OT: Banc of America Article

Thu Jan 30 20:49:00 UTC 2003

FYI this is completely incorrect.

I have changed my PIN with both my PayPal debit card as well as my First
Union/Wachovia card numerous times without a single contact with a physical
bank.

See: http://www.wachovia.com/helpcenter/page/0,,2372_2705,00.html

To store the PIN on a card, whether hashed or not, would be foolish.   Do
people really think that the ATM's of 15 years ago had the CPU power to
calculate the hash of a PIN number on the fly?  I know people who are
carrying around 10+ year old cards and they still work fine.

-Dave

> -----Original Message-----
> From: Krzysztof Adamski [mailto:k at adamski.org] 
> Sent: Thursday, January 30, 2003 3:39 PM
> To: nanog at merit.edu
> Subject: Re: OT: Banc of America Article
> 
> 
> 
> Since nobody has given the correct information about the PIN 
> on the card I will give a very brief description.
> 
> There are two types of PIN, natural and customer selected.
> The natural PIN is computed from the number on the card. The 
> computation involves one way crypto keys. I don't remember 
> the algorithm. For this the PIN that is stored on the card is 0000.
> 
> Now, when a customer selects a PIN, an offset is computed 
> between the natural PIN and selected PIN. This offset is 
> stored on the card.
> 
> Based on this you can see that re-encoding is needed when you 
> change the PIN number, most ATM will do that re-encoding. So 
> unless things have changed in the last 4 years since I worked 
> with this, you can not change your PIN over the phone without 
> physical contact by the bank with the card.
> 
> Personally I carry a card without any logo as my ATM card, at 
> one point I had access to reader/encoder for mag strip cards 
> and I programmed a blank card with the info from my real ATM 
> card. No encryption involved.
> 
> K
> 
> On Wed, 29 Jan 2003, David Charlap wrote:
> 
> > 
> > Al Rowland wrote:
> > > 
> > > The PIN is on your card ...
> > 
> > Not for any card I've ever owned.  I've changed my PIN several times
> > over the years, and the bank has never re-encoded my card 
> or sent me a 
> > new card as a result of doing so.
> > 
> > Maybe some banks do store the PIN on the card, but I'm certain that 
> > it's
> > in the server for ever bank I've used.
> > 
> > > I use a not-my-bank ATM in the lobby at work and it 
> doesn't initiate 
> > > the call (you can hear the modem dial) until you're 
> beyond the PIN 
> > > screen and are actually requesting a transaction.
> > 
> > I'm not surprised.  But the PIN is verified as a part of the 
> > transaction.
> > 
> > I've occasionally mistyped my PIN.  The ATM takes the 
> mistake and goes
> > straight to the menu.  It's only after requesting a 
> transaction that it 
> > comes back with the "invalid PIN" message.
> > 
> > -- David
> > 
> 

IMPORTANT:The information contained in this email and/or its attachments is
confidential. If you are not the intended recipient, please notify the
sender immediately by reply and immediately delete this message and all its
attachments.  Any review, use, reproduction, disclosure or dissemination of
this message or any attachment by an unintended recipient is strictly
prohibited.  Neither this message nor any attachment is intended as or
should be construed as an offer, solicitation or recommendation to buy or
sell any security or other financial instrument.  Neither the sender, his or
her employer nor any of their respective affiliates makes any warranties as
to the completeness or accuracy of any of the information contained herein
or that this message or any of its attachments is free of viruses.