Getting into an ATM

12/25/90
-------============< SANCTUARY >============-------

-----==> Town Criers Posting Board <==-----

Just another EXCRETION from the bowels of Sanctuary...

City of Beggars, Criminals, and Thieves
The Home Board of Sanctuary
The Hellfire Bulletin Board 1-908-495-3926
CALL IT!!!

Originally Printed in:
CYBERTEK
The Cyberpunk Technical Journal
Issue #4, November/December 1990
P.O. Box 64, Brewster, NY 10509
Send $2.50 for sample or ask for details.

Call The Manta's Lair 206/361-5742
Sysop: The Black Manta

This Phile Typed by: Havok Halcyon, Chief Magistrate of the City of Sanctuary

I've added in an occasional hint or two in parentheses to help some of the
more uneducated phreaks understand some of the terms and whatever.

Those help phones in ATM Machine lobbies can be very useful if you have to
make an emergency phone call. They work in one of two different ways. The
first (and best for us) type is the kind that you pick up the phone and press
a button; which activates an autodialer that calls customer service. This one
generally looks like a regular traditional style wall phone without a dial
and a push button somewhere near the phone instructing you to press it to get
customer service. The second type can either be a phone, or is sometimes just
a handset set into a mounting on the counter which tells you to pick it up
for assistance. There are variations in appearance with the two types, but
the button is the giveaway.

What you can do with the first type is pick up the phone and not push the
button. You should just get a dialtone like in most regular phone lines, and
you can dial out to anywhere by flashing the switchhook, or if the line has
touchtone service, by using a portable touchtone dialer available at RADIO
SHIT (er..I mean Radio Shack. Also, if you do not know how to "flash" a
switchhook, consult BIOC Agent 003's Tutorials or your local phreak or phreak
oriented BBS.) for $19.95. Some of these phones are hooked up to the bank's
PBX (Private Branch Exchange), in which case you'll have to dial the
extension for an outside line, in most places this is usually a "9", "99" or
something similar. You can sometimes find out if it's on a PBX by listening
to the tones coming out of the autodialer. If it puts out more than 10 digits
(tones), or puts out a couple digits and pauses before dialing the rest, then
it's on a PBX. Of course some autodialers mute the touch tones so you can't
hear them.

With the second type you can call customer service, and either ask some
stupid question, or say "Sorry, wrong number". When the nice lady hangs up in
MOST cases you will get a dialtone and then you can dial out. (A lot like
when you use a diverter). However if the phone line does not have touch tone,
you are outta luck; as the autodialer is activated by picking up the phone,
the flashing of the switchhook will false start the autodialer. So, if you
can't use your TT (touch tone) pad, you're outta luck.

Getting into ATM lobbies is pretty easy. They use magnetic strip card access.
An ATM card obviously works, as well as credit cards, calling cards, and
anything else with a magnetic strip on the back. The bolts on the door are
often exposed and can be jimmied open. Some of the locking mechanisms don't
even work.

There are a few things that you have to worry about. The first is that
someone might notice you staying on the phone for an extended period of time,
and get suspicious (This is not a BIG risk because most people could really
care less what you are doing, EXCEPT for those fucking goodie-two-shoe
bitches which want to make a Citizen's Arrest so that they can get in good
with your local PTA). The second is that you run the risk of being recorded
when you are in the lobby. Most ATM lobbies have cameras in them. Usually the
camera is located in the ATM, and only goes on when a transaction is being
made, but some places have 24 hour surveillance systems. These are usually
externally mounted, and quite visible. If you see a camera in the lobby,
don't mess around in there.

The other possibility is that the phone itself could be BUGGED by the bank.
According to law they are supposed to inform you with a beep every ten
seconds, but no one does that anyway (NOTE: The Gestapo [Ma Bell] is supposed
to notify you in the same way if they were bugging you at your home phone,
but they will usually say something like "I was checking the line to see if
everything was ok, and OVERHEARD some criminal dealings". This is a common
way to catch people on the phone, so be careful what you say on public
telephone lines.) You could do a quick look around to see if you can find
anything on the line. If you don't see anything "funny", and can trace all
the wiring, then you are probably safe.

All in all, your best and safest bet is to use an ATM located away from a
bank, and one where you can see the wiring coming from the outside to the
phone. Even then, call only people who'll forget you called right after you
hang up.

___________________________________________________________________________

-=>        !!!!! STUPID AND RETARDED DISCLAIMER GOES HERE !!!!!         <=-
-=>_____________________________________________________________________<=-

Downloaded From P-80 International Information Systems 304-744-2253

Draft of the NIST Computer Security Handbook on Identification and Authentication

* * * * * * * * * * * * *  NOTE * * * * * * * * * * * * * * * * *

This file is a DRAFT chapter intended to be part of the NIST
Computer Security Handbook.  The chapters were prepared by
different parties and, in some cases, have not been reviewed by
NIST.  The next iteration of a chapter could be SUBSTANTIALLY
different than the current version.  If you wish to provide
comments on the chapters, please email them to roback@ecf.ncsl.gov
or mail them to Ed Roback/Room B154, Bldg 225/NIST/Gaithersburg, MD 
20899.  

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

DRAFT          DRAFT          DRAFT          DRAFT          DRAFT

                IDENTIFICATION AND AUTHENTICATION

1    Introduction

     Information technology (IT) systems and the data they store
and process are valuable resources which need to be protected. 
One of the first steps toward securing an IT system is the
ability to verify the identity of its users.  The process of
verifying a user's identity is typically referred to as user
identification and authentication.  Passwords are the method used
most often for authenticating computer users, but this approach
has often proven inadequate in preventing unauthorized access to
computer resources when used as the sole means of authentication. 

     New technology is emerging that can significantly improve
the protection afforded by password-only authentication.  This
chapter will discuss the elements involved in authenticating
users as well as technological advances that can be used with or
instead of passwords to help ensure that only authorized users
can access an organization's IT resources.  

2    Overview

     Determining if a user is authorized to use an IT system
includes the distinct steps of identification and authentication. 
Identification concerns the manner in which a user provides his
unique identity to the IT system.  The identity may be a name
(e.g., first or last) or a number (e.g., account number).  The
identity must be unique so that the system can distinguish among
different users.  Depending on operational requirements, one
"identity" may actually describe one individual, more than one
individual, or one (or more) individuals only part of the time.  

     For example, an identity could be "system security officer,"
which could denote any of several individuals, but only when
those individuals are performing security officer duties and not
using the system as an ordinary user.  The identity should also
be non-forgeable so that one person cannot impersonate another. 
Additional characteristics, such as the role a user is assuming
(for example, the role of database administrator), may also be
specified along with an identity. 

     Authentication is the process of associating an individual
with his unique identity, that is, the manner in which the
individual establishes the validity of his claimed identity. 
There are three basic authentication means by which an individual
may authenticate his identity.       

          a.   Something an individual KNOWS (e.g., a password,
Personal ID Number (PIN), the combination to a lock, a set of
facts from a person's background).

           b.   Something an individual POSSESSES (e.g., a token
or card, a physical key to a lock).       

          c.   Something an individual IS  (e.g., personal
characteristics or "biometrics" such as a fingerprint or voice
pattern).

      These basic methods may be employed individually, but many
user login systems employ various combinations of the basic
authentication methods.  An important distinction between
identification and authentication is that identities are public
whereas authentication information is kept secret and thus
becomes the means by which an individual proves that he actually
is who he claims to be.  In addition, identification and
authentication provide the basis for future access control.

3    Technical Approaches

     The use of passwords for authentication is widespread, and a
certain amount of expense and time is required to upgrade to more
sophisticated techniques.  In the near-term, one approach to
increasing the security of IT systems is to improve the use and
management of passwords, while exploring the use of alternate
technologies over time. 

3.1  Passwords

3.1.1 Security Considerations

     The security of a password scheme is dependent upon the
ability to keep passwords secret.  Therefore, a discussion of
increasing password security should begin with the task of
choosing a password.  A password should be chosen such that it is
easy to remember, yet difficult to guess.  There are a few
approaches to guessing passwords which we will discuss, along
with methods of countering these attacks.

     Most operating systems, as well as large applications such
as Database Management Systems, are shipped with administrative
accounts that have preset passwords.  Because these passwords are
standard, outside attackers have used them to break into IT
systems.  It is a simple, but important, measure to change the
passwords on administrative accounts as soon as an IT system is
received.

     A second approach to discovering passwords is to guess them,
based on information about the individual who created the
password.  Using such information as the name of the individual,
spouse, pet or street address or other information such as a
birth date or birthplace can frequently yield an individual's
password.  Users should be cautioned against using information
that is easily associated with them for a password.

     There are several brute force attacks on passwords that
involve either the use of an on-line dictionary or an exhaustive
attempt at different character combinations.  There are several
tactics that may be used to prevent a dictionary attack.  They
include deliberately misspelling words, combining two or more
words together, or including numbers and punctuation in a
password.  Ensuring that passwords meet a minimum length
requirement also helps make them less susceptible to brute force
attacks.

     To assist users in choosing passwords that are unlikely to
be guessed, some operating systems provide randomly generated
passwords.  While these passwords are often described as
pronounceable, they are frequently difficult to remember,
especially if a user has more than one of them, and so are prone
to being written down.  In general, it is better for users to
choose their own passwords, but with the considerations outlined
above in mind.  
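
     The guessing approaches described in this section can be checked
for at the moment a user picks a password.  The following is an added
example, not part of the draft chapter: the word lists, the minimum
length of 8 and the function names are assumptions, and the personal
facts are constructed sample data.

```python
import re

MIN_LENGTH = 8  # assumption: set by the organization's security policy

# Constructed sample lists; a real deployment would load much larger ones.
PRESET_PASSWORDS = {"system", "manager", "admin", "changeme"}
DICTIONARY = {"dragon", "sunshine", "password", "baseball", "mountain"}


def personal_tokens(facts):
    """Split personal facts (names, address, birth date) into lowercase tokens."""
    tokens = set()
    for fact in facts:
        for part in re.split(r"[^a-z0-9]+", fact.lower()):
            if len(part) >= 3:          # very short fragments match too much
                tokens.add(part)
    return tokens


def check_password(candidate, facts):
    """Return the reasons a candidate is easy to guess (empty list = none found).

    Covers only the approaches this section describes: short passwords,
    vendor preset passwords, personal information and dictionary words.
    """
    reasons = []
    lowered = candidate.lower()
    squeezed = re.sub(r"[^a-z0-9]", "", lowered)   # drop punctuation
    core = re.sub(r"[^a-z]", "", lowered)          # 'Dragon1!' -> 'dragon'

    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    if lowered in PRESET_PASSWORDS:
        reasons.append("vendor preset")
    if any(token in squeezed for token in personal_tokens(facts)):
        reasons.append("personal information")
    # A single word, forwards or backwards, with digits or punctuation
    # tacked on is still found by an on-line dictionary attack.
    if core in DICTIONARY or core[::-1] in DICTIONARY:
        reasons.append("dictionary word")
    return reasons


# Constructed facts about a sample user: name, pet, street address, birth date.
SAMPLE_FACTS = ["Maria Lopez", "Rex", "42 Elm Street", "1961-07-04"]

if __name__ == "__main__":
    for candidate in ["manager", "rex1961!", "Dragon1!", "mowntin+Dragun7"]:
        print(f"{candidate:18} {check_password(candidate, SAMPLE_FACTS) or 'ok'}")
```

The last candidate passes because it follows the tactics listed above:
two deliberately misspelled words combined, with punctuation and a
number.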

3.1.2  Management Issues

      Password length and the frequency with which passwords are
changed in an organization should be defined by the
organization's security policy and procedures and implemented by
the organization's IT system administrator(s).  The frequency
with which passwords should be changed should depend on the
sensitivity of the data.  Periodic changing of passwords can
prevent the damage done by stolen passwords, and make "brute
force" attempts to break into a system more difficult.  Too
frequent changes, however, can be irritating to users and can
lead to security breaches such as users writing down passwords or
using too-obvious passwords in an attempt to keep track of a
large number of changing passwords.  This is inevitable when
users have access to a large number of machines.  Security policy
and procedures should strive for consistent, livable rules across
an organization.

     Some mainframe operating systems and many PC applications
use passwords as a means of access control, not just
authentication.  Instead of using mechanisms such as access
control lists (ACLs), access is granted by entering a password. 
The result is a proliferation of passwords that can significantly
reduce the overall security of an IT system.  While the use of
passwords as a means of access control is common, it is an
approach that is less than optimal and not cost-effective.

3.2  Memory Card

      There is a very wide variety of memory card systems with
applications for user identification and authentication.  Such
systems authenticate a user's identity based on a unique card,
i.e., something the user possesses, sometimes in conjunction with
a PIN (Personal Identification Number), i.e., something a user
knows.  The use of a physical object or token, in this case a
card, has prompted memory card systems to be referred to as token
systems.  Other examples of token systems are optical storage
cards and integrated circuit (IC) keys.

     Memory cards store, but do not process, information. 
Special reader/writer devices control the writing and reading of
data to and from the cards.  The most common type of memory card
is a magnetic stripe card.  These cards use a film of magnetic
material, similar or identical to audio and computer magnetic
tape and disk equipment, in which a thin strip, or stripe, of
magnetic material is affixed to the surface of a card.  A magnetic
stripe card is inexpensive, easy to produce and has a high
storage capacity. 

     The most common forms of a memory card are the telephone
calling card, credit card, and ATM card.  The number on a
telephone calling card serves as both identification and
authentication for the user of a long distance carrier and so
must remain secret.  The card can be used directly in phones that
read cards or the number may be entered manually in a touch tone
phone or verbally to an operator.  Possession of the card or
knowledge of the number is sufficient to authenticate the user.

     Possession of a credit card, specifically the card holder's
name, card number and expiration date, is sufficient for both
identification and authentication for purchases made over the
telephone.  The inclusion of a signature and occasionally a
photograph provides additional security when the card is used for
purchases made in person.

     The ATM card employs a more sophisticated use of a memory
card, involving not only something the user possesses, namely the
card, but also something the user knows, viz. the PIN.  A lost or
stolen card is not sufficient to gain access; the PIN is required
as well.  This paradigm of use seems best suited to IT
authentication applications.

     While there are some sophisticated technical attacks that
can be made against memory cards, they can provide a marked
increase in security over password-only systems.  It is important
that users be cautioned against writing their PIN on the card
itself or there will be no increase in security over a simple
password system.  

       Memory cards can be and are widely used to perform
authentication of users in a variety of circumstances from
banking to physical access.  It is important that the
considerations mentioned above for password selection are
followed for PIN selection and that the PIN is never carried with
the card to gain the most from this hybrid authentication system.

3.3  Smart Card

      A smart card is a device typically the size and shape of a
credit card that contains one or more integrated chips that
perform the functions of a computer with a microprocessor,
memory, and input/output.  Smart cards may be used to provide
increased functionality as well as an increased level of security
over memory cards when used for identification and
authentication.

      A smart card can process, as well as store, data through
its microprocessor; therefore, the smart card itself (as opposed
to the reader/writer device), can control access to the
information stored on the card.  This can be especially useful
for applications such as user authentication in which security of
the information must be maintained.  The smart card can actually
perform the password or PIN comparisons inside the card.  

      As an authentication method, the smart card is something
the user possesses.  With recent advances, a password or PIN
(something a user knows) can be added for additional security and
a fingerprint or photo (something the user is) for even further
security.  As contrasted with memory cards, an important and
useful feature of a smart card is that it can be manufactured to
ensure the security of its own memory, thus reducing the risk of
lost or stolen cards.  

     The smart card can replace conventional password security
with something better, a PIN, which is verified by the card
versus the computer system, which may not have as sophisticated a
means for user identification and authentication.  The card can
be programmed to limit the number of login attempts as well as
ask biographic questions, or make a biometric check to ensure
that only the smart card's owner can use it.  In addition, non-
repeating challenges can be used to foil a scenario in which an
attacker tries to login using a password or PIN he observed from
a previous login.  In addition, the complexities of smart card
manufacturing make forgery of the card's contents virtually
impossible.  

     Use of smart devices means the added expense of the card
itself, as well as the special reader devices.  Careful decisions
as to what systems warrant the use of a smart card must be made. 
The cost of manufacturing smart cards is higher than that of
memory cards but the disparity will get less and less as more and
more manufacturers switch to this technology.  On the other hand,
it should be remembered that smart cards, as opposed to memory
only cards, can effectively communicate with relatively 'dumb',
inexpensive reader devices.  

     The proper management and administration of smart cards will
be a more difficult task than with typical password
administration.  It is extremely important that responsibilities
and procedures for smart card administration be carefully
implemented.  Smart card issuance can be easily achieved in a
distributed fashion, which is well suited to a large
organizational environment.  However, just as with password
systems, care should be taken to implement consistent procedures
across all involved systems.

3.4  Hand-Held Password Generators

     Hand-held password generators are a state-of-the-art type
of smart token.  They provide a hybrid authentication, using both
something a user possesses (i.e., the device itself) and
something a user knows (e.g., a 4 to 8 digit PIN).  The device is
the size of a shirt-pocket calculator, and does not require a
special reader/writer device.  One of the main forms of password
generators is a challenge-response calculator.

     When using a challenge-response calculator, a user first
types his user name into the IT system.  The system then presents
a random challenge, for example, in the form of a 7-digit number. 
The user is required to type his PIN into the calculator and then
enter the challenge generated by the IT system into the
calculator.  The generator then provides a corresponding
response, which he then types into the IT system.  If the
response is valid, the login is permitted and the user is granted
access to the system.

     When a password generator is used for access to a computer
system in place of the traditional user name and password
combination, an extra level of security is gained.  With the
challenge response calculator, each user is given a device that
has been uniquely keyed; he cannot use someone else's device for
access.  The host system must have a process or a processor to
generate a challenge response pair for each login attempt, based
on the initially supplied user name.  Each challenge is
different, so observing a successful challenge-response exchange
gives no information for a subsequent login.  Of course, with
this system the user must memorize a PIN. 
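
     The exchange described above, with both the calculator and the
host side, as an added example that is not part of the draft chapter. 
It assumes HMAC-SHA-256 as the keyed function (the chapter names no
algorithm), a 7-digit response, and a PIN that is mixed into the
device key; all class and function names and the sample keys are
constructed for illustration.

```python
import hashlib
import hmac
import secrets

CHALLENGE_DIGITS = 7   # the chapter's example: a 7-digit challenge
RESPONSE_DIGITS = 7    # assumption: the response has the same length


def to_digits(mac, n):
    """Reduce a MAC to an n-digit decimal string a user can read and type."""
    return str(int.from_bytes(mac[:8], "big") % 10 ** n).zfill(n)


def pin_bound_key(device_key, pin):
    """Mix the PIN into the device key, so the device alone is not enough."""
    return hmac.new(device_key, b"pin:" + pin.encode(), hashlib.sha256).digest()


def compute_response(key, challenge):
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return to_digits(mac, RESPONSE_DIGITS)


class Calculator:
    """The hand-held device. It is uniquely keyed and never displays the key."""

    def __init__(self, device_key):
        self._device_key = device_key

    def respond(self, pin, challenge):
        # A wrong PIN silently yields a wrong response; the device gives
        # no hint about which PIN is correct.
        return compute_response(pin_bound_key(self._device_key, pin), challenge)


class Host:
    """The IT system's side of the exchange."""

    def __init__(self):
        self._keys = {}      # user name -> PIN-bound key set at issuance
        self._pending = {}   # user name -> challenge awaiting a response

    def enroll(self, user, device_key, pin):
        self._keys[user] = pin_bound_key(device_key, pin)

    def challenge(self, user):
        # Issued for unknown names too, so the prompt does not reveal
        # which user names exist.
        value = str(secrets.randbelow(10 ** CHALLENGE_DIGITS)).zfill(CHALLENGE_DIGITS)
        self._pending[user] = value
        return value

    def verify(self, user, response):
        challenge = self._pending.pop(user, None)   # each challenge is single-use
        key = self._keys.get(user)
        if challenge is None or key is None:
            return False
        expected = compute_response(key, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


def run_exchange():
    """Walk through one login, a replay, a wrong PIN and a borrowed device."""
    host = Host()
    alice_key = secrets.token_bytes(32)     # constructed sample keys
    bob_key = secrets.token_bytes(32)
    host.enroll("alice", alice_key, "4821")
    alice_calc, bob_calc = Calculator(alice_key), Calculator(bob_key)

    c1 = host.challenge("alice")
    r1 = alice_calc.respond("4821", c1)
    results = {"login": host.verify("alice", r1)}

    host.challenge("alice")                 # a new login gets a new challenge
    results["replayed_response"] = host.verify("alice", r1)

    c3 = host.challenge("alice")
    results["wrong_pin"] = host.verify("alice", alice_calc.respond("0000", c3))

    c4 = host.challenge("alice")
    results["other_device"] = host.verify("alice", bob_calc.respond("4821", c4))

    results["no_challenge"] = host.verify("alice", r1)   # nothing outstanding
    return results


if __name__ == "__main__":
    for case, accepted in run_exchange().items():
        print(f"{case:18} accepted={accepted}")
```

A 7-digit response can be guessed with probability 1 in 10,000,000 per
attempt, so the host should also limit the number of failed attempts
per user name.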

      The hand-held password generator can be a low-cost addition
to security, but the process is slightly complicated for the
user.  He must type two separate entries into the calculator, and
then correctly read the response and type it into the computer. 
This process increases the chance for making a mistake.  

      Overall, this technology can be a useful addition to
security, but users may find some inconvenience.  Management, if
they decide to use this approach, will have to establish a plan
for integrating the technology into their IT systems.  There will
also be the administrative challenge for keying and issuing the
cards, and keeping the user database up-to-date. 

3.5  Biometrics

      Biometric authentication systems employ unique physical
characteristics (or attributes) of an individual person in order
to authenticate the person's identity.  Physical attributes
employed in biometric authentication systems include
fingerprints, hand geometry, hand-written signatures, retina
patterns and voice patterns.  Biometric authentication systems
based upon these physical attributes have been developed for
computer login applications.  

      Biometric authentication systems generally operate in the
following manner:      

Prior to any authentication attempts, a user is "enrolled" by
creating a reference profile (or template) based on the desired
physical attribute.  The reference profile is usually based on
the combination of several measurements.  The resulting template
is associated with the identity of the user and stored for later
use.

When attempting to authenticate himself, the user enters his
login name or, alternatively, the user may provide a card/token
containing identification information.  

The user's physical attribute is then measured.

The previously stored reference profile of the physical attribute
is then compared with the measured profile of the attribute taken
from the user.  The result of the comparison is then used to
either accept or reject the user.

     Biometric systems can provide an increased level of security
for IT systems, but the technology is still less mature than
memory or smart cards.  Imperfections in biometric authentication
devices arise from technical difficulties in measuring and
profiling physical attributes as well as from the somewhat
variable nature of physical attributes.  Many physical attributes
change depending on various conditions.  For example, a person's
speech pattern may change under stressful conditions or when
suffering from a sore throat or cold.

Biometric systems are typically used in conjunction with other
authentication means in environments requiring high security.
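
     The enroll, measure and compare steps above, and the effect of a
variable physical attribute on the accept/reject decision, as an added
example that is not part of the draft chapter.  It assumes each
measurement is a short vector of numeric features compared by
Euclidean distance against a threshold; the feature values, the
thresholds and all names are constructed for illustration.

```python
import math


def enroll(samples):
    """Combine several measurements into one reference template (the mean)."""
    count = len(samples)
    return [sum(feature) / count for feature in zip(*samples)]


def distance(template, measured):
    return math.sqrt(sum((t - m) ** 2 for t, m in zip(template, measured)))


class BiometricLogin:
    def __init__(self, threshold):
        self.threshold = threshold
        self._templates = {}            # login name -> stored reference profile

    def enroll(self, login_name, samples):
        self._templates[login_name] = enroll(samples)

    def authenticate(self, login_name, measured):
        """The user claims a login name, is measured, and is accepted or rejected."""
        template = self._templates.get(login_name)
        if template is None:
            return False
        return distance(template, measured) <= self.threshold


def error_rates(system, login_name, genuine, impostor):
    """Fraction of genuine attempts rejected and of impostor attempts accepted."""
    rejected = sum(not system.authenticate(login_name, m) for m in genuine)
    accepted = sum(system.authenticate(login_name, m) for m in impostor)
    return rejected / len(genuine), accepted / len(impostor)


# Constructed sample data: three enrollment measurements for one user.
ENROLLMENT = [[10.0, 20.0, 30.0], [10.4, 19.6, 30.2], [9.6, 20.4, 29.8]]
# Later measurements of the same user; the last one is taken while the
# user has a cold, so the attribute has drifted from the template.
WITH_COLD = [11.2, 21.0, 31.1]
GENUINE = [[10.2, 19.9, 30.1], [9.7, 20.2, 29.9], [10.1, 20.3, 30.4], WITH_COLD]
# Measurements of other people; the second resembles the enrolled user.
IMPOSTOR = [[12.5, 18.0, 33.0], [10.9, 20.8, 30.7], [7.0, 24.0, 28.0],
            [14.0, 20.0, 26.0]]


def compare_thresholds(thresholds=(1.0, 2.0)):
    """Return {threshold: (false reject rate, false accept rate)}."""
    results = {}
    for threshold in thresholds:
        system = BiometricLogin(threshold)
        system.enroll("jdoe", ENROLLMENT)
        results[threshold] = error_rates(system, "jdoe", GENUINE, IMPOSTOR)
    return results


if __name__ == "__main__":
    for threshold, (frr, far) in compare_thresholds().items():
        print(f"threshold {threshold}: false rejects {frr:.2f}, false accepts {far:.2f}")
```

With the strict threshold the user with a cold is turned away; with
the loose one that user is accepted, and so is the look-alike impostor.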

3.6  Cryptography

    Cryptography can play many different roles in user
authentication.  Cryptographic authentication systems provide
authentication capabilities through the use of cryptographic keys
known or possessed only by authorized entities.  Cryptography
also supports authentication through its widespread use in other
authentication systems.  For example, password systems often
employ cryptography to encrypt stored password files, card/token
systems often employ cryptography to protect sensitive stored
information, and hand-held password generators often employ
cryptography to generate random, dynamic passwords.  Cryptography
is frequently used in distributed applications to convey
identification and authentication information from one system to
another over a network.

       Cryptographic authentication systems authenticate a user
based on the knowledge or possession of a cryptographic key. 
Cryptographic authentication systems can be based on either
private key cryptosystems or public key cryptosystems.  

     Private key cryptosystems use the same key for the functions
of both encryption and decryption.  Cryptographic authentication
systems based upon private key cryptosystems rely upon a shared
key between the user attempting access and the authentication
system.  

     Public key cryptosystems separate the functions of
encryption and decryption, typically using a separate key to
control each function.  Cryptographic authentication systems
based upon public key cryptosystems rely upon a key known only to
the user attempting access.  

4  Issues

     In addition to the actual choice of identification and
authentication technology, there are a number of other issues
that should be addressed to ensure the overall success and
security of one's IT system.  

4.1  Networks and Applications

     With the increased use of networks connecting multiple
hosts, an average IT user may find himself logging onto several
different computers, some of them remotely through a network. 
This situation poses a number of options with respect to user
identification and authentication.  In one option, the user must
authenticate himself to each computer separately, with a possibly
different password each time.  If there is a different password
for each computer, then that user will have difficulty in
remembering them.  If one password is used for all systems, then
the compromise of the password will have more far reaching
effects.

     A more desirable situation is one in which the user need
only authenticate himself to the first computer he logs into and
that computer passes the authentication data to each of the other
computers the user then needs to access.  This scheme requires
that all of the computers on the network are capable of reliably
handling this authentication data.  Standardization efforts such
as Open System Environment (OSE), Portable Operating System
Interface (POSIX) and Government Open Systems Interconnection
Profile (GOSIP) can contribute to this goal of transparent
authentication across networks.

     Related to the issue of user authentication across different
platforms is the issue of user authentication across different
applications on the same platform.  Large applications, such as
database management systems (DBMS), frequently require that users
login to them as well as to the underlying operating system. 
This second application login is considered an unnecessary burden
by many users.  As discussed in the network context above, if
authentication data can be reliably shared between an operating
system and the applications running on it, then the task of
authenticating a user to a complex IT system becomes simpler. 

4.2  Procurement Considerations

     An organization must answer numerous questions when it
decides to implement an advanced authentication system.  The
following discussion highlights many of the issues involved in
evaluating, procuring, and integrating these systems.

4.2.1  Sources of information 

     A variety of sources should be used when evaluating
authentication systems.  Vendor product literature can be very
helpful in describing specific details of product operation,
and in understanding the range of products offered.  There are
several annual conferences devoted to computer security, network
access control, and authentication technology.  In addition to
the papers presented at these conferences, there are usually
large vendor exhibit halls and product forums.  Many
organizations, particularly those in the government sector, have
published information on the selection and integration of
advanced authentication technology.  These publications are
often the result of practical experience gained during the
implementation of these systems, and so can be particularly
useful.

4.2.2  Accuracy 

     The accuracy of an authentication system refers to the
ability of that system to correctly identify authorized system
users while rejecting unauthorized users.  Since this is the  
primary function of an authentication system, accuracy is
directly related to the level of security provided by the
system.  Vendors may not be objective about producing and
interpreting the results of tests which quantify the accuracy
of the authentication process with regard to the vendor's  
particular products.  For these reasons, an organization may wish
to run independent tests to determine the accuracy of an
authentication system in terms which are relevant to the
environment in which the system will be used.

4.2.3  Reliability 

     An authentication system should be capable of operating in
its intended environment for a reasonable period of time.  During
this time, the system is expected to perform at or above a level
which ensures an appropriate amount of protection for the host
system.  If the authentication system fails, the chances for
unauthorized access during the failure should be minimized.  

4.2.4  Maintainability 

     All hardware and software systems require some form of
maintenance.  The components of an authentication system should
be evaluated to determine the level of maintenance which the
system will require.  One goal in the design of an authentication
system should be to minimize the maintenance requirements within
the constraints of system cost, performance, and available
technology.

4.2.5  Commercial availability 

     Large-scale networking of computer systems and distributed
computing are relatively recent developments, and are the driving
forces behind the need for more effective methods for
authenticating system users.  Unfortunately, the market for
advanced authentication technology is not fully developed and
is somewhat unstable.  Many commercially available authentication
systems have not yet been sold in quantity.  An organization that
is considering the use of this technology should evaluate the
vendor's ability to produce systems that meet specific quality
control standards and in sufficient quantity to meet the user's
requirements.  Contracts written to procure authentication
systems should provide some form of protection for the customer
in the event that the vendor is unable to produce systems in the
quantities required.   

4.2.6  Upgradeability 

     Because the technology of advanced authentication systems is
continually developing, any authentication system should be able
to accommodate the replacement of outdated components with new
ones.  A modular approach to the design of an authentication
system, with clearly defined interfaces between the system
components, facilitates the process of upgrading to new
technology.

4.2.7  System Integration 

     The integration of an authentication system into an existing
computer environment can be very difficult.  Most operating
systems do not contain well-defined entry points for replacing
the default authentication mechanism supplied with the operating
system.  This is partly because there is no widely accepted
standard for the interface between an operating system and an
authentication device.  Until such a standard becomes available,
there are three general options: 

In some cases, the vendor who provides the authentication system
may have already integrated it into certain operating systems. 
If the authentication system meets the requirements of the
customer and the customer is using the specified operating
system, then the system integration has already been
accomplished.  

Operating system vendors may select certain security
architectures for incorporation into their systems.  If these
architectures include an authentication technology which the
customer finds acceptable, then the operating system may be
purchased with the appropriate authentication mechanism as part
of the package.

It may be necessary to customize the authentication system and
perhaps modify the host operating system so that the two can
communicate.  This will involve cooperation between the operating
system vendor, the authentication system vendor, and the
customer, unless the customer has sufficient expertise to perform
the integration in-house.  A prototyping approach is strongly
recommended, due to the complexity of this type of project. 
Implementing such a system on a small scale first can be very
helpful in determining what problems will be encountered in a
full-scale implementation. 

5    Cost

     As in other aspects of IT security, the specific cost of
enforcing Identification and Authentication should be balanced
against the value of the information processed on an IT system
and the vulnerability of that information to attack.  In general,
devices with a higher performance level will cost more, but
individual cases should be evaluated carefully. The
authentication systems described in this chapter provide a range
of cost from password-only systems at the low end to biometrics
at the high end.  Token systems, such as memory cards and smart
cards, fall inside the range.

     In assessing the cost of an authentication system there are
several issues to consider.  The first is the actual cost to
purchase and install the required equipment and software.  In
general there is no additional cost to purchase a password system
because one is included with most IT systems.  Programs that
check for good passwords, an important part of using a password
system, do cost additional money.  The use of memory cards is
quite extensive and the use of smart cards is increasing
significantly so the costs associated with these technologies
will decrease over time.  The application of biometrics is not
that extensive so costs are comparatively higher.  Managers
should keep in mind that similar products from different vendors
may vary widely in cost, depending on the vendor's manufacturing
and development techniques and marketing philosophies.    

     In addition to the cost of procuring authentication
technology, there is the cost to the organization involved in
using that technology.  This includes on-going training of staff
in the correct use of the technology as well as the training and
time of personnel to administer the authentication system.

     While the relationship between cost and performance can
appear complex for authentication technology, the general
approach should be to procure the authentication system which  
provides the required level of security and other performance
factors at a minimum cost.

6    Interdependencies

6.1  Security Management & Administration

     The incorporation of a new or improved user authentication
system will have a noticeable effect throughout an organization. 
To ensure the acceptance and success of such a program, careful
management of the change should take place throughout the
organization.

6.2  Cryptography

     Cryptography plays a role in identification and
authentication in two ways. The first is a supporting role for
each of the other forms of authentication.  Cryptography can
provide for the security of authentication data both while it is
stored in a computer as well as while it is being transmitted
between.  In addition, cryptography can be used itself as an
authentication method.

6.3  Risk Management

     A thorough analysis can be done to determine what parts of
an organization's IT system are vulnerable to a login attack, and
to prioritize these vulnerabilities in terms of severity and
likelihood.  The types of authentication technology used should
be appropriate for the risk at hand.  Not all systems may require
identification and authentication, e.g., public access systems.

6.4  Personnel

     The types of identification and authentication methods used
by an organization should be chosen in a context that includes
personnel considerations.  This will help determine what measures
will work best for an organization's employees.  It is important
to note that the cooperation of an organization's staff is every
bit as important as the technology to provide identification and
authentication.

6.5  Audit

     Identification and authentication provide the basis for
auditing in an IT system.  By tying actions of a user to a unique
identification, individuals may be held accountable for their
actions.

Sidebar Notes

(1)  Sec. 1, para 1:  The process of verifying the identity of an
IT system user is referred to as identification and
authentication.

(2)  Sec. 1, para 2:  Many new technologies offer significant
increases to the protection afforded by password-only systems.

(3)  Sec. 3.1.1, para 3:  Passwords will be more difficult to
guess or obtain illicitly when combined or misspelled words are
used and when a minimum length requirement for passwords is met.

(4)  Sec. 3.1.1, para 2:  The use of passwords as a means of
access control to IT systems can result in a proliferation of
passwords that reduces overall IT system security.

(5)  Sec. 3.2, para 1:  A memory card authenticates a user's
identity based on a unique card used in conjunction with
something known to the user, such as a PIN.

(6)  Sec. 3.2, para 3:  Common types of memory cards are
telephone calling cards, credit cards, and ATM cards.

(7)  Sec. 3.3, para 1:  Smart cards, which contain one or more
integrated chips, can provide increased functionality and
increased security over memory cards. 

(8)  Sec. 3.4, para 1:  A hand-held password generator is a state-
of-the-art device about the size of a shirt-pocket calculator
that is used to access an IT system in place of the traditional
user name and password.

(9)  Sec. 3.5, para 1:  Biometric authentication systems operate
based on unique physical attributes of users, such as voice
patterns, fingerprints, and hand geometry; however, the
technology is less mature than that for memory and smart cards.

(10) Sec. 3.6, para 1:  Cryptography can be the basis for an
authentication system; or it can be used in conjunction with
other systems discussed.

(11) Sec. 4.2.1:  In choosing an authentication system, managers
should explore information provided by vendors, at IT security
conferences and presentations, and in special publications.

(12)  Sec. 4.2.7:  Important considerations in choosing an
authentication system include accuracy, reliability,
maintainability, commercial availability, upgradeability, and
system integration.



The 15-Minute CompuServe Hack (or, Leeching Made Incredibly Easy) by MacGyver June 22, 1991

*=============================================================================*

			  The 15-Minute CompuServe Hack
		       (or, Leeching Made Incredibly Easy)

				   by MacGyver
				     6-22-91

 -----------------------------------------------------------------------------

				  OUR GUARANTEE:

		If, after fifteen minutes, you don't have a fresh
		 CI$ password for use, you are obviously stupid!

 -----------------------------------------------------------------------------

			   Courtesy of: The Shire BBS
			    (516) Private  19.2k HST
			  Tripple H World Headquarters

*=============================================================================*

Introduction: Why EFT?

	Everyone knows the safest way to hack out a CI$ account is to get one
of those IntroPak thingies, get a credit card, and go have a ball, right?
Wrong. Ever since the phone company switched to digital networking and the
long-revered 2600 Hz tone all but disappeared, phreaking has gone the way of
the dinosaur as well as good old carding. Ever go to a department store, buy
something with your credit cards, and see those little computers? All they are
is little modems that call up Mr. Big Kredit Kard Kompany and make sure you're
not over your limit. When you call up CI$ and log on with a not-so-fresh credit
card number, all it takes is one little phone call and BANG the account's dead.
Especially if the number is on the "Hot" list. If the card is virgin, it will
last a little while, but since the verification is so fast, it will die too.
Credit cards are a bit dangerous to use nowadays, and not easy to come by. Not
to mention the fairly stiff penalty for credit card fraud. I mean, who wants
to spend a Friday night trashing behind Caldor when you could be out doing
something constructive like drinking beer?
	The solution: use the Electronic Funds Transfer. This is CI$'s way of
getting people who don't even have credit cards. You give them your check
number, and they automatically take the cash out of your account every month.
Everyone knows it takes a couple of days for a check to clear, right? Well,
this is because every two-bit piece-of-shit bank doesn't have an 800 line like
Mr. Big to verify all the checks their unloyal customers put out. And, lucky
for us, it takes a *LOT* longer to detect. I have even had a few last for ten
days, which is when they switch to the second password, effectively cancelling
your account.

*=============================================================================*

   BE SMART... HACK SAFELY!  THIS IS THEFT OF SERVICE AND IT'S VERY ILLEGAL.
	  DO NOT ATTEMPT THIS IF YOU DON'T KNOW THE BASICS OF HACKING!

*=============================================================================*

What You Need:

	1) A REAL, LEGAL checking account and ATM card from the bank you will
	   be hacking. The ATM card must be for the checking account. (Don't
	   worry - you'll just be using this as a template. We'll be sending
	   the bill to someone else, of course!)

	2) Knowledge of where the bank and specific branch is. The smaller
	   the bank the better.

	3) A CI$ IntroPak. (If you don't have one, read on.)

	4) A bogus name, address, phone, social security number, and valid
	   zip code from the phone book. Make up the SSN.

	5) A car, unless you want to get a lot of exercise.

	6) Rudimentary hacking knowledge. I am not going to explain many of
	   the terms and obvious safety guidelines in order to prevent rodents
	   from screwing up my system.

*=============================================================================*

Getting Started:

	First of all, you need a local CI$ dialup. If you know yours, skip
this section.

	1) Dial 1-800-346-3247 via modem.

	2) When you connect, press <Return>.

	3) After "Host Name:" prompt, type PHONES.

	4) Follow the menus and select a phone number close to you. The ideal
	   number is NOT in your local exchange.

*=============================================================================*

Researching the Account:

	Okay, what you are basically doing is "figuring" out the numbers on 
someone else's check: the routing transit number, and the account number. This
is all you need to sign up with.

	1) Drive to your local bank. Inside, there should be an ATM. And under
	   the ATM should be a whole shitload of transaction receipts that no
	   one ever cares about. SUCKS FOR THEM! Grab a handful. Now you don't
	   know if the slip was made with the bank's own card, so go to an
	   out-of-the-way bank that people don't use for quick withdrawals.
	   An ATM in the mall or next to a bar is no good. Keep in mind that
	   the best kind is a DEPOSIT slip because it assures you that the
	   person is a customer of the bank!

	2) Make a balance inquiry on YOUR card, or someone else's. Keep the
	   receipt. You must have a matching check for the account.

	3) Compare YOUR receipt with the account number on your check. The
	   account number on your check is the second group of numbers. You
	   see, the ATM prints an incomplete version of the account number on
	   the receipt to prevent just this. Find where your numbers match;
	   note the placement of dashes. Ignore any other funky symbols you
	   might see. For example, if your check looks like 12-3456789-0 and is
	   printed on the receipt as 5815961234567890, you know to lop off the
	   first six digits, place a dash between the second and third
	   digit and a dash before the last. Thus, if the victim's receipt
	   looked like 1324359876543210 and your check looks like above, the
	   checking account number AS IT APPEARS ON HIS CHECK is 98-7654321-0.

	4) Find the routing transit number on your check. This is the leftmost
	   number on the check. This number is the bank's number.

	+--------------------------------------------------------------+
        | Dick Hymen					       No. 432 |
	| 1234 Cherry Road			_______ 19__           |
	| Intercourse, Virginia 12345                                  |
	| 						     ________  |
	| Pay To.. ____________________________________|  $ |________| |
	| 							       |
	| ___________________________________________________  Dollars |
	|							       |
	|   Ass Chesse Bank of Virginia, etc.			       |
	|				      _______________________  |
	| :123466689:   98=7654321=0:   0432                           |
	+--------------------------------------------------------------+
	    ^			   ^       ^
      Routing Transit No.   Account No.  Check No.

	Congratulations! You have now figured out EXACTLY what the victim's
	check number looks like. Since he is (hopefully) a member of the same
	bank, the routing transit number is correct. And since you decoded the
	info on the receipt by using your check as a template, you're all set!
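
Seen from the bank's side, step 3 works because the receipt field still
carries every digit of the account number behind a fixed prefix. The check
below is an added example, not part of the original file: it measures how
many consecutive account digits a printed field exposes, using the file's own
sample numbers, and compares that with a last-four mask. The function names
and the four-digit threshold are assumptions.

```python
import re

MAX_VISIBLE = 4  # assumed policy: a receipt may show at most the last four digits


def digits(text: str) -> str:
    """Keep only the digits of an account number or printed receipt field."""
    return re.sub(r"\D", "", text)


def exposed_run(account: str, printed: str) -> int:
    """Longest run of consecutive account digits that also appears in the printed field."""
    acct, field = digits(account), digits(printed)
    best = 0
    for start in range(len(acct)):
        # Only try runs longer than the best one found so far.
        end = start + best + 1
        while end <= len(acct) and acct[start:end] in field:
            best = end - start
            end += 1
    return best


def mask_account(account: str, visible: int = MAX_VISIBLE, fill: str = "X") -> str:
    """Receipt-safe rendering: every digit replaced except the last `visible`."""
    acct = digits(account)
    if len(acct) <= visible:
        return fill * len(acct)  # too short to reveal anything safely
    return fill * (len(acct) - visible) + acct[-visible:]


def audit(samples, max_visible: int = MAX_VISIBLE):
    """Return (label, exposed digits, total digits) for every field that leaks too much."""
    findings = []
    for label, account, printed in samples:
        run = exposed_run(account, printed)
        if run > max_visible:
            findings.append((label, run, len(digits(account))))
    return findings


# Sample values taken from the file's own illustration, plus the masked form.
SAMPLES = [
    ("receipt as described in the file", "12-3456789-0", "5815961234567890"),
    ("receipt with last-four mask", "12-3456789-0", mask_account("12-3456789-0")),
]

if __name__ == "__main__":
    for label, run, total in audit(SAMPLES):
        print(f"FAIL {label}: {run} of {total} account digits printed in sequence")
```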

*=============================================================================*

Locating an IntroPak:

	You get an IntroPak whenever you buy a modem. It comes with a temporary
password and a $15.00 credit. The credit is designed to sucker new modemers
into spending a lot of money, because most new users say "$15.00! Wow!" and
don't actually know that it's only 75 minutes of connect time. I usually have
four or five laying around because my modems have the unfortunate tendency to
attract lightning. If you don't have one, there are two ways to get them:

	1) Buy a modem with your credit card from a BIG DEPARTMENT STORE. Then
	   simply remove the IntroPak and return the modem. It is a small
	   pamphlet and will go unnoticed when returned. Use a credit card to
	   expedite the return.

	2) Go to any computer store and buy an IntroPak. These usually run from
	   $20 to $30, but think of the money you'll save when you run up a
	   $500 bill...

*=============================================================================*

Signing Up:

	1) Call your local dialup and follow the instructions in your
	   IntroPak.

	2) Enter the bogus name and address. A good one is local to the bank
	   but a few towns away from you. Remember, the name will never match
	   the checking account number, so make it look good!

	3) Use an always-busy or always-ringing number for the day phone. If
	   you don't have one, use the bogus name's actual phone. Do NOT leave
	   a night phone number. This way, if CI$ calls, the victim will
	   probably be at work. Make sure the prefix matches the area you 
	   claim you're from.

	4) Enter the checking information as you have deduced. Make up a check
	   number, a good one is in the range of 500 or so.

	5) Do NOT select the executive service option. It makes the account
	   last longer if you don't.

	There - that's all there is to it! Now go to the file areas and LEECH!

*============================================================================*

Tips and Hints:

	Here's how to make the most out of your "limited stay" on CI$ and make
it last longer.

	1) Sign up for the password on Friday, after 6:00 pm.

	2) Make sure only one person uses it at a time. Ignoring this will
	   get your account suspended in four or five days.

	3) Join all the forums you attend, use the bogus name. It looks fishy
	   if you leech from the forums without joining, since joining doesn't
	   cost anything.

	4) Use password only at night, from 6:00 pm to 6:00 am.

	5) Change the password every once in a while.

	6) Don't be profane in any messages or on the CB Simulator.
	   Being an asshole on the CB is the quickest way to get cut.

	7) Keep it to yourself for a few days before you give it to your
	   friends (if at all).

	8) For downloading, always use the Quick B protocol in the IBM
	   Communications Forum. I believe it is called OZBEXT.ARC.
	   Apparently they're too cheap to get Zmodem.

	9) CI$ doesn't have batch download. However, by spending a few
	   minutes with the script commands of your terminal, you can make it
	   do the same thing. I highly recommend BOYAN version 5 for this.
	   See appendix A.

       10) If you see "% Checking your account information..." you will most
	   likely see a "Your account has been temporarily suspended." This
	   means you used too much, too fast. Then again, you may not care,
	   because the next password is only 15 minutes away.

*============================================================================*

Appendix A: Simple Batch Downloading

	Here is a BOYAN version 5 script that will batch download for you. All
you have to do is use a simple editor to copy the first section to how many
files you wish to download. (Bear with me, I spent about 5 minutes writing
this script.) This should easily translate to any other script language: SV1
sets var V1 to the file name, BL goes to the leech block, WF waits for the
specified string, %V1 sends the filename to CI$, and DLB is the command to
invoke the Quick B download.
	This script will only download out of one category at a time, and uses
the B protocol. You will have to modify the script if you want more...
	After you have placed all of the filenames into the file, go to the
forum's library menu. Select the category you want to d/l from, and then
use Alt-R to run the script.

------------------------------------------------------------------------------

\SV1[file1.ext]
\BL[leech]

\SV1[file2.ext]
\BL[leech]

\SV1[file3.ext]
\BL[leech]

\HU

|leech
\TO[20]
\WF[Enter choice !]4{
\WF[File name: ]%V1{
\WF[` name for your computer: ]%V1{
\DLB-[]
{

*============================================================================*

Appendix B: Hip Places to Check Out

CB simulator . . . . . . . . . . . . . . . . . . . . . . . . . . . GO CB
FAX mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . GO FAX
AP sports wire . . . . . . . . . . . . . . . . . . . . . . . . . . GO SPORTS
Atari forums . . . . . . . . . . . . . . . . . . . . . . . . . . . GO ATARI
IBM forums . . . . . . . . . . . . . . . . . . . . . . . . . . . . GO IBM
Human Sexuality forum  . . . . . . . . . . . . . . . . . . . . . . GO HUMAN
GIF pictures . . . . . . . . . . . . . . . . . . . . . . . . . . . GO CORNER

*============================================================================*

Acknowledgements

	- To CI$, for falling for this trick every single time;
	- To Radio Shack ("Yesterday's Technology at Tomorrow's Prices"), for
	     all those free IntroPaks;
	- To everyone whose checking account I "borrowed";
	- To my friendly bank, for being so small that verification takes 
	     way more than a week;
	- To whoever uploaded the GIF of the babe in the red teddy on the
	     beach to CI$. 'Nuff said;
	- To "Tom Righteous", for always encouraging me to do illegal things;
	- To "Al My Pal", who knows every legality & technicality about
	     everything in said universe;
	- To Lord Rheinhold, for being the hip dude you are, here's the BBS
	     plug;
	- To Dark Knight, for locating those great GIF files and the tacos.
	     May every GIF be an ANNHONG, a-zhe?

*============================================================================*

Fun With Automatic Tellers

                          Fun with Automatic Tellers

  Preface:  This is not a particularly easy scam to pull off, as it requires
either advanced hacking techniques (TRW or banks) or serious balls (trashing a
private residence or outright breaking & entering), but it can be well worth
your while to the tune of $500 (five hundred) a day.

  Laws that will be broken:  Credit Fraud, Wire Fraud, Bank Fraud, Mail Fraud,
Theft Over $200, Forgery, and possibly a few others in the course of setting
the scheme up.

  The first step is to target your victim.  The type of person you are looking
for is rich.  Very rich.

  Now, don't go trying to hit on J.P. Getty or Johnny Carson or someone who
carries a high name recognition.  This will just get you into trouble as
everyone notices a famous person's name floating across their desk.

  Instead look for someone who owns a chain of hog feed stores or something
discreet like that.  We targeted a gentleman who is quite active in the silver
market, owning several mines in South Africa and not wanting this to be widely
known (he had no desire to be picketed.)

  Next step, take out a p.o. box in this person's name.

  Now comes the fun part, requiring some recon on your part.  You need
to know some fairly serious details about this person's bank dealings.

        1)  Find out what bank he deals with mainly.  This isn't too difficult
            as a quick run through his office trash will usually let you find
            deposit carbons, withdrawal receipts, or *anything* that has the
            bank name on it.

        2)  Find out the account number(s) that he has at the bank.  This can
            usually be found on the above-mentioned receipts.  If not, you can
            get them in TRW (easier said than done) or you can con them out of
            a hassled bank teller over the phone (Use your imagination.  Talk
            slowly and understandingly and give plausible excuses ["I work for
            his car dealership, we need to do a transfer into his account"].)

        2a) [optional]  If you can, find out if he has an ATM (Automatic
            Teller) card.  You don't need to know numbers or anything, just
            if a card exists.  This can also be ascertained over the phone
            if you cajole properly.

        3)  Armed with this information, go into action.

                a) Obtain some nice (ivory quality) stationery.  It doesn't
                   have to be engraved or anything, but a $5 or $10 investment
                   to put a letterhead with his initials or something on it
                   couldn't hurt.  But the most important thing is that it
                   look good.

                b) Type a nice letter to the bank notifying them of your
                   address change.  Some banks have forms you have to fill out
                   for that sort of thing, so you need to check with the bank
                   first (anonymously, of course).  You will have to have a
                   good copy of his signature on hand to sign all forms and
                   letters (again, trash his office).

                c) Call the bank to verify the new address.

                d) IMMEDIATELY upon verifying the change of address, send a
                   second letter.  If he already has an ATM card, request a
                   second card with the business name engraved in it be sent
                   for company use.  If he doesn't have an ATM card, the
                   letter should request one for account number xxxxxx.  Ask
                   for two cards, one with the wife's name, to add
                   authenticity.

                e) Go to the bank and ask for a list of all ATM's on the
                   bank's network.  Often the state has laws requiring *all*
                   machines take *all* cards, so you'll probably be in good
                   shape.

                f) Await the arrival of your new card.  The PIN (personal
                   identification number) is included when they send out a
                   card.  After picking up the card, forget that you ever
                   even *knew* where the p.o. box was, and make sure you
                   didn't leave fingerprints.

                g) Begin making the maximum daily withdrawal on the card
                   (in most cases $500/day), using a different machine each
                   time.  Since many of these machines have cameras on them,
                   wear a hat & jacket, or a ski mask to be really paranoid.
                   To cut the number of trips you have to make in half, be at
                   an ATM a few minutes before midnight.  Make one $500
                   withdrawal right before midnight, and another one right
                   after.  This cuts down on the number of trips, but police
                   or bank officials may spot the pattern and start watching
                   machines around midnight.  Use your own judgement.

  Conclusion: Before using the card, make sure that all fingerprints are wiped
from it.  Usually the first hint you will have that they have caught on to
your scam is that the machine will keep the card.  Also, avoid using machines
in your own town unless it is a big city (Chicago, Milwaukee, Dallas,
etc...).
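
  The steps above leave a recognizable trail in the bank's own records: an
address change followed closely by a card request, limit-sized withdrawals a
few minutes apart on either side of midnight, and several consecutive limit
days spread over different machines.  The detection logic below is an added
example, not part of the original text; the event format, the thresholds and
the sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DAILY_LIMIT = 500                     # the text's "in most cases $500/day"
CARD_WINDOW = timedelta(days=30)      # assumed: card request this soon after a move
STRADDLE_GAP = timedelta(minutes=30)  # assumed: limit withdrawals this close across midnight
STREAK = 3                            # assumed: consecutive limit days and distinct ATMs

# Constructed sample records, not real data: (time, account, event, detail)
EVENTS = [
    ("1991-03-01 10:15", "ACCT-A", "ADDRESS_CHANGE", "new mailing address"),
    ("1991-03-04 09:00", "ACCT-A", "CARD_REQUEST", "additional card"),
    ("1991-03-15 23:56", "ACCT-A", "WITHDRAWAL", ("ATM-17", 500)),
    ("1991-03-16 00:03", "ACCT-A", "WITHDRAWAL", ("ATM-17", 500)),
    ("1991-03-17 22:40", "ACCT-A", "WITHDRAWAL", ("ATM-22", 500)),
    ("1991-03-18 21:15", "ACCT-A", "WITHDRAWAL", ("ATM-31", 500)),
    ("1991-03-05 11:00", "ACCT-B", "CARD_REQUEST", "replacement card"),
    ("1991-03-15 23:50", "ACCT-B", "WITHDRAWAL", ("ATM-03", 40)),
    ("1991-03-16 00:10", "ACCT-B", "WITHDRAWAL", ("ATM-03", 40)),
]


def by_account(events):
    """Group events per account, parsed and sorted by time."""
    grouped = defaultdict(list)
    for stamp, account, kind, detail in events:
        grouped[account].append((datetime.strptime(stamp, "%Y-%m-%d %H:%M"), kind, detail))
    for rows in grouped.values():
        rows.sort(key=lambda row: row[0])
    return grouped


def card_after_address_change(rows):
    """A card request shortly after an address change should be held for review."""
    findings, moved = [], None
    for when, kind, _ in rows:
        if kind == "ADDRESS_CHANGE":
            moved = when
        elif kind == "CARD_REQUEST" and moved and when - moved <= CARD_WINDOW:
            findings.append(("card-after-address-change",
                             f"card requested {(when - moved).days} days after address change"))
    return findings


def midnight_straddle(rows):
    """Two limit-sized withdrawals on different dates but only minutes apart."""
    maxed = [(when, d[0]) for when, kind, d in rows
             if kind == "WITHDRAWAL" and d[1] >= DAILY_LIMIT]
    findings = []
    for (first, atm1), (second, atm2) in zip(maxed, maxed[1:]):
        if first.date() != second.date() and second - first <= STRADDLE_GAP:
            findings.append(("midnight-straddle",
                             f"limit withdrawals at {first:%H:%M} ({atm1}) and {second:%H:%M} ({atm2})"))
    return findings


def limit_streak(rows):
    """Consecutive days at the daily limit, spread over several machines."""
    totals, atms = defaultdict(int), defaultdict(set)
    for when, kind, d in rows:
        if kind == "WITHDRAWAL":
            totals[when.date()] += d[1]
            atms[when.date()].add(d[0])
    best, run = [], []
    for day in sorted(d for d, total in totals.items() if total >= DAILY_LIMIT):
        run = run + [day] if run and day - run[-1] == timedelta(days=1) else [day]
        if len(run) > len(best):
            best = run
    machines = set().union(*(atms[day] for day in best))
    if len(best) >= STREAK and len(machines) >= STREAK:
        return [("limit-streak", f"{len(best)} consecutive limit days on {len(machines)} ATMs")]
    return []


def detect(events):
    """Return {account: [(rule, message), ...]} for accounts with any finding."""
    report = {}
    for account, rows in by_account(events).items():
        findings = card_after_address_change(rows) + midnight_straddle(rows) + limit_streak(rows)
        if findings:
            report[account] = findings
    return report


if __name__ == "__main__":
    for account, findings in detect(EVENTS).items():
        for rule, message in findings:
            print(f"{account}  {rule}: {message}")
```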


Track Layouts on ATM Cards

***************  Track Layouts ************************
This is off the top of my head, but is 99% there.  Also I'll ignore
some obsolete stuff.

The physical layout of the cards is standard.  The LOGICAL makeup
varies from institution to institution.  There are some generally
followed layouts, but not mandatory.

There are actually up to three tracks on a card.

Track 1 was designed for airline use.  It contains your name and
usually your account number.  This is the track that is used when
the ATM greets you by name.  There are some glitches in how things
are ordered so occasionally you do get "Greetings Bill Smith Dr."
but such is life.  This track is also used with the new airline
auto check in (PSA, American, etc)

Track 3 is the "OFF-LINE" ATM track.  It contains such nifty
information as your daily limit, limit left, last access, account
number, and expiration date.  (And usually anything I describe in track
2).  The ATM itself could have the ability to rewrite this track to
update information.

Track 2 is the main operational track for online use.  The first thing
on track 2 is the PRIMARY ACCOUNT NUMBER (PAN).  This is pretty
standard for all cards, though no guarantee.  Some additional info
might be on the card such as expiration date.  One interesting item
is the PIN offset.   When an ATM verifies a PIN locally, it usually
uses an encryption scheme involving the PAN and a secret KEY.
This gives you a "NATURAL PIN" (i.e. when they mail you your pin, this
is how it got generated.)  If you want to select your own PIN, they
would put the PIN OFFSET in the clear on the card.  Just do modulo 10
arithmetic on the Natural PIN plus the offset, and you have the
selected PIN.  YOUR PIN IS NEVER IN THE CLEAR ON YOUR CARD.  Knowing
the PIN OFFSET will not give you the PIN.  This will require the
SECRET KEY.

Hope that answers your question

************ Deposits at ATMs ************************

Deposits on ATM:

Various banks have various systems.  As an example, at CITIbank
a deposit was made to a specific account.  Your account was updated
with a MEMO update, i.e. it would show up on your balance.  However
it did not become AVAILABLE funds until it was verified by a teller.
On the envelope was Customer ID number, the envelope number and
the Entered dollar amount, the branch # and the Machine #.

There was also a selection for OTHER PAYMENTS.  This allowed you to
dump any deposit into the ATM.

What are you assured then when you deposit to an ATM ?

1) You have a banking RECORD (not a receipt at Citibank).  If you
   have this record, there is a VERY high percentage that you
   deposited something at that ATM.

2) Some banks have ways of crediting your deposit RIGHT NOW.
   This could be done by a balance in another account (i.e. a long
   term C.D. or a line of credit.)  That way they can get you if
   you lied.

**************  ATM Splitting a Card in half ***************

   I've worked with about 75% of the types of machines on the market
and NONE of them split a card in half upon swallow.  However, some
NETWORKS have a policy of  slicing a card to avoid security
problems.

Trusting an ATM.
Interesting you should bring this up, I'm just brushing up a paper
describing a REAL situation where your card and PIN are in the clear.
This involves a customer using a bank that is part of a network.
All the information was available to folks in DP, if they put in some
efforts to get it.

          Mis-Implementation of an ATM PIN security system

1.  Synopsis
In an EFT (Electronic Funds Transfer) network, a single node which  does
not  implement  the  proper  security  can  have  effects throughout the
network.  In this paper, the author describes an example of how security
features  were  ignored, never-implemented, and/or incorrectly designed.
The human factors involved in the final implementation are  explored  by
showing  several major vulnerabilities caused by a Savings and Loan and a
regional EFT network's lack of vigilance in installing  an  EFT  network
node.   While  using  an  EFT  system as an example, the concepts can be
extrapolated into the implementation of other secured systems.

2.  Background
A small Savings and Loan  was  setting  up  a  small  (10  to  16  ATMs)
proprietary  Automatic  Teller  Machine (ATM) network.  This network was
then intended to link up to a regional network.  The manufacturer of the
institution's  online  banking  processor  sent an on-site programmer to
develop the required interfaces.

An ATM network consists of three main  parts.   The  first  is  the  ATM
itself.   An ATM can have a range of intelligence.  In this case the ATM
was able to decode a  PIN  (Personal  Identification  Number)  using  an
institution  supplied  DES  (Data Encryption Standard) key.  It was then
required to send a request for funds to the host where it would receive
authorization.

The second portion of the network is the ATM controller.  The controller
monitors the transaction, and routes the message  to  the  authorization
processor.   The  controller  would  also generally monitor the physical
devices and statuses of the ATM.

The third portion of the network is the authorization system.   In  this
case  customers  of  the  local  institution  would have the transaction
authorized on the same processor.  Customers  from  foreign  (i.e.   one
that  does not belong to the institution that runs the ATM) institutions
would be authorized by the regional  network.   Authorization  could  be
from  a  run-up  file  which  establishes  a  limit  on  withdrawals
for a  given  account  during  a  given  period.   A  better  method  is
authorization direct from the institution which issued the card.

3.  Security
The system has a two component key system to allow access to the network
by the customer.  The first  is  the  physical  ATM  card  which  has  a
magnetic stripe.  The magnetic stripe contains account information.  The
second component is the Personal Identification Number (PIN).   The  PIN
is hand entered by the customer into the ATM at transaction time.  Given
these  two  parts,  the  network  will  assume  that  the  user  is  the
appropriate customer and allow the transaction to proceed.

The Magnetic stripe is in the clear and may be assumed to be reproducible
using various methods, thus the PIN is crucial security.

3.1.  PIN security

3.1.1.  PIN key validation method

PINs can be linked up to a particular card in a  number  of  ways.   One
method  puts  the  PIN  into  a central data base in a one-way encrypted
format.  When a PIN is presented, it  would  be  encrypted  against  the
format  in  the  data base.  This method requires a method of encrypting
the PIN given at the ATM, until it can be verified at the central  site.
Problems  can  also  occur if the institution wants to move the PIN data
base to another processor, especially from a different computer vendor.

Another  method  is  to take information on the card, combine it with an
institution PIN encryption key (PIN key) and use that  to  generate  the
PIN.   The institution in question used the PIN key method.  This allows
the customer to be verified at the ATM itself and no transmission of the
PIN  is  required.   The  risk  of  the  system  is  the PIN key must be
maintained under the tightest of security.

The PIN key is used to generate the natural PIN.   This  is  derived  by
taking  the  account number and using DES upon it with the PIN key.  The
resulting number then is decimalized by doing a lookup on  a  16  digit
decimalization  table  to  convert  the  resulting hexadecimal digits to
decimal digits.  An ATM loaded with the appropriate  PIN  key  can  then
validate  a customer locally with no need to send PIN information to the
network, thereby reducing the risk of compromise.

The PIN key requires the utmost security.  Once the PIN  key  is  known,
any  customer's  ATM card, with corresponding PIN can be created given a
customer account number.  The ATM allows for the PIN key to be entered at
the  ATM  in  two parts, thus allowing each of two bank officers to know
only one half of the key.  If desired, a terminal  master  key  can  be
loaded and then the encrypted PIN key loaded from the network.

The  decimalization table usually consists of 0 to 9 and 0 to 5, ("0" to
"F" in hexadecimal where "F" = 15).  The decimalization table can be put
into any order, scrambling the digits and slowing down an attacker.  (As
a side note, it could be noted that using the "standard" table, the  PIN
digits  are  weighted  to 0 through 5, each having a 1/8 chance of being
the digit, while 6 through 9 has only a 1/16 chance.)
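
The decimalization bias noted above, and the modulo-10 offset arithmetic from the track 2 description earlier on this page, worked through as an added Python example (not part of the original paper). The table is the "standard" one the text describes; the sample PIN values are constructed, and the DES step is left out, so `decimalize` takes the cipher output as a hex string.

```python
from collections import Counter
from fractions import Fraction
import math

# The "standard" table from the text: hex 0-9 map to 0-9, hex A-F map to 0-5.
STANDARD_TABLE = "0123456789012345"


def _check_table(table):
    if len(table) != 16 or not (table.isascii() and table.isdigit()):
        raise ValueError("decimalization table must be exactly 16 decimal digits")


def _check_pins(*pins):
    if any(not (p.isascii() and p.isdigit()) for p in pins):
        raise ValueError("PIN and offset values must be decimal digit strings")
    if len({len(p) for p in pins}) != 1:
        raise ValueError("PIN and offset values must have the same length")


def decimalize(hex_digits, table=STANDARD_TABLE):
    """Map each hexadecimal digit of a cipher output to a decimal digit."""
    _check_table(table)
    return "".join(table[int(h, 16)] for h in hex_digits)


def digit_distribution(table=STANDARD_TABLE):
    """Probability of each decimal digit, assuming the 16 hex digits that
    come out of the cipher are equally likely."""
    _check_table(table)
    counts = Counter(table)
    return {str(d): Fraction(counts[str(d)], 16) for d in range(10)}


def pin_entropy_bits(table=STANDARD_TABLE, length=4):
    """Shannon entropy, in bits, of a natural PIN of `length` digits."""
    per_digit = -sum(float(p) * math.log2(float(p))
                     for p in digit_distribution(table).values() if p)
    return per_digit * length


def worst_case_guess_probability(table=STANDARD_TABLE, length=4):
    """Probability of the single most likely natural PIN. A uniform
    4-digit PIN would give 1/10000."""
    return max(digit_distribution(table).values()) ** length


def derive_offset(natural_pin, selected_pin):
    """Offset stored in the clear: digit-wise (selected - natural) mod 10."""
    _check_pins(natural_pin, selected_pin)
    return "".join(str((int(s) - int(n)) % 10)
                   for n, s in zip(natural_pin, selected_pin))


def apply_offset(natural_pin, offset):
    """Selected PIN: digit-wise (natural + offset) mod 10, with no carry."""
    _check_pins(natural_pin, offset)
    return "".join(str((int(n) + int(o)) % 10)
                   for n, o in zip(natural_pin, offset))


if __name__ == "__main__":
    dist = digit_distribution()
    print("P(digit) :", {d: str(p) for d, p in dist.items()})
    print("entropy  : %.2f bits (uniform would be %.2f)"
          % (pin_entropy_bits(), 4 * math.log2(10)))
    print("worst case single guess:", worst_case_guess_probability())
    # Constructed values: cipher output A3F9, customer-selected PIN 1234.
    natural = decimalize("A3F9")
    offset = derive_offset(natural, "1234")
    print("natural", natural, "offset", offset,
          "selected", apply_offset(natural, offset))
```

The entropy depends only on how often each digit appears in the table, so reordering the same sixteen entries moves the bias to other digits without removing it.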

When handling a foreign card, (i.e.  one that does  not  belong  to  the
institution that runs the ATM), the PIN must be passed on to the network
in encrypted form.  First, however, it must be passed from  the  ATM  to
the  ATM controller.  This is accomplished by encrypting the PIN entered
at  the  ATM  using  a  communication  key.   The
communication  key  is  entered  at  the  ATM much like the PIN key.  In
addition, it can be downloaded from the network.  The PIN  is  decrypted
at  the controller and then reencrypted with the network's communication
key.

Maintaining  the  security  of  the  foreign  PIN  is  of  critical
importance.   Given  the  foreign PIN along with the ATM card's magnetic
image, the perpetrator has access to an account  from  any  ATM  on  the
network.    This  would  make  tracking  of  potential  attackers  quite
difficult, since the ATM and the institution they extract funds from can
be  completely  different from the institution where the information was
gleaned.

Given  that  the  encrypted  PIN  goes  through   normal   communication
processes,  it  could  be  logged  on  the normal I/O logs.  Since it is
subject to such logging, the PIN in any form should be denied  from  the
logging function.

3.2.  Security Violations
While  the EFT network has potential to run in a secured mode given some
of the precautions outlined above, the potential for abuse  of  security
is  quite easy.  In the case of this system, security was compromised in
a number of ways, each leading to the potential loss of funds, and to  a
loss of confidence in the EFT system itself.

3.2.1.  Violations of the PIN key method
The  two  custodian  system simply wasn't practical when ATMs were being
installed all over the state.  Two examples show this:   When  asked  by
the  developer  for the PIN key to be entered into a test ATM, there was
first a massive search for the key, and then it was read to him over the
phone.   The  PIN  key  was  written  on  a scrap of paper which was not
secured.  (This is the PIN key that all the customer PINs are based  on,
and whose compromise should require the reissue of all PINs.)

The  importance of a system to enter the PIN key by appropriate officers
of the bank should not be overlooked.  In  practice  the  ATM  installer
might  be the one asked to enter the keys into the machine.  This indeed
was demonstrated in this case where the ATM installer not only had  the
keys  for  the  Savings and Loan, but also for other institutions in the
area.  This was kept in the high security area of the  notebook  in  the
installer's front pocket.

Having  a  Master key entered into the ATM by officers of the bank might
add an additional layer of security to the system.  The actual  PIN  key
would then be loaded in encrypted form from the network.  In the example
above, if the installer was aware of the terminal master key,  he  would
have to monitor the line to derive the actual PIN key.

The  use  of  a downline encrypted key was never implemented, due to the
potential complications and added cost of such a  system.   Even  if  it
was,  once violated, security can only be regained by a complete reissue
of customer PINs with the resulting confusion ensuing.

3.2.2.  Network validated PIN Security violations
Given  the  potential  for untraced transactions, the maintenance of the
foreign PINs security was extremely important.  In the PIN  key  example
above,  any  violation  would  directly  affect  the  institution of the
violators.  This would limit the scope of an investigation, and  enhance
the  chance of detection and apprehension.  The violation of foreign PIN
information has a much wider sphere of attack,  with  the  corresponding
lower chance of apprehension.

The  communication  key  itself  was  never  secured.  In this case, the
developer  handed  the  key  to  the  bank  officers,  to   ensure   the
communication  key  didn't get misplaced as the PIN key did (This way he
could recall it in case it got lost).  Given the communication key,  the
security  violation  potential  is  simple enough.  The programmer could
simply  tap  the  line  between  the  ATM  and  the  controller.    This
information  could  then generate a set of PIN and card image pairs.  He
would even have account balances.

Tapping the line would have been an effort, and worse yet he  could  get
caught.   However,  having  the  I/O  logs could serve the same purpose.
While originally designed to obscure PIN information in  the  I/O  logs,
the  feature was disabled due to problems caused by the regional network
during testing.  The I/O logs would be sent to the developer  any  time
there was a problem with the ATM controller or the network interface.
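
One way to keep PIN and key material out of I/O logs while leaving them usable for fault isolation, as an added Python example that is not the controller's own code. The field names (`pin`, `pin_block`, `pin_key`, `comm_key`, `track1` to `track3`) and the sample log lines are constructed, since the paper does not give the log format.

```python
import io
import logging
import re

# Constructed field names: values of these fields never reach the log.
SECRET_RE = re.compile(r"\b(pin_block|pin_key|comm_key|pin)=(\S+)", re.IGNORECASE)
# Card image fields: keep only the last four account digits for correlation.
TRACK_RE = re.compile(r"\b(track[123])=(\S+)", re.IGNORECASE)


def _mask_secret(match):
    # Keep the field name and value length so a truncated or malformed
    # field is still visible when isolating a fault.
    return "%s=[REDACTED len=%d]" % (match.group(1), len(match.group(2)))


def _mask_track(match):
    digits = re.search(r"\d{4,}", match.group(2))
    tail = digits.group(0)[-4:] if digits else "????"
    return "%s=[CARD ****%s]" % (match.group(1), tail)


def redact_line(line):
    """Strip PINs (clear or encrypted), keys and card images from one line."""
    return TRACK_RE.sub(_mask_track, SECRET_RE.sub(_mask_secret, line))


class RedactingFilter(logging.Filter):
    """Rewrites every record before it is emitted. There is deliberately no
    switch to turn it off: in the case described, the masking feature was
    disabled during testing and the logs then went to the developer."""

    def filter(self, record):
        record.msg = redact_line(record.getMessage())
        record.args = ()
        return True


def build_io_logger(stream, name="atm.io"):
    """Return a logger whose only handler redacts before writing."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False      # nothing reaches an unfiltered parent handler
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger


# Constructed sample traffic between an ATM, the controller and the network.
SAMPLE_LINES = [
    "RX atm=07 msg=WDL amount=100.00 track2=;12345675=9101? "
    "pin_block=4A1F09C2D37BE865",
    "TX host=net msg=SOD comm_key=0123456789ABCDEF status=ok",
]


def demo():
    """Log the sample lines and return what was actually written."""
    buf = io.StringIO()
    log = build_io_logger(buf, name="atm.io.demo")
    for line in SAMPLE_LINES:
        log.info(line)
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for written in demo():
        print(written)
```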

The  generation of PIN and card image pairs has a potential for even the
most secured system on the network  to  be  attacked  by  the  lapse  in
security  of  a weaker node.  Neither the communication key, nor the PIN
should ever be available in the clear.  This requires  special  hardware
at  the  controller  to  store  this  information.   In  this  case, the
institution had no desire to install a  secured  box  for  storing  key
information.   The  communication key was available in software, and the
PIN was in the clear during the process of decrypting from the  ATM  and
re-encrypting  with  the network key.  Any programmer on the system with
access to the controller could put in a log file to tap off the PINs  at
that point.

The largest failure of the system, though, was not a result of the items
described above.  The largest failure in the system was in the method of
encrypting  the  PIN  before  going  to the network.  This is due to the
failure of the network to have a secured key between sites.  The PIN was
to  be  encrypted  with  a  network  key.   The  network key was sent in
encrypted form from the network to the ATM controller.  However, the key
to  decrypt  the network key was sent almost in the clear as part of the
start-of-day sequence.

Any infiltrator monitoring the  line  would  be  able  to  get  all  key
information  by  monitoring the start-of-day sequence, doing the trivial
decryption of the communication key, and proceeding to gather card image
and PIN pairs.  The infiltrator could then generate cards and attack the
system at his leisure.

The network-ATM controller security failure is the most critical feature
since it was defined by a regional network supporting many institutions.
The network was supposedly  in  a  better  position  to  understand  the
security requirements.

4.  The Human Factors in Security  Violation
It is important the users of a system be apprised of the procedures for
securing the system.  They should understand the risks,  and  know  what
they  are  protecting.   The  bank officers in charge of the program had
little experience with ATM systems.  They were never fully indoctrinated
in  the  consequences of a PIN key or communication key compromise.  The
officers showed great surprise when the developer was able  to  generate
PINs  for  supplied  test cards.  Given the potential risk, nothing more
was done to try to change the PIN key,  even  though,  they  were  quite
aware  that  the  PIN  key was in the developer's possession.  They once
even called the developer for the PIN key when they weren't able to find
it.

The  developer  had a desire to maintain a smooth running system and cut
down on the development time of an  already  over-budget  project.   Too
much security, for example modifying I/O logs, could delay the isolation
or repair of a problem.

The regional network was actually a marketing company who  subcontracted
out  the  data processing tasks.  They failed to recognize the security
problem of sending key information with extremely weak encryption.   The
keys  were  all but sent in the clear.  There seemed to be a belief that
the use of encryption in and of itself caused a network to  be  secured.
The  use  of DES with an unsecured communication key gave the appearance
of a secured link.

The lack of audits of the system, both in design and implementation  was
the  final security defect which allowed the system to be compromised in
so many ways.  An example of the Savings and Loan's  internal  auditors'
failure  to  understand  the problems or technology is when the auditors
insisted that no contract developers would be  allowed  physically  into
the  computer room.  The fact was, access to the computer room was never
required to perform any of the described violations.

5.  Security Corrections
As in any system where security was required, the time to  implement  it
is  at  the  beginning.  This requires the review of both implementation
ormed  to
verify  that  the  procedures  are  followed  as  described in the plan.
Financing, scheduling and man power for such audits must be allocated so
security issues can be addressed.

For this institution, the first step would have been to indoctrinate the
banking  officers  of  the risks in the ATM network, the vulnerabilities,
and the security measures required.

Custodians  of  all  keys should be well aware of their responsibilities
for those keys.  A fall back system of key recovery must be in place  in
case an officer is not available for key entry.

The  cost  of installing hardware encryption units at the host should be
included in the cost of putting in the  system.   The  host  unit  could
generate  down-line  keys for both the PIN key and the communication key
thus making it more difficult to derive  these  keys  without  collusion
from at least three people.

A  secured  communications key should be established between the Network
and the institution.  This would  allow  for  the  exchange  of  working
communication  keys.   This  key  should  be  changed  with a reasonable
frequency.

All these areas should be audited in both the system  specification  and
implementation  to  make sure they are not being abridged in the name of
expediency.

6.  Summary
In this view of a single  institution,  a  number  of  failures  in  the
security  system  were  shown.   There  was  shown a definite failure to
appreciate what was required in the way of security for  PINs  and  keys
used  to  derive  PIN  information.   An avoidance of up front costs for
security led to potentially higher cost in the future.   The  key  area
was the lack of audits of the EFT system by both the institution and the
network, causing potential loss to all institutions on the network.

For those of you who would like a deeper view of thes of ATM
PIN stuff, I'm merging some previous postings along with a paper

An Overview of ATMs and Information on the Encoding System

With the North American continent being the world's biggest
consumer of goods and services, liquidity of the banking system has
become an important factor in our everyday lives.  Savings accounts
were used by people to keep money safe and used by the banks to
provide money for loans.  However, due to 'Bankers Hours' (10 AM to
3 PM) it was often difficult for people to get access to their
money when they needed it.

The banking system then created the Checking Account system.  This
system allowed people to have much easier access to their money.
Unfortunately the biggest drawback of this system is that people
cannot manage their own money and accounting procedures.  Millions of
times each day throughout the North American continent people are
writing checks for more money than they have in their savings accounts.
This drawback also causes the already backed-up judicial system to
become backed up further. The banking system soon reacted to this
problem by producing 'check verification' methods to prevent people
from forgery, and overdrawing from their accounts.

"Money makes the world go 'round" and there are many different ways
to make this world spin.  Today we have checking accounts, credit
cards, travelers checks, and the most 'liquid' form of money: cash.
Cash transactions are untrackable and widely accepted, so I feel
the "Paperless Society" will never happen.  Automated Teller Machines
provide consumers with 24-hour access to cash-sources.  By simply
inserting a plastic card into the machine and keypadding-in the
owner's "account password", you can access the owner's bank account
and receive cash in-hand.  This file will explain some details of
the automated tellers and the plastic card used by the Teller-system.

The automated teller is connected by wires and cables to a "Main
Computer".  During each transaction the teller sends signals to
the main computer.  The main computer records each transaction
(a deposit or withdrawal) and updates the card-holder's account.
It also sends 'approval' or 'denial' signals to the ATM in regard
to the transaction requested.  If a card-holder attempts to withdraw
$150.00 from his account and he has only $100.00 in it, the main
computer will tell the ATM to deny the transaction.

The ATM has 2 compartments to store cash in.  The first is the "deposits"
compartment.  This is a small area that receives the daily deposits.
It is located in the upper-part of the machine, near all the mechanical
devices.  However, because most ATM transactions are withdrawals the
complete bottom-half is filled with cash where the withdrawals are
extracted from.

The plastic card inserted into the machine is the same size as a
credit card.  The front of the card is embossed with information
about the card-holder.  The back-side of the card has a thin strip
of magnetic tape which also holds some important information.

   +--------------------------+     +--------------------------+
   ] CIRRUS                   ]     ]--------------------------]
   ]  INSTANT CASH CARD       ]     ]/////(magnetic strip)/////]
   ]                          ]     ]--------------------------]
   ] Acct: 12345675      Exp. ]     ]                          ]
   ] Joe Schmoe         01/91 ]     ] "card-holders signature" ]
   ]                          ]     ]                          ]
   +--------------------------+     +--------------------------+
          Front-side                          Back-side

When a cardholder inserts his card into the machine and requests a
transaction, the machine reads the embossed information from the
front-side and compares it with the data stored on the magnetic
strip; looking for a 'match' of the information on both sides.

The information on the front-side is easily readable with your
eyes.  However, you can not read the data on the magnetic-strip
so easily.  You may ask, "What is stored on the magnetic strip?".
The answer is: the same information as the embossing, plus some
'confidential' information regarding the cardholder's financial
status, is stored there.  The magnetic strip has 3 "tracks" on it.
The first track can store 210 BPI (Bytes per inch), and the second
stores 75 BPI, and the third stores 210 BPI.  So, we have:

                +---------------------------+
   Track 1:         (210 BPI density)
                +---------------------------+
   Track 2:         ( 75 BPI density)
                +---------------------------+
   Track 3:         (210 BPI density)
                +---------------------------+

                     THE MAGNETIC STRIP

Now, here's the information stored on each track of the strip in
my example:

   Track 1: " ;B 12345675 ^ Schmoe/Joe ^ ; LRC "
   Track 2: " ;12345675 01/91 ^ 1234 ^ (discriminate data) ; LRC "
   Track 3: " ;12345675 ^ 01/91 ^ 5 (discriminate data) ; LRC "

Here's the decoding of the above information:

Track 1:      ";" = Beginning of the data character
              "B" = Field-Control Character: I believe this character
                     tells the ATM what type of account (or status)
                     the user has.

       "12345675" = This is the account number of the cardholder.
              "^" = Data-field separator.
     "Schmoe/Joe" = Last/First name of cardholder.
              "^" = Data-field separator.
              ";" = End of data character.
            "LRC" = Longitudinal Redundancy Check (end of track character).

Track 2:      ";" = Beginning of data character
       "12345675" = Account number of the cardholder.
          "01/91" = Month/Year the card expires.
              "^" = Data-field separator.
           "1234" = Process Identification Number (The cardholder's 'password',
                     I think... or it could be a number to verify
                     the transaction between the ATM and the Main Computer).
              "^" = Data-field separator.
 "(dscrmn. data)" = Discriminate Data. Not much is known about exactly what
                     is stored here. Perhaps Bank Identification data or
                     bank account type (savings, checking?) ?
              ";" = End of data character.
            "LRC" = Longitudinal Redundancy Check.

Track 3:      ";" = Beginning of data character.
       "12345675" = Account number of the cardholder.
              "^" = Data-field separator.
          "01/91" = Month/Year the card expires.
              "^" = Data-field separator.
              "5" = The crypting-digit. When the transaction request
                     is sent to the main computer, it is encrypted.
                     This digit tells which encryption-key is used.
 "(dscrmn. data)" = A duplicate of the discriminate data stored on
                     Track 2.
              ";" = End of data character.
            "LRC" = Longitudinal Redundancy Check.

When the card is being processed the ATM tries to match the
account number, expiration date and name stored on each track.
The reason they duplicate data is for verification purposes. But,
notice that the duplicate data is stored on different tracks, each
having different recording densities.  Once the information on the
tracks is confirmed to match, the ATM compares it to the embossed
information on the front-side.  If all of the information matches
then the transaction will proceed.  If it doesn't match, then the card
is considered to be damaged and the ATM will keep the card.  It will
give the cardholder a piece of paper instructing the user to notify
the bank who issued his ATM-card so he can receive a replacement
card in the mail (this process takes about 3 weeks).

Now that you know how the ATM-system is designed and what information
is kept where on the card, what "security defects" does this system
contain ?  I will outline 4 methods of attacking this system that
have been tried (not by me!).

  1) Vandalization:  If you want, you can break-in to the ATM.
     However, most ATM's contain 'sensor' devices which sound an
     alarm when this is tried.  Therefore, if you're going to try
     this method I do not suggest using a hammer and chisel on the
     ATM because it will take 1/2 an hour to get the machine open
     and by that time the police will be there.  You could try a
     much faster way, dynamite; but that might scatter the money
     all-over, making it hard to collect.  Also, the bottom-half
     is where most of the money is stored (unless you happen to
     choose a machine that has issued all of its withdrawal-cash)
     so you'll want to break into the bottom-half of the ATM.

     In relation to this, you could wait outside the ATM for a
     valid-user to complete his withdrawal-transaction and mug him.
     As far as I know, the bank holds no responsibility for placing
     the ATM in a 'secure' environment.  However, usually they will
     have lights nearby and placed in 'reasonable' places where
     people need money (example: Grocery store) and where the chance
     of mugging is slim.

  2) Physical Penetration: There are several ways of doing this.
     If you have a stolen card, you could randomly try guessing his
     account-password.  But, I feel this is a primitive method.
     If you try too many attempts at guessing the 'password',
     the ATM will return the card to you.  But, your attempts
     *might* be recorded in the central computer; allowing the
     bank to decide whether to cancel that card... However,
     this has not been verified by me.  If you do get a cash-card,
     you can make counterfeit-cards.

     A) Counterfeit ATM-cards:  The same method for producing
        counterfeit credit cards applies to ATM-cards.  If you
        have a valid ATM-card you can 'clone' it simply by embossing
        a blank-card with the same information.  Copying the mag-
        netic strip is also easy. To do this, you place a blank
        strip of the magnetic tape on top of the valid magnetic
        strip.  Then, using an iron on low-heat, gently rub the
        iron across the two strips for a few seconds.  Lastly,
        peel the new strip apart from the valid one and you've
        got a copy of all the data from the valid ATM-card.

     B) Also, I've heard a case where some guys had a machine
        that could read and write to the magnetic strips (probably
        they were employees of a company that produces the ATM-cards).
        Using this machine, they were able to create and change
        existing data on ATM-cards (such as the expiration date
        so they could keep using the same card over a long period
        of time).

        In relation to this there are other devices available that
        can read and write to magnetic strips.  Using your own
        microcomputer, you can buy a device that allows you to
        read and write to these magnetic strips. It looks
        similar to a disk drive.  If you're interested in
        exploring this method, I'll suggest that you contact
        the following company:

                 American Magnetics Corporation
                 740 Watsoncenter Road
                 Carson, California   90745
                 USA

                 213/775-8651
                 213/834-0685  FAX
                 910-345-6258  TWX

     C) WARNING: During each transaction attempted on an ATM a
        photo of the person requesting the transaction is taken.
        How long this film is stored is unknown, but it probably
        is different for each bank (unless there is a federal
        regulation regarding this).  Also, it is possible that
        this is not done at all ATMs.

  3) "Insider" Theft: The above case also crosses over into this
      section.  The biggest 'security leaks' in any company are
      its employees.  This is also the easiest way to steal money
      from ATMs.  The man who collects the deposits from the machine
      and inserts cash for withdrawals has the easiest and most
      open access to these machines.  I was told that this person
      can easily steal money from ATMs and not be detected.  Another
      person with access to these machines is the technician. The
      technician who fixes ATMs is the most-knowledgeable person
      about ATMs within the bank, therefore he should be a
      trustworthy guy and receive a 'comfortable' salary.. otherwise
      he'll begin to collect 'retirement benefits' from the ATM
      and this may go undetected.

      However, I have heard of some embezzlement-cases involving ATMs,
      so I think it's not as easy as it seems.  It's only common sense
      that a bank would account for every dollar of every transaction.
      Whether the accounting is done inside the ATM or the main
      computer doesn't make a difference...  some form of accounting
      is *probably* done.

  4) Data-link Intercept:  This method has been very successful.  What
     you do is 'tap' into the wires that connect the ATM to the Main
     computer.  By doing this you can intercept and send signals to
     the ATM.  However, some 'inside information' is needed because
     the transmission is encrypted (refer to the Cryptography Digit
     stored on the magnetic strip).  But, I think you don't need to
     know *everything* being transferred.  You should need to know
     when to send the 'approval' signal to the ATM telling it to
     dispense its cash.  I read a case (it may be in Phrack World
     News; 1985?) where some guys netted $600,000 from various ATMs
     using this method.  This seems to be one of the better, and
     more ingenious methods of stealing from these machines.
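
The weakness item 4 describes is an ATM that acts on an 'approval' signal it cannot authenticate. The Python below is an added example (not part of the original file) showing a host response that carries an HMAC bound to the pending request, so an altered, replayed or untagged approval is refused; the key, field names and terminal ID are constructed for illustration and do not describe any real ATM protocol.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real terminal and host would hold this in secure hardware.
MAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def build_request(terminal_id, seq, amount_cents):
    """ATM side: every request carries a sequence number and a fresh nonce."""
    return {"terminal": terminal_id, "seq": seq, "amount": amount_cents,
            "nonce": secrets.token_hex(8)}

def _tag(key, req, decision):
    # The tag covers the decision and every field of the request it answers.
    fields = [req["terminal"], req["seq"], req["amount"], req["nonce"], decision]
    return hmac.new(key, json.dumps(fields).encode(), hashlib.sha256).hexdigest()

def host_respond(key, req, approve):
    """Host side: authenticate the decision for this specific request."""
    decision = "APPROVE" if approve else "DECLINE"
    return {"decision": decision, "tag": _tag(key, req, decision)}

def atm_should_dispense(key, pending_req, resp):
    """ATM side: dispense only on an authentic APPROVE for the pending request."""
    decision = str(resp.get("decision", ""))
    received = str(resp.get("tag", "")).encode()
    expected = _tag(key, pending_req, decision).encode()
    # Constant-time comparison; anything unauthenticated fails closed.
    return hmac.compare_digest(expected, received) and decision == "APPROVE"

def demo():
    """Run genuine, altered, replayed and untagged responses past the check."""
    earlier = build_request("ATM-0042", 1000, 20000)   # constructed sample data
    recorded = host_respond(MAC_KEY, earlier, True)     # valid, but for an old request
    pending = build_request("ATM-0042", 1001, 20000)
    decline = host_respond(MAC_KEY, pending, False)
    altered = {"decision": "APPROVE", "tag": decline["tag"]}
    return {
        "genuine_approve": atm_should_dispense(MAC_KEY, pending, host_respond(MAC_KEY, pending, True)),
        "genuine_decline": atm_should_dispense(MAC_KEY, pending, decline),
        "altered_decline": atm_should_dispense(MAC_KEY, pending, altered),
        "replayed_approve": atm_should_dispense(MAC_KEY, pending, recorded),
        "untagged_approve": atm_should_dispense(MAC_KEY, pending, {"decision": "APPROVE"}),
    }

if __name__ == "__main__":
    print(demo())
```

Only the genuine approval for the pending request passes; encryption of the link alone would not give this property, because the check is on authenticity and freshness rather than secrecy.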

The information in this file should be 'adequate' to introduce you
to how ATMs work.  How did I get this information?  I went into a
bank and inquired about the computer-technology of ATMs.  The man
who was responsible for the ATMs was a bureaucrat and actually knew
very little about the 'guts' of ATMs.   Luckily the ATM-technician
was there that day and I agreed to buy him dinner later that evening.
(Please refer to: "Insider" Theft and the principle of Company-Loyalty).
During the dinner at "Toppers" (a neat 1950's Burgers/Milkshake/Beer
restaurant) he provided me with Operation and Repair manuals for the
ATMs.  I feel this information is well-worth the $3.82 dinner and
will be of some value to its readers.  Some good information was
screened-out due to its 'delicate nature', but the information I've
provided has been confirmed.