know what changes have happened.

K

 On Thu, 30 Jan 2003, Temkin, David wrote:

> FYI this is completely incorrect.
>
> I have changed my PIN with both my PayPal debit card as well as my First
> Union/Wachovia card numerous times without a single contact with a physical
> bank.
>
> See: http://www.wachovia.com/helpcenter/page/0,,2372_2705,00.html
>
> To store the PIN on a card, whether hashed or not, would be foolish.   Do
> people really think that the ATM's of 15 years ago had the CPU power to
> calculate the hash of a PIN number on the fly?  I know people who are
> carrying around 10+ year old cards and they still work fine.
>
> -Dave
>
> > -----Original Message-----
> > From: Krzysztof Adamski [mailto:k () adamski org] 
> > Sent: Thursday, January 30, 2003 3:39 PM
> > To: nanog () merit edu
> > Subject: Re: OT: Banc of America Article
> >
> >
> >
> > Since nobody has given the correct information about the PIN 
> > on the card I will give a very brief description.
> >
> > There are two types of PIN, natural and customer selected.
> > The natural PIN is computed from the number on the card. The 
> > computation involves one way crypto keys. I don't remember 
> > the algorithm. For this the PIN that is stored on the card is 0000.
> >
> > Now, when a customer selects a PIN, an offset is computed 
> > between the natural PIN and selected PIN. This offset is 
> > stored on the card.
> >
> > Based on this you can see that re-encoding is needed when you 
> > change the PIN number, most ATM will do that re-encoding. So 
> > unless things have changed in the last 4 years since I worked 
> > with this, you can not change your PIN over the phone without 
> > physical contact by the bank with the card.
> >
> > Personally I carry a card without any logo as my ATM card, at 
> > one point I had access to reader/encoder for mag strip cards 
> > and I programmed a blank card with the info from my real ATM 
> > card. No encryption involved.
> >
> > K
> >
> > On Wed, 29 Jan 2003, David Charlap wrote:
> >
> > > Al Rowland wrote:
> > > > The PIN is on your card ...
> > >
> > > Not for any card I've ever owned.  I've changed my PIN several times
> > > over the years, and the bank has never re-encoded my card 
> > or sent me a 
> > > new card as a result of doing so.
> > >
> > > Maybe some banks do store the PIN on the card, but I'm certain that 
> > > it's
> > > in the server for ever bank I've used.
> > >
> > > > I use a not-my-bank ATM in the lobby at work and it 
> > doesn't initiate 
> > > > the call (you can hear the modem dial) until you're 
> > beyond the PIN 
> > > > screen and are actually requesting a transaction.
> > >
> > > I'm not surprised.  But the PIN is verified as a part of the 
> > > transaction.
> > >
> > > I've occasionally mistyped my PIN.  The ATM takes the 
> > mistake and goes
> > > straight to the menu.  It's only after requesting a 
> > transaction that it 
> > > comes back with the "invalid PIN" message.
> > >
> > > -- David
>
>
> IMPORTANT:The information contained in this email and/or its attachments is
> confidential. If you are not the intended recipient, please notify the
> sender immediately by reply and immediately delete this message and all its
> attachments.  Any review, use, reproduction, disclosure or dissemination of
> this message or any attachment by an unintended recipient is strictly
> prohibited.  Neither this message nor any attachment is intended as or
> should be construed as an offer, solicitation or recommendation to buy or
> sell any security or other financial instrument.  Neither the sender, his or
> her employer nor any of their respective affiliates makes any warranties as
> to the completeness or accuracy of any of the information contained herein
> or that this message or any of its attachments is free of viruses.