In Ref To Using cards in machines that have no direct connection ie n*b
apart from end of day batching. Encyripted on track 3 is the weekly
limit of the acc. this is overwritten when you make a withdraw with time
and date and amount. so if you know what numbers they are they can be
erased and mulitple withdraws made with the same card !.
it does work ask a certain inmate of HMP. Brixton
Regards Jlane > ==========
> alt.folklore/urban #4, from ni
...@audi.optimation.co.nz, 3087 chars,
Wed 31 Aug 1994 01:14:57
> ----------
> Article: 106312 of alt.folklore.urban
> Newsgroups: alt.folklore.urban
> Path:
cix.compulink.co.uk!uknet!EU.net!uunet!comp.vuw.ac.nz!actrix.gen.nz!opti
mation.co.nz!audi!nickg
> From: ni
...@audi.optimation.co.nz (Nick Gridley)
> Subject: Re: Cracking ATM Card Codes
> In-Reply-To: sys
...@codewks.nacjack.gen.nz's message of Sat, 27 Aug 94
14:02:56 +1200
> Message-ID: <NICKG.94Aug31131
...@audi.optimation.co.nz>
> Sender: ni
...@optimation.co.nz (Nick Gridley)
> Organization: Optimation Consulting
> References: <mcqCuuowA.
...@netcom.com>
<L4TqRc1w1
...@codewks.nacjack.gen.nz>
> Date: Wed, 31 Aug 1994 01:14:57 GMT
> Lines: 47
> In article <L4TqRc1w1...@codewks.nacjack.gen.nz>
sys
...@codewks.nacjack.gen.nz (Wayne W. McDougall) writes:
> > I have heard that one some systems, a (five digit) number is encoded
on your
> > card that is NOT your PIN. As a first check on the validity of yor
entered
> > PIN, a complex mathematical formula(TM) is used to compare your
entry to the
> > encoded number. If that is valid, then the machine chats to the
central
> > database. If the central database is offline, then the machine will
accept
> > the input number.
> > Note that the number of 4 digit PINs that will pass the complex
mathematical
> > forumla(TM) is >1. For banks that assign you PINs, they simply
choose the
> > next PIN that is valid for the five digit number on your card. Hence
no
> > need to update your card.
> Actually, as I understand it, it's a trapdoor function derived from
> your account code and various other things known to the bank like an
> encryption key. the most I've ever found on an ATM card, track 2 is
> an bank prefix, account number, and an expiry date. some of them
> might have what's called a pin offset, which is simply added to the
> original pin, to get the user-selectable pin. I can't speak for ATMs
> but EFTPOS machines can't read more than track 2.
> ATM's have the ability to check pins locally, EFTPOS machines don't,
> but have the ability to grab it off you, encrypt it (2-way), and pack
> it off to the bank along with a gimme$$ request. this is why EFTPOS
> machines take longer to work out you have got it wrong.
> suffice to say, the thing that can check pins is well secure, and will
> forget all the encryption stuff at the first sign of tampering.
> > <snip>
> > When the central database is offline, some systems will allow you to
make a
> > limited withdrawal and only once per dat. Tests show that this limit
is not
> > recorded at the machine, as it is known by other machines on the
same day.
> > I suspect that there is an emergency holding database, rather than a
max
> > taken today field written on to the card. The
> > next test would be to try a different card on the same account, but
it may
> > be easier to just ask.
> for the wise, there are various subtle indications that the machine is
> offline. One I know has a "." after the sign on prompt if it's
> online.
> OBfact: urinating into an ATM will not make it give you cash, but that
> didn't stop someone in Auckland (not you, I hope) from trying it.
> - it totally fried the electronics.
> Nick "lurking somewhere south of the bombay hills" Gridley
