[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]

..[ Phrack Magazine ]..
.:: Automatic Teller Machine Cards ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ]
Current issue : #32 | Release date : 1990-11-17 | Editor : Crimson Death
Phrack Classic XXXII IndexCrimson Death
Phrack Classic Spotlight featuring Knight LightningCrimson Death & Knight Lightning
Concerning Hackers Who Break Into Computer SystemsDorthy Denning
The Art of InvestigationThe Butler
Unix 'Nasties'Sir Hackalot
Automatic Teller Machine CardsJester Sluggo
A Trip to the NCSCKnight Lightning
Inside the SYSUAF.DAT FilePain Hertz
RSTSCrimson Death
Knight Line I Part 1Doc Holiday
Knight Line I Part 2Doc Holiday
Knight Line I Part 3Doc Holiday
Title : Automatic Teller Machine Cards
Author : Jester Sluggo
                              ==Phrack Classic==

                     Volume Three, Issue 32, File #6 of 12

                     ]          Exploration of:         ]
                     ]  Automatic Teller Machine Cards  ]
                     ]                                  ]
                          ]       Written by:       ]
                          ]      Jester Sluggo      ]
                          ]                         ]
                          ] Released: May 13, 1989  ]
                          ](to Black-Ice:For Review)]
                          ] Released: Jan 12, 1990  ]
                          ]    (to Phrack Inc.)     ]
                          ] Released: Nov, 10, 1990 ]
                          ]   (to Phrack Classic)   ]

With the North American continent the being the worlds biggest
consumer of goods and services liquidity of the banking system  has
become an important factor in our everyday lives.  Savings accounts
were used by people to keep money safe and used by the banks to
provide money for loans.  However, due to 'Bankers Hours' (10 AM to
3 PM) it was often difficult for people to get access to thier
money when they needed it.

The banking system then created the Checking Account system.  This
system allowed people to have much easier access to thier money.
Unfortunately the biggest drawback of this system is that people can
not manage thier own money and accounting procedures.  Millions of
times each day throughout the North American continent people are
writing checks for more money than they have in thier savings accounts.
This drawback also causes the already-backed up judicial system to
become backed up further. The banking system soon reacted to this
problem by producing 'check verification' methods to prevent people
from forgery, and overdrawing from thier accounts.

"Money makes the world go 'round" and there are many different ways
to make this world spin.  Today we have checking accounts, credit
cards, travelers checks, and the most 'liquid' form of money: cash.
Cash transactions are untrackable and widely accepted, so I feel
the "Paperless Society" will never happen.  Automated Teller Machines
provide consumers with 24-hour access to cash-sources.  By simply
inserting a plastic card into the machine and keypadding-in the
owners' "account password", you can access the owners bank account
and receive cash in-hand.  This file will explain some details of
the automated tellers and the plastic card used by the Teller-system.

The automated teller is connected by wires and cables to a "Main
Computer".  During each transaction the teller sends signals to
the main computer.  The main computer records each transaction
(a deposit or withdrawl) and updates the card-holders account.
It also sends 'approval' or 'denial' signals to the ATM in regard
to the transaction requested.  If a card-holder attempts to withdraw
$150.00 from his account and he has only $100.00 in it, the main
computer will tell the ATM to deny the transaction.

The ATM has 2 compartments to store cash in.  The first is the "deposits"
compartment.  This is a small area that receives the daily deposits.
It is located in the upper-part of the machine, near all the mechanical
devices.  However, because most ATM transactions are withdrawls the
complete bottom-half is filled with cash where the withdrawls are
extracted from.

The plastic card inserted into the machine is the same size as a
credit card.  The front of the card is embossed with information
about the card-holder.  The back-side of the card has a thin strip
of magnetic tape which also holds some important information.

   +--------------------------+     +--------------------------+
   ] CIRRUS                   ]     ]--------------------------]
   ]  INSTANT CASH CARD       ]     ]/////(magnetic strip)/////]
   ]                          ]     ]--------------------------]
   ] Acct: 12345675      Exp. ]     ]                          ]
   ] Joe Schmoe         01/91 ]     ] "card-holders signature" ]
   ]                          ]     ]                          ]
   +--------------------------+     +--------------------------+
          Front-side                          Back-side

When a cardholder inserts his card into the machine and requests a
transaction, the machine reads the embossed information from the
front-side and compares it with the data stored on the magnetic
strip; looking for a 'match' of the information on both sides.

