propeller girl

This working thing is seriously hampering my knitting thing. Gah.

When I’m not knitting (or drinking, travelling, reading your blog, or procrastinating) I work with money. It’s what I do. I rarely see it physically – in my world, it’s all virtual. I watch the little hex values in messages stream out across networks and between nodes, banking systems to switches to retailers and ATMs and back again. I watch thousands of transactions every day streaming at top speed along a spider-web of connectivity, then I work to mimic it and try to break in on parallel test systems. It’s just my thing, my gig. I’ve been doing it since I was discovered to have a knack for breaking things – natural clutziness has become the key to my paycheque because I’m the gal who stumbles across holes in logic, code, and encryption and I seem to be able to make it all do “bad things” in a way that makes the poor managers’ eyeballs pop. Sometimes I’m not well received because, if anyone can break it (on purpose or accidentally), I can. Ah, when I present my results on a project, the chorus of “F*CK!” is music to my ears because I’ve found something for the good guys to fix so the bad guys can’t break in.

I do take great pleasure in breaking things (at work). I’m a bull in a china shop – sadly this also goes for non-work things like poking myself in the eye with a spoon while eating, tripping over carpet lint into the table, instigating a falling waterfall of spices and cookbooks by moving one item in the cupboard, and generally trying to trigger an ER visit. It’s nice that at least my mad clutz skillz are useful in some area. I try to focus on this fact when holding yet another burned piece of my flesh under the running kitchen tap. Silver linings, people, silver linings.

I’ve been doing this monetary-clutziness for so long that I often forget that other people aren’t exposed to security and encryption, magnetic stripe and chip formatting and ripping, low tech scamming, high tech skimming, data mapping… I’m a lonely princess on my own stack of encrypted hexadecimal values.

All this is leading up to tell you that it’s become my “hobby” to track ATM and POS scams and hack tools. When someone has figured out a way around the safeguards designed to protect transactions and bank accounts, I sit up and take note. When “they’ve” built a better mousetrap, it means I’m currently or going to be testing their methods and working to set up more roadblocks to keep information protected. “Information longs to be free” does not apply to my bank account, thank you very much. I can’t count the number of times I’ll read the news and groan because the “unknown” hole we’re patching next week has just been discovered by some basement-dwelling, caffeine-sucking, 14-year-old from Russia.

The following pissed me off because, well, I’ll explain in a minute. On the news:

“If you should ever be forced by a robber to withdraw money from an ATM machine, you can notify the police by entering your Pin # in reverse.

For example if your pin number is 1234 then you would put in 4321. The ATM recognizes that your pin number is backwards from the ATM card you placed in the machine.

The machine will still give you the money you requested, but unknown to the robber, the police will be immediately dispatched to help you.

This information was recently broadcast on TV and it states that it is seldom used because people don’t know it exists.”

People don’t know it exists because it DOESN’T exist and this just gives mugging victims false hopes that help is on the way when in reality, they’re just really screwed. Secondly, it’s not an ATM machine. It’s an Automated Teller Machine – ATM, not an Automated Teller Machine Machine. Jerkass acronym screwuppers.

Anywho, if you haven’t nodded off by now (and you probably should just stop and go nap because I start to get ranty and illiterate at this point), here’s my clarification (ha!) on what really happens with that old pin thing:

Step Oneish – enter card into ATM & enter PIN

You enter your card and choose the tidbits of your transaction (deposit, withdrawal, balance, what have you). The ATM keypad you’re using to enter your PIN is supposed to be encrypting what you’re entering as you’re entering it, but some countries haven’t upgraded their ATMs to meet this standard yet. Using an algorithm-generated code known to the ATM & the keypad, your PIN is encrypted before it even hits the ATM core.

Step Twoish – ATM encrypts and sends PIN’d transaction to master switch

At this stage, that keypad-encrypted PIN is combined with other information from your transaction, such as every second number in your bank card number or what have you, then multiplied by a 64-digit (or longer) number to generate a final encrypted PIN value. Now, your whole transaction, with this new unique encrypted PIN value, is sent to the master switch it’s connected to. That master switch then automagically sends the transaction to your bank’s system that holds your personal account and PIN information. We often describe the sequence as sending a letter – the transaction, such as requesting $20 from your chequing account, with your encrypted PIN, is the “letter” composed at the ATM. That letter is then “enveloped” by being encrypted using a second code known to the ATM and the master switch (and recalculated frequently), and the whole envelope is assigned a secret handshake string of digits using yet a third code.

Step Threeish – Decryption & verification

When the whole envelope hits the master switch, the secret handshake is verified as correct, then the message is “de-enveloped” and decrypted using the matching codes, and then the encrypted PIN is sent to a secondary device whose sole purpose is to decrypt and verify PIN values. If the resulting PIN value math adds up, the PIN is declared correct and the ATM is advised that the transaction can be processed. If it’s wrong, well, it’s wrong and a note is sent to the ATM indicating that the transaction is declined.

The only thing that final PIN verify step can do is check that the math on the known PIN and transaction values adds up. There’s no way for anyone to ever know what your real PIN is or whether it’s backwards. Even if they did, these switches and banks aren’t connected in real time directly to law enforcement, so no flag rises and no heroes are dispatched to the scene. I mean, it takes hours for a crew to get to an ATM that’s raised a flag that it’s out of cash, much less if one of the millions of transactions had a bad PIN sequence.
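A toy model of steps one to three, added here as an illustration and not code from the original post: the keypad wraps the PIN into an ISO 9564 format-0 PIN block (the standard way a PIN is mixed with card-number digits before encryption), the ATM envelopes and handshakes the message, and the switch-side verifier can only answer approved or declined. The keys, the card number and the SHA-256-based stand-in cipher are constructed for the demo; nothing in the flow carries a duress flag, so a reversed PIN is simply a wrong PIN.

```python
import hashlib
import hmac

# Constructed demo keys. Real networks keep these in hardware (keypad, HSM) as 3DES/AES keys;
# a SHA-256 keystream stands in for the block cipher so the example runs with the stdlib.
PIN_KEY = b"demo-pin-key"      # keypad/ATM <-> PIN-verification device (steps one and three)
ZONE_KEY = b"demo-zone-key"    # ATM <-> master switch "envelope" (step two)
MAC_KEY = b"demo-mac-key"      # the "secret handshake" on the envelope (step two)
DEMO_PAN = "4000001234567899"  # constructed card number

def xor_cipher(key, data):
    """Toy symmetric cipher (same call encrypts and decrypts); NOT a real ATM cipher."""
    ks = hashlib.sha256(key).digest()
    return bytes(b ^ ks[i % 32] for i, b in enumerate(data))

def pan_field(pan):
    # 0000 followed by the 12 rightmost card digits, excluding the check digit
    return bytes.fromhex("0000" + pan[-13:-1])

def pin_block(pin, pan):
    # ISO 9564 format 0: "0" + PIN length + PIN, padded with F, XORed with the PAN field
    pin_field = bytes.fromhex(f"0{len(pin)}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, pan_field(pan)))

def atm_request(pin, pan, amount):
    """Steps one and two: keypad encrypts the PIN block; ATM envelopes the letter and adds a MAC."""
    letter = f"{pan}|{amount}|".encode() + xor_cipher(PIN_KEY, pin_block(pin, pan))
    envelope = xor_cipher(ZONE_KEY, letter)
    return envelope + hmac.new(MAC_KEY, envelope, "sha256").digest()

# What the bank holds per card: a one-way reference value, never the PIN itself
VAULT = {DEMO_PAN: hashlib.sha256(f"{DEMO_PAN}:1234".encode()).hexdigest()}

def switch_and_verify(message):
    """Step three: check the handshake, de-envelope, then let the PIN device verify the block."""
    envelope, tag = message[:-32], message[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, envelope, "sha256").digest()):
        return "rejected: bad handshake"
    pan, _amount, enc_block = xor_cipher(ZONE_KEY, envelope).split(b"|", 2)
    pan = pan.decode()
    block = bytes(a ^ b for a, b in zip(xor_cipher(PIN_KEY, enc_block), pan_field(pan)))
    digits = block.hex()
    pin = digits[2:2 + int(digits[1], 16)]  # the clear PIN exists only inside this device
    ok = hashlib.sha256(f"{pan}:{pin}".encode()).hexdigest() == VAULT.get(pan)
    return "approved" if ok else "declined"  # the only two answers; there is no duress signal
```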

Just don’t go to a dark ATM, a dark alley, or follow a stranger to an ATM. If you do get mugged, call the cops and your financial institution.

The moral of the story is that if you’re mugged, you can’t enter a secret code to call for help because the secret code doesn’t exist. The secondary moral is that low tech PIN and card stealing is the most successful method of fraud, which is why it’s so important to keep your card and PIN secret. Never let your card out of your sight (EVER), shield your pin as if cameras are recording your every move, and if you suspect anything off color, call the number on the ATM, the cops, and your own bank.

In 2005 in Canada, there were 293 million ATM transactions & 3.1 billion POS transactions (pay at cashier direct payment).

3 thoughts on “propeller girl”

  1. Fascinating! I’d heard that Canadians are the queens and kings of POS, with more transactions per capita than any other nation in the world. Are you able to confirm or deny this claim?

  2. For POS, Canadians are Kings & Queens. The 2005 stats should be out shortly to see if we remain so, however European nations have caught up in the popularity since the release of the Euro. Now that a person knows the exact conversion value (ie. none) when going from one European country to another, more people are using ATMs & POS networks. The Euro has monetary payment networks holding hands and singing Kumbaya. Those nifty Europeans!

    The BIS (Bank for International Settlements) yearly statistics are the place I go – the 2005 preliminary were just released from BIS but I can’t tell if they’re using non-bank only stats (if they’re using all stats, France & the US are now leaders with Canada in a #3 position and the rest of the Europeans are at our heels). Anywho, here’s how it was at last count in transactions per capita:

    Canada 88.2
    Sweden 86.5
    Netherlands 76.0
    US 67
    UK 61.7
    Belgium 57.3

  3. Hee hee… you’re funny.

    I didn’t know the details behind it all, but I do loves me some of that sort of email forward. I cannot tell you the number of dear friends and loved ones I have pissed off by replying, “Thanks so much for your concern about me, but this forward is actually a hoax. See”

    Ah, well. Whatever.

    Welcome to the board, at least! 😉
