[1090] in cryptography@c2.net mail archive
Thoughts on ATM cards
daemon@ATHENA.MIT.EDU (William Allen Simpson)
Thu Jun 26 01:07:32 1997
Date: Thu, 26 Jun 97 04:21:49 GMT
From: "William Allen Simpson" <wsimpson@greendragon.com>
To: cryptography@c2.net

I'd like to support Colin's suggestion as to the next target: ATM card
master PINs.
> From: Scott Baker <baker@ohcu.org>
> Not so. Most cards are actually encoded with their PIN. Only a handful
> of large banks offer programmable PINs, most are coded when the card is
> pressed.
>
Hmmm, I have several with programmable PINs. One of them is now a
closed account for a large bank, that just merged with an Australian
bank.

And all my credit union cards are programmable, if I take the card to
their office. I change mine every year (probably not often enough).
> > You just need a few people with closed accounts to volunteer their
> > ATM cards to mag stripe readers. The work would be somewhat greater
> > since you need to do multiple decryptions to get a full validation;
> > you'd need to weed out the impossible in stages.
> >
>
> Uhhh, no. Most institutions have several keys that they use, many have
> over 100.
>
Well, so what? We only really need to do this once for proof of concept
and publicity.
> If you're caught, you'd spend a nice long time in prison. Let me just
> remind you, EVERY financial institution in the country, and the Federal
> Reserve, has a vested interest in making sure this type of thing doesn't
> happen, someone tries it and gets caught, and you can kiss them bye bye.
>
I think that Colin's idea of using "volunteer" ATM cards solves the
problem. How would a prosecutor "prove" where they came from, if we
removed the name from the published data? And in any case, what law is
broken for a person reading their own card and publishing the data?

What we need to do is narrow the scope.

- What kind of card to collect?
- From what common bank?
- Do the cards need to be closed accounts?
- Can we publish the data in such a fashion that enough details are
  missing to prevent disclosing the original account holder?

WSimpson@UMich.edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2