The information on the front-side is easily readable with your
eyes.  However, you can not read the data on the magnetic-strip
so easily.  You may ask , "What is stored on the magnetic strip ?".
The answer is; the same information as the embossing plus some
'confidential' information regarding the cardholders' financial
status is stored there.  The magnetic strip has 3 "tracks" on it.
The first track can store 210 BPI (Bytes per inch), and the second
stores 75 BPI, and the third stores 210 BPI.  So, we have:

   Track 1:         (210 BPI density)
   Track 2:         ( 75 BPI density)
   Track 3:         (210 BPI density)

                     THE MAGNETIC STRIP

Now, here's the information stored on each track of the strip in
my example:

   Track 1: " ;B 12345675 ^ Schmoe/Joe ^ ; LRC "
   Track 2: " ;12345675 01/91 ^ 1234 ^ (discriminate data) ; LRC "
   Track 3: " ;12345675 ^ 01/91 ^ 5 (discriminate data) ; LRC "

Here's the decoding of the above information:
Track 1:      ";" = Beginning of the data character
              "B" = Field-Control Character: I believe this character
                     tells the ATM what type of account (or status)
                     the user has.
       "12345675" = This is the account number of the cardholder.
              "^" = Data-field seperator.
     "Schmoe/Joe" = Last/First name of cardholder.
              "^" = Data-field seperator.
              ";" = End of data character.
            "LRC" = Longitude Redundancy Check (end of track character).

Track 2:      ";" = Beginning of data character
       "12345675" = Account number of the cardholder.
          "01/91" = Month/Year the card expires.
              "^" = Data-field seperator.
           "1234" = Process Identification Number (The cardholders 'password',
                     I think... or it could be a number to verify the
                     the transaction between the ATM and the Main Computer).
              "^" = Data-field seperator
 "(dscrmn. data)" = Discriminate Data. Not much is known exactly what is
                     stored here. Perhaps Bank Identification data or
                     bank account type (savings, checking?) ?
              ";" = End of data character.
            "LRC" = Longitude Redundancy Check.

Track 3:      ";" = Beginning of data character.
       "12345675" = Account number of the cardholder.
              "^" = Data-field seperator.
          "01/91" = Month/Year the card expires.
              "^" = Data-field seperator.
              "5" = The crypting-digit. When the transaction request
                     is sent to the main computer, it is encrypted.
                     This digit tells which encryption-key is used.
 "(dscrmn. data)" = A duplicate of the discriminate data stored on
                     Track 2.
              ";" = End of data character.
            "LRC" = Longitude Redundancy Check.

When the card is being processed the ATM tries to match the
account number, expiration date and name stored on each track.
The reason they duplicate data is for verification purposes. But,
notice that the duplicate data is stored on different tracks, each
having different recording densities.  Once the information on the
tracks are confirmed to match, the ATM compares them to the embossed
information on the front-side.  If all of the information matches
then the transaction will proceed.  If it doesn't match, then the card
is considered to be damaged and the ATM will keep the card.  It will
give the cardholder a piece of paper instructing the user to notify
the bank who issued his ATM-card so he can receive a replacement
card in the mail (this process takes about 3 weeks).

Now that you know how the ATM-system is designed and what information
is kept where on the card, what "security defects" does this system
contain ?  I will outline 4 methods of attacking this system that
have been tried (not by me!).

  1) Vandalization:  If you want, you can break-in to the ATM.
     However, most ATM's contain 'sensor' devices which sound an
     alarm when this is tried.  Therefore, if you're going to try
     this method I do not suggest using a hammer and chisel on the
     ATM because it will take 1/2 an hour to get the machine open
     and by that time the police will be there.  You could try a
     much faster way, dynamite; but that might scatter the money
     all-over, making it hard to collect.  Also, the bottom-half
     is where most of the money is stored (unless you happen to
     choose a machine that has issued all of its withdrawl-cash)
     so you'll want to break into the bottom-half of the ATM.

     In relation to this, you could wait outside the ATM for a
     valid-user to complete his withdrawl-transaction and mug him.
     As far as I know, the bank holds no responsibilty for placing
     the ATM in a 'secure' enviroment.  However, usually they will
     have lights nearby and placed in 'reasonable' places where
     people need money (example: Grocery store) and where the chance
     of mugging is slim.

