ATM card piracy - how much info is in magnetic strips?

First, a warning:
Today’s news

And now, a question:
So just how much of your personal info is on those magnetic strips on ATM cards and credit cards, anyways?

On the card itself? Not much.
But both the numbers encoded on your card (account and routing number) and your pin number combined will give access to plenty of info about you and your account.
All of your personal data is stored at the bank. An ATM is an interface to that data.
Your card is just a key to access that data.

(Your name may also be stored on the card however since some ATMs will say “Hello Bob Jones” before even making the connection with the bank.)

Does anyone else think it’s a bad idea to encode the PIN on the card itself? I mean, obviously most account information is on a server somewhere, why not keep the PIN there, where it would be safer? Or would a database on PINs be too tempting a target?

I’m pretty sure the pin isn’t on the card itself, otherwise when you altered your pin at a cash machine the card would need to be rewritten. This goes to show you should always cover your hand when typing in a pin.

I’ve never seen a cash machine that would let you alter your pin. At my bank I need to use their special ATM card writer to alter my pin, which leads me to believe the PIN IS stored on the card (or at least a hash thereof).

Actually, now that I think about it, the card writer does call out via modem to… something. Maybe the card’s in there to find the account, and the modem sends the PIN to a server.

Since I lost my ATM card for the second time in the past two weeks, I’ll keep an eye on the PIN-changer when I get it back.

I would hope that the PIN is not ‘stored’ anywhere but your brain and/or your records. What would be recorded on the bank server could be a pretty good one-way encryption of the PIN. The number you type in at the ATM would be encrypted and compared against what the bank server has on file, but it would be considerably more difficult to determine the PIN from the encoded version. (Then again, since most PINs are around four or five digits, someone very smart could try the encryption algorithm with most possible PINs quite quickly. I hope the bank database is pretty secure! :wink: )

On most ATM machines, you can enter any old PIN you like, and the machine will function perfectly. Perfectly, that is, until it talks to your bank and realizes the PIN is wrong.

Not too long ago, someone posted some links here to a card scanning scam that had photos of the scanner, as well as envelope dispenser with a tiny camera for getting your PIN. If the PIN were on the card, there’d be no need for a risky camera.

Those ATMs always annoy me, because that’s not my name at all.

:smiley:

Wells Fargo ATMs can do PIN changes for their customers. Otherwise, go to the bank, where they’ll use the Atalla terminal.

I’m pretty sure your PIN is stored on the strip because every time I changed my PIN, Wachovia had to send me a new card. That’s not to say everyone banks with Wachovia.

To set my PIN on credit cards, I just have to call the issuing banks. They’ll do it over the phone. The only reason to have a PIN on a credit card is to treat them like an ATM card, so, yeah, despite being a credit card rather than an ATM card, having the number not on the card would be the same.

PINs are emphatically not stored on the mag stripe. A few seconds thought should make it obvious why that would be a ridiculous practice for a bank that has any hope of protecting its customers from theft.

In general, it is accurate to say that secure PIN pads (which include ATM machines and cash-register debit machines) send the PINs to the issuing bank in a decipherable form (NOT a one-way encryption).

Individual financial institutions are not free to set their own standards, since there are inter-institution [global] implications. The various connecting networks have to work at the lowest common denominator of their participating customers.

Certainly, PIN numbers are not stored on an ATM card, and I assume that the card simply contains some sort of data string that is matched to the user’s account by the bank and/or the network. But what does this data look like? How much info is in that stripe, and is it a random series of bits, in a standardized code or what? I assume that it is very much not in ASCII.

The data on the magnetic stripe is formatted in a pretty standardized way. It is divided into three sections. The first section will often contain the cardholder name, which is why some devices can greet you by name as soon as you insert your card.

The second section is the important section. It contains your card number, a service restriction code (stating how the card may be used), the expiry date and discretionary data.

How discretionary data is defined (if at all) is up to the bank. Banks will often write the encrypted PIN here (encrypted under a secret key). Sometimes a centrally stored encrypted PIN value will be used for authorization, sometimes the value written on the card will be used. I’ve seen instances of both.

The third section isn’t really used anymore.

I know this because I transaction switching and this type of data is my job. I did do a quick google search before posting to see if this was public knowledge, and it is.

Please excuse the extra “I”.

To directly answer the OP questions, not much personal data at all. As mentioned, your name might be included, but this is rarely used for any form of authorization. However, the magnetic stripe data can be used to create an exact replica of the card, since that is all that ATM machines will read.

Snopes covered this.

This info applies to standard ATM cards and most other cards that are full swipe cards. Hotel access cards are traditionally dip types and encoded in a proprietary format.

Basically what happens is that the mag stripe is divided horizontally into 3 sections, normally referred to as Tracks 1, 2 and 3. Readers can be bought that read track 1, tracks 1 and 2 or all three tracks. Each track has its own specification as to what characters can be encoded on it.

Track 1: restricted alphanumeric (all basic chars, some punctuation), 79 chars
Track 2: numeric, 40 chars
Track 3: numeric, 107 chars

Each character is encoded similarly to a bar code in that it is made up of alternating direction magnetised portions of the stripe. The encoding scheme varies between tracks to accommodate various reader tolerances (track 2 readers can be very fault tolerant, track 1 and 3, less so).

A reader will generally be either a serial device or, more commonly, a keyboard wedge that converts the mag stripe data to standard keyboard input, so in a sense programs that use mag stripes often see the data as plain ASCII.

As to what is stored, track 1 is generally the card holder name and a few other details, track 2 is account details, and track 3 is blank or bank specific.

This website seems correct in most detail
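As an added example (not code from any poster in this thread), here is a small parser for track 1 and track 2 records in the standard ISO/IEC 7813 layout the posts above describe. The sample records are constructed for this example using the well-known test PAN 4111111111111111 and a fictitious holder; the parser pulls out the PAN, name, expiry, service code and discretionary data (note there is no PIN field), validates the PAN with the Luhn check digit, and produces a masked rendering that is safe to write to a log.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records as a keyboard-wedge reader would deliver them.
# Test PAN 4111111111111111, fictitious holder, expiry 12/25, service code 101,
# made-up discretionary data (the bank-defined field, where some issuers put
# an encrypted PIN offset; the PIN itself never appears in clear).
TRACK1 = "%B4111111111111111^DOE/JOHN^2512101000000000123?"
TRACK2 = ";4111111111111111=2512101000000123?"

@dataclass
class TrackData:
    pan: str
    name: Optional[str]   # only track 1 carries the holder name
    expiry: str           # YYMM
    service_code: str     # three digits: interchange / authorisation / usage rules
    discretionary: str

# ISO/IEC 7813 layouts: track 1 is %B<PAN>^<NAME>^<YYMM><SSS><disc>?
# and track 2 is ;<PAN>=<YYMM><SSS><disc>? with a PAN of up to 19 digits.
_T1 = re.compile(r"^%B(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?$")
_T2 = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})([^?]*)\?$")

def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit that every genuine PAN must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def parse_track(raw: str) -> TrackData:
    """Parse one track record; rejects anything that is not track 1 or 2."""
    m = _T1.match(raw)
    if m:
        pan, name, yymm, svc, disc = m.groups()
    else:
        m = _T2.match(raw)
        if not m:
            raise ValueError("not a recognisable track 1 or track 2 record")
        pan, yymm, svc, disc = m.groups()
        name = None
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return TrackData(pan, name, yymm, svc, disc)

def masked(td: TrackData) -> str:
    """Log-safe rendering: first 6 and last 4 PAN digits, no discretionary data."""
    stars = "*" * (len(td.pan) - 10)
    return f"{td.pan[:6]}{stars}{td.pan[-4:]} exp {td.expiry[2:]}/{td.expiry[:2]} svc {td.service_code}"
```

Because track 2 alone carries everything an ATM reads, a swiped copy of it is enough to clone the card, which is why the stripe data should only ever be stored or logged in the masked form.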

Do you know why the PINs are sent in a decipherable form as opposed to one-way encryption?
It seems a dangerous method since a mistakenly entered pin could well be the correct pin for a different card, and that would be something the user wouldn’t want known to the ATM operators or recorded.