                 ==Phrack Classic==

        Volume Three, Issue 32, File #6 of 12

        +----------------------------------+
        ]          Exploration of:         ]
        ]  Automatic Teller Machine Cards  ]
        ]                                  ]
        +----+-------------------------+---+
             ]       Written by:       ]
             ]      Jester Sluggo      ]
             ]                         ]
             ] Released: May 13, 1989  ]
             ](to Black-Ice:For Review)]
             ] Released: Jan 12, 1990  ]
             ]    (to Phrack Inc.)     ]
             ] Released: Nov, 10, 1990 ]
             ]   (to Phrack Classic)   ]
             +-------------------------+

With the North American continent being the world's biggest consumer of
goods and services, liquidity of the banking system has become an
important factor in our everyday lives. Savings accounts were used by
people to keep money safe and used by the banks to provide money for
loans. However, due to 'Bankers Hours' (10 AM to 3 PM) it was often
difficult for people to get access to their money when they needed it.

The banking system then created the Checking Account system. This system
allowed people to have much easier access to their money. Unfortunately
the biggest drawback of this system is that people cannot manage their
own money and accounting procedures. Millions of times each day
throughout the North American continent people are writing checks for
more money than they have in their savings accounts. This drawback also
causes the already backed-up judicial system to become backed up
further. The banking system soon reacted to this problem by producing
'check verification' methods to prevent people from forgery and from
overdrawing their accounts.

"Money makes the world go 'round" and there are many different ways to
make this world spin. Today we have checking accounts, credit cards,
travelers checks, and the most 'liquid' form of money: cash. Cash
transactions are untrackable and widely accepted, so I feel the
"Paperless Society" will never happen.

Automated Teller Machines provide consumers with 24-hour access to
cash-sources.
By simply inserting a plastic card into the machine and keypadding-in
the owner's "account password", you can access the owner's bank account
and receive cash in-hand. This file will explain some details of the
automated tellers and the plastic card used by the Teller-system.

The automated teller is connected by wires and cables to a "Main
Computer". During each transaction the teller sends signals to the main
computer. The main computer records each transaction (a deposit or
withdrawal) and updates the card-holder's account. It also sends
'approval' or 'denial' signals to the ATM in regard to the transaction
requested. If a card-holder attempts to withdraw $150.00 from his
account and he has only $100.00 in it, the main computer will tell the
ATM to deny the transaction.

The ATM has 2 compartments to store cash in. The first is the "deposits"
compartment. This is a small area that receives the daily deposits. It
is located in the upper part of the machine, near all the mechanical
devices. However, because most ATM transactions are withdrawals, the
complete bottom half is filled with cash, from which the withdrawals are
extracted.

The plastic card inserted into the machine is the same size as a credit
card. The front of the card is embossed with information about the
card-holder. The back side of the card has a thin strip of magnetic tape
which also holds some important information.

  +--------------------------+     +--------------------------+
  ] CIRRUS                   ]     ]--------------------------]
  ]    INSTANT CASH CARD     ]     ]/////(magnetic strip)/////]
  ]                          ]     ]--------------------------]
  ] Acct: 12345675    Exp.   ]     ]                          ]
  ] Joe Schmoe        01/91  ]     ] "card-holders signature" ]
  ]                          ]     ]                          ]
  +--------------------------+     +--------------------------+
           Front-side                        Back-side

When a cardholder inserts his card into the machine and requests a
transaction, the machine reads the embossed information from the front
side and compares it with the data stored on the magnetic strip, looking
for a 'match' of the information on both sides.

The information on the front side is easily readable with your eyes.
However, you cannot read the data on the magnetic strip so easily. You
may ask, "What is stored on the magnetic strip?" The answer is: the same
information as the embossing, plus some 'confidential' information
regarding the cardholder's financial status, is stored there. The
magnetic strip has 3 "tracks" on it. The first track can store 210 BPI
(Bytes per inch), the second stores 75 BPI, and the third stores 210
BPI. So, we have:

  +---------------------------+
   Track 1: (210 BPI density)
  +---------------------------+
   Track 2: ( 75 BPI density)
  +---------------------------+
   Track 3: (210 BPI density)
  +---------------------------+
       THE MAGNETIC STRIP

Now, here's the information stored on each track of the strip in my
example:

  Track 1: " ;B 12345675 ^ Schmoe/Joe ^ ; LRC "
  Track 2: " ;12345675 01/91 ^ 1234 ^ (discriminate data) ; LRC "
  Track 3: " ;12345675 ^ 01/91 ^ 5 (discriminate data) ; LRC "

Here's the decoding of the above information:

Track 1:
  ";"              = Beginning of the data character.
  "B"              = Field-Control Character: I believe this character
                     tells the ATM what type of account (or status) the
                     user has.
  "12345675"       = This is the account number of the cardholder.
  "^"              = Data-field separator.
  "Schmoe/Joe"     = Last/First name of cardholder.
  "^"              = Data-field separator.
  ";"              = End of data character.
  "LRC"            = Longitudinal Redundancy Check (end of track
                     character).

Track 2:
  ";"              = Beginning of data character.
  "12345675"       = Account number of the cardholder.
  "01/91"          = Month/Year the card expires.
  "^"              = Data-field separator.
  "1234"           = Process Identification Number (The cardholder's
                     'password', I think... or it could be a number to
                     verify the transaction between the ATM and the Main
                     Computer).
  "^"              = Data-field separator.
  "(dscrmn. data)" = Discriminate Data. Not much is known about exactly
                     what is stored here. Perhaps Bank Identification
                     data or bank account type (savings, checking?)?
  ";"              = End of data character.
  "LRC"            = Longitudinal Redundancy Check.

Track 3:
  ";"              = Beginning of data character.
  "12345675"       = Account number of the cardholder.
  "^"              = Data-field separator.
  "01/91"          = Month/Year the card expires.
  "^"              = Data-field separator.
  "5"              = The crypting-digit. When the transaction request is
                     sent to the main computer, it is encrypted. This
                     digit tells which encryption-key is used.
  "(dscrmn. data)" = A duplicate of the discriminate data stored on
                     Track 2.
  ";"              = End of data character.
  "LRC"            = Longitudinal Redundancy Check.

When the card is being processed the ATM tries to match the account
number, expiration date and name stored on each track. The reason they
duplicate data is for verification purposes. But notice that the
duplicate data is stored on different tracks, each having different
recording densities. Once the information on the tracks is confirmed to
match, the ATM compares it to the embossed information on the front
side. If all of the information matches then the transaction will
proceed. If it doesn't match, then the card is considered to be damaged
and the ATM will keep the card. It will give the cardholder a piece of
paper instructing the user to notify the bank who issued his ATM-card so
he can receive a replacement card in the mail (this process takes about
3 weeks).

Now that you know how the ATM-system is designed and what information is
kept where on the card, what "security defects" does this system
contain? I will outline 4 methods of attacking this system that have
been tried (not by me!).

1) Vandalization: If you want, you can break into the ATM.
   However, most ATMs contain 'sensor' devices which sound an alarm when
   this is tried. Therefore, if you're going to try this method I do not
   suggest using a hammer and chisel on the ATM because it will take 1/2
   an hour to get the machine open and by that time the police will be
   there. You could try a much faster way, dynamite; but that might
   scatter the money all over, making it hard to collect. Also, the
   bottom half is where most of the money is stored (unless you happen
   to choose a machine that has issued all of its withdrawal-cash) so
   you'll want to break into the bottom half of the ATM.

   In relation to this, you could wait outside the ATM for a valid user
   to complete his withdrawal-transaction and mug him. As far as I know,
   the bank holds no responsibility for placing the ATM in a 'secure'
   environment. However, usually they will have lights nearby and be
   placed in 'reasonable' places where people need money (example:
   Grocery store) and where the chance of mugging is slim.

2) Physical Penetration: There are several ways of doing this. If you
   have a stolen card, you could randomly try guessing his
   account-password. But I feel this is a primitive method. If you try
   too many attempts at guessing the 'password', the ATM will return the
   card to you. But your attempts *might* be recorded in the central
   computer, allowing the bank to decide whether to cancel that card...
   However, this has not been verified by me. If you do get a cash-card,
   you can make counterfeit cards.

   A) Counterfeit ATM-cards: The same method for producing counterfeit
      credit cards applies to ATM-cards. If you have a valid ATM-card
      you can 'clone' it simply by embossing a blank card with the same
      information. Copying the magnetic strip is also easy. To do this,
      you place a blank strip of the magnetic tape on top of the valid
      magnetic strip. Then, using an iron on low heat, gently rub the
      iron across the two strips for a few seconds. Lastly, peel the new
      strip apart from the valid one and you've got a copy of all the
      data from the valid ATM-card.

   B) Also, I've heard a case where some guys had a machine that could
      read and write to the magnetic strips (probably they were
      employees of a company that produces the ATM-cards). Using this
      machine, they were able to create and change existing data on
      ATM-cards (such as the expiration date so they could keep using
      the same card over a long period of time).

      In relation to this there are other devices available that can
      read and write to magnetic strips. Using your own microcomputer,
      you can buy a device that allows you to read and write to these
      magnetic strips. It looks similar to a disk drive. If you're
      interested in exploring this method, I'll suggest that you contact
      the following company:

          American Magnetics Corporation
          740 Watsoncenter Road
          Carson, California 90745
          USA
          213/775-8651
          213/834-0685 FAX
          910-345-6258 TWX

   C) WARNING: During each transaction attempted on an ATM a photo of
      the person requesting the transaction is taken. How long this film
      is stored is unknown, but it probably is different for each bank
      (unless there is a federal regulation regarding this). Also, it is
      possible that this is not done at all ATMs.

3) "Insider" Theft: The above case also crosses over into this section.
   The biggest 'security leaks' in any company are its employees. This
   is also the easiest way to steal money from ATMs. The man who
   collects the deposits from the machine and inserts cash for
   withdrawals has the easiest and most open access to these machines. I
   was told that this person can easily steal money from ATMs and not be
   detected. Another person with access to these machines is the
   technician. The technician who fixes ATMs is the most knowledgeable
   person about ATMs within the bank, therefore he should be a
   trustworthy guy and receive a 'comfortable' salary... otherwise he'll
   begin to collect 'retirement benefits' from the ATM and this may go
   undetected.

   However, I have heard of some embezzlement cases involving ATMs, so I
   think it's not as easy as it seems. It's only common sense that a
   bank would account for every dollar of every transaction. Whether the
   accounting is done inside the ATM or the main computer doesn't make a
   difference... some form of accounting is *probably* done.

4) Data-link Intercept: This method has been very successful. What you
   do is 'tap' into the wires that connect the ATM to the Main computer.
   By doing this you can intercept and send signals to the ATM. However,
   some 'inside information' is needed because the transmission is
   encrypted (refer to the Cryptography Digit stored on the magnetic
   strip). But I think you don't need to know *everything* being
   transferred. You should need to know when to send the 'approval'
   signal to the ATM telling it to dispense its cash. I read a case (it
   may be in Phrack World News; 1985?) where some guys netted $600,000
   from various ATMs using this method. This seems to be one of the
   better, and more ingenious, methods of stealing from these machines.

The information in this file should be 'adequate' to introduce you to
how ATMs work. How did I get this information? I went into a bank and
inquired about the computer-technology of ATMs. The man who was
responsible for the ATMs was a bureaucrat and actually knew very little
about the 'guts' of ATMs. Luckily the ATM-technician was there that day
and I agreed to buy him dinner later that evening. (Please refer to:
"Insider" Theft and the principle of Company-Loyalty). During the dinner
at "Toppers" (a neat 1950's Burgers/Milkshake/Beer restaurant) he
provided me with Operation and Repair manuals for the ATMs. I feel this
information is well worth the $3.82 dinner and will be of some value to
its readers. Some good information was screened out due to its 'delicate
nature', but the information I've provided has been confirmed.
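
Added example (not part of the original file and not any ATM vendor's
code): the cross-track matching described in the track-decoding section
above, sketched in Python over the article's schematic track layout. The
function and field names are assumptions made for illustration.

```python
# Added illustration. It parses the article's schematic track layout, not a
# real card encoding; every function and field name below is hypothetical.

def _fields(track):
    """Drop the ';' sentinels and split the track body on '^'."""
    data = track.strip()
    if not data.startswith(";") or data.count(";") < 2:
        raise ValueError("missing start or end sentinel")
    body = data[1:data.rindex(";")]   # what follows the end ';' is the LRC
    return [f.strip() for f in body.split("^")]

def parse_card(t1, t2, t3):
    """Return one dict per track, using the field order the article lists."""
    f1, f2, f3 = _fields(t1), _fields(t2), _fields(t3)
    last, first = f1[1].split("/")    # stored as Last/First
    acct2, exp2 = f2[0].split()
    key, _, disc3 = f3[2].partition(" ")
    return [
        {"control": f1[0][0], "account": f1[0][1:].strip(),
         "name": f"{first} {last}"},
        {"account": acct2, "expires": exp2, "process_id": f2[1], "disc": f2[2]},
        {"account": f3[0], "expires": f3[1], "key_digit": key,
         "disc": disc3.strip()},
    ]

def check_card(tracks, embossed):
    """Compare duplicated fields; return (decision, mismatched field names)."""
    try:
        parsed = parse_card(*tracks)
    except (ValueError, IndexError):
        return "retain card", ["unreadable track"]
    bad = []
    for field in ("account", "expires", "name", "disc"):
        seen = {p[field] for p in parsed if field in p}
        if field in embossed:
            seen.add(embossed[field])
        if len(seen) != 1:
            bad.append(field)
    return ("proceed" if not bad else "retain card"), bad

# Constructed sample: the article's own example card.
TRACKS = (
    ";B 12345675 ^ Schmoe/Joe ^ ; LRC",
    ";12345675 01/91 ^ 1234 ^ (discriminate data) ; LRC",
    ";12345675 ^ 01/91 ^ 5 (discriminate data) ; LRC",
)
EMBOSSED = {"account": "12345675", "expires": "01/91", "name": "Joe Schmoe"}
```

The check compares the card only with itself and its embossing, so it
flags a damaged or inconsistently altered card; it says nothing about
whether the card is the issuer's original.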

+---------+
] CREDITS ]
+---------+
The Mentor (Phrack #8, File #7; "Fun with Automatic Tellers")
Deserted Surfer
Hyudori
Lex Luthor

Please distribute this file in its complete form.