
Cracking ATM Card Codes


Jason Lane

Sep 3, 1994, 8:06:59 AM
In Ref To Using cards in machines that have no direct connection ie n*b
apart from end of day batching. Encrypted on track 3 is the weekly
limit of the acc. this is overwritten when you make a withdrawal with time
and date and amount. so if you know what numbers they are they can be
erased and multiple withdrawals made with the same card !.

it does work ask a certain inmate of HMP. Brixton


Regards Jlane

> ==========
> alt.folklore/urban #4, from ni...@audi.optimation.co.nz, 3087 chars, Wed 31 Aug 1994 01:14:57
> ----------
> Article: 106312 of alt.folklore.urban
> Newsgroups: alt.folklore.urban
> Path: cix.compulink.co.uk!uknet!EU.net!uunet!comp.vuw.ac.nz!actrix.gen.nz!optimation.co.nz!audi!nickg
> From: ni...@audi.optimation.co.nz (Nick Gridley)
> Subject: Re: Cracking ATM Card Codes
> In-Reply-To: sys...@codewks.nacjack.gen.nz's message of Sat, 27 Aug 94 14:02:56 +1200
> Message-ID: <NICKG.94A...@audi.optimation.co.nz>
> Sender: ni...@optimation.co.nz (Nick Gridley)
> Organization: Optimation Consulting
> References: <mcqCuu...@netcom.com> <L4TqRc...@codewks.nacjack.gen.nz>
> Date: Wed, 31 Aug 1994 01:14:57 GMT
> Lines: 47
>
> In article <L4TqRc...@codewks.nacjack.gen.nz> sys...@codewks.nacjack.gen.nz (Wayne W. McDougall) writes:
> > I have heard that on some systems, a (five digit) number is encoded on your
> > card that is NOT your PIN. As a first check on the validity of your entered
> > PIN, a complex mathematical formula(TM) is used to compare your entry to the
> > encoded number. If that is valid, then the machine chats to the central
> > database. If the central database is offline, then the machine will accept
> > the input number.
> >
> > Note that the number of 4 digit PINs that will pass the complex mathematical
> > formula(TM) is >1. For banks that assign you PINs, they simply choose the
> > next PIN that is valid for the five digit number on your card. Hence no
> > need to update your card.
>
> Actually, as I understand it, it's a trapdoor function derived from
> your account code and various other things known to the bank like an
> encryption key. the most I've ever found on an ATM card, track 2 is
> a bank prefix, account number, and an expiry date. some of them
> might have what's called a pin offset, which is simply added to the
> original pin, to get the user-selectable pin. I can't speak for ATMs
> but EFTPOS machines can't read more than track 2.
>
> ATMs have the ability to check pins locally, EFTPOS machines don't,
> but have the ability to grab it off you, encrypt it (2-way), and pack
> it off to the bank along with a gimme$$ request. this is why EFTPOS
> machines take longer to work out you have got it wrong.
>
> suffice to say, the thing that can check pins is well secure, and will
> forget all the encryption stuff at the first sign of tampering.
> > <snip>
>
> > When the central database is offline, some systems will allow you to make a
> > limited withdrawal and only once per day. Tests show that this limit is not
> > recorded at the machine, as it is known by other machines on the same day.
> > I suspect that there is an emergency holding database, rather than a max
> > taken today field written on to the card. The
> > next test would be to try a different card on the same account, but it may
> > be easier to just ask.
>
> for the wise, there are various subtle indications that the machine is
> offline. One I know has a "." after the sign on prompt if it's
> online.
>
> OBfact: urinating into an ATM will not make it give you cash, but that
> didn't stop someone in Auckland (not you, I hope) from trying it.
> - it totally fried the electronics.
>
> Nick "lurking somewhere south of the bombay hills" Gridley

HALLAM-BAKER Phillip

Sep 3, 1994, 8:48:27 AM

From phrack:


Track I is 210 bpi. Track II is 75 bpi.

The next chart shows the Magnetic Stripe Data Format (Track I)

Field #  Length  Name of Field
-------  ------  -------------

   1       1     Start Sentinel (STX)
   2       1     Format Code
   3     13/16   Primary Account Number
   4       1     Separator (^)             HEX 5E
   5      2-26   Card Holder Name
   6       1     Separator (^)             HEX 5E
   7       4     Card Expiration           in format MMYY
   8       3     Service Code (?)          000 WORKS.
   9      0/5    Pin Verification Field
  10             Discretionary Data        Depends on 3, 5, 9
  11      11     Visa Reserved             Always last 11 positions
  12       1     End Sentinel (ETX)
  13       1     LRC

Maximum Record Length is 79 Characters


The next chart shows the Magnetic Stripe Data Format (Track II)

Field #  Length  Name of Field
-------  ------  -------------

   1       1     Start Sentinel (STX)
   2     13/16   Primary Account Number
   3       1     Separator (=)             HEX 3D
   4       4     Card Expiration Date      in format MMYY
   5       3     Service Code (?)          000 works.
   6      0/5    Pin Verification Field
   7             Discretionary Data        Depends on 2, 6
   8       1     End Sentinel (ETX)
   9       1     LRC

"The LRC is calculated by performing a BITWISE XOR (Exclusive OR) on all
ASCII values of the characters in the Inquiry - EXCLUDING the <STX> but
INCLUDING the <ETX>."

<STX> is HEX 02.
<ETX> is HEX 03.


It's probably written out in some ISO standard somewhere. The cards have to be
interoperable.

It is a very silly system and one that should be improved. Fortunately
Mastercard have announced a move to using smartcards. These at least cut out
one layer of abuse - forged cards made using data from old receipts.
Hopefully AMEX and VISA will follow. It is very annoying to have to use
RSA encryption (at cost) to provide poor security safeguards when fixing the
credit card co's scheme provides much better security without needing
encryption.

Any system that depends on simple encryption (ie not digital signatures) for
authentication is inherently weak. When the comparison of the challenge key
is made there are opportunities for interception. In the case of home shopping
the accounts dept of the store in question gets to read all the data they need
to rip off the customer.

--
Phillip M. Hallam-Baker

Not Speaking for anyone else.
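
An added example, not part of the original posts or of the quoted Phrack text: a Python check that validates a record laid out as in the Track II chart above, framed with STX/ETX and carrying the XOR LRC as quoted, and masks the account number before anything is logged. The function names, the STX ... ETX LRC byte framing and the sample record (built from a test PAN) are assumptions made for illustration.

```python
import re
from functools import reduce

STX, ETX = 0x02, 0x03  # framing bytes as given in the quoted text

# Track II chart: PAN (13 or 16 digits), '=', MMYY, 3-digit service code,
# then PIN verification field and discretionary data (variable length).
TRACK2 = re.compile(rb"(\d{13}|\d{16})=(\d{2})(\d{2})(\d{3})(\d*)")

def lrc(data: bytes) -> int:
    """XOR of all byte values; pass everything after STX up to and including ETX."""
    return reduce(lambda a, b: a ^ b, data, 0)

def frame(payload: bytes) -> bytes:
    """Build STX + payload + ETX + LRC (used here only to construct test input)."""
    body = payload + bytes([ETX])
    return bytes([STX]) + body + bytes([lrc(body)])

def check_record(record: bytes) -> dict:
    """Validate framing, LRC and field layout; return fields with the PAN masked."""
    if len(record) < 4 or record[0] != STX or record[-2] != ETX:
        raise ValueError("bad framing: expected STX ... ETX LRC")
    if lrc(record[1:-1]) != record[-1]:
        raise ValueError("LRC mismatch: record corrupted in transit")
    m = TRACK2.fullmatch(record[1:-2])
    if not m:
        raise ValueError("payload does not match the Track II layout")
    pan, mm, yy, service, rest = (g.decode() for g in m.groups())
    if not 1 <= int(mm) <= 12:
        raise ValueError("expiration month out of range")
    return {
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "expiry_mmyy": mm + yy,
        "service_code": service,
        "pvf_and_discretionary_len": len(rest),
    }

# Constructed sample: a well-known test PAN, not a real account.
SAMPLE = frame(b"4111111111111111=1299000" + b"12345")

if __name__ == "__main__":
    print(check_record(SAMPLE))
    damaged = SAMPLE[:5] + bytes([SAMPLE[5] ^ 0x01]) + SAMPLE[6:]  # one flipped bit
    try:
        check_record(damaged)
    except ValueError as err:
        print("rejected:", err)
```

The XOR LRC only detects accidental corruption; it is an error check and authenticates nothing.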
