Payment Systems Blog » ATM

PIN Block Formats – The Basics

db — Wed, 03 Mar 2010 16:02:19 +0000

I had a call yesterday about approved TG-3 (Which is now called TR-39 ) ANSI PIN Block Formats.

The TR-39 Audit Procedures state that ISO 9564–1 Format 0 (ISO-0) and Format 3 (ISO-3) are the only approved formats:

4.1.3 X9 Approved PIN Block Formats

Documented procedures exist and are followed that ensure any cleartext PIN-block format combined with a PIN encryption process has the characteristic that, for different accounts, encryption of the same PIN value under a given encryption key does not predictably produce the same encrypted result. (Note: any cleartext PIN block, formats 0 and 3 meet this requirement, as specified in X9.8-1).

Reference X9.8-1 – Sec. 4(c), Sec. 6.2, Sec. 8.3.1, Sec.8.3.2, and Sec. 8.3.5

In case you are curious here are Visa’s PIN Security Requirements

Requirement 3:

For online interchange transactions, PINs are only encrypted using ISO 9564–1 PIN block formats 0, 1 or 3. Format 2 must be used for PINs that are submitted from the IC card reader to the IC card. Other ISO approved formats may be used.

This requirement further states:

PINs enciphered using ISO format 0 or ISO format 3 must not be translated into any other PIN block format other than ISO format 0 or ISO format 3. PINs enciphered using ISO format 1 may be translated into ISO format 0 or ISO format 3, but must not be translated back into ISO format 1.

(This last paragraph addresses an attack on Pin Blocks that can be translated in to format 1 on a HSM which would expose the clear PIN)

Let’s take a look at a few Pin Block formats:

For our examples:

P – PIN Number

F – Hex 0xF

A- Last 12 digits of PAN not including check digit

R – Random Hex Character (0-9, A-F)

Let us use the account number 4111111111111111 and PIN Number 1234 (examples use a PIN Length of 4 but could be 4-12 digits)

“Pin Pad” format or IBM 3624

PPPP FFFF FFFF FFFF

our Pin Block

1234 FFFF FFFF FFFF

Notes: Not allowed and is an old legacy method – not approved to be used.

ISO-0

04PP PPFF FFFF FFFF (0 = ISO-0 Format, 4 = length of PIN)

XOR with

0000 AAAA AAAA AAAA (Formatted PAN)

our Pin Block:

0412 34FF FFFF FFFF

XOR

0000 1111 1111 1111

0412 25EE EEEE EEEE

Notes: Introduces variability in the PIN block by XOR’ing with a Formatted PAN – Best practice is to use ISO-3 instead of ISO-0 as there are attacks against ISO-0

ISO-1

1412 34RR RRRR RRRR (1 = ISO-0 Format, 4 = length of PIN)

our Pin Block:

1412 348D 665A C5A3

Notes: Introduces variability in the PIN block by using Random padding chars – Best practice is not to allow HSM’s to accept or use this PIN Block format. Not allowed by TR-39 but is VISA.

ISO-3

34PP PPRR RRRR RRRR (3 = ISO-3 Format, 4 = length of PIN)

XOR with

0000 AAAA AAAA AAAA (Formatted PAN)

our Pin Block:

3412 34C8 CBA4 285C

XOR

0000 1111 1111 1111

3412 25D9 dAB5 394D

Notes: Introduces variability in the PIN block by using Random padding chars and by XOR’ing with a Formatted PAN – Best practice is to use this format.

Consolidated links for 1-20 (Inauguration day)

db — Tue, 20 Jan 2009 15:36:18 +0000

I don’t have time this morning to write any detailed blog posts: So let me share a few links that caught my interest for blogging topics:

Coinstar Machines Turn Change into iTunes Credit – TibBits – get gift cards from coin counting machines
Beware: Circuit City Gift Cards – Payment News – Use it or lose it, Retail Gift Cards for struggling retailers are best not to hold on to.
Discover To Participate in TARP, Becomes Bank Holding Company – Payment News – DiscoverBank
Discover PCI Levels Defined: See: Here (Treasury Institute), and here (GreenSheet). The Short of it is that Discover has aligned their PCI Merchant Levels to that of MC and Visa.
ATM Skimmers are getting sneakier – Network Security Blog – Video of an wireless ATM Card Skimmer
MasterCard dispels myths, highlights benefits of payment networks – (GreenSheet) – MC has released a paper "Benefits of Open Payment Systems and the Role of Interchange" with some links to audio and video – some good basic stuff here on a payment transaction.

ATM reprogramming arrests.

db — Wed, 24 Sep 2008 14:40:33 +0000

I guess it has been almost two years now, that a news story and security researcher blog post, pointed out a vulnerability in certain types of ATM Machines. The vulnerability relates to "PCI requirement #2 – Do not use vendor-supplied defaults for system passwords and other security parameters" with a few brands of ATM machines ( generally the smaller standalone ATM’s you see in convenience stores and sold by ATM ISO’s and their agents ) whose service manuals were accessible online, and ATM operators failing to setup the ATM’s in a secure manner. I remember googling and finding the default passwords and instructions for these. With the service manual and passwords, a person was able to reprogram the value of the ATM cassettes. telling the ATM Machine that the $5 cassettes had $20’s and doing a withdrawal

Today – Wired notes that the first bust for ATM Reprogramming Scan netted its first two arrests.

It took a high-speed chase and some gunplay, but two men in Lincoln, Nebraska, are the first to face felony charges for using default passcodes to reprogram retail cash machines to dispense free money.

Jordan Eske and Nicolas Foster, both 21, are in Lancaster County Jail pending an October 1st arraignment. They’re each charged with four counts of theft by deception, and one count of computer fraud, for allegedly pulling cash from privately owned ATMs at four stores in the area. The pair allegedly reprogrammed the machines to believe they were loaded with one-dollar bills instead of tens and twenties. A withdrawal of $20 would thus net $380.