From: Chris Blunt 
Newsgroups: uk.finance
Subject: Re: ATM limits.
Date: Sun, 30 May 2004 12:35:17 +0100

On Sat, 29 May 2004 19:59:54 +0100, John Laird
 wrote:

>On Sat, 29 May 2004 18:26:18 +0100, john boyle 
>wrote:
>
>>In message , Chris Blunt 
>> writes
>>>Surely if a fraudster had access to the encryption algorithm, it
>>>wouldn't take much to encrypt all possible combinations of a 4-digit
>>>PIN and compare the results with what was stored on the card. Once he
>>>had a match he'd know the PIN.
>>>
>>So why isn't such fraud prevalent then?
>
>There are only two possible answers:
>a) The card by itself is not enough and an online connection is part of the
>process of validation.
>b) The banks have managed to keep the encryption details secret.  (This
>would be no mean feat, and there is still a vulnerability in the ATMs
>themselves if someone was prepared to ship one away and attempt to
>reverse-engineer the software inside.  One would hope the machines are set
>up to "lose" key details on power fail, perhaps.)

I would think the chances of (b), keeping it secret, would be almost
zero, especially as the same algorithm must be used globally to allow
international use of cards. It wouldn't take much to persuade a
low-paid ATM technician in a small bank somewhere to reveal all.
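
The question in this thread turns on whether the value checked against the PIN depends only on a known algorithm or also on a secret key. The sketch below is an example added to this archive page, not code from any poster and not a description of how real cards or ATMs compute their check values. SHA-256 and HMAC-SHA256 are stand-ins, and the account number, PIN and keys are constructed sample values.

```python
import hashlib
import hmac

ACCOUNT = "0000123456"         # constructed sample account number
ISSUER_KEY = bytes(range(16))  # constructed; stands in for a key held only by the issuer

def unkeyed_value(pin, account=ACCOUNT):
    """Check value from a public algorithm with no secret input."""
    return hashlib.sha256(f"{account}:{pin}".encode()).hexdigest()

def keyed_value(pin, key, account=ACCOUNT):
    """Check value from the same kind of public algorithm plus a secret key."""
    return hmac.new(key, f"{account}:{pin}".encode(), hashlib.sha256).hexdigest()

def matching_pins(stored, compute):
    """Every 4-digit PIN whose computed check value equals the stored one."""
    candidates = (f"{n:04d}" for n in range(10_000))
    return [p for p in candidates if hmac.compare_digest(compute(p), stored)]

def demo():
    pin = "4821"  # constructed sample PIN
    stored_unkeyed = unkeyed_value(pin)
    stored_keyed = keyed_value(pin, ISSUER_KEY)

    # Algorithm known, no key involved: 10,000 trials identify the PIN.
    no_key_scheme = matching_pins(stored_unkeyed, unkeyed_value)

    # Algorithm known, key unknown: trials under a guessed key match nothing.
    guessed_key = b"\x00" * 16
    wrong_key = matching_pins(stored_keyed, lambda p: keyed_value(p, guessed_key))

    # Whoever holds the real key can still enumerate, so the key is what
    # has to be protected, not the algorithm.
    with_key = matching_pins(stored_keyed, lambda p: keyed_value(p, ISSUER_KEY))
    return no_key_scheme, wrong_key, with_key

if __name__ == "__main__":
    for label, result in zip(("no key in scheme", "wrong key", "issuer key"), demo()):
        print(f"{label}: {result}")
```

The third case is why the key has to stay inside protected hardware or on the issuer's side of an online check, which is where the two answers quoted above meet.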