password security

ted at nmsu.edu
Wed Dec 7 15:19:52 AEST 1988


I would let all of this discussion about PINs and password protection
just slide on by, except for the fact that a friend of mine was
apparently a recent victim of an ATM fraud.

The situation was that she went to the bank to make a withdrawal and
they said that her account had only $5 in it.  She objected that
according to her records she had over $700 in the account and that she
had not made any withdrawals recently.  The bank claimed that she had
made 5 withdrawals in one day for virtually the entire amount in the
account, leaving only the minimum in the account.  Upon presentation
with a written complaint, the bank checked the camera for the ATM and
found that it had been blocked during the time of the withdrawals in
question.

The bank is currently standing pat on the absolute security of the ATM
system and is insisting that they have no obligation to disburse any
of the questioned funds.  Combined with the recent discussion on the
net about the errors that have occurred in ATM software and with the
fact that some systems store the PIN (or the encrypted PIN) on the
card, there is considerable doubt in my mind about whether ATMs
provide even minimal levels of security.

My questions for the net are:

1) are account and PIN numbers really stored on the card in such a way
that a card can be easily forged (please, no secure details, I just
need enough information to believe you).

2) how autonomous are ATM machines?

3) to what degree do ATMs record transactions?  I know they record
the account number and amount, but do they record erroneous PIN
entries, and do they record the PIN number that is actually entered?
Is there enough of an audit trail to substantiate a claim of card
forgery?

4) are there any publicly available accounts of ATM fraud, or
breakdowns in ATM security? (the bug mentioned on the net recently
would classify, but did the company involved manage to sufficiently
hush up the problem so that it has effectively been pushed into the
apocrypha of computer security?)

If your reply is not suitable for public dissemination, please reply
by email, U.S. mail or phone.  I will or will not summarize to the net
depending on the wishes of individual respondents.  I will honor
requests for anonymity, but obviously, in the current situation, I
would prefer to find experts in the field whom I can cite.

Thank you.

Ted Dunning
Computing Research Laboratory
New Mexico State University
Las Cruces, New Mexico 88003-0001

ted at nmsu.edu
(505) 646-6221
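Question 3 above asks what an ATM audit trail would have to contain to substantiate a forgery claim. The following is an added illustration, not part of the original post and not any bank's real logging scheme: a constructed, hypothetical pipe-separated transaction log, a parser for it, and a review function that flags the pattern described in the post (several withdrawals in one day that drain the account, with the terminal camera reporting an obstruction). The log records that a PIN check failed but deliberately never records the PIN digits entered, since a trail that stores PINs would itself become the thing worth stealing.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AtmEvent:
    ts: datetime
    account: str
    terminal: str
    kind: str           # "withdraw" or "pin_fail"
    amount: int         # cents withdrawn; 0 for a pin_fail event
    balance_after: int  # account balance in cents after the event
    camera_ok: bool     # terminal reported its camera unobstructed


# Constructed sample records in a hypothetical format:
#   timestamp|account|terminal|kind|amount|balance_after|camera_ok
# The PIN digits typed at the keypad are never written to the trail;
# only the fact that a PIN check failed is kept.
SAMPLE_LOG = """\
1988-12-05T09:14:00|4411|T17|withdraw|20000|72000|1
1988-12-06T08:02:10|4411|T03|pin_fail|0|72000|0
1988-12-06T08:02:41|4411|T03|withdraw|20000|52000|0
1988-12-06T08:04:05|4411|T03|withdraw|20000|32000|0
1988-12-06T08:05:30|4411|T03|withdraw|10000|22000|0
1988-12-06T08:07:12|4411|T03|withdraw|10000|12000|0
1988-12-06T08:08:50|4411|T03|withdraw|11500|500|0
1988-12-06T12:30:00|9120|T17|withdraw|5000|150000|1
"""


def parse_log(text):
    """Parse the constructed log format into AtmEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, term, kind, amount, bal, cam = line.split("|")
        events.append(AtmEvent(datetime.fromisoformat(ts), acct, term, kind,
                               int(amount), int(bal), cam == "1"))
    return events


def find_suspicious_days(events, max_withdrawals=3, drain_ratio=0.9):
    """Return {(account, date): [reasons]} for account-days that look
    like a drain: many withdrawals, most of the opening balance gone,
    failed PIN checks nearby, or a camera obstruction reported."""
    by_day = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_day[(e.account, e.ts.date())].append(e)

    findings = {}
    for key, day_events in by_day.items():
        withdrawals = [e for e in day_events if e.kind == "withdraw"]
        if not withdrawals:
            continue
        reasons = []
        # Opening balance is recovered from the first withdrawal's
        # post-balance plus its amount, so no separate balance feed is needed.
        opening = withdrawals[0].balance_after + withdrawals[0].amount
        total = sum(e.amount for e in withdrawals)
        if len(withdrawals) > max_withdrawals:
            reasons.append(f"{len(withdrawals)} withdrawals in one day")
        if opening and total >= drain_ratio * opening:
            reasons.append(f"{total / opening:.0%} of opening balance withdrawn")
        pin_fails = sum(1 for e in day_events if e.kind == "pin_fail")
        if pin_fails:
            reasons.append(f"{pin_fails} failed PIN attempt(s) on the same day")
        if any(not e.camera_ok for e in withdrawals):
            reasons.append("camera reported obstructed during withdrawal")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (acct, day), why in find_suspicious_days(parse_log(SAMPLE_LOG)).items():
        print(acct, day, "->", "; ".join(why))
```

Run against the constructed log, only account 4411 on 1988-12-06 is flagged, with all four reasons. Each reason is something a bank could present or a customer could demand: the count and timing of withdrawals per terminal, the failed-PIN count, and the camera status, none of which requires logging the PIN itself.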
