Date: 3 Jan 91 16:38:00 +1600
From: MCKAY_MICHAEL@atalla.com [tandem.com?]
Subject: RE: "Little pitchers have big ears": ATM Risk

I am currently the sustaining software engineer for the product mentioned by zowie in his posting (11-25-90), and I wanted to clarify some things. He was disturbed by hearing modem tones during an ATM card activation at a Wells Fargo Bank branch. In fact, recording the 300 BAUD transaction (or tapping the phone line) would not reveal his friend's PIN.

The PIN is encrypted by the terminal, using DES and a "Unique Key Per Transaction (UKPT)" algorithm (our newer terminals conform to ANSI 9-24; Wells Fargo still uses some older terminals that predate 9-24 with a pseudo UKPT). Once the transaction is reported to the host, a hardware security box translates the PIN from the terminal's key to some irreversible internal format. Once the PIN is entered into the terminal, it never appears in the clear (that is to say unencrypted) in any computer.

This is much better than the usual situation, where you would either be assigned a PIN, or have to write down your PIN and have somebody enter it for you. If anybody would like more details on the process, feel free to contact me.

Michael McKay (MCKAY_MICHAEL @ tandem.com) (408) 435-8850
US MAIL: Atalla, A Tandem Company, 2304 Zanker Road, San Jose, CA 95131
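The flow McKay describes (terminal encrypts the PIN under a key that changes every transaction, the host security module translates it into an irreversible value) as an added Go example; this is editorial illustration, not code from the original message or from the Atalla product. Assumptions not in the message: the per-transaction key is derived with HMAC-SHA256 from a counter as a simplified stand-in for the ANSI UKPT derivation, the PIN is carried in an ISO 9564 format-0 style block, the host's "irreversible internal format" is modelled as an HMAC verification value, and the base key, host secret, PAN and PIN are constructed sample values.

```go
package main

import (
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample secrets (assumptions, not values from the original message).
var baseDerivationKey = []byte{0x0E, 0x32, 0x9C, 0x41, 0xA7, 0x5B, 0xD8, 0x13} // shared by terminal and HSM
var hostPINSecret = []byte("constructed-hsm-internal-secret")                 // never leaves the host HSM

// transactionKey derives a fresh 8-byte DES key for every transaction counter value.
// Simplified stand-in for the UKPT derivation: HMAC-SHA256 of the counter, truncated.
func transactionKey(base []byte, counter uint32) []byte {
	mac := hmac.New(sha256.New, base)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	mac.Write(ctr[:])
	return mac.Sum(nil)[:8]
}

// panField returns the 8-byte account field: 0000 followed by the rightmost
// twelve PAN digits excluding the check digit (format-0 style, an assumption here).
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN too short")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// pinBlock builds the one-block plaintext: control nibble 0, PIN length, PIN digits,
// F padding, XORed with the account field so equal PINs differ across accounts.
func pinBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	p, err := hex.DecodeString(fmt.Sprintf("0%X%s", len(pin), pin) + strings.Repeat("F", 14-len(pin)))
	if err != nil {
		return nil, err
	}
	a, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = p[i] ^ a[i]
	}
	return block, nil
}

// pinFromBlock reverses pinBlock; it runs only inside the host security module.
func pinFromBlock(block []byte, pan string) (string, error) {
	a, err := panField(pan)
	if err != nil {
		return "", err
	}
	p := make([]byte, 8)
	for i := range p {
		p[i] = block[i] ^ a[i]
	}
	field := hex.EncodeToString(p)
	n, err := strconv.ParseUint(field[1:2], 16, 8)
	if field[0] != '0' || err != nil || n < 4 || n > 12 {
		return "", errors.New("unexpected PIN block format")
	}
	return field[2 : 2+n], nil
}

// terminalEncryptPIN is what goes over the 300 baud line: a single DES block
// under a key that is unique to this transaction counter.
func terminalEncryptPIN(pin, pan string, counter uint32) ([]byte, error) {
	block, err := pinBlock(pin, pan)
	if err != nil {
		return nil, err
	}
	c, err := des.NewCipher(transactionKey(baseDerivationKey, counter))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// verificationValue is the assumed irreversible form stored by the host: an HMAC
// over account and PIN under a secret that never leaves the HSM.
func verificationValue(pin, pan string) []byte {
	mac := hmac.New(sha256.New, hostPINSecret)
	mac.Write([]byte(pan + ":" + pin))
	return mac.Sum(nil)
}

// hostTranslatePIN models the security box: decrypt under the terminal's
// transaction key and immediately reduce the PIN to the one-way value.
func hostTranslatePIN(encrypted []byte, pan string, counter uint32) ([]byte, error) {
	c, err := des.NewCipher(transactionKey(baseDerivationKey, counter))
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	c.Decrypt(block, encrypted)
	pin, err := pinFromBlock(block, pan)
	if err != nil {
		return nil, err
	}
	return verificationValue(pin, pan), nil
}

func main() {
	pan := "4000001234567899" // constructed sample account number
	for counter := uint32(1); counter <= 2; counter++ {
		wire, _ := terminalEncryptPIN("1234", pan, counter)
		fmt.Printf("transaction %d on the wire: %x\n", counter, wire) // differs per transaction
		v, _ := hostTranslatePIN(wire, pan, counter)
		fmt.Printf("host verification value matches enrolment: %v\n", hmac.Equal(v, verificationValue("1234", pan)))
	}
}
```

Recording the line captures only the eight ciphertext bytes, which differ for every transaction even when the PIN and account are the same, and the host stores only the one-way value, so the clear PIN exists nowhere outside the terminal keypad and the security module.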