ATM fraud

Chris Torek chris at mimsy.UUCP
Sat Dec 17 13:56:39 AEST 1988


(I was hoping not to have to post this on a comp.unix group, but
things are not getting any quieter, so:)

Real Facts about ATMs:

> Each system is different.  One cannot even count on the machines from
  a specific manufacturer (e.g., IBM or Diebold) all to act the same, as
  many (if not all) of these systems can be configured by the purchasing
  bank.  Therefore:

> Every blanket statement about ATMs is wrong (including this one).

> Some common systems do put PINs on cards; some common systems do not.

> Some systems allow `local' operation of an ATM station when the net
  is down; some do not.  (Local operation may be used to overrun daily
  limits.)

> Some systems use DES encryption (in just what ways I am not sure).
  Of those that do, they may not do it in a `secure' manner.  (You will
  find it very hard to pull this particular bit of information out of
  your local bank, particularly if they know it is insecure.)

> Some systems `batch' the PIN verification with the first operation
  (so that a wrong PIN is not noticed until after a deposit, etc.).
  Others check the PIN immediately, even if it requires a network
  transaction.  Thus you cannot conclude anything about where the
  PIN is stored based on when the machine rejects an invalid PIN.

> Many systems that allow more than four digits for a PIN in fact only
  use the first four.

> Some systems count PIN errors globally; some count them per-ATM; some
  use a mix (count locally iff net is down).  Many set a `keep the card'
  threshold at 3 errors.  Typically the count is reset once a day.

Now can we stop with ATM security messages on comp.unix.questions?
(And why do I ask such a silly question? :-) )
-- 
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain:	chris at mimsy.umd.edu	Path:	uunet!mimsy!chris
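As an added illustration of the last two points in the post (PINs truncated to their first four digits, and PIN errors counted globally versus per-ATM or only locally while the net is down), here is a small Python model written for this page; it is not from the original post or any real ATM system, and the class names, function names and sample PINs are constructed.

```python
from dataclasses import dataclass, field

# Constructed model of the PIN-lockout policies listed above; not code from
# any real ATM network and not from the original post. Names are invented.
RETAIN_THRESHOLD = 3  # "keep the card" after 3 wrong PINs, as in the post


@dataclass
class Host:
    """Bank host: holds the real PINs and, in global mode, the error count."""
    pins: dict                         # card_id -> PIN, constructed sample data
    use_first_four_only: bool = False  # the "only the first four digits" quirk
    global_errors: dict = field(default_factory=dict)

    def pin_matches(self, card_id, pin):
        expected = self.pins[card_id]
        if self.use_first_four_only:
            expected, pin = expected[:4], pin[:4]
        return expected == pin


@dataclass
class ATM:
    host: Host
    mode: str              # "global", "per_atm" or "mixed" (local iff net down)
    net_up: bool = True
    local_errors: dict = field(default_factory=dict)

    def try_pin(self, card_id, pin):
        """Return "ok", "retry" or "card_kept" for one PIN entry."""
        if self.host.pin_matches(card_id, pin):
            return "ok"
        count_locally = (self.mode == "per_atm"
                         or (self.mode == "mixed" and not self.net_up))
        counter = self.local_errors if count_locally else self.host.global_errors
        counter[card_id] = counter.get(card_id, 0) + 1
        return "card_kept" if counter[card_id] >= RETAIN_THRESHOLD else "retry"


def wrong_pins_until_retention(mode, n_atms, net_up=True):
    """Wrong PINs entered round-robin over n_atms (same day, so no reset)
    before any machine keeps the card: global counting caps the total at
    RETAIN_THRESHOLD, per-ATM counting multiplies it by the machine count."""
    host = Host(pins={"card-1": "1234"})
    atms = [ATM(host, mode, net_up) for _ in range(n_atms)]
    total = 0
    while True:
        for atm in atms:
            total += 1
            if atm.try_pin("card-1", "0000") == "card_kept":
                return total
```

With four machines, the global and net-up mixed policies keep the card after 3 errors, while per-ATM counting (or mixed counting with the net down) allows 9; this is why the "count locally iff net is down" hybrid weakens the control exactly when the host cannot be consulted.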