  2) Physical Penetration: There are several ways of doing this.
     If you have a stolen card, you could randomly try guessing his
     account-password.  But, I feel this is a primitive method.
     If you try too many attempts at guessing the 'password',
     the ATM will return the card to you.  But, your attempts
     *might* be recorded in the central computer; allowing the
     bank to decide whether to cancel that card... However,
     this has not been verified by me.  If you do get a cash-card,
     you can make counterfeit-cards.

     A) Counterfiet ATM-cards:  The same method for producing
        counterfiet credit cards applies to ATM-cards.  If you
        have a valid ATM-card you can 'clone' it simply by embossing
        a blank-card with the same information.  Copying the mag-
        netic strip is also easy. To do this, you place a blank
        strip of the magnetic tape on top of the valid magnetic
        strip.  Then, using an iron on low-heat, gently rub the
        iron across the two strips for a few seconds.  Lastly,
        peel the new strip apart from the valid one and you've
        got a copy of all the data from the valid ATM-card.

     B) Also, I've heard a case where some guys had a machine
        that could read and write to the magnetic strips (probably
        they were employees of a company that produces the ATM-cards).
        Using this machine, they were able to create and change
        existing data on ATM-cards (such as the expiration date
        so they could keep using the same card over a long period
        of time).

        In relation to this there are other devices available that
        can read and write to magnetic strips.  Using your own
        microcomputer, you can buy a device that allows you to
        read and write to these magnetic strips. It looks
        similar to a disk drive.  If you're interested in
        exploring this method, I'll suggest that you contact
        the following company:

                 American Magnetics Corporation
                 740 Watsoncenter Road
                 Carson, California   90745

                 213/834-0685  FAX
                 910-345-6258  TWX

     C) WARNING: During each transaction attempted on an ATM a
        photo of the person requesting the transaction is taken.
        How long this film is stored is unknown, but it probably
        is different for each bank (unless there is a federal
        regulation regarding this).  Also, it is possible that
        this is not done at all ATMs.

  3) "Insider" Theft: The above case also crosses over into this
      section.  The biggest 'security leaks' in any company are
      its employees.  This is also the easiest way to steal money
      from ATMs.  The man who collects the deposits from the machine
      and inserts cash for withdrawls has the easiest and most
      open access to these machines.  I was told that this person
      can easily steal money from ATMs and not be detected.  Another
      person with access to these machines is the technician. The
      technician who fixes ATMs is the most-knowledgeable person
      about ATMs within the bank, therefore he should be a trust-
      worthy guy and receive a 'comfortable' salary.. otherwise
      he'll begin to collect 'retirement benefits' from the ATM
      and this may go undetected.

      However, I have heard of some embezzlement-cases involving ATMs,
      so I think it's not as easy as it seems.  It's only common sense
      that a bank would account for every dollar of every transaction.
      Whether the accounting is done inside the ATM or the main
      computer doesn't make a difference...  some form of accounting
      is *probably* done.

  4) Data-link Intercept:  This method has been very successful.  What
     you do is 'tap' into the wires that connect the ATM to the Main
     computer.  By doing this you can intercept and send signals to
     the ATM.  However, some 'inside information' is needed because
     the transmission is encrypted (refer to the Cryptography Digit
     stored on the magnetic strip).  But, I think you don't need to
     know *everything* being transferred.  You should need to know
     when to send the 'approval' signal to the ATM telling it to
     dispense its' cash.  I read a case (it may be in Phrack World
     News; 1985?) where some guys netted $600,000 from various ATMs
     using this method.  This seems to be one of the better, and
     more ingenious methods of stealing from these machines.

The information in this file should be 'adequate' to introduce you
to how ATMs work.  How did I get this information?  I went into a
bank and inquired about the computer-technology of ATMs.  The man
who was responsible for the ATMs was a bureaucrat and actually knew
very little about the 'guts' of ATMs.   Luckily the ATM-technician
was there that day and I agreed to buy him dinner later that evening.
(Please refer to: "Insider" Theft and the principle of Company-Loyalty).
During the dinner at "Toppers" (a neat 1950's Burgers/Milkshake/Beer
restaurant) he provided me with Operation and Repair manuals for the
ATMs.  I feel this information is well-worth the $3.82 dinner and
will be of some value to its' readers.  Some good information was
screened-out due to its 'delicate nature', but the information I've
provided has been confirmed.

The Mentor (Phrack #8, File #7;  "Fun with Automatic Tellers")
Deserted Surfer
Lex Luthor

Please distribute this file in its complete form.

[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2021, Phrack Magazine.