ATM card piracy - how much info is in magnetic strips?


empty filing cabinet
05-10-2005, 01:29 PM
First, a warning:
Today's news (http://www.boston.com/news/local/massachusetts/articles/2005/05/10/atm_cards_pirated_for_plenty_police_say/)

And now, a question:
So just how much of your personal info is on those magnetic strips on ATM cards and credit cards, anyways?

Hampshire
05-10-2005, 02:18 PM
On the card itself? Not much.
But both the numbers encoded on your card (account and routing number) and your pin number combined will give access to plenty of info about you and your account.
All of your personal data is stored at the bank. An ATM is an interface to that data.
Your card is just a key to access that data.

(Your name may also be stored on the card however since some ATMs will say "Hello Bob Jones" before even making the connection with the bank.)

Troy McClure SF
05-10-2005, 02:27 PM
Does anyone else think it's a bad idea to encode the PIN on the card itself? I mean, obviously most account information is on a server somewhere, why not keep the PIN there, where it would be safer? Or would a database on PINs be too tempting a target?

Bippy the Beardless
05-10-2005, 02:39 PM
I'm pretty sure the pin isn't on the card itself, otherwise when you altered your pin at a cash machine the card would need to be rewritten. This goes to show you should always cover your hand when typing in a pin.

groman
05-10-2005, 04:42 PM
I'm pretty sure the pin isn't on the card itself, otherwise when you altered your pin at a cash machine the card would need to be rewritten. This goes to show you should always cover your hand when typing in a pin.

I've never seen a cash machine that would let you alter your pin. At my bank I need to use their special ATM card writer to alter my pin, which leads me to believe the PIN IS stored on the card (or at least a hash thereof).

Troy McClure SF
05-10-2005, 04:47 PM
I've never seen a cash machine that would let you alter your pin. At my bank I need to use their special ATM card writer to alter my pin, which leads me to believe the PIN IS stored on the card (or at least a hash thereof).

Actually, now that I think about it, the card writer does call out via modem to... something. Maybe the card's in there to find the account, and the modem sends the PIN to a server.

Since I lost my ATM card for the second time in the past two weeks, I'll keep an eye on the PIN-changer when I get it back.

chrisk
05-10-2005, 05:01 PM
Does anyone else think it's a bad idea to encode the PIN on the card itself? I mean, obviously most account information is on a server somewhere, why not keep the PIN there, where it would be safer? Or would a database on PINs be too tempting a target?

I would hope that the PIN is not 'stored' anywhere but your brain and/or your records. What would be recorded on the bank server could be a pretty good one-way encryption of the PIN. The number you type in at the ATM would be encrypted and compared against what the bank server has on file, but it would be considerably more difficult to determine the PIN from the encoded version. (Then again, since most PINs are around four or five digits, someone very smart could try the encryption algorithm with most possible PINs quite quickly. I hope the bank database is pretty secure! ;) )

Balthisar
05-10-2005, 05:08 PM
On most ATM machines, you can enter any old PIN you like, and the machine will function perfectly. Perfectly, that is, until it talks to your bank and realizes the PIN is wrong.

Not too long ago, someone posted some links here to a card scanning scam that had photos of the scanner, as well as envelope dispenser with a tiny camera for getting your PIN. If the PIN were on the card, there'd be no need for a risky camera.

Bytegeist
05-10-2005, 05:28 PM
... some ATMs will say "Hello Bob Jones" before even making the connection with the bank.
Those ATMs always annoy me, because that's not my name at all.

:D

gotpasswords
05-10-2005, 07:35 PM
I've never seen a cash machine that would let you alter your pin.
Wells Fargo ATMs can do PIN changes for their customers. Otherwise, go to the bank, where they'll use the Atalla terminal.

Thinktank
05-10-2005, 08:35 PM
I'm pretty sure your PIN is stored on the strip because everytime I changed my PIN, Wachovia had to send me a new card. That's not to say everyone banks with Wachovia.

Balthisar
05-10-2005, 09:04 PM
To set my PIN on credit cards, I just have to call the issuing banks. They'll do it over the phone. The only reason to have a PIN on a credit card is to treat them like an ATM card, so, yeah, despite being a credit card rather than an ATM card, having the number not on the card would be the same.

Cerowyn
05-10-2005, 09:36 PM
PINs are emphatically not stored on the mag stripe. A few seconds thought should make it obvious why that would be a ridiculous practice for a bank that has any hope of protecting its customers from theft.

In general, it is accurate to say that secure PIN pads (which include ATM machines and cash-register debit machines) send the PINs to the issuing bank in a decipherable form (NOT a one-way encryption).

Individual financial institutions are not free to set their own standards, since there are inter-institution [global] implications. The various connecting networks have to work at the lowest common denominator of their participating customers.

cornflakes
05-10-2005, 10:15 PM
Certainly, PIN numbers are not stored on an ATM card, and I assume that the card simply contains some sort of data string that is matched to the user's account by the bank and/or the network. But what does this data look like? How much info is in that stripe, and is it a random series of bits, in a standardized code or what? I assume that it is very much not in ASCII.

Driver8
05-10-2005, 10:17 PM
The data on the magnetic stripe is formatted in a pretty standardized way. It is divided into three sections. The first section will often contain the cardholder name, which is why some devices can greet you by name as soon as you insert your card.

The second section is the important section. It contains your card number, a service restriction code (stating how the card may be used), the expiry date and discretionary data.

How discretionary data is defined (if at all) is up to the bank. Banks will often write the encrypted PIN here (encrypted under a secret key). Sometimes a centrally stored encrypted PIN value will be used for authorization, sometimes the value written on the card will be used. I've seen instances of both.

The third section isn't really used anymore.

I know this because I transaction switching and this type of data is my job. I did do a quick google search before posting to see if this was public knowledge, and it is.

Driver8
05-10-2005, 10:20 PM
Please excuse the extra "I".

Driver8
05-10-2005, 10:28 PM
First, a warning:
Today's news (http://www.boston.com/news/local/massachusetts/articles/2005/05/10/atm_cards_pirated_for_plenty_police_say/)

And now, a question:
So just how much of your personal info is on those magnetic strips on ATM cards and credit cards, anyways?

To directly answer the OP questions, not much personal data at all. As mentioned, your name might be included, but this is rarely used for any form of authorization. However, the magnetic stripe data can be used to create an exact replica of the card, since that is all that ATM machines will read.

Meeko
05-11-2005, 01:57 AM
Snopes covered this.

counsel wolf
05-11-2005, 06:25 AM
Certainly, PIN numbers are not stored on an ATM card, and I assume that the card simply contains some sort of data string that is matched to the user's account by the bank and/or the network. But what does this data look like? How much info is in that stripe, and is it a random series of bits, in a standardized code or what? I assume that it is very much not in ASCII.

This info applies to standard ATM cards and most other cards that are full swipe cards. Hotel access cards are traditionally dip types and encoded in a proprietary format.

Basically what happens is that the mag stripe is divided horizontally into 3 sections, normally referred to as Tracks 1, 2 and 3. Readers can be bought that read track 1, tracks 1 and 2 or all three tracks. Each track has its own specification as to what characters can be encoded on it.

Track 1: restricted alphanumeric (all basic chars, some punctuation), 79 chars
Track 2: numeric, 40 chars
Track 3: numeric, 107 chars

Each character is encoded similarly to a bar code in that it is made up of alternating direction magnetised portions of the stripe. The encoding scheme varies between tracks to accommodate various reader tolerances (track 2 readers can be very fault tolerant, track 1 and 3, less so).

A reader will generally be either a serial device or more commonly a keyboard wedge that converts the mag stripe data to standard keyboard input, so in a sense programs that use mag stripes often see the data as plain ASCII.

As to what is stored, track 1 is generally card holder name and a few other details, track 2 is account details, and track 3 is blank or bank specific.

This website (http://www.tech-faq.com/mag-stripe-cards.shtml) seems correct in most detail
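The two posts above describe the layout of tracks 1 and 2 in words. Here is an added parser, written for this thread and not taken from any poster or from the linked site, that reads the standard financial-card layout (ISO/IEC 7813: `%B` PAN `^` name `^` expiry, service code, discretionary data `?` on track 1; `;` PAN `=` expiry, service code, discretionary data `?` on track 2), checks the PAN's Luhn digit, and decodes the service code so you can see exactly which fields a stripe carries (and that none of them is a PIN). The sample track strings are constructed for a fictional cardholder using the well-known 4111111111111111 test number; the service-code table is the public ISO 7813 meaning of each digit.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Character limits per track (ISO/IEC 7813), the same figures quoted in the thread.
TRACK1_MAX = 79
TRACK2_MAX = 40

# Constructed sample records for a fictional card; 4111111111111111 is a Luhn-valid
# test number, not a real account.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^08121011234567890?"
SAMPLE_TRACK2 = ";4111111111111111=08121011234567890?"


@dataclass
class StripeRecord:
    track: int
    pan: str
    name: Optional[str]          # only present on track 1
    expiry: Optional[str]        # YYMM, or None when the issuer omitted the field
    service_code: Optional[str]  # three digits, or None when omitted
    discretionary: str           # issuer-defined data (e.g. an encrypted PIN value)
    pan_luhn_ok: bool


def luhn_ok(digits: str) -> bool:
    """Luhn check over the PAN; the rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _take_field(rest: str, width: int, absent: str) -> Tuple[Optional[str], str]:
    """Expiry and service code are fixed-width numeric fields; when omitted, a lone
    separator ('^' on track 1, '=' on track 2) stands in for the field."""
    if rest.startswith(absent):
        return None, rest[1:]
    if len(rest) < width or not rest[:width].isdigit():
        raise ValueError("malformed expiry or service code field")
    return rest[:width], rest[width:]


_T1 = re.compile(r"^%B(\d{1,19})\^([^^]{2,26})\^([^?]*)\?$")
_T2 = re.compile(r"^;(\d{1,19})=([^?]*)\?$")


def parse_track1(data: str) -> StripeRecord:
    if len(data) > TRACK1_MAX:
        raise ValueError("track 1 longer than %d characters" % TRACK1_MAX)
    m = _T1.match(data)
    if not m:
        raise ValueError("not a track 1 financial-card record")
    pan, name, rest = m.groups()
    expiry, rest = _take_field(rest, 4, "^")
    svc, rest = _take_field(rest, 3, "^")
    return StripeRecord(1, pan, name, expiry, svc, rest, luhn_ok(pan))


def parse_track2(data: str) -> StripeRecord:
    if len(data) > TRACK2_MAX:
        raise ValueError("track 2 longer than %d characters" % TRACK2_MAX)
    m = _T2.match(data)
    if not m:
        raise ValueError("not a track 2 financial-card record")
    pan, rest = m.groups()
    expiry, rest = _take_field(rest, 4, "=")
    svc, rest = _take_field(rest, 3, "=")
    return StripeRecord(2, pan, None, expiry, svc, rest, luhn_ok(pan))


# Service code digits (ISO 7813): interchange, authorization processing, allowed services.
_SVC_DIGIT1 = {"1": "international interchange", "2": "international, use chip where available",
               "5": "national interchange only", "6": "national, use chip where available",
               "7": "no interchange (private use)", "9": "test card"}
_SVC_DIGIT2 = {"0": "normal authorization", "2": "contact issuer online",
               "4": "contact issuer online except under bilateral agreement"}
_SVC_DIGIT3 = {"0": "no restrictions, PIN required", "1": "no restrictions",
               "2": "goods and services only", "3": "ATM only, PIN required",
               "4": "cash only", "5": "goods and services only, PIN required",
               "6": "no restrictions, PIN where feasible",
               "7": "goods and services only, PIN where feasible"}


def describe_service_code(svc: str) -> str:
    if len(svc) != 3 or not svc.isdigit():
        raise ValueError("service code must be three digits")
    parts = (_SVC_DIGIT1.get(svc[0], "unknown"), _SVC_DIGIT2.get(svc[1], "unknown"),
             _SVC_DIGIT3.get(svc[2], "unknown"))
    return "; ".join(parts)


if __name__ == "__main__":
    for rec in (parse_track1(SAMPLE_TRACK1), parse_track2(SAMPLE_TRACK2)):
        print(rec)
        if rec.service_code:
            print("  service code:", describe_service_code(rec.service_code))
```

Note that the discretionary field is opaque to the parser: its meaning is whatever the issuer chose, which is why one bank may keep an encrypted PIN offset there and another may keep nothing. Everything before it (PAN, name, expiry, service code) is plain readable text once a reader has decoded the bit stream, which is exactly why a copied stripe is enough to clone a card but not enough to know the PIN.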

Bippy the Beardless
05-11-2005, 11:52 AM
In general, it is accurate to say that secure PIN pads (which include ATM machines and cash-register debit machines) send the PINs to the issuing bank in a decipherable form (NOT a one-way encryption).


Do you know why the PINs are sent in a decipherable form as opposed to one-way encryption?
It seems a dangerous method since a mistakenly entered pin could well be the correct pin for a different card, and that would be something the user wouldn't want known to the ATM operators or recorded.

Rayne Man
05-11-2005, 12:19 PM
In the UK we are changing over to chip and PIN cards. These are supposed to be much more secure than the magnetic strip cards. At point of sale you don't sign a slip, just input your PIN on a card reader. Is the US going down this same path?

BTW , you can change your PIN on these new cards on most ATMs.

Driver8
05-11-2005, 12:54 PM
Do you know why the PINs are sent in a decipherable form as opposed to one-way encryption?
It seems a dangerous method since a mistakenly entered pin could well be the correct pin for a different card, and that would be something the user wouldn't want known to the ATM operators or recorded.

It's too inconvenient to have one way encryption. The bank might want to mail out secure envelopes with the clear PIN when they issue the cards.

The encryption of the customer typed PIN often involves formatting in a way dependent on the card number, so if both cards ...0001 and ...0002 have the same PIN, the encrypted values will be wildly different.
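The "formatting in a way dependent on the card number" that Driver8 describes, and the reversible ("decipherable") property Cerowyn mentions earlier, can both be seen in the standard ISO 9564 format 0 PIN block, which is what a PIN pad builds before encrypting it. This is an added example written for this thread, not code from any poster or bank: it builds the clear PIN block (PIN field XORed with a field derived from the PAN), shows that the same PIN yields different blocks for different PANs, and recovers the PIN again when the PAN is known. The key-based encryption that a real PIN pad applies to this block (Triple DES under a key shared with the acquirer) is deliberately left out; the PANs and PIN are constructed values.

```python
from typing import Tuple


def pan_field(pan: str) -> bytes:
    """ISO 9564 format 0 PAN field: 0000 followed by the rightmost 12 PAN digits,
    excluding the Luhn check digit (left-padded with zeros for short PANs)."""
    if not pan.isdigit() or len(pan) < 2:
        raise ValueError("PAN must be a digit string")
    digits = pan[:-1][-12:].zfill(12)
    return bytes.fromhex("0000" + digits)


def pin_field(pin: str) -> bytes:
    """Format 0 PIN field: control nibble 0, PIN length nibble, PIN digits, F padding."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes.fromhex(("0%X%s" % (len(pin), pin)).ljust(16, "F"))


def format0_pin_block(pin: str, pan: str) -> bytes:
    """Clear PIN block = PIN field XOR PAN field. A real PIN pad encrypts this
    8-byte block under a PIN-encryption key before it leaves the device."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def recover_pin(block: bytes, pan: str) -> str:
    """The XOR is reversible: with the PAN, the issuer's host (inside its HSM) gets
    the PIN digits back, which is what allows PIN mailers and PAN-to-PAN translation."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    pf = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if pf[0] != "0":
        raise ValueError("not a format 0 PIN block")
    length = int(pf[1], 16)
    if not (4 <= length <= 12) or not pf[2:2 + length].isdigit():
        raise ValueError("PIN block does not decode under this PAN")
    return pf[2:2 + length]


def same_pin_two_cards(pin: str, pan_a: str, pan_b: str) -> Tuple[str, str]:
    """Hex of the clear blocks for one PIN on two cards; they differ in the PAN-bound bytes."""
    return format0_pin_block(pin, pan_a).hex().upper(), format0_pin_block(pin, pan_b).hex().upper()


if __name__ == "__main__":
    # Constructed PANs; note the check digit is dropped, so two PANs must differ
    # somewhere in their last 13 digits for the blocks to differ.
    a, b = same_pin_two_cards("1234", "4000000000000101", "4000000000000202")
    print("card A block:", a)
    print("card B block:", b)
    print("recovered:", recover_pin(bytes.fromhex(a), "4000000000000101"))
```

The design point behind Bippy's worry is visible here: because the PAN is folded into the block, a PIN typed against the wrong card produces a block that does not decode to that PIN under the right card's PAN, and a plain hash of the four digits alone is never sent. The confidentiality rests entirely on the encryption layer and the key management around it, not on the formatting.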

gotpasswords
05-11-2005, 03:32 PM
In the UK we are changing over to chip and PIN cards. These are supposed to be much more secure than the magnetic strip cards. At point of sale you don't sign a slip, just input your PIN on a card reader. Is the US going down this same path?
Yes. This is what's known as a debit card transaction, as opposed to a credit card transaction, which does involve a signature.

Rayne Man
05-11-2005, 03:43 PM
Yes. This is what's known as a debit card transaction, as opposed to a credit card transaction, which does involve a signature.

Both credit card and debit cards in the UK are going over to chip and pin. So neither sort of card will not need a signature. All the information is held on a microchip and not on a magnetic strip. This way they are much more secure.

Rayne Man
05-11-2005, 03:44 PM
Sorry for the double negative. That sentence should read "neither sort of card will need a signature" :smack:

Uncommon Sense
05-11-2005, 04:14 PM
Excuse me, but there's an elephant in this room that no one noticed.

This guy uses card readers that are fake to get the card numbers, correct?
That means that the card reader is NOT connected (linked) to the actual ATM terminal, right?
Now, if the fake card reader is NOT linked to the terminal, then why are people entering their PIN numbers when there is no way the ATM machine is prompting them to do so?

jnglmassiv
05-11-2005, 04:31 PM
The article said the cards were used in places other than the machine, like one might need to swipe the card to open the door to the ATM booth.

There's also these:
http://www.utexas.edu/admin/utpd/atm.html

Tower Dweller
05-11-2005, 05:15 PM
Now, if the fake card reader is NOT linked to the terminal, then why are people entering their PIN numbers when there is no way the ATM machine is prompting them to do so?

Take a look at jnglmassiv's link, there's a photo of one way this scam works - the thief's card reader sits right on top of the ATM's card reader. Your ATM card passes right through the fake one (where it's scanned) and into the ATM. Then the camera captures you typing in your PIN, and they have all the data they need.

Putting the reader on the door is clever too though - I hadn't heard of that before. A lot easier to mess with the door lock than to mold a piece of plastic that blends in with the ATM.

jnglmassiv
05-11-2005, 05:33 PM
Putting the reader on the door is clever too though
Especially since it's just a simple circuit you have to get working. A single signal to buzz the door.

Many of the card access door buzzers I've seen at ATM booths seem to not read the card at all. It instead just looks for ANY magnetic card. I once noticed the door seemed to buzz before I pushed the card even most of the way in. I tried it with a supermarket discount card and then with a paper subway pass. All of them opened the door. A clever crook could remove the real card reader, install his own with logging or wireless capability and easily wire it to buzz the door.