don’t get me wrong, I’m NOT a conspiracy theorist. and I’m not saying ATM cards aren’t REASONABLY secure. heck, i wasn’t even saying that they all in reality share the same numbers, it was intentionally ridiculous, but i used it to make my point: If the public wont buy the concept, no matter how good or bad, the concept fails. public confidence is all that keeps most monetary systems running. period.

essentially, as long as we all have some form of random ID (ATMs use a user defined “PIN”), it’s reasonably hard to “break into” an account. if your that desperate for cash, spam off some key loggers in a retirement community and just log everyone’s activities. I’ve done that to catch old room mates farting around on my comps.

Ill give you another scare:

every cash register system I/ we built had a master key code programed into it; a backdoor if you will. our standard codes were 6-12 characters long. the master code was 42 characters. in order to enter it, you had to have a card or key with the full code in it, as manual entry only allowed for the required 6-12 before erroring. the scary part is the fact that with the master code, we could change anything in the system, even the sales data AFTER a sale had been authorized! we could funnel funds, skim pennies, re-route whole transactions, all behind the “administrators” view. like changing bios info in a computer: the OS admin wont see it, but it’ll sure change how stuff works…. ever see the superman movie from the 80s with richard pryer? yah, like that.

we did it once by accident. it took almost a month to track down and fix, AND WE WERE THE ONES THAT DID IT! lol turns out a used system we resold hadn’t been wiped as well as it should of been, and the flash card still had the previous owners account info in it, basically a routing table. so it would dump the left over fractions and balances after a closeout into what we originally thought was a holding file, and later that night, mysteriously send them off to a completely un-affiliated account. we got it all worked out in the end, but in one month it siphoned off almost 30 thousand US dollars.

what fun that week was. good thing i had nothing to do with that particular install…

think about it…. even if EVERY card out there was IDENTICLE, the banks would HAVE TO tell us they were “uncloneable” or the public would never use them.

if you asked me if i locked my house, id say yes. if you check the door, you’d find I’d lied. you’d also find my 150 lb. dog. of course, the banks call their dogs “lawyers”, but the effect is the same…

makes me wish i had a reader/writer now so i could play with my ATM card… I wonder if it’s re-writable?

You’ve literally answered everything I’ve wanted to know, and even stuff that I’d thought about but forgotten to mention in the last comment!!

Thanks a million mate!!

I can only take a few educated guesses at what goes into ATM cards “security” as I only built systems that (I would hope) would not require the level of security that an ATM machine type system uses. My experience wasn’t in BUILDING the cards, so much as USING them.

What I DO know, is that we use the same readers (both hardware and software) to read the ATM/Credit cards AND Employee ID cards, Parking Passes/ Meter cards, Door Key cards, etc. and that the numbers NEVER change. Like blank CDs, only certain media types will support a re-write. I’ve never run across a reprogrammable ATM/Credit card, but i have seen much more expensive media cards that claimed to be re-writable. Also, the numeric strings are indistinguishable from each other. The reason for the similarity in strings, is because most software is only written to handle a very narrow band of variables. In point of fact, if you have a business that wants to run Discover (it may have been American Express; its been about 4-5 years) cards, you HAVE TO TELL US AHEAD OF TIME because discover uses 3 extra digits at the end of their number sets and we have to tell the program (or reprogram the program in some cheaper/older systems) to allow for the extra, or lack of extra numbers. Otherwise the system errors out as a mis-read.

As far as flashable cards, those cheap paper cards you get at say parking garages are essentially the same as ATM/Credit cards, but in a lot of cases are blanks that get flashed with anything from a time/day number setup to a serial number. in the time/day flash, the reader just reads the number, compares it to the current values, and calculates the amount. in the serial system, everything is networked, and the serial number corresponds to an entry in a data base type system. anything can be tied to it. simple time/date values all the way to a video footage file to a passing weight value. it all depends on what the client wants, and what they are willing to spend.

It occurs to me as i reread your question that a system that constantly rotates a cards ID would be great for security. a new pre-determined ID would make it almost impossible for the same card number to be used more than once in a given time period. If a system assigned a new number to a card at the end of every transaction, reusing an old number would be pointless. and the system could track the number, and its changes across the system. besides a lot of new encoding though, a change like that would use up a lot of bandwidth, and require up to date posting, which if you follow the money trail, the industry likes the delay in purchase time vs posting time. its good for over-draft fees among other things.

I hope that helped a little. I’m trying to answer your question between jobs at work, so my train of thought is really broken up, sorry.

@ Zupakumputer

Yah, I used BASIC, and It certainly was!

Magnetic cards are very easy to read, and clone. Meaning scanners and writers can be bought - so you would nowadays also mostly need the 4-digit pin, and that’s all to be able to use it in an ATM or a shop. There is a lot of credit card fraud that’s possible simply because checks aren’t made though - you give the details on the card over the phone, and that’s enough for some places, they’ll ship to whatever address even if it doesn’t match with the cards records. In those kinds of cases you wouldn’t even need to have the card or a copy - just the details. Other times people steal the details, then use them to make duped cards - if they know what banks or wherever issued the card then there’s standard ways the cards have been encoded / written to.

However, tis also a fact that the economy has virtually nothing real backing it up anymore (especially here in the UK as all the gold reserves were sold off), and most of it’s a sham fueled by mass acceptance of HP (not the computer co., ‘hire purchase’). They don’t really own it, they never really got paid to make it or ship it, and the profits and loss are all on paper only.

Live in debt, die in debt. There’s about 5 small countries in the world that don’t owe all their assets to a bunch of other countries.

btw there was / is a similar flaw with the chequing system. First you are meant to present a cheque guarantee card alongside a cheque - hardly anyone ever used that verification. Next whoever received the cheque is meant to hole-punch the back of your cheque book (to verify what day what amount was paid). Nobody did that much either. So in practice that meant that a fake book/bunch of cheques could be used multiple times a day quite easily.

thanks for those. it’ll give me something to do at work, lol.

as far as languages, I don’t know any, so I can’t weigh in on any. the last time I wrote code, it was on a commador 64. some how I doubt that that is relevant anymore…

you’re welcome

some other links…

http://www.elitehackers.info/ (really good articles)
http://www.darkmindz.com/
http://www.hellboundhackers.org/

as for learning…
any good scripting language to start with?
Javascript and HTTP I guess…

suggestions?