Perhaps several programmers and engineers inside the bank can get hold of the
DES keys. Perhaps the keys are read out of offline ATMs (e.g., in Italy).
Finally, a small explosive charge will remove fingerprints and scratches
(at least that's what the criminals hope).
We could continue spinning this thread. There are just too many ways to get
hold of the DES keys. Though every ATM card is fitted with a tamperproof
'modulated machine-readable characteristic' (readable by infrared, to my
knowledge), it can currently be read by only about a third of all ATMs out
there. So this data is not included in the PIN calculation; it merely means
that forged cards have to be handled with a bit more care. Mind you, magnetic
stripe cards and card readers are cheap and available at the computer store
round the corner ...
There is no reason to panic just yet. But we should handle our ATM cards and
credit cards as if they were a thick bundle of cash. And we now know a good
reason why we shouldn't tell anyone that our accounts are well filled.
Things are worse with credit card numbers, by the way. I came across detailed
instructions on the Internet on how to evaluate these numbers and what tricks
to use to make a handsome profit. It didn't come close to instructions on 'how
to build bombs'; they simply wanted to remind everybody to be careful. I think we
all have a hunch about how much criminal energy people sniffing the network
put into their job. This is a good reason to transmit credit card numbers over
the Net only in encrypted form to have more security against attacks, at least
statistically.
Migration of PINs in 1997/1998
At the beginning of 1998, all European ATM cards migrated to a new system,
and their owners received new PINs. As it happened, 0 is now admissible as
the first digit. All of this raises hopes. Furthermore, it was said that 128-bit
keys would be used from then onwards. Had they migrated to using IDEA?
People jumped for joy too early: they had merely replaced DES with Triple-DES.
The good news is that this frustrates brute-force attacks, at least based on
current knowledge. The somewhat strange arithmetic '2 · 56 = 128' used to
specify the key length is probably explained by the parity bits: a DES key is
stored as 64 bits, of which 8 are parity bits that the cipher ignores, so two
DES keys amount to 2 · 64 = 128 stored bits but only 2 · 56 = 112 effective
key bits.
Unfortunately, further details were not officially revealed. I know only that
every bank now has its own PIN key, and that this key never leaves their
computer center. In other words, all ATMs have to be connected online to the
bank; the PIN is verified only there, never in the ATM itself. This is why one
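The parity arithmetic behind '56 versus 64 bits per DES key', as an added example that is not from the book: the DES key schedule starts with the permuted choice PC-1 from FIPS 46-3, and that table never references the low bit of any key byte, so two keys that differ only in their parity bits drive the cipher identically. The code below checks this against the table, derives the 56/112/168 effective-bit counts for DES, two-key and three-key Triple-DES, and shows how the odd-parity bits are set. The sample key is constructed for the demonstration.

```python
"""DES key parity versus effective key length (added example, not from the book).

A DES key is stored as 8 bytes = 64 bits, but the low bit of every byte is an
odd-parity bit that the key schedule discards, so only 56 bits enter the
cipher. A two-key Triple-DES key is therefore 2 x 64 = 128 stored bits but
only 2 x 56 = 112 effective bits, which is the arithmetic behind "128 bits".
"""

# PC-1, the first permuted-choice table of the DES key schedule (FIPS 46-3).
# Entries are 1-based bit positions; bit 1 is the MSB of the first key byte.
PC1 = [
    57, 49, 41, 33, 25, 17, 9,
    1, 58, 50, 42, 34, 26, 18,
    10, 2, 59, 51, 43, 35, 27,
    19, 11, 3, 60, 52, 44, 36,
    63, 55, 47, 39, 31, 23, 15,
    7, 62, 54, 46, 38, 30, 22,
    14, 6, 61, 53, 45, 37, 29,
    21, 13, 5, 28, 20, 12, 4,
]
# The parity bit is the LSB of each byte, i.e. bit 8, 16, ..., 64.
PARITY_BIT_POSITIONS = {8, 16, 24, 32, 40, 48, 56, 64}


def _bit(key: bytes, pos: int) -> int:
    """Return bit `pos` (1-based, MSB-first) of an 8-byte DES key."""
    byte, offset = divmod(pos - 1, 8)
    return (key[byte] >> (7 - offset)) & 1


def key_schedule_input(key: bytes) -> tuple:
    """The 56 bits that PC-1 hands to the DES key schedule."""
    if len(key) != 8:
        raise ValueError("a single DES key is 8 bytes")
    return tuple(_bit(key, p) for p in PC1)


def pc1_ignores_parity_bits() -> bool:
    """True if PC-1 selects 56 distinct bits and none of them is a parity bit."""
    return len(set(PC1)) == 56 and not (set(PC1) & PARITY_BIT_POSITIONS)


def has_odd_parity(key: bytes) -> bool:
    """True if every byte of the key has an odd number of 1 bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def fix_parity(key: bytes) -> bytes:
    """Set the LSB of every byte so that each byte has odd parity."""
    out = bytearray()
    for b in key:
        high = b & 0xFE                      # the 7 key bits of this byte
        ones = bin(high).count("1")
        out.append(high | (0 if ones % 2 else 1))
    return bytes(out)


def flip_parity_bits(key: bytes) -> bytes:
    """A key that differs from `key` only in its parity bits."""
    return bytes(b ^ 0x01 for b in key)


def effective_key_bits(key: bytes) -> int:
    """Stored bits minus one parity bit per byte: 56 (DES), 112 (2-key 3DES), 168 (3-key 3DES)."""
    if len(key) not in (8, 16, 24):
        raise ValueError("DES/3DES keys are 8, 16 or 24 bytes")
    return len(key) * 8 - len(key)


if __name__ == "__main__":
    # Constructed sample key (the classic DES test vector key); any 8 bytes would do.
    k = bytes.fromhex("0123456789abcdef")
    assert pc1_ignores_parity_bits()
    # Flipping only parity bits leaves the key schedule input unchanged ...
    assert key_schedule_input(k) == key_schedule_input(flip_parity_bits(k))
    # ... while flipping a real key bit (bit 1, which PC-1 does use) changes it.
    assert key_schedule_input(k) != key_schedule_input(bytes([k[0] ^ 0x80]) + k[1:])
    print("DES:", effective_key_bits(k), "2-key 3DES:", effective_key_bits(k * 2),
          "3-key 3DES:", effective_key_bits(k * 3))
```

Because PC-1 drops the parity positions, any library that refuses a key with bad parity is enforcing a storage convention, not a cryptographic requirement; `fix_parity` is what such a library does internally before the key is used.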