ATM fraud

snopes

Sep 21, 1992, 5:12:11 AM

In article <gregn.716784724@coombs>,
gr...@coombs.anu.edu.au (Gregory Newton) writes...

>An UL back in my home city australia/nsw/gosford concerned a bloke who
>entered a piece of foil from a chocolate wrapper into an ATM and was able to
>withdraw money when the machine went berserk.

Sheesh! What was it, a wrapper from a chocolate laxative?

- snopes

+-----------------------------------------------------------------------------+
| "It is about a socialist, anti-family political movement that encourages |
| women to leave their husbands, kill their children, practice witchcraft, |
| destroy capitalism, and become lesbians." |
| |
| Pat Robertson, on the equal-rights amendment |
+-----------------------------------------------------------------------------+
| David Mikkelson Digital Equipment Corporation, Culver City, CA USA |
+-----------------------------------------------------------------------------+

Wayne McDougall

Oct 4, 1992, 7:18:25 PM
snopes%clu...@stlth.enet.dec.com (snopes) writes:

>
> In article <gregn.716784724@coombs>,
> gr...@coombs.anu.edu.au (Gregory Newton) writes...
>
> >An UL back in my home city australia/nsw/gosford concerned a bloke who
> >entered a piece of foil from a chocolate wrapper into an ATM and was able to
> >withdraw money when the machine went berserk.
>
> Sheesh! What was it, a wrapper from a chocolate laxative?
>
> - snopes

In NZ there was an "issue" over the security of ATM machines. A current
affairs programme (B-D) interviewed some street kids, who demonstrated
how they deposited a Jaffa packet, entered a value of $1,000,000 and
a few days later were able to withdraw funds on the proceeds. Further
investigations, reported in the NZ Herald, indicated that
a) it had happened once before to the value of $10,000
b) the street kid in question admitted that they were surprised that it
worked. It had been tried many many times, but with this once previous
success. It just happened to work for the TV.
c) it just came down to human error where an overworked and harassed
clerk had punched the validate (you know how it goes: validate, validate,
validate....30 times...it's nearly always right) key (the default option)
in error. It was picked up by internal audit, but a day late, permitting
the $300 NZ daily limit of withdrawals for the benefit of TV cameras.

As a sideline, note that the deposit capability has been removed from
EVERY ATM for EVERY bank in New Zealand.


Cheers,

Wayne McDougall

Chris Keane

Oct 8, 1992, 7:55:57 PM
sys...@CODEWKS.nacjack.gen.nz (Wayne McDougall) writes:

>In NZ there was an "issue" over the security of ATM machines. A current
>affairs programme (B-D) interviewed some street kids, who demonstrated
>how they deposited a Jaffa packet, entered a value of $1,000,000 and
>a few days later were able to withdraw funds on the proceeds. Further
>investigations, reported in the NZ Herald, indicated that
>a) it had happened once before to the value of $10,000
>b) the street kid in question admitted that they were surprised that it
>worked. It had been tried many many times, but with this once previous
>success. It just happened to work for the TV.

Funny, I heard exactly the same thing about an automatic teller
here in Bondi, Australia (But then again, that's a New Zealand
city anyway), right down to the bogus deposit being a Jaffa
packet. I heard this in about 1982, I guess.

Looks like an UL, tastes like one, sounds like one and I heard
it from a friend so it must be one.


regards...
Chris Keane. State Bank NSW ph. +61 2 259 4459
Unix Systems Administrator (Group Treasury) ch...@rufus.state.COM.AU
Famous Gravitational Joke: It must have been density that brought us together

Steven Rheault Kihara

Oct 19, 1992, 9:03:13 PM
All right, I've got the ultimate ATM fraud story, though somewhat
disappointingly, I only know it's true because I was the victim.
I was in a hurry to make a transaction, and took out a small amount of
money. Just as I was leaving, I realized I had forgotten to take out
enough to buy a bus pass that morning, and hurrying back to the
machine, I re-inserted my card, entered my personal identification
number and took out more cash. Still clutched in my overeager hand
was the receipt from the first transaction, which in my haste I
thought to be the receipt that indicated my second transaction was
complete.
What I did not know was that I was leaving the machine at the prompt:
"Do you wish to do any further transactions?"
The person whom I brushed past on my way out stepped up to the machine
and answered "Yes."
Since the machine was still using my personal code, he was able to
clean out $810 before he hit my daily limit.
The bank acknowledged what happened and refunded $5, the cost of the
rent cheque that bounced as a result of my account being emptied on
the first day of the month, probably moments before the rent cheque
cleared.
Bummer, eh.
For the record, the bank is the Bank of Nova Scotia, and the man who
stole my money will burn in hell.

Paul Singleton

Oct 20, 1992, 6:17:42 AM
Here's a *true* ATM story - it happened to a friend of mine :-)

When "cash dispensers" were a novelty in the UK (a.k.a. Britain, Great
Britain, ..), my friend withdrew cash but was short-changed by one "fiver".
Fortunately the bank was open, so he went in and complained. The assistant
asked to see the (brand new) notes he'd received, opened the back of the
(recently-installed machine), searched among the litter of fivers in the
bottom of the machine 'til she found one whose number was adjacent to
those issued to my friend, and said "Here, have this one".
----
__ __ Paul Singleton (Mr) JANET: pa...@uk.ac.keele.cs
|__) (__ Computer Science Dept. other: pa...@cs.keele.ac.uk
| . __). Keele University, Newcastle, tel: +44 (0)782 621111 x7355
Staffs ST5 5BG, ENGLAND fax: +44 (0)782 713082

bill nelson

Oct 20, 1992, 1:42:17 PM
srhe...@alfred.carleton.ca (Steven Rheault Kihara) writes:

: machine, I re-inserted my card, entered my personal identification
: number and took out more cash. Still clutched in my overeager hand
: was the receipt from the first transaction, which in my haste I
: thought to be the receipt that indicated my second transaction was
: complete.
: What I did not know was that I was leaving the machine at the prompt:
: "Do you wish to do any further transactions?"
: The person whom I brushed past on my way out stepped up to the machine
: and answered "Yes."
: Since the machine was still using my personal code, he was able to
: clean out $810 before he hit my daily limit.

Hm, you must have left your card behind also. All the machines I have
seen and used do not return the card until you respond "No" to the
"Further Transactions?" prompt.

I would expect that any other setup would be grounds for a legal action.
Here in the US, it would probably be small claims court.

Bill

Brett K. Carver

Oct 20, 1992, 2:31:47 PM
bill nelson (bi...@hpcvaac.cv.hp.com) wrote:
: srhe...@alfred.carleton.ca (Steven Rheault Kihara) writes:
: : What I did not know was that I was leaving the machine at the prompt:
: : "Do you wish to do any further transactions?"
:
: Hm, you must have left your card behind also. All the machines I have
: seen and used do not return the card until you respond "No" to the
: "Further Transactions?" prompt.

And all machines I have seen leave your card sticking out after the first
transaction. If you remove the card, the session ends and no more transactions
may be made.

I've never seen a machine that allows a transaction to take place without the
card inserted. Sounds like it's time to change banks.

Brett Carver
(707) 577-4344
br...@sr.hp.com

Kate McDonnell

Oct 20, 1992, 12:33:32 PM
In article <srheault.719542993@cunews> srhe...@alfred.carleton.ca (Steven Rheault Kihara) writes:
>I was in a hurry to make a transaction, and took out a small amount of
>money. Just as I was leaving, I realized I had forgotten to take out
>enough to buy a bus pass that morning, and hurrying back to the
>machine, I re-inserted my card, entered my personal identification
>number and took out more cash.
[...]

>What I did not know was that I was leaving the machine at the prompt:
>"Do you wish to do any further transactions?"
>The person whom I brushed past on my way out stepped up to the machine
>and answered "Yes."
>Since the machine was still using my personal code, he was able to
>clean out $810 before he hit my daily limit.

This doesn't add up. I've never seen an ATM programmed to
surrender your card yet remain connected to your account. If you
had your card in your hand when you walked away the first time,
the machine must've been broken if it gave the next person access
to your money.

Perhaps by repaying you, the bank was tacitly admitting its
machine was defective.


--
----------------------------------------------------------------------
Kate McDonnell, infographiste gre...@ozrout.uucp
----------------------------------------------------------------------

YuNoHoo

Oct 20, 1992, 2:52:19 PM

Guess we're in the wrong group again, but heck...
Bank of Scotland use a sequence that returns the card _after_ a "Yes"
response, but before you have completed the request. Never tried to
remove the card before I was finished pressing those buttons though.

---
YuNoHoo

rachel j. perkins

Oct 20, 1992, 11:46:10 AM
In article <srheault.719542993@cunews> srhe...@alfred.carleton.ca (Steven Rheault Kihara) writes:
>All right, I've got the ultimate ATM fraud story, though somewhat
>disappointingly, I only know it's true because I was the victim.

[used atm, took out small amt. of cash]

>What I did not know was that I was leaving the machine at the prompt:
>"Do you wish to do any further transactions?"
>The person whom I brushed past on my way out stepped up to the machine
>and answered "Yes."

[bank only refunded amt. charged for bounced check]

so what the hell are those little cameras for? one would think that they could
just play back the day and time of your claimed transaction and find out who
was in line after you. or is there a law against that?

anyone know?

rachel "smile for the camera" perkins

--
-just give me what for,
rachel perkins = rper...@astro.as.arizona.edu
"Chastity..the most unnatural of all the sexual perversions...."
-Aldous Huxley

Peter Swanson

Oct 20, 1992, 5:17:07 PM
In article <1992Oct20....@hpcvaac.cv.hp.com> bi...@hpcvaac.cv.hp.com (bill nelson) writes:
>
>Hm, you must have left your card behind also. All the machines I have
>seen and used do not return the card until you respond "No" to the
>"Further Transactions?" prompt.
>

I have used several machines that don't take your card at all: you
"swipe" your card in the manner of those credit-checker machines, and
your card never leaves your hand. I imagine this would be an easy
mistake to make on such a machine.

--
| Peter J. Swanson | pjs...@caen.engin.umich.edu |
| PhD Pre-Candidate | controls specialist |
| Electrical Engineering:Systems | |
| University of Michigan | |

Stephan Meyers

Oct 20, 1992, 5:50:09 PM
pjs...@engin.umich.edu (Peter Swanson) writes:
>In article <1992Oct20....@hpcvaac.cv.hp.com> bi...@hpcvaac.cv.hp.com (bill nelson) writes:
>>
>>Hm, you must have left your card behind also. All the machines I have
>>seen and used do not return the card until you respond "No" to the
>>"Further Transactions?" prompt.
>I have used several machines that don't take your card at all: you
>"swipe" your card in the manner of those credit-checker machines, and
>your card never leaves your hand. I imagine this would be an easy
>mistake to make on such a machine.

I've used those too, and thought about this, but it's not
possible. Please notice that those machines only let you do one
transaction, and do not ask if you want another (at least the one
two blocks from me at the grocery store is like that)

sbm
--
--
Stephan Meyers | ar...@uicbert.eecs.uic.edu
(Art)^n Laboratories, inventors of the Stealth Negative PHSCologram
(312) 567-3762

Ad absurdum per aspera

Oct 20, 1992, 7:57:00 PM
>so what the hell are those little cameras for? one would think that they could
>just play back the day and time of your claimed transaction and find out who
>was in line after you. or is there a law against that?

Fingering the perpetrator would mean going to trial and generally
making the ATM's fallibility a matter of public record. The bank's
PR director would probably sooner shove a peanut all the way from
the offending ATM to Peter G. Neumann's doorstep with his nose.

Speaking of the redoubtable PGN, I'll bet comp.risks would be
interested in this (assuming they haven't taken it up already).

Frankly, I don't know whether the cameras above the ATMs are even
on at all times. I'm told that the lobby cameras are only activated
when somebody hits the alarm button. You've got to admit that
continuous surveillance of all the ATMs, or even motion-detector-
triggered surveillance, would result in miles and miles of tape that
not even the strangest of art majors would consider interesting.

Joe "Besides, what if somebody spotted a bare tit on the surveillance tape" Chew

Michael T Pins

Oct 20, 1992, 7:59:27 PM
jtc...@csa3.lbl.gov (Ad absurdum per aspera) writes:

->so what the hell are those little cameras for? one would think that they could
->just play back the day and time of your claimed transaction and find out who
->was in line after you. or is there a law against that?

>Fingering the perpetrator would mean going to trial and generally
>making the ATM's fallibility a matter of public record. The bank's
>PR director would probably sooner shove a peanut all the way from
>the offending ATM to Peter G. Neumann's doorstep with his nose.

>Speaking of the redoubtable PGN, I'll bet comp.risks would be
>interested in this (assuming they haven't taken it up already).

>Frankly, I don't know whether the cameras above the ATMs are even
>on at all times. I'm told that the lobby cameras are only activated
>when somebody hits the alarm button. You've got to admit that
>continuous surveillance of all the ATMs, or even motion-detector-
>triggered surveillance, would result in miles and miles of tape that
>not even the strangest of art majors would consider interesting.

I think you've been told an UL....
We have cameras in our computer labs, and they are recording 24-hours/day.
No one actually sits there and monitors the things, but if something seems
missing/out-of-place, it's simple enough to go back and review the relevant
tape.

--
*****************************************************************************
* Michael Pins | Internet: ami...@isca.uiowa.edu *
* ISCA's Amiga Librarian | #include <std.disclaimer> *
*****************************************************************************

Paul Tomblin

Oct 20, 1992, 9:00:23 PM
st...@hal.nta.no (YuNoHoo) writes:

>In article <1992Oct20....@hpcvaac.cv.hp.com>, bi...@hpcvaac.cv.hp.com (bill nelson) writes:
>|> srhe...@alfred.carleton.ca (Steven Rheault Kihara) writes:
>|>
>|> : "Do you wish to do any further transactions?"
>|> : The person whom I brushed past on my way out stepped up to the machine
>|> : and answered "Yes."
>|> : Since the machine was still using my personal code, he was able to
>|> : clean out $810 before he hit my daily limit.
>|>
>|> Hm, you must have left your card behind also. All the machines I have
>|> seen and used do not return the card until you respond "No" to the
>|> "Further Transactions?" prompt.
>|>

>Guess we're in the wrong group again, but heck...
>Bank of Scotland use a sequence that returns the card _after_ a "Yes"
>response, but before you have completed the request. Never tried to
>remove the card before I was finished pressing those buttons though.

At the Toronto Dominion machines, they _make_ you remove your card before
you get any money, and won't do any further transactions until you go
through the card/pin ritual again. I've noticed that other brands of
machines don't do this. I've never tried any others, but I once found that
if I removed the card too early on a TD machine, it cancelled the
transaction. (I removed it after I heard the receipt printing, but before
it said "Please Remove Your Card")

From the little I've seen of bank machines in Ottawa other than TD,
I'd say Steven was using either ScotiaBank (Johnny Cash), or CS-Coop.

(ScotiaBank is the Bank of Nova Scotia, not the Bank of Scotland that was
mentioned above)

--
Paul Tomblin - speaking from but not for GeoVision Systems Inc.
There are 2656 unread articles in 46 groups - don't you think you read too
much news?

Kal

Oct 21, 1992, 10:10:00 AM
In article <1992Oct20.1...@nntp.nta.no>, st...@nta.no writes...

>In article <1992Oct20....@hpcvaac.cv.hp.com>, bi...@hpcvaac.cv.hp.com (bill nelson) writes:
>|> srhe...@alfred.carleton.ca (Steven Rheault Kihara) writes:
>|>
>|> : What I did not know was that I was leaving the machine at the prompt:
>|> : "Do you wish to do any further transactions?"
>|> : The person whom I brushed past on my way out stepped up to the machine
>|> : and answered "Yes."
>|> : Since the machine was still using my personal code, he was able to
>|> : clean out $810 before he hit my daily limit.
>|>

Most of the newer machines here require you to re-enter your PIN if you
answer "yes" to the further transaction question. Seems sensible enough.

>---
>YuNoHoo


===============================================================================
Kal vp...@jane.uh.edu My opinions are almost, but not quite,
entirely unlike those of my employer.
===============================================================================

Scott Cromar

Oct 21, 1992, 11:38:49 AM
rper...@astro.as.arizona.edu (rachel j. perkins) writes:

> so what the hell are those little cameras for? one would think that they could
> just play back the day and time of your claimed transaction and find out who
> was in line after you. or is there a law against that?

Actually, many of the cameras are either never connected or never
repaired when they break down. That's why the new law in New York (at
least I think that it passed) requires (among other things) that the
cameras be operational. (The New York law requires that banks
operating ATMs in NYC take several steps to protect ATM customers from
muggings.)

--Scott

sc...@kuhub.cc.ukans.edu

Oct 21, 1992, 12:46:17 PM
Someone asks:

>so what the hell are those little cameras for?

ATM camera evidence was used in a sensational murder case in Kansas City
a couple of years ago. The ATM photo showed a rather distressed [i.e.
physically abused] victim withdrawing money from her account a few
days after disappearing from work. A search of the suspect's car turned up
some money, her jewelry and ATM card. Incidentally, the ATM machine logs
and the camera were not in sync. The first photo released to the media was
some guy getting some beer money. For 24 hours he was "wanted for questioning
only and is not a suspect at this time" <wink> for using the
victim's ATM card. Wouldn't being a suspect in a triple homicide be a
great way to start your day!

dave

johnso...@bvc.edu

Oct 21, 1992, 3:22:47 PM
Just in reply to all these ATM messages, just last night I heard
something pretty funny about the early ATM machines. I guess (if I
remember correctly) that the guy who invented the idea and earliest ATM was
a guy from Scotland. He thought up an idea to dispense money to people
outside of bank hours. The people would insert a card with a
radioactive strip (hoo boy, sure beats that dark magnetic strip on a dark
night! Heh..) on the back, and an early computer would run the machinery
to spit out the money. It was surprisingly similar to the modern ATM, but
it had one problem.

Seems the first bank that they put it in was situated extremely close to
some high power tram lines (especially in the intersection where there was
a cross over of sorts.) So when the trams would come by and hit the
intersection, the early ATM machine had the bad habit of SPITTING OUT MONEY
FOR NO REASON. It would just up and spit out money whenever there was a
strong electrical current, to the bemusement (and gain) of passersby.

Needless to say, they fixed that little bitty problem in a hurry.

--CLJ

bill nelson

Oct 21, 1992, 4:03:24 PM
vp...@jane.uh.edu (Kal) writes:
: >|>
: >|> : What I did not know was that I was leaving the machine at the prompt:
: >|> : "Do you wish to do any further transactions?"
: >|> : The person whom I brushed past on my way out stepped up to the machine
: >|> : and answered "Yes."
: >|> : Since the machine was still using my personal code, he was able to
: >|> : clean out $810 before he hit my daily limit.
: >|>
:
: Most of the newer machines here require you to re-enter your PIN if you
: answer "yes" to the further transaction question. Seems sensible enough.

That was not the point - as far as I know, none of them do. The point was,
you do not get your card back - until you answer "No". Either that, or only
one transaction is allowed.

Bill

Kenneth Freeman

Oct 21, 1992, 10:51:30 PM
Video surveillance isn't continuous, just every five or ten
seconds or so. I once worked graveyard shift at The Night of
the Living Dead Deli, so-called because of the kids on PCP
who'd sometimes show after 2 a.m. They were jerky in real life.

---
If people did not sometimes do silly things,
nothing intelligent would ever get done. -Wittgenstein
kf...@arghouse.UUCP or ...!crash!nusdecs!arghouse!kfree

Hal Wadleigh

Oct 22, 1992, 12:21:27 PM
Oh ye of limited ATM experience! There are many ATM machines that not only
don't retain your card, but don't even have the ability to do so. I often
use a Fleet Bank machine on the NYCE net which has an external "swipe" bar
to read the mag strip on the card. Once you do the "swipe" to start, the
card is free and you go on about your business with whatever transactions
you desire.

OH NO!!! A NEW UL!

All ATM machines are programmed to hold your card hostage until you make nice
with them.


Einstuerzende Neubauten

Oct 22, 1992, 12:17:52 PM
There ARE machines in which you only "swipe" your card through, and never
actually insert it. However, in those machines, you can only do one
transaction at a time, and to do more, you have to swipe/p.i.n. again.
Also, no deposit on these machines, only cash.

By the way, there are also, frequently, ATM's without cameras.

ObUL: My friend told me- that his sister was taking money out of HER
friend's account, with her (male) friend standing behind/off to the side of
her, and the machine ate/rejected the card because "the name was male, but
she was female", so that there was, supposedly, someone monitoring the
camera. It seems a little unlikely to me, but I remember distinctly being
told that one. I hardly believe it, though. Don't remember who it was,
though.

--
N.W. Choe - nw...@midway.uchicago.edu
5454 South Shore Drive #318, Chicago, Illinois 60615
Beaver Consulting Co. Chicago
312.702.4605

Brian Scearce

Oct 22, 1992, 1:58:04 PM
In article J5y1sB...@arghouse.UUCP, kf...@arghouse.UUCP (Kenneth Freeman) writes:
> [...] kids on PCP who'd sometimes show after 2 a.m. They were jerky in
> real life.

I've had beef jerky, and even salmon and turkey jerky. Where can I get
some of this human jerky?

Brian "Pre-Congealed Product? Partially Cooked People?" Scearce
---
Brian Scearce b...@sector7g.eng.sun.com
The above does not necessarily represent Sun policy.
"You can't fit the truth on a t-shirt, man."
"That'd fit."

Charles Lasner

Oct 22, 1992, 5:47:07 PM
In article <ledqtc...@exodus.Eng.Sun.COM> b...@sector7g.Eng.Sun.COM writes:
>
>I've had beef jerky, and even salmon and turkey jerky. Where can I get
>some of this human jerky?
>
>Brian "Pre-Congealed Product? Partially Cooked People?" Scearce

Isn't that Soylent Green?

cjl

Einstuerzende Neubauten

Oct 22, 1992, 12:22:06 PM
Once I used an ATM in a grocery store which didn't spit out money, but
instead, printed out checks, usable like traveler's checks- However, due to
my silliness and unfamiliarity with the system, I didn't insert the check
properly, and was charged for a check that I never used. Sigh. I didn't
turn it in on time because the first that I heard of it was too late. I
didn't receive notice that it was charged for until many months afterwards.
Oh well. It was $20, which isn't all that bad, but bad enough. I don't care
about it enough to pursue it, I think.

Eric Williams

Oct 21, 1992, 2:52:44 PM
In article <srheault.719542993@cunews>, srhe...@alfred.carleton.ca (Steven Rheault Kihara) writes:
> All right, I've got the ultimate ATM fraud story,
[...]

> machine, I re-inserted my card, entered my personal identification
> number and took out more cash.
[...]

> What I did not know was that I was leaving the machine at the prompt:
> "Do you wish to do any further transactions?"
> The person whom I brushed past on my way out stepped up to the machine
> and answered "Yes."

Did you forget your card? If your bank's ATM system allows
transactions after removal of the card, they haven't thought through
the procedures very well. *All* the ATMs I've seen complete transactions
and sign you off while ejecting the card. If you left the card in the
teller as you dashed off, shame on you!

-------- er...@npri.com ---------- or ---------- ...uunet!uupsi!npri6!eric -----
"Things don't like me. Furniture tries to trip me up."
Eric C. Williams/ NPRI/ Alexandria, VA/ USA/ (703) 683-9090/ Usual disclaimers.

Bill McCormick

Oct 21, 1992, 10:17:33 AM
In article <1992Oct20.1...@ozrout.uucp> gre...@ozrout.uucp (Kate McDonnell) writes:
>This doesn't add up. I've never seen an ATM programmed to
>surrender your card yet remain connected to your account. If you
>had your card in your hand when you walked away the first time,
>the machine must've been broken if it gave the next person access
>to your money.

It does. I have. Not necessarily.

>Perhaps by repaying you, the bank was tacitly admitting its
>machine was defective.

Bill
--
SEANEWS [] Seattle News + Mail [] Public Access [] +1 206 937 9529
E-mail for PGP key. MD5 (no sigs) is: 8e253e95133365a292261c7d0da58bcb

Jeffrey W. Dean

Oct 21, 1992, 11:55:54 PM
>>Frankly, I don't know whether the cameras above the ATMs are even
>>on at all times. I'm told that the lobby cameras are only activated
>>when somebody hits the alarm button. You've got to admit that
>>continuous surveillance of all the ATMs, or even motion-detector-
>>triggered surveillance, would result in miles and miles of tape that
>>not even the strangest of art majors would consider interesting.
>
>I think you've been told an UL....
>We have cameras in our computer labs, and they are recording 24-hours/day.
>No one actually sits there and monitors the things, but if something seems
>missing/out-of-place, it's simple enough to go back and review the relevant
>tape.
>
>--
>*****************************************************************************
>* Michael Pins | Internet: ami...@isca.uiowa.edu *
>* ISCA's Amiga Librarian | #include <std.disclaimer> *
>*****************************************************************************

There are three different ways I'm aware of to use these cameras.
1) Camera is turned on only when the alarm is triggered. There is a
connection made between either an existing alarm system or a system is
installed for the purpose.
2) Camera records for approx. 6 hours (uses a special VCR but standard
high quality tapes) then automatically rewinds and resumes recording.
3) Camera records continuously. Two VCR's are used. When the tape runs
out on one, the other one automatically kicks on. The first rewinds and
will record when the second one reaches the end of the tape. Meanwhile
you can swap tapes if you want.

Jeff
p00...@psi.com
-or-
Jef...@Houston.Relay.ucm.org
<signature under construction>

Scott Cromar

Oct 23, 1992, 8:44:11 AM
bi...@hpcvaac.cv.hp.com (bill nelson) writes:

> That was not the point - as far as I know, none of them do. The point was,
> you do not get your card back - until you answer "No". Either that, or only
> one transaction is allowed.

At my bank (formerly New Brunswick Savings), several of their machines
will eat your card if you don't answer the prompt in a short period of
time (my bank manager tells me 30 seconds). This is a safety feature
to try to cut down on theft when people leave before answering the
prompt.

Also, all of the Citibank machines are of the "swipe" variety, so the
card never leaves your hand (as the commercial says). I don't know if
they allow more than one transaction per swipe.

--Scott

Gregg Woodcock

Oct 23, 1992, 10:42:10 AM
In article <Oct.23.08.44....@math.rutgers.edu>, cro...@math.rutgers.edu (Scott Cromar) writes:
|> bi...@hpcvaac.cv.hp.com (bill nelson) writes:
|>
|> > That was not the point - as far as I know, none of them do. The point was,
|> > you do not get your card back - until you answer "No". Either that, or only
|> > one transaction is allowed.
|>
|> At my bank (formerly New Brunswick Savings), several of their machines
|> will eat your card if you don't answer the prompt in a short period of
|> time (my bank manager tells me 30 seconds). This is a safety feature
|> to try to cut down on theft when people leave before answering the
|> prompt.

My bank does this, too. It also will eat a card that has been ejected
unless it is removed from the slot within 30 seconds. I discovered this
when I ran back to the car to talk to my wife for a second while I was
waiting for the transaction to process. My card got spit out and it
beeped for about 20-30 seconds. When I went back I just saw my card being
sucked back in! It told me to contact the bank to get it back.
--
THANX...Gregg bn...@cleveland.freenet.edu wood...@sdf.lonestar.org
ESN 444 day 214.684.7380 night 214.530.2495 *I buy used Vectrex stuff!*
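
The session controls mentioned in the posts above (a 30-second timeout at the "further transactions?" prompt, retracting an ejected card that nobody takes, and re-entering the PIN after "yes") can be modelled as a small state machine. This is an added example, not part of any post and not any bank's code; `AtmSession`, `walk_away`, the PIN value and the simulated clock are hypothetical.

```python
from enum import Enum, auto


class State(Enum):
    IDLE = auto()           # no card, no session
    READY = auto()          # card read and PIN verified
    PROMPT = auto()         # "further transactions?" is on screen
    CARD_EJECTED = auto()   # card sticking out of the slot
    CARD_CAPTURED = auto()  # card retained by the machine


class AtmSession:
    """Toy model of one card's session; times are seconds on a simulated clock."""

    def __init__(self, pin, prompt_timeout=30, eject_timeout=30, reauth=True):
        self._pin = pin
        self.prompt_timeout = prompt_timeout  # None = prompt waits forever
        self.eject_timeout = eject_timeout
        self.reauth = reauth                  # re-enter PIN after "yes"?
        self.state = State.IDLE
        self.deadline = None
        self.dispensed = 0

    def _expire(self, now):
        # Unanswered prompt or unclaimed card past its deadline: keep the card.
        if self.deadline is not None and now >= self.deadline:
            self.state = State.CARD_CAPTURED
            self.deadline = None

    def _eject(self, now):
        self.state = State.CARD_EJECTED
        self.deadline = now + self.eject_timeout

    def insert_card(self, now, pin):
        if self.state is not State.IDLE:
            return False
        if pin != self._pin:
            self._eject(now)
            return False
        self.state = State.READY
        return True

    def withdraw(self, now, amount):
        self._expire(now)
        if self.state is not State.READY:
            return False
        self.dispensed += amount
        self.state = State.PROMPT
        self.deadline = (None if self.prompt_timeout is None
                         else now + self.prompt_timeout)
        return True

    def answer_prompt(self, now, more, pin=None):
        self._expire(now)
        if self.state is not State.PROMPT:
            return False
        if more and (not self.reauth or pin == self._pin):
            self.state = State.READY
            self.deadline = None
            return True
        # "No", or "yes" without the right PIN: end the session.
        self._eject(now)
        return not more

    def remove_card(self, now):
        self._expire(now)
        if self.state is not State.CARD_EJECTED:
            return False
        self.state = State.IDLE
        self.deadline = None
        return True


def walk_away(atm, pin="4821"):
    """Owner withdraws $20 and leaves at the prompt; a stranger answers "yes"
    45 seconds later without knowing the PIN and asks for $200."""
    atm.insert_card(0, pin)
    atm.withdraw(5, 20)
    atm.answer_prompt(50, more=True)   # stranger, no PIN supplied
    atm.withdraw(55, 200)
    return atm.dispensed, atm.state


if __name__ == "__main__":
    for label, kwargs in [
        ("no timeout, no re-PIN", dict(prompt_timeout=None, reauth=False)),
        ("30 s prompt timeout", dict(prompt_timeout=30, reauth=False)),
        ("re-PIN on 'yes'", dict(prompt_timeout=None, reauth=True)),
    ]:
        print(label, walk_away(AtmSession("4821", **kwargs)))
```

Either control alone stops the second withdrawal in this model; with neither, the abandoned session pays out to whoever answers the prompt.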

Steven Rheault Kihara

Oct 23, 1992, 10:03:23 PM
There has been some confusion over my earlier posting concerning my
unfortunate incident with an ATM. I will attempt to clarify:
1. I performed a transaction, got back my card, got a receipt
2. I remembered I needed a bus pass, and therefore had to take out
more cash.
3. Re-inserted my card, punched in my personal code, took out cash.
4. Machine asks "Do you wish to do any further transactions?" (My card
is still in the machine, my code is still active.)
5. I count my cash on the way out, in a hurry, perhaps thinking that
because I have a receipt in my hand (from the first transaction) that I
have completed the transaction.
6. Asshole steps up to the machine, answers "Do you wish..." prompt
with a resounding "yes" and cleans out my account of $810.00
7. A couple of hours later, I notice my card missing, but it's too
late.
8. The bank says "Tough shit, buddy, you left the card in the
machine." They do refund the $5 charge for bouncing my rent cheque.
9. (projected) asshole burns in hell.
Moral: Don't walk away from the machine unless you're absolutely sure
the transaction is over.

Steve Rheault Kihara
To know him is...well, is to know him, really

bill nelson

Oct 24, 1992, 1:59:35 AM
srhe...@alfred.carleton.ca (Steven Rheault Kihara) writes:

Most of explanation deleted ...

I believe that is what I proposed had to happen. Glad you have
verified my belief.

However:

: 6. Asshole steps up to the machine, answers "Do you wish..." prompt
: with a resounding "yes" and cleans out my account of $810.00

I still have a problem with this. I have never run across a bank that
will let you take out more than $300 in one day. Most of them limit
you to $200. I would love to find a bank that allowed me to withdraw
$500 or more in cash in one day.

Bill

Harv R Laser

Oct 24, 1992, 7:00:35 PM
>6. Asshole steps up to the machine, answers "Do you wish..." prompt
>with a resounding "yes" and cleans out my account of $810.00

What bank is this that allows a single cash withdrawal as large as $810.00?
I've two ATM cards for two different banks and they both limit me to
$200.00 per day ATM cash.

Harv

Carlos Borges

Oct 24, 1992, 8:02:19 AM
bi...@hpcvaac.cv.hp.com (bill nelson) writes:

>: 6. Asshole steps up to the machine, answers "Do you wish..." prompt
>: with a resounding "yes" and cleans out my account of $810.00

>I still have a problem with this. I have never run across a bank that
>will let you take out more than $300 in one day. Most of them limit
>you to $200. I would love to find a bank that allowed me to withdraw
>$500 or more in cash in one day.

My ATM will only let me take out up to $500.00 PER TRANSACTION.
All I have to do to get $810.00 is take $500.00 then $310.00


No prob...
--
///////////////////////////////////////////////////////////////////////////
// C. Miguel Borges A.K.A. Carlos M. Borges //
// an...@cleveland.freenet.edu car...@garfield.cs.mun.ca //
///////////////////////////////////////////////////////////////////////////

Steven Rheault Kihara

Oct 25, 1992, 12:30:18 AM

>Harv

This is what kills me. The Bank of Nova Scotia (Scotiabank) only
allows $200 to be taken out at a time, but you can take out that $200 as
many times as you want in a day, up to the ridiculously high limit of
$900.
Asshole actually made 5 transactions. The first was for only $5. After
seeing that it was possible, he then took out $200, four times. He
actually could have taken out another $40 or something, I don't
remember, but probably gave up when the machine told him that he
couldn't take out another $200.
The point here is that it is easy to walk away with your card still in
the machine. Other banks either spit out the card before or
automatically after a cash withdrawal. Only Scotiabank makes you ask
for your card back, in effect. There is no beeping or warning if you
walk away with your card still active, and the card isn't sticking out
or anything.
Anyway, I acknowledge that I'm at fault for leaving the card in, I'm
just saying that they should realize that their system is prone to
this happening.

Steve Rheault Kihara
A man in many other respects as well.

Kevin Dooley

Oct 25, 1992, 12:51:09 AM
In article <srheault.719987418@cunews> srhe...@alfred.carleton.ca (Steven Rheault Kihara) writes:
>The point here is that it is easy to walk away with your card still in
>the machine. Other banks either spit out the card before or
>automatically after a cash withdrawal. Only Scotiabank makes you ask
>for your card back, in effect. There is no beeping or warning if you
>walk away with your card still active, and the card isn't sticking out
>or anything.

At Royal Bank tellers the sequence is you take your card before it will
give you your money, and then it spits out the receipt. Since they know
I won't walk away without my money, they can be pretty sure I won't walk
away without my card. This is a good idea. Of course, it is still possible
to be silly and request a second transaction, taking your money from the
first and then leave with your card in the machine, but you have to kind
of work at being that addled.

Kevin

Seth Malcolm Redmore

Oct 25, 1992, 1:00:13 AM
HI y'all...

As to the question of a "Daily Limit" on a card, most banks
will only allow you to take out X dollars per day.

However, up to about 5 years ago, there was a way around this.
(Maybe it was longer ago...)

One would take out one's (or Two's) maximum balance.
(Wait, let's see if I remember _exactly_ how this went.)
Then, one would request more money.
The machine would say "No."

So, you decrease your amount requested by 10 dollars.

The machine says "No."

After repeating this all the way down to 0.00, the machine would
relent and spit out the amount you originally requested.

The other way I saw this done (not illegally! it was on my account! )
Was to take out all but 10.00 of your daily limit,
then repeat the above process until you got down to 10.00, at which
point the machine would spit out the amount originally requested.

this technique was written up somewhere, if anyone
really cares, I can find a reference for it...

--Seth
sr...@andrew.cmu.edu

bill nelson

Oct 25, 1992, 1:28:53 AM
car...@garfield.cs.mun.ca (Carlos Borges) writes:
: bi...@hpcvaac.cv.hp.com (bill nelson) writes:
:
: >I still have a problem with this. I have never run across a bank that
: >will let you take out more than $300 in one day. Most of them limit
: >you to $200. I would love to find a bank that allowed me to withdraw
: >$500 or more in cash in one day.
:
: My ATM will only let me take out up to $500.00 PER TRANSACTION.
: All I have to do to get $810.00 is take $500.00 then $310.00

Hm. Maybe the practice is different in Canada.

Bill

clayton EDward LEIHY iii

Oct 26, 1992, 10:43:37 AM
In article <srheault.719892203@cunews> srhe...@alfred.carleton.ca (Steven Rheault Kihara) writes:
[Steps 1 thru 5 deleted]

>6. Asshole steps up to the machine, answers "Do you wish..." prompt
>with a resounding "yes" and cleans out my account of $810.00

Around here, all the ATMs I use,
they have a daily limit on how much you can withdraw on one card.

The most I have seen is $500.

If I want more, I have to use my wife's card (different PIN).

Guess that would tend to limit the amount you might lose that way...

Ed Leihy, NCR (an ATM company)

Patrick Mancuso

Oct 26, 1992, 2:29:24 PM
In article <292880452...@psilink.com> p00...@psilink.com (Jeffrey W. Dean) writes:
>>>triggered surveillance, would result in miles and miles of tape that
>>>not even the strangest of art majors would consider interesting.
>>
>>I think you've been told an UL....
>>We have cameras in our computer labs, and they are recording 24-hours/day.
>>No one actually sits there and monitors the things, but if something seems
>>missing/out-of-place, it's simple enough to go back and review the relevant
>>tape.
>>
<stuff deleted>
>
>Jeff
>p00...@psi.com

When I worked at a bank, they had 6 video cameras in the place, and the
system would rotate through all of the cameras pausing for 5 seconds
or so at each one. This was taped (on the 'long play' tapes
mentioned previously) and the tape was changed daily and sent in to
the main branch to be archived. They kept the tapes for about a month,
then they 'recycled' the tapes.

Lots of tapes... But then again, during the time I worked there,
they *were* able to catch someone using a fake ID to make a
withdrawal from an account. Person X claimed their balance was wrong,
and to not have made a withdrawal; they got the tapes out, found person Y
doing the transaction on tape, showed it to X, who recognized Y...
Y got nailed.

Pat

Randall Holt

Oct 26, 1992, 3:31:30 PM

pat...@ctron.com (Patrick Mancuso) writes:

< stuff about Bank Video Camera Monitoring practices deleted >


>Lots of tapes... But then again, during the time I worked there,
>they *were* able to catch someone using a fake ID to make a
>withdrawal from an account. Person X claimed their balance was wrong,
>and to not have made a withdrawal; they got the tapes out, found person Y
>doing the transaction on tape, showed it to X, who recognized Y...
>Y got nailed.

Serves X right for having such an easy name to forge.

--
Randall W. Holt - rx...@cwru.po.edu | 'Bibo ergo sum'
| - Jean Descartes
| (Rene's little brother)

Seth Breidbart

Oct 26, 1992, 5:42:54 PM
In article <1992Oct20.1...@ozrout.uucp> gre...@ozrout.uucp
(Kate McDonnell) writes:

<lots of other people have said very similar things>

>This doesn't add up. I've never seen an ATM programmed to
>surrender your card yet remain connected to your account. If you
>had your card in your hand when you walked away the first time,
>the machine must've been broken if it gave the next person access
>to your money.

Sh^H^HCitibank has a system where you swipe your card, enter your pin,
do your transaction, and swipe your card again to get cash. The
second swipe wasn't part of the system originally, but their customers
lost too much money to fraud.

Seth "Would you mind running your card through this reader? Mine
doesn't seem to work." Breidbart se...@fid.morgan.com

Mr. John T Jensen

Oct 26, 1992, 6:10:05 PM
pat...@ctron.com (Patrick Mancuso) writes:

>When I worked at a bank, they had 6 video cameras in the place, and the
>system would rotate through all of the cameras pausing for 5 seconds
>or so at each one. This was taped (on the 'long play' tapes
>mentioned previously) and the tape was changed daily and sent in to
>the main branch to be archived. They kept the tapes for about a month,
>then they 'recycled' the tapes.

>Lots of tapes... But then again, during the time I worked there,
>they *were* able to catch someone using a fake ID to make a
>withdrawal from an account. Person X claimed their balance was wrong,
>and to not have made a withdrawal; they got the tapes out, found person Y
>doing the transaction on tape, showed it to X, who recognized Y...
>Y got nailed.

We have the same system here for our six computer labs, and we finally got
to use the tapes recently -- sort of. A Macintosh disappeared. We were
pretty certain the Head of Department nearest the lab had commandeered it
without asking, and this turned out to be the case. He had sent in a grad
student of his to get it. After making the HOD grovel a bit (not always the
easiest thing to do), we thought this was a good chance to test our
surveillance system so we fast-reversed the tape for the relevant period
until we saw the Mac reappear, then went slow and got two or three images of
the 'thief.' We recognised him, too --- by his long blonde pony tail.
Otherwise we would have had no real id at all. The cameras and doors are so
placed that he could come in one door, with his back to the camera, and go
out another --- still with his back to the camera.

We think there is a moral to be found in this story somewhere...

jj

John Thayer Jensen 64 9 373 7599 ext. 7543
Commerce Computer Services 64 9 373 7437 (FAX)
Auckland University jt.j...@aukuni.ac.nz
Private Bag 92019
AUCKLAND
New Zealand

Perry Clarke

Oct 26, 1992, 10:41:19 PM

A sad tale of a computer professional's complete inability to use an ATM ...

When I got my new account at Wells Fargo in California I had an awful time
with the ATMs. I never seemed to be able to do more than one thing for
any given insertion of my card no matter how carefully I followed the
instructions about "Pressing a BLUE key for another transaction".

I began to feel somewhat stupid as I couldn't believe that the user interface
was as screwed up as my attempts would have me believe.

When the machine finished the first transaction it appeared to spit out my
card and I would cheerfully remove it and press the BLUE key as instructed.
Nothing would happen so I would curse and reinsert my card, damning the eyes
of the parentless designer of such a broken user interface and hoping that the
$100 dollars that I requested and didn't get was not being pocketed by the
bank.

After more visits to the machines than I care to admit I realized what the
problem was; there are *three* possible positions for my card:

1. Out
2. All the way in

... and ...

3. Half way in

Of course, every machine I have used prior to this (in the UK) only had two
positions for the card, in or out; I was interpreting the US machine's
ejection of the card to the half way out position as an invitation to take my
card whereas the machine meant "you can take the card now if you want but you
can also ask for another transaction".

And, yes, I had wondered what would happen if I messed up and left the
machine in the next transaction mode for the next person in line. I am
amazed at how difficult it was for me to realize the solution to my problem!
Old age I guess :-)

ObResponseToTheEnclosedPosting: These machines also make you remove the card
(all the way) before they will actually give you your money so (I think) you
must do non cash transactions first.

Perry "but I *can* program my VCR" Clarke
--
Perry Clarke pe...@unify.com (916) 928 6287
Unify Corporation, Sacramento, CA I speak only for Me, Inc.

Colette Goodyear

Oct 28, 1992, 12:59:43 PM

Toronto Dominion Bank does as does the Bank of Nova Scotia. I could
choose my limit when I switched banks. I could use my card no more
than three times in one 24 hour period and I could choose a limit
of 200, 600, 800 or 1000 dollars per day. Some machines however will not
let you withdraw more than 500 dollars at a time so it would take you
two transactions to get your daily limit of 1000 dollars.

Plays hell with your bank account ("Lessee, I should take out
a little extra...about a grand should do it...")

Colette "All the above in Canadian dollars" Goodyear
col...@morgan.ucs.mun.ca

Brad Yearwood

Oct 29, 1992, 12:15:50 AM
In article <1992Oct24.0...@hpcvaac.cv.hp.com>, bi...@hpcvaac.cv.hp.com (bill nelson) writes:
# srhe...@alfred.carleton.ca (Steven Rheault Kihara) writes:
#
# : 6. Asshole steps up to the machine, answers "Do you wish..." prompt
# : with a resounding "yes" and cleans out my account of $810.00
#
# I still have a problem with this. I have never run across a bank that
# will let you take out more than $300 in one day. Most of them limit
# you to $200. I would love to find a bank that allowed me to withdraw
# $500 or more in cash in one day.
#

Two points:

There is a good reason that well-designed ATMs insist that you remove
the card before delivering the cash and/or close the session after
delivering (for machines where you slide or insert and remove the card).
When I was doing ATMs in 1976, we recognized that a person would be very
likely to leave the machine quickly after receiving cash (very unlikely to
pay further attention to the machine), and that it was risky and of little
convenience value to keep the session open. We made a conscious decision to
close the session immediately after delivering. In other words, this has
been a non-problem for >15 years, except in poorly designed equipment.

Daily withdrawal limit is in many cases settable per account. If a
customer is willing to trade the increased risk of a daily withdrawal
limit > usual, against the increased convenience, some banks (like Wells
Fargo) will accommodate. I'm not certain if the higher limit will work
through the interbank networks, but it does work in the bank's own ATMs.

Kihara's bank seems exceptional, to the point of negligence, in two ways:
using poorly designed equipment, and allowing (unless he had asked the bank
to set a high limit, in which case he accepted the larger risk) an unusually
large withdrawal.

Brad Yearwood br...@optilink.com
Petaluma, California
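
An added illustration of the session-handling point in the post above (not part of the original thread, and not any vendor's code): a small model of an ATM session that measures what a stranger can withdraw after the cardholder walks away from the "further transactions?" prompt. The $200 per-transaction and $900 daily figures are the ones quoted earlier in the thread; the class names, the cardholder's own $100 withdrawal, the timings and the 30-second idle timeout are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    balance: int
    per_txn_limit: int        # largest single withdrawal allowed
    daily_limit: int          # cap on the day's total withdrawals
    withdrawn_today: int = 0


@dataclass(frozen=True)
class Policy:
    name: str
    close_after_cash: bool            # end the session once cash is delivered
    idle_timeout_s: Optional[int]     # close an idle session; None = wait forever


class Atm:
    def __init__(self, policy: Policy, account: Account):
        self.policy = policy
        self.account = account
        self.session_open = False
        self.last_activity = 0

    def authenticate(self, now: int) -> None:
        """Card inserted and correct PIN entered (the PIN check is not modelled)."""
        self.session_open = True
        self.last_activity = now

    def _expire_if_idle(self, now: int) -> None:
        limit = self.policy.idle_timeout_s
        if self.session_open and limit is not None and now - self.last_activity > limit:
            self.session_open = False  # card retained, session closed

    def withdraw(self, amount: int, now: int) -> int:
        """Return the cash dispensed, or 0 if the request is refused."""
        self._expire_if_idle(now)
        if not self.session_open:
            return 0
        acct = self.account
        self.last_activity = now
        if (amount <= 0 or amount > acct.per_txn_limit
                or amount > acct.balance
                or acct.withdrawn_today + amount > acct.daily_limit):
            return 0
        acct.balance -= amount
        acct.withdrawn_today += amount
        if self.policy.close_after_cash:
            self.session_open = False  # a new card and PIN entry is now required
        return amount


PROMPT_STAYS_OPEN = Policy("prompt stays open", False, None)
PROMPT_WITH_TIMEOUT = Policy("prompt, 30 s idle timeout", False, 30)
CLOSE_AFTER_CASH = Policy("close after cash", True, None)


def walk_away_loss(policy: Policy, stranger_arrives_at: int) -> int:
    """Cash a stranger gets from a session the cardholder left at the prompt."""
    acct = Account(balance=2000, per_txn_limit=200, daily_limit=900)  # constructed
    atm = Atm(policy, acct)
    atm.authenticate(now=0)
    if atm.withdraw(100, now=10) != 100:      # cardholder's own withdrawal
        raise RuntimeError("cardholder withdrawal should succeed")
    # The cardholder leaves here without answering the prompt.
    taken, now = 0, stranger_arrives_at
    while True:
        got = atm.withdraw(acct.per_txn_limit, now)
        if got == 0:          # refused: session closed or a limit was reached
            break
        taken += got
        now += 15             # constructed time between requests
    return taken


if __name__ == "__main__":
    for policy in (PROMPT_STAYS_OPEN, PROMPT_WITH_TIMEOUT, CLOSE_AFTER_CASH):
        for arrival in (20, 45):
            loss = walk_away_loss(policy, arrival)
            print(f"{policy.name:28s} stranger at t={arrival:2d}s -> ${loss}")
```

With the prompt left open, the daily limit is the only bound on the loss; a timeout narrows the window but does not close it; ending the session at cash delivery removes it.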

Kathleen Bedard

Oct 27, 1992, 12:54:00 PM
SM>Newsgroups: alt.folklore.urban
SM>From: ar...@bert.eecs.uic.edu (Stephan Meyers)
SM>Organization: University of Illinois at Chicago

SM>pjs...@engin.umich.edu (Peter Swanson) writes:
SM>>In article <1992Oct20....@hpcvaac.cv.hp.com> bi...@hpcvaac.cv.hp.com
SM>ill nelson) writes:
SM>>>
SM>>>Hm, you must have left your card behind also. All the machines I have
SM>>>seen and used do not return the card until you respond "No" to the
SM>>>"Further Transactions?" prompt.

I have had a similar experience. My purse was stolen from work - I never wrote
the PIN number anywhere - yet the person was able to access my accounts through
the card and take out $200.00. I was told that I must have written the #
somewhere. I hadn't. I fought it - but was told it was my own fault. As an
added bonus they told me I was lucky the "system was down" during the
transactions as this limited them to the $200.00. Well thanks! I asked if
maybe this was why the person could use my card without the correct number and
just got the runaround as an answer. After all, if they can't access your
balance, how can they access your code?

Of course I also tried to get a "camera photo" of the person - no luck they
used a machine that had no camera pointed at it. Sure... sure...

Kathleen

---
* SLMR 2.1a *

Tony Sweeney

Oct 30, 1992, 11:09:34 AM
In article <1992Oct29.2...@zooid.guild.org> Kathleen Bedard <mist...@zooid.guild.org> writes:
>SM>Newsgroups: alt.folklore.urban
>SM>From: ar...@bert.eecs.uic.edu (Stephan Meyers)
>SM>Organization: University of Illinois at Chicago
>
>SM>pjs...@engin.umich.edu (Peter Swanson) writes:
>SM>>In article <1992Oct20....@hpcvaac.cv.hp.com> bi...@hpcvaac.cv.hp.com
>SM>ill nelson) writes:
>SM>>>
>SM>>>Hm, you must have left your card behind also. All the machines I have
>SM>>>seen and used do not return the card until you respond "No" to the
>SM>>>"Further Transactions?" prompt.
>
>I have had a similar experience. My purse was stolen from work - I never wrote
>the PIN number anywhere - yet the person was able to access my accounts through
>the card and take out $200.00. I was told that I must have written the #
>somewhere. I hadn't. I fought it - but was told it was my own fault. As an
>added bonus they told me I was lucky the "system was down" during the
>transactions as this limited them to the $200.00. Well thanks! I asked if
>maybe this was why the person could use my card without the correct number and
>just got the runaround as an answer. After all, if they can't access your
>balance, how can they access your code?
>
I believe the code is encoded on the stripe.

>Of course I also tried to get a "camera photo" of the person - no luck they
>used a machine that had no camera pointed at it. Sure... sure...
>
>Kathleen
>
>---
> * SLMR 2.1a *

The first time you use a NatWest bank cashcard, you get the option to
change the 4-digit PIN to one of your choice. Nearly everyone I know who
has had this option chose the year of their birth as their PIN.

Tony "Age? Not telling." Sweeney.

Phil Gustafson

Oct 30, 1992, 6:27:06 PM
In article <1992Oct26.2...@fid.morgan.com> se...@fid.morgan.com (Seth Breidbart) writes:
>
>Sh^H^HCitibank has a system where you swipe your card, enter your pin,
>do your transaction, and swipe your card again to get cash. The
>second swipe wasn't part of the system originally, but their customers
>lost too much money to fraud.
>
Am I the only one who recoils at the "Swipe Card" message at ATM's
and checkout counters? I mean, I pay good money for my cards, and don't
have to swipe one. And if someone else swiped mine, I'd be seriously
pissed.

Phil "Ask Dan Quayle for two tens for a five. Repeat until rich."
Gustafson
--
Phil Gustafson <ph...@rahul.net>

wil...@vax.oxford.ac.uk

Nov 1, 1992, 2:25:14 PM
In article <1992Oct30.1...@pony.Ingres.COM>, swe...@Ingres.COM (Tony Sweeney) writes:
> The first time you use a NatWest bank cashcard, you get the option to
> change the 4-digit PIN to one of your choice. Nearly everyone I know who
> has had this option chose the year of their birth as their PIN.

I don't. Only 9999 numbers left now! (Anyway, I don't have a card right at this
moment)
--

Stephen Wilcox | Remember what happened to the dinosaurs!
wil...@maths.oxford.ac.uk | I did---and look what happened to me.

bill nelson

Nov 2, 1992, 12:05:06 AM
swe...@Ingres.COM (Tony Sweeney) writes:
: >
: >the card and take out $200.00. I was told that I must have written the #
: >somewhere. I hadn't. I fought it - but was told it was my own fault. As an
: >added bonus they told me I was lucky the "system was down" during the
: >transactions as this limited them to the $200.00. Well thanks! I asked if
: >maybe this was why the person could use my card without the correct number and
: >just got the runaround as an answer. After all, if they can't access your
: >balance, how can they access your code?
: >
: I believe the code is encoded on the stripe.

Nope. If it was, then no card would be secure. The code is only in a file
on your bank's computer. If the machine you are using cannot connect with
your bank's computer, then you cannot get any money. So, if they said that
the system was down at the time, they are lying.

Bill

Cyberpolka On Da Jeep

Nov 2, 1992, 2:08:39 AM
pe...@Unify.Com (Perry Clarke) writes:

> After more visits to the machines than I care to admit I realized what the
> problem was; there are *three* possible positions for my card:
>
> 1. Out
> 2. All the way in
>
> ... and ...
>
> 3. Half way in
>

> ObResponseToTheEnclosedPosting: These machines also make you remove the card
> (all the way) before they will actually give you your money so (I think) you
> must do non cash transactions first.

Yep. That's the way that it goes. I did the "take the card" thing a
couple times before I figured it out.

However, my most RECENT game to see how well these things have been
developed is this...

Seeing *WHEN* you can take the card out... (when it's half way out). I
have made such a game of this that I request my balance by default for
even just one transaction (so it becomes TWO...)

I once waited to pull the card out until I heard the internal printer
banging out my slip. I figured it wouldn't have some stupidly extra
system to munch the card or something - once it's printed, it's committed.

I pulled the card.

- TRANSACTION CANCELLED BY REQUEST - ONE MOMENT PLEASE -

Lots of clicking and banging inside the machine as it ATE MY SLIP
INTERNALLY! Wow.

I'm now up to counting how long it takes exactly to print a slip so I
can pull my card earlier and earlier (not later and later, I get tired
of aborting transactions when I want money...). I pulled it last week
mebbe 2 chars before the end of the print job, and it didn't abort.
(Mebbe the sensor of "card still there"? is only polled so often by the
machine... mebbe for every printed line on the slip.)

Any one else figure this out? (This is on Canada (t)Rust "bank"
machines, for the place is NOT a bank, it's a hole.)

/kc


Ken Chasse - Sonic Interzone, Toronto Ont. * Inet: sizone!spo...@ee.ryerson.ca
----------- -----------
"It's stupid, it's idiotic, it's inane, it isn't art, it's dumb, it's a ripoff
of American pop culture, and we live in a sad society that tolerates it."
- NIMROD

Robin Halligan

Nov 2, 1992, 10:30:33 PM
One thing about these ATMs with a swipe-your-card reader:
the only one we had here in Wanganui was in the foyer of the Post Bank.
I went to use it one morning and had to wade through a pile of hundreds
of bits of paper saying "invalid PIN number".
This seems to be a bit of bad news: if I had my card pinched, before I reported
it I could have my money pinched.

--
Sta...@crash.amigans.gen.nz (Robin Halligan)
Amigans Public Access UUCP Node Wanganui New Zealand

I'm a K 1 W 1 from the land of the long white cloud
from the day i begun till the day i'm done
I'm a K1W1

mor...@ramblr.enet.dec.com

Nov 2, 1992, 10:25:32 AM
Re video recorders:

The security camera system here has cameras and motion/heat sensors. When the
motion sensor indicates no one present, the video recorders record at a very
slow rate (something like 1 frame every 8 seconds or something). When the
motion detector detects someone, it records at a much higher rate (I don't
remember if it is at full speed or not).

In article <1992Nov2.0...@hpcvaac.cv.hp.com>, bi...@hpcvaac.cv.hp.com (bill nelson) writes...
>swe...@Ingres.COM (Tony Sweeney) writes:

>: I believe the code is encoded on the stripe.
>
>Nope. If it was, then no card would be secure. The code is only in a file
>on your bank's computer. If the machine you are using cannot connect with
>your bank's computer, then you cannot get any money. So, if they said that
>the system was down at the time, they are lying.

I believe the key word is encoded. The PIN is written with a 1-way encryption,
I read somewhere. But that doesn't make sense: if someone stole the algorithm,
a computer with a card reader could determine the PIN with a brute force
attack. But then again, how secure is a 4 digit PIN?

-Mike

Tony Sweeney

Nov 2, 1992, 11:16:09 AM
In article <1992Nov2.0...@hpcvaac.cv.hp.com> bi...@hpcvaac.cv.hp.com (bill nelson) writes:
>swe...@Ingres.COM (Tony Sweeney) writes:
>: >
>: >the card and take out $200.00. I was told that I must have written the #
>: >somewhere. I hadn't. I fought it - but was told it was my own fault. As an
>: >added bonus they told me I was lucky the "system was down" during the
>: >transactions as this limited them to the $200.00. Well thanks! I asked if
>: >maybe this was why the person could use my card without the correct number and
>: >just got the runaround as an answer. After all, if they can't access your
>: >balance, how can they access your code?
>: >
>: I believe the code is encoded on the stripe.
>
>Nope.
Bzzzt. But thanks for playing.

>If it was, then no card would be secure.
There's a U.K. lawyer (and a number of cardholders) who might agree with
you here.

>The code is only in a file
>on your bank's computer. If the machine you are using cannot connect with
>your bank's computer, then you cannot get any money. So, if they said that
>the system was down at the time, they are lying.
>
>Bill

When I use my native cashpoint machines, there are occasions when it is
unable to tell me my balance of account. It will still give me cash.
There are a number (>=2) of affiliated banks at whose ATMs I can get cash, but
not order statements, chequebooks or balance slips. I would be very
surprised if these "foreign" banks could log into my own bank and request
account information. In short, I am convinced that my PIN is encoded
onto my card. In principle, this should be no less secure than having
my unix password encoded into the passwd file. However, as the plethora
of posts on this subject will testify, "your mileage may vary".

Tony.

bill nelson

Nov 2, 1992, 2:56:27 PM
mor...@ramblr.enet.dec.com writes:
:
: In article <1992Nov2.0...@hpcvaac.cv.hp.com>, bi...@hpcvaac.cv.hp.com (bill nelson) writes...
: >
: >Nope. If it was, then no card would be secure. The code is only in a file
: >on your bank's computer. If the machine you are using cannot connect with
: >your bank's computer, then you cannot get any money. So, if they said that
: >the system was down at the time, they are lying.
:
: I believe the key word is encoded. The PIN is written with a 1-way encryption
: I read somewhere. But that doesn't make sense, if someone stole the algorithm
: a computer with a card reader could determine the PIN with a brute force
: attack. But then again, how secure is a 4 digit PIN?

The pin number is not secure against a systematic attack. That is why many
machines only allow about 3 tries before eating the card. They assume that
more attempts means that the card is stolen.

The only problem I have with the idea of the PIN being in the card is - why
would it be? There is absolutely no reason for it to be put there. It would
not speed up verification at all.

Guess I will have to try to find my old bottle of Magniflux and look at what
is on my cards.

Bill
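
An added example for the PIN exchange above (not part of the original thread): it compares a check value derived from the PIN by a public one-way function, a check value that also depends on a secret key held by the bank, and a verifier that retains the card after three wrong tries. SHA-256 and HMAC are stand-ins chosen for the demonstration, not the algorithm any bank used; the account number, PIN and key are constructed.

```python
import hashlib
import hmac

ALL_PINS = [f"{n:04d}" for n in range(10_000)]   # the whole 4-digit PIN space


def unkeyed_check_value(account: str, pin: str) -> str:
    """One-way value computable by anyone who knows the algorithm (stand-in)."""
    return hashlib.sha256(f"{account}:{pin}".encode()).hexdigest()


def keyed_check_value(bank_key: bytes, account: str, pin: str) -> str:
    """One-way value that also needs a secret held only by the bank (stand-in)."""
    return hmac.new(bank_key, f"{account}:{pin}".encode(), hashlib.sha256).hexdigest()


def offline_search(stripe_value: str, account: str, check_fn):
    """Try every PIN against the value read from the card, with no bank contact.

    Returns the matching PIN, or None if the card data gives no usable oracle.
    """
    for pin in ALL_PINS:
        if hmac.compare_digest(check_fn(account, pin), stripe_value):
            return pin
    return None


class OnlineVerifier:
    """Bank-side check: every guess is counted, and the card is retained at three."""
    MAX_FAILURES = 3

    def __init__(self, bank_key: bytes):
        self._key = bank_key
        self.failures = {}        # account -> consecutive wrong PINs
        self.retained = set()     # accounts whose card has been kept

    def verify(self, account: str, stripe_value: str, pin: str) -> str:
        if account in self.retained:
            return "retained"
        expected = keyed_check_value(self._key, account, pin)
        if hmac.compare_digest(expected, stripe_value):
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.MAX_FAILURES:
            self.retained.add(account)
            return "retained"
        return "wrong"


def online_guessing(verifier, account, stripe_value, guesses):
    """Feed guesses to the verifier; return (final outcome, guesses used)."""
    used = 0
    for pin in guesses:
        used += 1
        outcome = verifier.verify(account, stripe_value, pin)
        if outcome != "wrong":
            return outcome, used
    return "wrong", used


# Constructed sample data
ACCOUNT = "0000123456"
PIN = "4821"
BANK_KEY = b"constructed-demo-key"

if __name__ == "__main__":
    weak = unkeyed_check_value(ACCOUNT, PIN)
    strong = keyed_check_value(BANK_KEY, ACCOUNT, PIN)
    print("unkeyed value, offline search:", offline_search(weak, ACCOUNT, unkeyed_check_value))
    print("keyed value, offline search:  ", offline_search(strong, ACCOUNT, unkeyed_check_value))
    print("online guessing:              ",
          online_guessing(OnlineVerifier(BANK_KEY), ACCOUNT, strong, ALL_PINS))
```

The failure counter only protects the PIN when every guess has to pass through the verifier, which is why the unkeyed value on the card defeats it.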

bill nelson

Nov 2, 1992, 2:51:15 PM
spo...@sizone.UUCP (Cyberpolka On Da Jeep) writes:
: pe...@Unify.Com (Perry Clarke) writes:
:
: However, my most RECENT game to see how well these things have been
: developed is this...
:
: Seeing *WHEN* you can take the card out... (when its half way out). I
: have made such a game of this that I request my balance by default for
: even just one transaction (so it becomes TWO...)
:
: I once waited to pull the card out until I heard the internal printer
: banging out my slip. I figured it wouldnt have some stupidly extra
: system to munch the card or something - once its printed, its committed.
:
: I pulled the card.
:
: - TRANSACTION CANCELLED BY REQUEST - ONE MOMENT PLEASE -
:
: Lots of clicking and banging inside the machine as it ATE MY SLIP
: INTERNALLY! Wow.

That means that the software that was written for the machine stinks.
The printer should have a buffer. Once the printer starts to print,
you should be able to do the next transaction, or remove the card to
get your cash.

There is no reason why the transaction should be aborted after the
slip starts printing.

: I'm now up to counting how long it takes exactly to print a slip so I
: can pull my card earlier and earlier (not later and later, I get tired
: of aborting transactions when I want money...). I pulled it last week
: mebbe 2 chars before the end of the print job, and it didnt abort.
: (Mebbe the sensor of "card still there"? is only polled so often by the
: machine... mebbe for every printed line on the slip.)
:
: Any one else figure this out? (This is on Canada (t)Rust "bank"
: machines, for the place is NOT a bank, its a hole.)

See above.

Bill

bill nelson

Nov 2, 1992, 3:06:40 PM
swe...@Ingres.COM (Tony Sweeney) writes:

: >If it was, then no card would be secure.
: There's a U.K. lawyer (and a number of cardholders) who might agree with
: you here.
: >The code is only in a file
: >on your bank's computer. If the machine you are using cannot connect with
: >your bank's computer, then you cannot get any money. So, if they said that
: >the system was down at the time, they are lying.
: >
: >Bill
:
: When I use my native cashpoint machines, there are occasions when it is
: unable to tell me my balance of account. It will still give me cash.
: There are a number (>=2) of affiliated banks at whose ATMs I can get cash, but
: not order statements, chequebooks or balance slips. I would be very
: surprised if these "foreign" banks could log into my own bank and request
: account information. In short, I am convinced that my PIN is encoded
: onto my card. In principle, this should be no less secure than having
: my unix password encoded into the passwd file. However, as the plethora
: of posts on this subject will testify, "your mileage may vary".

Here in Oregon - if the ATM cannot get a connection with your bank, then
you cannot do any transactions.

If the bank is in the process of updating the account database, then you
cannot get your balance. That is not available until the daily transaction
update is done. You can still get cash - although you will be penalized if
you overdraw your account.

With you supplying the authorization, the banks certainly can log onto your
own bank's computer and get that information. You are also charged a fee
for using their ATM (usually) - that is deducted by your bank and paid to
the bank where you did the transaction.

Bill

YuNoHoo

Nov 3, 1992, 8:21:41 AM
In article <1992Oct29.2...@zooid.guild.org>, mist...@zooid.guild.org (Kathleen Bedard) writes:
|>
|> I have had a similar experience. My purse was stolen from work - I never wrote
|> the PIN number anywhere - yet the person was able to access my accounts through
|> the card and take out $200.00. I was told that I must have written the #
|> somewhere. I hadn't. I fought it - but was told it was my own fault. As an
|> added bonus they told me I was lucky the "system was down" during the
|> transactions as this limited them to the $200.00. Well thanks!

(Dunno what happened to my last posting 'bout this, but here it comes again...)

I've got a listing from a legal database in Norway about ATM-card complaints
and stuff like that. Great bed-time reading, but I'll stick to cases similar
to this.

Seems that some ATMs log the number of unsuccessful PIN attempts for every
transaction. If the card thief guesses (?) the correct PIN on first attempt
you've got a problem proving you didn't disclose the PIN. (Of course, the
logging of unsuccessful PIN attempts may be absent from the software of
your friendly local ATM. A video recording may be useful to count the number
of attempts as well.)

An interesting point about these cases is that some banks require the customer
to treat the card as if it was real money. Sounds funny to me. But, I can see
the point. At a smart-card conference recently a guy from France produced a
break-down of card fraud numbers, and alas - 30% of the stolen cards were
stolen with the PIN code. (He did not elaborate on the source of this number.
It may be nonsense if it's based on the banks saying "the thief guessed the
PIN, thus the code must have been stolen too.")

Returning to my database listing, the number of people saying that the
PIN was written down and stolen with the card is quite high. Of course
some of them claim to have hidden the PIN using (simple) encrypting or
steganography.

The BIG problem for the poor customer is to prove that the PIN was not
disclosed. I've been very lucky myself. When a credit card was stolen
from me and used, the bank told me the "you must have revealed the PIN"
story. I asked for documentation that the card was used with a machine
of the kind that asks for PIN. Never got a decent reply, but the card
company didn't claim money for the transaction.

---
YuNoHoo

J.H. Huebner

Nov 3, 1992, 9:17:08 PM

I had a similar experience some years ago. I was baby-sitting a 7 year
old and he thought he had found my pin # (He had found the phone # to
my bank) in my wallet. I told him he could try and any money that came
out was his. He dutifully punched in my number and took out 20 dollars.
I told the cashier of the bank that owned the teller and they said it
didn't happen in spite of my having the receipt. Then I went to my
bank. They gave me the ATM complaints #. I called it and they said the
network must have been down. Perhaps some ATMs will dispense small
amounts of cash hoping you're not ripping them off and they can log it
later? When I went to my bank the same day the transaction was not
logged. I don't remember (never figured out) if the transaction was
there at the end of the month.

-jhh...@ultb.isc.rit.edu

Rob Boudrie

Nov 4, 1992, 11:55:23 AM
>The only problem I have with the idea of the PIN being in the card is - why
>would it be? There is absolutely no reason for it to be put there. It would
>not speed up verification at all.

An encoded version of the PIN is on the card. There are two standards for
how this is done, but the principle is the same so I'll only describe
one.

The card contains a value (called the Pin Verification Value or PVV in
one of the standards). This PVV is the result of a DES based encryption
based on your selected PIN, your account number, and the Pin Verification
Key (PVK) used by your bank. Anyone who had access to the PVK and the
details of the algorithm could program their PC for a "brute force
attack" trying all possible PINs until the PVV created matched that
on the card under attack. This standard (originated by, I think,
VISA) allows for up to 12 digit PINs but some idiot started this now
near universal tradition of 4 digit pins.

[+] This "pin on the card" provides a couple of advantages :

(1) Your "home bank" machines can validate the card, even if the
machine is not on line to the bank (machines used to go off
line a LOT 10 years ago...remember?)
(2) The bank typically stores your PVV for card duplication -
they can send you a new ATM card without needing to reprogram
it, or know your pin.
(3) Some banks have "pin setting machines"** which allow the user to
encode a pin on a brand new ATM card (these machines output a
version of the PVV for the bank to record and enter into their
machine).

[-] The disadvantages are obvious.


** - Not to be confused with "pin setting machines" found in bowling
alleys.

Kal

Nov 4, 1992, 2:11:00 PM
In article <1992Nov2.1...@pony.Ingres.COM>, swe...@Ingres.COM (Tony Sweeney) writes...

Sorry. The PIN can't be on the card. When I went for a replacement card
for one that melted (don't ask...) I filled out the form, and the lady
did some things with the card machine, handed me the card, *then*
asked me to punch in a pin on a keypad on her desk. I had always thought
the PIN was on the card, that's why I noticed this.

===============================================================================
Kal vp...@jane.uh.edu My opinions are almost, but not quite,
entirely unlike those of my employer.
===============================================================================

bill nelson

Nov 4, 1992, 3:21:56 PM
rbou...@chpc.org (Rob Boudrie) writes:
:
: An encoded version of the PIN is on the card. There are two standards for
: how this is done, but the principle is the same so I'll only describe
: one.
:
: The card contains a value (called the Pin Verification Value or PVV in
: one of the standards). This PVV is the result of a DES based encryption
: based on your selected PIN, your account number, and the Pin Verification
: Key (PVK) used by your bank. Anyone who had access to the PVK and the
: details of the algorithm could program their PC for a "brute force
: attack" trying all possible PINs until the PVV created matched that
: on the card under attack. This standard (originated by, I think,
: VISA) allows for up to 12 digit PINs but some idiot started this now
: near universal tradition of 4 digit pins.
:
: [+] This "pin on the card" provides a couple of advantages :
:
: (1) Your "home bank" machines can validate the card, even if the
: machine is not on line to the bank (machines used to go off
: line a LOT 10 years ago...remember?)

This means that each bank on the network has the PVK for all banks
hooked to the network. The DES algorithm must also be identical for
all banks. In other words, your PIN is not at all secure if someone
gets hold of your card.

: (2) The bank typically stores your PVV for card duplication -
: they can send you a new ATM card without needing to reprogram
: it, or know your pin.
: (3) Some banks have "pin setting machines"** which allow the user to
: encode a pin on a brand new ATM card (these machines output a
: version of the PVV for the bank to record and enter into their
: machine).
:
: [-] The disadvantages are obvious.

Yep. It means that there are people who can easily crack your PIN, if
they have your card. And, they would not have to use a brute force
method, they can get it directly.

Bill

Rob Boudrie

Nov 5, 1992, 12:35:58 PM
>This means that each bank on the network has the PVK for all banks
>hooked to the network. The DES algorithm must also be identical for

No. See below.

>all banks. In other words, your PIN is not at all secure if someone

The algorithm is the same; the PVK is different.

>gets hold of your card.

The PIN is not secure if someone from YOUR BANK who has the PVK can
read your card, and has details of the way the encryption is implemented
in the standard. (The PVK is "secret", the "implementation standard" is
not).

A Typical ATM Transaction validation procedure goes like this :

if(card is from this bank)              /* Card from this bank */
{
    if(ATM machine online)              /* Machine online to bank */
    {
        Validate PIN (may or may not be done locally); check balance;
        dispense cash if appropriate.
    }
    else                                /* Machine is offline */
    {
        Validate PIN locally. Check against locally downloaded bad
        card list. Dispense cash up to bank's non-verified limit
        if pin validates and card is not on shitlist.
    }
}
else                                    /* card is from another bank */
{
    if(able to reach other bank on network)
    {
        Validate PIN and balance across network. Dispense cash if
        appropriate.
    }
    else                                /* Unable to reach issuing bank on network */
    {
        Refuse to process withdrawal request.
    }
}

Many ATM's which *IMMEDIATELY* validate the PIN from THEIR OWN cards
will initially accept ANY pin from another bank's card, prompt for a
transaction request, then do the "verify & process transaction" in one
step (issuing an error if the pin does not validate). This goes against
good programming practice of validating data immediately upon entry,
but minimizes time communicating on the network.

>Yep. It means that there are people who can easily crack your PIN, if
>they have your card. And, they would not have to use a brute force
>method, they can get it directly.

They *might* have to use the brute force method if the PVV is the
result of a one-way encryption (which DES would be if not all of the
resultant bits were kept).

>
>Bill


Rob Boudrie
rbou...@chpc.org
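
The validation procedure in the post above, as a runnable sketch added here (not part of the original post and not any bank's code). HMAC-SHA256 stands in for the DES-based PVV calculation, and every name, key, account number and limit is constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    DISPENSE = "dispense cash"
    BAD_PIN = "refuse: PIN does not validate"
    HOT_CARD = "refuse: card is on the local bad-card list"
    OVER_LIMIT = "refuse: above the offline non-verified limit"
    NO_FUNDS = "refuse: insufficient balance"
    UNREACHABLE = "refuse: issuing bank cannot be reached"


def verification_value(pvk: bytes, account: str, pin: str) -> str:
    """Keyed one-way value stored on the card (assumption: HMAC, not DES).

    Only four decimal digits of the result are kept, so the value cannot
    simply be decrypted back into the PIN.
    """
    mac = hmac.new(pvk, f"{account}|{pin}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10_000:04d}"


@dataclass
class Card:
    issuer: str
    account: str
    pvv: str  # read from the magnetic stripe


@dataclass
class IssuerHost:
    """Issuing bank's host: checks PIN and balance in a single step."""
    pvk: bytes
    balances: dict

    def authorise(self, card: Card, pin: str, amount: int) -> Decision:
        expected = verification_value(self.pvk, card.account, pin)
        if not hmac.compare_digest(expected, card.pvv):
            return Decision.BAD_PIN
        if self.balances.get(card.account, 0) < amount:
            return Decision.NO_FUNDS
        self.balances[card.account] -= amount
        return Decision.DISPENSE


@dataclass
class ATM:
    bank: str
    pvk: bytes            # the ATM holds only its own bank's PVK
    offline_limit: int    # the bank's non-verified limit
    hot_list: set = field(default_factory=set)

    def withdraw(self, card: Card, pin: str, amount: int, reachable: dict) -> Decision:
        """`reachable` maps issuer name -> IssuerHost for hosts online right now."""
        host = reachable.get(card.issuer)
        if host is not None:
            # Online (own or foreign card): PIN and balance verified together.
            return host.authorise(card, pin, amount)
        if card.issuer != self.bank:
            # Foreign card, issuer unreachable: no PVK here, so no local check.
            return Decision.UNREACHABLE
        # Own card, machine offline: local PIN check, hot list, capped amount.
        expected = verification_value(self.pvk, card.account, pin)
        if not hmac.compare_digest(expected, card.pvv):
            return Decision.BAD_PIN
        if card.account in self.hot_list:
            return Decision.HOT_CARD
        if amount > self.offline_limit:
            return Decision.OVER_LIMIT
        # The balance is NOT checked on this path; that is the residual
        # exposure the offline limit is meant to bound.
        return Decision.DISPENSE


def demo() -> dict:
    pvk_a = b"constructed-key-bank-A"
    acct = "0000000000000001"  # constructed account number
    card = Card("A", acct, verification_value(pvk_a, acct, "6789"))
    host_a = IssuerHost(pvk_a, {acct: 30})
    atm = ATM("A", pvk_a, offline_limit=100)
    foreign = Card("B", "0000000000000002", "0000")
    return {
        "own card, online, 50 requested, balance 30": atm.withdraw(card, "6789", 50, {"A": host_a}),
        "own card, offline, 50 requested": atm.withdraw(card, "6789", 50, {}),
        "foreign card, issuer unreachable": atm.withdraw(foreign, "1234", 20, {}),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision.value}")
```

The second case dispenses although the account holds less than the amount requested: an offline machine can bound the loss only through the limit and the downloaded bad-card list.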

bill nelson

Nov 5, 1992, 3:36:05 PM
rbou...@chpc.org (Rob Boudrie) writes:
: >This means that each bank on the network has the PVK for all banks
: >hooked to the network. The DES algorithm must also be identical for
:
: No. See below.
:
: >all banks. In other words, your PIN is not at all secure if someone
:
: The algorithm is the same; the PVK is different.

Sure, the PVK is different for each bank - although it is likely to be
the same for all branches of that bank. Now, if any bank on the network
can validate your number - even if the phone network is down - as one
poster stated - then they can get enough from the card to validate your
PIN. If they can do that, then anyone else can - who knows the algorithm
and can read the card. The algorithm is probably public knowledge - it is
not hard to read the information on the card.

: >gets hold of your card.
:
: The PIN is not secure if someone from YOUR BANK who has the PVK can
: read your card, and has details of the way the encryption is implemented
: in the standard. (The PVK is "secret", the "implementation standard" is
: not).

Someone posted that the PVK was on your card. If either it, or your PIN
is there, then the PIN is not secure. Nor should there be any pretense
of it being secure.

... deleted ...

: else /* card is from another bank */
: {
: if(able to reach other bank on network)
: {
: Validate PIN and balance across network. Dispense cash if
: appropriate.
: }
: else /* Unable to reach issuing bank on network */
: {
: Refuse to process withdrawal request.

This is counter to the claim of several other posters, who stated that they
could make withdrawals, even if the network was down. Those claims, to me,
pointed out a security problem - if their claims are true.

Bill

Matt Hucke

Nov 5, 1992, 7:33:18 PM
In article <1992Nov2.1...@hpcvaac.cv.hp.com> bi...@hpcvaac.cv.hp.com (bill nelson) writes:
>
>The only problem I have with the idea of the PIN being in the card is - why
>would it be? There is absolutely no reason for it to be put there. It would
>not speed up verification at all.

It's not... when I got a MasterCard, it originally wasn't set up for ATM
use... I had to call the bank and ask for that service. I was asked to
choose a PIN, or accept a random one. This number was then sent to me by
mail, and my card worked immediately, without having to be encoded.
--
And now, Deep Thoughts, by Jack Handey:
If you ever fall off the Sears Tower, go real limp, so people will think
you're a dummy, and they'll try to catch you, because hey, free dummy!
hu...@ux1.cso.uiuc.edu Valhalla BBS, 217-352-3682, WWIV4.21, 14.4k

YuNoHoo

Nov 6, 1992, 11:37:52 AM
In article <1992Nov5.1...@chpc.org>, Rob Boudrie writes:
>
> The PIN is not secure if someone from YOUR BANK who has the PVK can
> read your card, and has details of the way the encryption is implemented
> in the standard. (The PVK is "secret", the "implementation standard" is
> not).

There was a long discussion on this in one (or more) of the security groups
some time ago. One of the things I noticed was:

ObUL: Some banks choose really daft PVKs

---
YuNoHoo "guess PVK is a German acronym as well"

Ross Anderson

Nov 9, 1992, 6:35:35 AM
I'm doing research on fraud for a UK law firm, J Keith Park & Co, who are
currently running a class action against the UK banks on behalf of hundreds
of customers who've been ripped off by ATMs.

People often find debits on their accounts which they didn't make. It seems
that the banks' transaction error rate is somewhere between 1 in 10,000 and 1
in 100,000 (depending on the bank) and if you're unlucky you get charged
someone else's withdrawal (or one of your own twice).

There are also lucky people who make withdrawals for years and don't get
debited. Perhaps electronic banking should fall under casino legislation!

In the old days of brass bound ledgers you could go to the manager and say
`produce the voucher'. He had to do this or give you your money back.

But now that banking is electronic, they just say that the computer can do no
wrong and tell you to get stuffed.

The Bank of England supports the banks' argument that there is an overriding
public interest in `maintaining confidence in the banking system' (the same
argument they used to cover up the problems of the Bank of Crooks and Cocaine
International).

Needless to say, there's a growing amount of ATM fraud; bank staff know that if
they rip off customers, the customers' complaints will not be taken seriously.
It's a good job that most bank tellers are honest!

Back in March I wrote an article on the various ways in which the ATM system
gets ripped off. This is now extremely out of date as I have come across a lot
of new tricks since. However here it is for anyone who's interested.

Ross Anderson
University of Cambridge Computer Laboratory
Pembroke Street, Cambridge CB2 3QG, England
rj...@cl.cam.ac.uk

*****************************************************************************

\documentstyle[a4,11pt]{article}
\parskip 12pt plus 1pt minus 1pt

\begin{document}

\begin{center}
{\LARGE \bf Security Issues of PIN Based Payment Systems}

\vspace{3.5ex}

{\em Ross J. Anderson\\
Computer Laboratory\\
Pembroke Street, Cambridge CB2 3QG}

\end{center}

\vspace{3.5ex}

{\noindent\Large\bf Abstract}

We give an outline history of the development of Automatic Teller Machines
(ATMs). Most of these systems still use a combination of magnetic strip card
and personal identification number (PIN) to identify users. We examine a
number of threats to the current ways of managing PINs, and outline some
options for designers wishing to create more secure systems in the future.

\vspace{3.5ex}
{\noindent\bf Keywords:} {\em computer security, cryptography, banking, ATMs,
PINs, fraud, biometrics, smartcards}

\section{Introduction}

The ancestry of modern payment systems can be traced to twelfth century
Italy, where city states such as Genoa and Venice established trading empires
which stretched the length and breadth of the Mediterranean and eventually as
far as China. One of the main problems encountered by their merchants was
that of piracy.

The Roman empire had been built on military prowess and had effectively
suppressed piracy in the Mediterranean during the rule of Julius Caesar. In
the modern epoch, however, the Barbary pirates continued to plague the trade
of Southern Europe until after the Napoleonic war.

This combination of renascent prosperity and military weakness was very
hard for merchants, who had to carry gold and silver with them to trade.
It created a demand for a safe means of effecting payments, and this was met
by the moneychangers, who began to issue gold receipts which could be traded.
Money became a paper document, validated by a banker's signature, which
entitled the bearer, or a named beneficiary, to receive value. This went some
way to solving the robbery problem, but at the cost of creating a new risk:
forgery.

\pagebreak

During the ensuing eight hundred years, many countries have developed a body
of statute and case law which seeks to allocate liability in the event
of a forged document being discovered in the payments system. However, this
law does not tackle the basic problem of how to spot a forged document reliably
in the first place. So long as the checking process involves visual inspection
of a handwritten signature, it will remain slow and error prone, and may be
completely omitted where large transaction volumes make it expensive, or in
clearing networks where the specimen signature is in a different location from
the voucher entry process.

The first attempts at solving this problem were made during the mid nineteenth
century. As the telegraph pioneers linked up the world's main cities,
businessmen could close deals within minutes, and demanded the ability to
settle them at the same speed. The early telegraph systems could not, however,
carry the graphic information needed to represent a traditional signature, and
a new approach was needed.

This was the `test key' - a sequence of digits which was obtained by applying
the significant digits of the transaction to a permutation table and hashing
the results. This test key, once calculated, was appended to the telegraphic
message and functioned as a digital signature.

Test keys are still in use today, particularly in less developed countries
where banks do not possess the equipment needed to participate in modern
wholesale funds transfer networks. However their main influence has been in the
adoption of the personal identification number, or PIN, as the near universal
means of identifying users of ATM networks.

\section{The Development of ATM Systems}

Automatic Teller Machines, or ATMs, were like most computer systems in that
they were originally developed without much concern for security other than
the obvious protection against violent external assault. The first examples
simply accepted a punched card and a PIN, checked the PIN against the card,
and issued a fixed amount (\pounds 10 in the UK in the early 1970's). The
card was retained by the ATM and returned to the customer at the end of the
month. The PIN, which was inspired by the test key, was introduced for a
simple reason: without it, the card could have been used by anyone to draw
cash, and so would have been of no more use than cash to most customers.
The security procedures for these early machines were quite primitive, being
essentially limited to balancing cash loaded against cards captured, and the
PIN was really an add-on, an incentive to get customers to use ATMs
and thus save teller time and costs.

\pagebreak

A fraud problem arose in some countries overseas, where criminals (and in
Israel, even enterprising but misguided students) worked out the relationship
between the holes punched in the card and the corresponding PIN. There was
also a concern about what would happen if a customer repudiated a transaction.
How could a bank satisfy a judge that their system was secure, even in the face
of testimony from a plausible witness?

These pressures led to a number of research programs being carried out into
ATM security, and in particular PIN security, in the late 1970's and early
1980's, with the aim of tackling the forgery problem once and for all. At
this time, computer security was an embryonic discipline, and inspiration was
drawn from US government guidelines. These defined three categories of
identification data as being (roughly) something the user knows, like a
password; something he has, like a key; and something he `is', such as his
voice, his signature or his facial features. Users accessing classified
systems had to pass checks from two of these three categories.

At that time, automated recognition of faces, fingerprints and voiceprints was
too unreliable, and this forced designers of unattended systems such as ATMs
to base user identification on the first two criteria, in effect on a password
and a token. Moreover, studies of time sharing computer systems had shown
that, given the chance, many people will choose a password that is easy for
others to guess, such as their initials. For this reason, the research program
led designers to specify a randomly generated password, and considerations of
cost, reliability and user acceptance dictated that these passwords should be
numeric only. In this way, the status of the PIN was confirmed.

A number of systems were developed, of which two captured most of the market.
These were the IBM system, launched in 1979, which had been developed by Meyer,
Matyas and others at IBM; and the VISA system, which had been developed by
Carl Campbell, launched by his company Transaction Security Products Inc.
in 1981 and taken over by VISA in 1983. They share a core concept, which is
described in the next section.

\section{Derived PINs}

The IBM and VISA systems relate the PIN to the account number in a secret
way. The idea is to avoid having a file of PINs, as this file might be stolen
or copied, and to give the option of remote validation of PINs in systems where
offline transactions are permitted. The definitive reference is [MM]; there is
a shorter account in [DP].

We take the last five significant digits of the account number, and prefix
them by eleven digits of validation data. These may be simply the first eleven
digits of the account number, or could be a function of the month of card
issue. In any case, the resulting sixteen digit value is input to an
encryption algorithm (which for IBM and VISA systems is DES, the US Data
Encryption Standard algorithm), and encrypted using a sixteen digit key called
the PIN key. The first four digits of the result are decimalised, and the
result is called the `Natural PIN'.

Many institutions started off by issuing the natural PIN to their customers.
However, some institutions decided that they wished to offer their customers
the facility to choose their own PIN, or to change a PIN if it became known to
somebody else, and for this reason there is a four digit number called the
offset, which is added to the natural PIN to give the customer PIN, that is,
the number which must be entered at the ATM keyboard to authorise a
transaction.

Here is an example of the process:

{\tt
\begin{tabbing}
First four digits decimalised (Natural PIN) are : \= 01234567890\=12345 \kill
Account number: \> 4506602100091715 \\
Last 5 digits: \> \> 91715\\
Validation data: \> 88070123456 \\
Input to DES algorithm: \> 8807012345691715 \\
PIN key: \> FEFEFEFEFEFEFEFE \\
Result of DES algorithm: \> A2CE126C69AEC82D \\
Decimalisation table: \> 0123456789012345 \\
First four digits decimalised (Natural PIN): \> 0224\\
Offset: \> 6565\\
Customer PIN: \> 6789\\
\end{tabbing}
}

It should be clear that the security of the system depends on keeping the
PIN key absolutely secret. However there are other aspects of system design
which are also important in deterring certain types of attack, and we
shall see examples of this below.

\section{The IBM and VISA Systems}

In the original IBM system design, the PIN was always validated at the ATM.
This meant that the PIN key had to be present in two places, namely at the
central computer site where PIN mailers were printed for new customers, and
within each ATM itself. In order to limit the number of staff with access to
the PIN key, a facility was provided whereby this key could be supplied in
two printed components. These would be carried to the ATM by two separate
officials and input at the keyboard there, whereupon they would combine to
form the live PIN key.

\pagebreak

It was still possible however for bank staff to get at the live PINs, or
keys, or both, as the IBM products (the 3848, PCF and CUSP) only provided
the encryption step of the above process, and left the other manipulations to
be performed by a mainframe computer program, which had to be written
anew by each bank. For this reason, the overall system security was predicated
not just on the cryptographic product, but also on the control exercised over
general system resources and, crucially, on the skill and integrity of each
bank's system development and maintenance staff.

Carl Campbell's innovation was to devise a system in which no key or PIN ever
becomes available to any bank employee. This system is quite involved and
details of one implementation can be found in, for example, [NSM]. In what
follows, we give a brief summary.

The basic concept is that all the central cryptographic operations are
performed in a device called a security module (SM) which controls all
of an institution's keys and PINs. The SM produces master keys for ATMs,
which, as in the IBM case, are printed in separate components for secure
conveyance to the ATM, and similar keys (called `Zone keys') for conveyance
to other institutions or other SMs in the same institutions.

Once a remote device, be it an ATM or another SM, has been equipped with
a master key (or zone key), it is supplied with working keys. These are keys
which will be used to encrypt PINs, other keys, or service messages during
routine operation of the system. The management of these working keys is fully
automatic.

The hierarchy of master keys, zone keys and working keys is so devised that
it should not be possible for any individual in the bank to get hold of the
clear value of any PIN or key. Once they have been generated, all keys and PINs
appear only as encrypted data blocks while outside of secure devices such as
ATMs and SMs. As for the initial generation and printing process, this is
performed on special printers attached to the SM, so that it can be closely
controlled. PINs are printed on security mailers and dispatched directly to
the branch or post office; keys are produced in multiple components which are
handed at once to separate officials.

The security module concept has now finally been adopted by IBM in their
latest product line, the 4753. However, this only came after two international
banking organisations, Mastercard and VISA, issued regulations making the use
of security modules mandatory in interbank networks. These organisations are
network providers and managers, and, when large numbers of banks connect their
ATMs together, the security of the whole network can be that of its weakest
link. For this reason, they considered the original IBM approach to be
unacceptable, as it would make every bank's PIN security depend on the
integrity of all the hundreds of thousands of technical staff who have access
to ATM and card issue systems in the twelve thousand member banks worldwide.
Incidentally, IBM resisted this decision as it was seen as a criticism of IBM's
cryptographic strategy and product offerings.

A sample interbank transaction is described in the appendix, so that the
interested reader can acquire some feel for the mechanics of the security
module system.

There is no doubt that PINs give a useful first line of defence against fraud.
Indeed, VISA reports that the incidence of fraud on systems which are PIN-based
is about one hundredth of that from signature-based cards. Given that fraud on
the latter varies between 0.1\% and 1\% depending on the country and the issuing
bank, PINs must be saving billions. However, PIN-based systems have a number
of weaknesses which are not always well understood, and as bankers become
more complacent about their systems, and technical knowledge of them continues
to spread, both the incidence of fraud and the likelihood of a really major
loss continue to grow.

\section{Attacks on ATM Systems}

If an attacker gets hold of a bank's PIN key, the situation is potentially
disastrous. For that reason, attacks of this type will be considered
separately in the next section. In this section, we describe a number of less
dramatic ways in which an ATM system can be subverted.

(1) The system can be compromised easily by poor administration. For example,
in February this year the author asked for an increased card limit: the bank
sent not one, but two, cards and PINs through the post. This was a near miss:
the cards arrived only a few days after intruders had got hold of the apartment
block's mail and torn it up looking for valuables. There appear to be no
statistics available for losses arising from this kind of incident, but we
expect that they account for thousands of cases a year.

(2) In our experience, banks in the English speaking world dismiss, or ask for
the resignation of, about one percent of their staff every year for
disciplinary reasons. A nontrivial proportion of these are for petty fraud or
embezzlement, in which ATMs are often involved. A clearing bank with 50,000
staff, which issued PINs predominantly through the branches rather than by
post, could expect about two incidents per business day of staff stealing cards
and PINs. These could be test cards, or cards otherwise used to milk the bank's
internal accounts; but it is simpler, and so much more common, for dishonest
staff to issue duplicate cards on ordinary accounts, or help themselves to
cards which have not yet been issued to customers.

(3) It may in some cases be possible for a dishonest teller to pass to a
customer's account a debit which masquerades as an ATM withdrawal, without
going near the ATM system. Such facilities may be provided in general banking
systems in order to allow branch staff to rectify mistakes, and may be abused
from time to time. An established policy of denying all liability for
`phantom withdrawals', and telling customers that they must have been defrauded
by their own relatives, may be expected to encourage this kind of embezzlement.

(4) Another source of trouble at some institutions has been the existence of
undocumented test transactions. There was a test facility on one of the
Olivetti 2000 series ATMs which would output ten banknotes when a fourteen
digit sequence was entered at the keyboard. One bank published this sequence
in its branch manual, and there was a spate of fraud until all the banks using
this type of machine had changed the software to disable this transaction.

(5) Various program bugs and operational errors will also cause a certain
percentage of mistakes such as duplicate transactions and debits posted to the
wrong account. These are familiar enough to heavy users of any bank's cheque
processing facilities, who correct them by reconciling their accounts and
demanding to see vouchers for stray debits. However, with ATM systems, the
customer cannot usually demand to inspect tally rolls, transaction logs and
balancing records; and any attempt at checking a disputed transaction is
generally frustrated in various ways by the bank. In view of the precedent
set by dispute resolution on cheque accounts, this may be a weak point in
the banks' legal case. From our own banking systems experience, we would
expect an error rate of between 0.1\% and 0.01\% of transactions; this is in
order-of-magnitude agreement with surveys which show that some 35\% of UK
cardholders have experienced a `phantom withdrawal' at some time in their
lives.

(6) In addition to the above general problems, there are a number of
technical ways in which ATM systems can be attacked. One of the most
famous, at least within the computer security community, occurred at the
Chemical Bank in New York in about 1985. An ATM technician, who had been
dismissed, stood in ATM queues and observed customers' PINs as they were
entered. He would then pick up the discarded receipt, which contained the
account number, and write this number to the magnetic strip of a blank
card. He managed to steal over \$80,000 before the bank saturated the
area with security men and caught him in the act. Needless to say, the
emergence of worldwide ATM networks during the past few years makes such
attacks much more easy to mount, and much more difficult to stop. In fact,
the attack worked against Chemical Bank because they issued their customers
with the natural PIN, so almost all their offsets were zero; and since then
it has been standard security practice worldwide to print only the last six
digits of the account number on the receipt, to issue cards with random
offsets, or both.

\pagebreak

(7) An even more sophisticated attack was reported from the USA in 1988. In
this case, the fraudsters had constructed a vending machine which would
accept any card and PIN, and dispense a packet of cigarettes. They placed this
in a shopping mall, and used the PINs and magnetic strip information it
recorded to forge cards for use in ATMs. Attacks of this type cannot be
prevented by purely technical means so long as the ISO standard
magnetic card is used, and this incident has been a spur to the development of
card types which are hard to forge, such as watermark cards and smartcards.

(8) Another technical attack relies on the fact that most ATM networks do not
encrypt the authorisation response to the ATM. This means that an attacker can
record a `pay' response from the bank to the machine, and continually replay it
until the machine is empty. This technique, known as `jackpotting', is not
limited to outside `hackers' - it appears to have been used in South Africa in
1987 by a bank's operations staff, who used network control devices to jackpot
ATMs where accomplices were waiting.

(9) Some banks decided to hold the encrypted PINs on a database. This meant
that a programmer, who knew that his own PIN was 1537, would observe that his
encrypted PIN was (say) {\tt 132AD6409BCA4331}, and then search the database
for all other account numbers with the same PIN. If the bank has five
million cards outstanding, there should be about five hundred of these -
and using forged cards to take \pounds 50 from each of these accounts would
yield a tidy \pounds 25,000. Furthermore, as these account holders would be
randomly distributed around the country, and since the one or two complaints
per branch would be unnoticed among those arising from random errors, the
chances of the fraud being detected would be quite small. For this reason,
VISA recommends that where a file of encrypted PINs is to be held, the account
number should be combined with the PIN before encryption, so as to make each
encrypted block unique.

(10) Banks which used IBM encryption products such as the 3848 are open to much
more direct attacks. A system programmer can simply observe clear PINs going
through the mainframe, compile a list of corresponding account numbers and
PINs, and make up forged cards.

Of the above, (1) to (3) will typically manifest as bogus transactions around
the time of card issue, or after a loss has been reported. (5) to (10) will
present as phantom withdrawals on accounts in normal use; and of these,
(6) and (7) will tend to be geographically localised, while (5), (8), (9) and
(10) would usually result in frauds scattered at random throughout the issued
card base. However, if a bank has a policy of denying all disputed transactions
outright and keeps no central record of them, a fraud might be very far
advanced before it came to the attention of top management.

\pagebreak

\section{Security of the PIN Key}

There are a number of ways in which a PIN key can be obtained by an
attacker. In fact, there are two such incidents of which the author has
personal knowledge, having consulted to the victim institutions.

(11) In the first, the bank had a policy that only IBM terminals could be
purchased. The security modules they used, which were a standard product
supplied by VISA, would not accept IBM terminals but required VT type devices
instead. This caused a problem as the institution wished to establish a zone
key with a new network, and had no terminals with which to perform the required
transactions at the security module. The card development team were asked to
help, and the project leader obligingly supplied a portable PC with
communications software which emulated a VT100 terminal. With this the
internal auditors, senior managers and assorted dignitaries duly created
the required zone keys and carted them off to the network switch. However, the
communications software had a facility to record all the transactions, and this
facility had been turned on by the miscreant. He later used the zone key to
decrypt the bank's PIN key.

(12) In the second, the bank had no proper ATM test environment. When it
decided to join a network, the equipment vendor's systems engineer could not
get the system working and used undocumented tricks to get hold of the clear
PIN key in order to debug the system.

In both these cases, the problem stemmed from poor management and was
compounded by audit and security staff who were not really technically
aware. Most institutions would admit that the latter, at least, is a common
enough problem - it is unlikely that good engineers will be happy for
long in a security role, unless they can become involved in research, product
design or consultancy work. The banks affected were lucky, in that the damage
was limited to embarrassment; but it is only a matter of time before a bank
becomes very unlucky indeed, as there are a number of other ways in which
a PIN key can be compromised.

(13) The most obvious vulnerability in many banking systems is that PIN keys
are loaded into ATMs in order to facilitate offline transactions. The usual
procedure is that the PIN key is encrypted under the terminal master key and
downline loaded to the ATM as KMT(KP) during the first service transaction
after each maintenance operation. It follows that if the maintenance engineer
can get his hands on KMT, and then record KMT(KP), he can decrypt KP and hold
the bank to ransom. In our experience, the control procedures surrounding
the custody of the KMT component mailers at bank branches are weak and
this kind of attack is a very present possibility.

\pagebreak

(14) Where the encryption at the bank's mainframe computer is performed in
software, such as using IBM's PCF product, the key can be found trivially by
programmers. Even where the bank changes to security modules, a knowledge of
the PIN key may persist for years afterward: it is, after all, useful in
debugging systems.

(15) Certain technical attacks are possible on certain makes of security
module by people with physical access to them. The author has twice needed to
assist at such an attack: once for a bank which had lost a key for one of its
security module systems, and once to arrange to transfer a set of master keys
from one make of security module to another. In such cases, the bank is
completely at the mercy of the experts carrying out the operation.

(16) We have heard of cases where a bank has given live keys to an
equipment vendor or maintenance organisation and asked them to set up or
run part of the system. There have also been cases where PIN keys have been
shared between two or more institutions. In any case where the bank shares
a key, it can no longer be sure how secure its keys are, and so cannot in
good faith plead to a disgruntled customer that its systems are infallible.
It is also significant that engineering firms do not usually share the same
security culture as the banks, and will often have not just a higher
turnover of staff, but of the most dangerous type of staff - young, bright
technical specialists with the combination of curiosity and skill which can
lead to innovative attacks on security systems.

(17) A determined attacker could use parallel computing hardware to find
the PIN key by brute force search through the set of all possible keys. Recent
studies [A], [GO] show that such an attack would cost about \pounds 30,000
worth of specialist computer time. It follows that such an attack is not just
confined to government agencies but could be carried out by a reasonably well
off private individual. It is also possible that cryptanalytic facilities in
the former Soviet Union could be misused for private gain.

(18) Certain types of security module may cut the amount of work needed to
carry out an analytic attack. This is because the random numbers which they
generate for use as keys are often not anything like as random as the
manufacturers claim. Security product quality has been of sufficient concern
for the EC to introduce standards and procedures [ITSEC] for certifying all
such products sold in Europe, but as these standards were only published last
year, one would expect that most systems in use still fall short in some
respects.

The symptoms of a lost PIN key might vary widely. Well organised criminals
would presumably design their attack pattern to confuse the bank and so prolong
the time until countermeasures are taken. If the attackers were not
particularly well organised, one would expect a steady and growing incidence
of loss, initially in restricted geographical areas. In particular, one might
expect PC software to be created which would work out the PIN on any card
issued by the bank. In this case, credit and debit cards stolen in areas where
this software was in circulation would be used in ATMs, rather than in the
usual pattern of Switch cashouts and purchases at electrical and sports goods
stores. Of course, banks which do not monitor disputed transactions centrally
could again be suffering large losses by the time they noticed that anything
was amiss.

\section{Conclusions}

ATMs have been described as one of the top 100 ideas of the 20th century.
However, the security technology of ISO magnetic strip cards with PINs may be
nearing the end of its economic life, or at the very least be due for review
and upgrade. Recently reported figures [ST] show that plastic card fraud in the
UK was \pounds 166,000,000 in 1991, up 35\% from 1990. There will be a further
sharp increase next year, as the banks have now agreed that the customer will
bear only the first \pounds 50 of loss for stolen cards and disputed
transactions. This will force many losses previously borne by customers to
be recorded in the official figures. With some two million plastic cards
stolen every year, the consequences of any large scale compromise of PIN
security would be very serious indeed for the affected banks.

A number of prospective successor technologies are available and have been
aggressively marketed for several years now. These include watermark cards,
smart cards, and biometrics.

Perhaps one of the more novel developments is in the South African
homeland of kwaZulu, where Chief Buthelezi's government is using mobile voice
activated ATMs to pay pensions in rural areas. Previously, fraud by pension
officials was a considerable source of grievance to the community, and the
authorities for their part were suspicious of the very low mortality reported
among pensioners; now, pension cash is only dispensed after the beneficiary
states his surname and the spectral features of this utterance are checked
against a reference file. The system has been found to have an error rate of
about one percent, which is an enormous improvement on previous arrangements,
but still not perhaps good enough for use in a developed country banking
environment where unattended operation and 99.9\% reliability have come to be
expected.

Another biometric project is underway in India, where Nixdorf is recognising
bank customers by their fingerprints. This technology is now fairly reliable,
thanks to decades of investment by the world's police forces, but is probably
not acceptable in most western markets because of its criminal associations.

IBM's new cryptographic product range includes an automatic signature
verification device. This may become a standard in future. A previous signature
based system promoted by Unisys merely stored a picture of the specimen
signature, and was vulnerable to good forgeries in the same way as manual
systems. However the new generation products such as IBM's check the signature
dynamics too, and it will be interesting to see what sort of error rates are
achieved in practice.

Watermark cards have been introduced in Scandinavia. These have a two-layer
magnetic strip, of which the lower layer is made read-only and furnished
with a unique serial number at the time of manufacture. This serial number,
plus the normal strip contents, are used to calculate a cryptographic
checksum which ensures that any alterations of the data on the strip will
be detected. These cards offer the least change from the current card
technology and also the lowest upgrade cost, but do not offer the system
developer any really new options; he is still limited to a few hundred bytes
of data storage and this severely restricts the range of applications which
can be delivered.

Smartcards, pioneered in France, offer almost total resistance to forgery,
together with much greater on-card data storage and the ability to program
applications directly into the card itself. This gives the ability to work
off-line and may be a decisive advantage in those areas of the world which
have recently been liberated from central economic planning, and where banking
systems have to be established quickly despite the lack of a telecommunications
infrastructure. An example of a state-of-the-art system is UEPS, the Universal
Electronic Payment System, which we designed for a French systems company
around the GemPlus smartcard [UEPS].

In conclusion, it is high time for ATM operators to start planning the next
generation of payment systems. There is no shortage of options, and these
now offer the prospect that, after eight hundred years, we may succeed in
eliminating forgery as a significant cost in the banking industry. On the
other hand, any institution which suffers serious losses from using
elderly and insecure technology will probably not be able to pass the cost on
to the public. It would much more likely see its profitability, and perhaps
even its customer base, eroded quite substantially as a result.

\begin{thebibliography}{ITSEC}

\bibitem[A]{A}
R. J. Anderson,
\newblock ``How to Break DES'',
\newblock In {\em Virus Fax International}, March 1990, pp 10 - 13

\bibitem[DP]{DP}
D. W. Davies and W. L. Price,
\newblock {\em `Security for Computer Networks'}, John Wiley and Sons 1984.

\bibitem[GO]{GO}
G. Garon and R. Outerbridge,
\newblock ``DES Watch: An examination of the Sufficiency of the Data
Encryption Standard for Financial Institution Information Security in the
1990's'',
\newblock In {\em Cryptologia}, {\bf XV}, no. 3 (July 1991) pp 177 - 193

\bibitem[ITSEC]{ITSEC}
{\em Information Technology Security Evaluation Criteria}, Provisional
Harmonised Criteria, June 1991, EC document COM(90) 314

\bibitem[MM]{MM}
C. H. Meyer and S. M. Matyas,
\newblock{\em Cryptography: A New Dimension in Computer Data Security},
John Wiley and Sons 1982.

\bibitem[NSM]{NSM}
{\em Network security Module - Application Developer's Manual},
Computer Security Associates, 1990

\bibitem[ST]{ST}
{\em Sunday Telegraph}, 8 March 1991

\bibitem[UEPS]{UEPS}
R. J. Anderson,
\newblock ``UEPS - A Second Generation Electronic Wallet'', {\em to appear}

\end{thebibliography}

\vspace{3.5ex}
{\center\bf\Large Appendix - Sample Interbank Transaction}

We will now illustrate how the security module concept operates in practice by
describing a sample interbank transaction, in which our bank accepts a card
issued by a correspondent. We use the notation KA(X) to denote the data block
X encrypted under the key KA.

{\bf Preliminaries:}

(1) Our ATM is issued with two terminal key components, KMTA and KMTB. These
are printed in a secure room on a printer attached to the SM, and conveyed to
the device by two trusted officials. The ATM combines them and forms its
terminal master key: KMT = KMTA + KMTB.

(2) Our SM now creates a terminal transaction key, KTT, which is encrypted
under the terminal master key and sent to the ATM as KMT(KTT). The ATM decrypts
it and stores it.

(3) Our SM creates three zone key components ZMK1, ZMK2, and ZMK3. These are
conveyed with much ceremony to the correspondent bank and entered into their
security module, SM*, in the presence of a large number of directors, auditors
etc. SM* combines these components to form the zone key, ZMK, which it now
shares with our SM.

(4) Our SM sends a working key, AWK, to SM*, encrypted under ZMK, that is, as
ZMK(AWK). This operation typically takes place at the start of the business
day. Our bank is now ready to process transactions from our correspondent's
cardholders.

(5) Each of their cardholders has meanwhile been issued a PIN which is
essentially his account number encrypted under their PIN key, KP*, using the
process described above. These are printed in their secure room on a printer
attached to SM*.

{\bf Operation:}

(6) The cardholder presents his card at our ATM. The ATM reads his account and
offset data from the track, checks that the issuing bank is a correspondent,
and asks for the PIN to be entered.

(7) The cardholder enters the PIN, which is encrypted under the transaction
key and sent to our SM as KTT(PIN).

(8) Our SM decrypts the PIN. It cannot be checked locally, as we only have
our own PIN key KP, not the correspondent's KP*. So our SM reencrypts the PIN
under the shared working key, and transmits it to the correspondent as
AWK(PIN).

(9) SM* decrypts the PIN and checks it against the account number using
KP*.

(10) The answer, `PIN correct' or `PIN incorrect', is sent back to the
correspondent bank's mainframe.

(11) This mainframe checks the balance available and sends an authorisation
response (basically `pay', `retry', `refuse' or `confiscate card') back through
the network.

(12) This authorisation response is processed by our bank's mainframe,
for journalling and audit purposes, and sent on to the ATM, which dispenses
the cash, or rejects or confiscates the card, as instructed.

The above sequence of actions appears at first sight to have removed the
risk of fraud by bank systems staff. After all, the PIN is now not known to
any employee of either bank, and neither is any key; and an outsider who is
monitoring the various communication lines has only seen the encrypted data
blocks KMT(KTT), ZMK(AWK), KTT(PIN) and AWK(PIN).

In practice, as we have seen, current security module systems can be
circumvented in various ways, but still do make fraud much more difficult
than might otherwise be the case.

\end{document}
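
The appendix exchange (steps 1 to 9), simulated end to end as an added Python example; it is not part of the paper or of the original post. Assumptions: a toy Feistel cipher stands in for DES, "+" on key components is taken as XOR, the PIN is the encrypted account number decimalised modulo 10 plus the offset, and the account number, offset and PIN-block padding are constructed.

```python
import hashlib
import hmac
import secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):                       # Feistel round function
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]

def enc(key, block):
    """KA(X): toy 8-round Feistel on 8-byte blocks, a stand-in for DES."""
    l, r = block[:4], block[4:]
    for i in range(8):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def dec(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(8)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def pin_block(pin):                         # constructed padding, not an ISO format
    return pin.encode() + b"\xff" * 4
def add_digits(a, b):                       # digit-wise addition mod 10
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))

class SecurityModule:                       # keys stay inside; callers see ciphertext
    def __init__(self):
        self._kp = secrets.token_bytes(8)   # PIN key: KP for us, KP* for the issuer
    def terminal_components(self):          # step 1: KMTA and KMTB, carried by hand
        a, b = secrets.token_bytes(8), secrets.token_bytes(8)
        self._kmt = xor(a, b)
        return a, b
    def terminal_key(self):                 # step 2: returns KMT(KTT)
        self._ktt = secrets.token_bytes(8)
        return enc(self._kmt, self._ktt)
    def zone_components(self):              # step 3: ZMK1..ZMK3, carried by hand
        parts = [secrets.token_bytes(8) for _ in range(3)]
        self.load_zone_key(parts)
        return parts
    def load_zone_key(self, parts):         # step 3 at SM*: combine into ZMK
        self._zmk = xor(xor(parts[0], parts[1]), parts[2])
    def working_key(self):                  # step 4: returns ZMK(AWK)
        self._awk = secrets.token_bytes(8)
        return enc(self._zmk, self._awk)
    def load_working_key(self, wrapped):    # step 4 at SM*
        self._awk = dec(self._zmk, wrapped)
    def issue_pin(self, account, offset):   # step 5: hex digits mod 10 (assumed) + offset
        ct = enc(self._kp, bytes.fromhex(account)).hex()[:4]
        return add_digits("".join(str(int(h, 16) % 10) for h in ct), offset)
    def translate(self, ktt_pin):           # step 8: KTT(PIN) -> AWK(PIN)
        return enc(self._awk, dec(self._ktt, ktt_pin))
    def verify(self, awk_pin, account, offset):   # step 9: check inside SM*
        expected = pin_block(self.issue_pin(account, offset))
        return hmac.compare_digest(dec(self._awk, awk_pin), expected)

class ATM:
    def __init__(self, kmta, kmtb, wrapped_ktt):
        self._ktt = dec(xor(kmta, kmtb), wrapped_ktt)   # KMT = KMTA + KMTB as XOR
    def capture(self, pin):                 # step 7: returns KTT(PIN)
        return enc(self._ktt, pin_block(pin))

def run(account="4000123456789012", offset="2718"):     # constructed sample values
    ours, theirs = SecurityModule(), SecurityModule()   # our SM and SM*
    kmta, kmtb = ours.terminal_components()
    theirs.load_zone_key(ours.zone_components())
    wire = [ours.terminal_key(), ours.working_key()]    # KMT(KTT), ZMK(AWK)
    atm = ATM(kmta, kmtb, wire[0])
    theirs.load_working_key(wire[1])
    pin = theirs.issue_pin(account, offset)             # the mailed PIN
    results = {}
    for label, entered in (("good", pin), ("bad", add_digits(pin, "1000"))):
        ktt_pin = atm.capture(entered)
        awk_pin = ours.translate(ktt_pin)
        wire += [ktt_pin, awk_pin]
        results[label] = theirs.verify(awk_pin, account, offset)
    return pin, results, wire               # wire: everything an eavesdropper saw
```

Calling `run()` returns the issued PIN, the verdicts for a correct and an incorrect entry, and the six ciphertext blocks that crossed the lines.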

Perry Clarke

Nov 10, 1992, 9:09:16 PM

vp...@rosie.uh.edu (Kal) wrote:
>In article <1992Nov2.1...@pony.Ingres.COM>, swe...@Ingres.COM (Tony Sweeney) writes...
>>In article <1992Nov2.0...@hpcvaac.cv.hp.com> bi...@hpcvaac.cv.hp.com (bill nelson) writes:
>>>swe...@Ingres.COM (Tony Sweeney) writes:

[polarized debate on where PINs are stored deleted]

I think that we might find that different countries have different systems.

My experiences in the UK and the US would lead me to believe that the PIN is
stored on the card in the UK and in the host computer in the US (it is used
to certify the transaction).

Proof of this is in the way that invalid PINs at foreign ATMs are dealt
with. In the US I have to get all the way to end of the session (entering
PIN, amount of money, etc) before it reports that my PIN was invalid, in the
UK the report is given as soon as the bad PIN is entered.

Another piece of information stored on UK cards is the amount of money
withdrawn in the current "period" (used to enforce #300 per day, or
whatever).

Yes, this does make the UK system less secure. Try getting a bank to admit
that, though.

Perry

Unify Corporation, Sacramento, CA Manager, Peacock Project

YuNoHoo

Nov 11, 1992, 12:31:40 PM

In <xbs...@Unify.Com>, Perry Clarke writes:
>
> My experiences in the UK and the US would lead me to believe that the PIN is
> stored on the card in the UK and in the host computer in the US (it is used
> to certify the transaction).
>
> Proof of this is in the way that invalid PINs at foreign ATMs are dealt
^^^^^

> with. In the US I have to get all the way to end of the session (entering
> PIN, amount of money, etc) before it reports that my PIN was invalid, in the
> UK the report is given as soon as the bad PIN is entered.

This _is_ alt.folklore.urban, isn't it?

Well, he proved it, so it must be true...

---
YuNoHoo "I was told we didn't do empirical science for a.f.u"

Neil Townsend

Nov 12, 1992, 11:10:36 AM

Perry Clarke writes:

>I think that we might find that different countries have different systems.

Makes sense.

>My experiences in the UK and the US would lead me to believe that the PIN is
>stored on the card in the UK and in the host computer in the US (it is used
>to certify the transaction).
>
>Proof of this is in the way that invalid PINs at foreign ATMs are dealt
>with. In the US I have to get all the way to end of the session (entering
>PIN, amount of money, etc) before it reports that my PIN was invalid, in the
>UK the report is given as soon as the bad PIN is entered.

Although some machines in England follow this procedure, I know of
several which follow the procedure you define as American here in
Oxford. In fact, I can't remember using a Lloyds machine which
followed what you define as the UK procedure.

Neil `PIN? but what does the I stand for'
--
Neil Townsend | ne...@uk.ac.ox.robots | enough already

Paul Tomblin

Nov 12, 1992, 3:12:10 PM

ne...@robots.ox.ac.uk (Neil Townsend) writes:

>Perry Clarke writes:
>>I think that we might find that different countries have different systems.
>Makes sense.

And then in Spain, I got through everything - Select language, enter PIN,
select account, select amount, it started to print something, and then it
told me that my card wasn't on a network that they could access. Damn
`Servi-Red' - not hooked up to Cirrus, Plus or Interac.

What I found bizarre in the UK (I may have mentioned this before) is that I
use my Visa as my bank card, and ATMs in the UK would never give me a
choice, but would sometimes take it as a withdrawal from chequing, and
sometimes as a Visa cash advance. What a pain in the ass. I wouldn't find
out until the bills came. (Even machines that in December were giving me
withdrawals were giving me cash advances in January.)

--
Paul Tomblin, p...@geovision.gvc.com
(This is not an official opinion of GeoVision Systems Inc.)
"I don't have time to think it through: I've got to get this code written!"

Stu Mountjoy

Nov 20, 2022, 6:13:42 AM

On Monday, September 21, 1992 at 9:12:11 PM UTC+12, snopes wrote:
> In article <gregn.716784724@coombs>,
> gr...@coombs.anu.edu.au (Gregory Newton) writes...
> >An UL back in my home city australia/nsw/gosford concerned a bloke who
> >entered a piece of foil from a chocolate wrapper into an ATM and was able to
> >withdraw money when the machine went berserk.
> Sheesh! What was it, a wrapper from a chocolate laxative?
> - snopes
> +-----------------------------------------------------------------------------+
> | "It is about a socialist, anti-family political movement that encourages |
> | women to leave their husbands, kill their children, practice witchcraft, |
> | destroy capitalism, and become lesbians." |
> | |
> | Pat Robertson, on the equal-rights amendment |
> +-----------------------------------------------------------------------------+
> | David Mikkelson Digital Equipment Corporation, Culver City, CA USA |
> +-----------------------------------------------------------------------------+

I was trying to find the right Google search, for the story of the kid / adult in USA, who [a] put a wrapper in the ATM envelope, [b] entered $1,000,000 and [c] the bank in question accidentally put the amount in the person's account AND for one whole year, did not reverse it and tried suing them. The person didn't do anything with the "money" (at this point, just numbers in the account) and the account didn't even earn interest. Might be along the same lines as "flustered worker pressing OK let it happen" instead of "do your job bank person".

Have just seen, on Netflix, a story about Harrier Jet Pepsi LOL - https://en.wikipedia.org/wiki/Leonard_v._Pepsico,_Inc.