Searching \ for '[OT]: Project offer any one interested? ATM scams' in subject line. ()
Make payments with PayPal - it's fast, free and secure! Help us get a faster server
FAQ page: www.piclist.com/techref/index.htm?key=project+offer+any
Search entire site for: 'Project offer any one interested? ATM scams'.

Exact match. Not showing close matches.
PICList Thread
'[OT]: Project offer any one interested? ATM scams'
2005\02\22@095909 by Alan B. Pearce

face picon face
>I believe they didn't think it was safe to use a PIN on
>the swipe of the magstripe, for the reasons being discussed.

The bit that amuses me about this is that NZ has been using Pins on swipe
cards in shops for something approaching 20 years. How can that be any less
secure than using a pin at an ATM?

I couldn't get over how antiquated the UK banking system is when I moved
here in '97.

2005\02\23@190956 by Howard Winter

face
flavicon
picon face
Alan,

On Tue, 22 Feb 2005 14:59:05 -0000, Alan B. Pearce wrote:

> The bit that amuses me about this is that NZ has been using Pins on swipe cards in shops for something
approaching 20 years.

Much smaller market, much easier to make changes and install new equipment.  There may well be more retail
outlets in the UK than there are people in NZ!  :-)

> How can that be any less secure than using a pin at an ATM?

Because the PIN at ATMs is checked back with the bank, not from the card itself?  Reading a stripe is
straightforward, and it's just a question of decoding it (not trivial, but not impossible).  With "Chip & PIN"
I believe the PIN is on the chip, but you have to ask it nicely before it will reveal it (and in fact I wonder
whether it ever does, or just tells the reader whether it's right or wrong).  This is guessing, by the way - I
don't have any inside knowledge, but the thing is that a stripe is a recording medium, the chip is (or can be)
a computer, so you don't have to reveal the PIN (or anything else) to the reader, the chip can make the
comparison without the data leaving the card.  Imagine the difference between having a memory chip connected
to the card's interface pads, versus having a PIC and memory, with the PIC connected to the pads and the
memory only accessible to the PIC.

> I couldn't get over how antiquated the UK banking system is when I moved here in '97.

Then nip across the pond and be even more startled by how even more antiquated the US banking system is - they
don't even have chips on cards, and when paying a cheque into an ATM you have to fill in a paying-in slip
first!  (My girlfriend, in New York, is still paid by cheque, and has to do this every payday - I have been
paid electronically in every job for the past 30+ years).  If I go into my bank and pay in a cheque, I post
the cheque itself into a slot, and it scans it and shows it to me on the screen, and will print an image of it
on the receipt-slip.

Cheers,


Howard Winter
St.Albans, England


2005\02\23@205434 by Russell McMahon

face
flavicon
face
>> How can that be any less secure than using a pin at an ATM?
>
> Because the PIN at ATMs is checked back with the bank, not from the
> card itself?  Reading a stripe is
> straightforward, and it's just a question of decoding it (not
> trivial, but not impossible).

Transaction from swipe machine to bank is done "while you wait" using
(s0 far mainly) phone line connection - takes about 10 seconds. PIN
confirmation can therefore be done with bank.

       RM

2005\02\24@015452 by cdb

flavicon
face

:: I couldn't get over how antiquated the UK banking system is when I
:: moved
::
:: here in '97.

I worked for a largish retailer, when debit cards were first making an
appearence in the early 80's.

Originally the pin on a debit card was going to be used, and the
company I worked for trailed it for 8 months. However, technology at
the time was not what it is today, and a special secure server that
actually 'held' onto pin numbers had to be installed and that was
actually going to be a server per outlet (then 80 supermarkets and 30
dept stores).

There were problems with the server, not least that under certain
conditions, the accounting staff had access to pin#'s plus the Civil
Liberties people had an apolectic fit with this new fangled stuff.

So the banks agreed to treat debit cards similar to cheques in that
most banks would not apply the debit for approx 3 days and the
security feature was that a personal signature was required.

And just for added info, a cheque guarantee card does not guarantee
the retailer, the bank will pay.

Colin

--
cdb, spam_OUTcolinTakeThisOuTspambtech-online.co.uk on Thursday,24 February,2005

Web presence: http://www.btech-online.co.uk  

Hosted by:  http://www.1and1.co.uk/?k_id=7988359

Light travels faster than sound. That's why some people appear bright
until they speak!



2005\02\24@073335 by Alan B. Pearce

face picon face
>>> finger, and use it as a glove

>> Boy, there've been some really great tips out of the list this week
>> ;-)

>This one is a finger tip

There will now be a fingertip search of all PICList members ...

2005\02\24@203108 by ?J=2E_Pe=F1a?=

flavicon
face
> > The bit that amuses me about this is that NZ has been using Pins on swipe cards in shops for something
> approaching 20 years.
> > How can that be any less secure than using a pin at an ATM?

> Because the PIN at ATMs is checked back with the bank, not from the card itself?

At least here (Argentina) the PIN is checked with the bank. The reader
calls the bank and ask for authorization.

Saludos,
                                       HoraPe
---
Horacio J. Peña
.....horapeKILLspamspam@spam@compendium.com.ar
horapespamKILLspamuninet.edu

2005\02\24@204145 by Dave VanHorn

flavicon
face
At 08:31 PM 2/24/2005, Horacio J. Peña wrote:
> > > The bit that amuses me about this is that NZ has been using Pins on
> swipe cards in shops for something
> > approaching 20 years.
>
> > > How can that be any less secure than using a pin at an ATM?
>
> > Because the PIN at ATMs is checked back with the bank, not from the
> card itself?
>
>At least here (Argentina) the PIN is checked with the bank. The reader
>calls the bank and ask for authorization.

I'm still under non-disclosure, but the terminal doesn't remember anything from the transaction, and you pin never appears with less than DES encryption on it anywhere in the chain.

2005\02\24@222830 by Jinx

face picon face
> I'm still under non-disclosure, but the terminal doesn't remember anything
> from the transaction, and you pin never appears with less than DES
> encryption on it anywhere in the chain.

No, it doesn't, that's a requirement by the banks for anyone wanting to
make readers (POS terminals for example). I was involved in a project
a couple of years ago and was surprised to find that (at the time) the
NZ/Aus banks were one step behind with DES. A little fuzzy on details
without looking up the banking group specs CD, but I think they were
running 2DES at some point internally (maybe externally too) and asking
everyone else to use 3DES. I'm sure they said they had no immediate
plans to upgrade to a new DES. Anyone with an exceptionally good
memory might remember a thread I started at the time about 512-bit
keys on a PIC

More... (looser matching)
- Last day of these posts
- In 2005 , 2006 only
- Today
- New search...