[1097] in cryptography@c2.net mail archive
Re: Thoughts on ATM cards
daemon@ATHENA.MIT.EDU (Scott Baker)
Thu Jun 26 23:01:24 1997
Date: Thu, 26 Jun 1997 16:26:58 -0700
From: Scott Baker <baker@ohcu.org>
Reply-To: baker@ohcu.org
To: cryptography@c2.net
This is a resend, I had originally hit reply instead of addressing it to
the list...
Message-ID: <33B2FA71.2C0A@ohcu.org>
Date: Thu, 26 Jun 1997 16:25:37 -0700
From: Scott Baker <baker@ohcu.org>
Reply-To: baker@ohcu.org
X-Mailer: Mozilla 3.01 (Win16; U)
MIME-Version: 1.0
To: William Allen Simpson <wsimpson@greendragon.com>
Subject: Re: Thoughts on ATM cards
References: <6121.wsimpson@greendragon.com>
William Allen Simpson wrote:
>
> I'd like to support Colin's suggestion as to the next target: ATM card
> master PINs.
>
First off, what do you do once you have the Master PIN? Without knowing
how the ATM network sends and receives data, what it's looking for, and
the types of codes necessary, you couldn't use the information. For a
PIN to work you have to match the PIN to the Account.
If you're trying to prove that it can be done, and that it poses a risk,
then you'd do that, but it won't change the way the cards are used until
the Federal Reserve changes card guidelines.
> >
> I think that Colin's idea of using "volunteer" ATM cards solves the
> problem. How would a prosecutor "prove" where they came from, if we
> removed the name from the published data? And in any case, what law is
> broken for a person reading their own card and publishing the data?
>
Without an account number, you can't prove you did it. Tampering with
the card violates the card holder agreements.
> What we need to do is narrow the scope.
>
> - What kind of card to collect?
> - From what common bank?
> - Do the cards need to be closed accounts?
>
Obviously, I'm NOT going to be able to answer those questions, see
below.
> - Can we publish the data in such a fashion that enough details are
> missing to prevent disclosing the original account holder?
>
Probably not.
-- Scott
______________________________
Scott Baker
Old Hickory Credit Union
baker@ohcu.org