3

ATMs occasionally get stolen. How easy would it be for the thieves to retrieve the PINs and other information of the users that have previously used the ATM? Is there a periodic wipe of all records/logs/traces on the machine within the ATM enclosure?

Drew Lex
  • There is no reason for storing any user data on ATM, and all security guidelines clearly recommend against doing so. Do you have reliable information that ATMs actually **do** store such information? – Agent_L Jul 07 '14 at 10:37

4 Answers

5

There is no way to know for sure what happens inside the ATM, but most ATMs handle transactions by connecting to a server. There is no reason that it should have to keep any record of transactions internally.

AJ Henderson
3

My sense is that ATM transactions processing is done mostly on the server side:

An ATM is basically a safe with a PC, an LCD monitor and some additional devices. ATMs are not on the Internet...

To clarify, they are not internet-accessible in the sense that installing cracking software on an ATM would require physical access to internals of the ATM, in advance of harvesting users' data.

Typically only an encrypted version of the PIN is stored and transmitted. There are few, if any, reported incidents of customers' personal information being retrieved from stolen ATMs. Instead, card skimming (copying data from ATM cards' magnetic strip) is the primary method used for ATM fraud.

The ATM is often severely traumatized by being pulled from its concrete foundation by a truck, with a chain wrapped around it. Even if it were not irreparably damaged, the modus operandi of ATM thieves is to open the ATM with a blow torch, which would likely impair function of anything that remained. Harvesting customer PINs, after stealing the ATM, would be unlikely. Thieves empty the cash, and abandon the ATM. ATMs are typically recovered by authorities after being incinerated, buried, submerged in lakes etc.

Ellie Kesselman
1

PINs are not stored within the ATM machines. When you type in your PIN in the keypad an offset is calculated (essentially a hash) and that is what is sent to the back end host. The hashes are not stored in the ATM either.

k1DBLITZ
  • "When you type in your PIN in the keypad an offset is calculated" -- can you provide any source for this? – Dmitry Janushkevich Jul 07 '14 at 09:10
  • It's called an "Encrypted Pin Pad", or EPP for short. Source: http://www.diebold.com/Diebold%20Asset%20Library/dbd_eppremotekey_whitepaper.pdf – k1DBLITZ Jul 07 '14 at 19:40
1

There is no way to retrieve the PIN and other information of the user through the ATM.

At most, the EJ (log journal inside ATMs) logs transaction details, which contain information like account number/PAN (masked)/amount. But the PIN is not logged anywhere.

Moreover, the PIN is never transferred anywhere unencrypted, nor is it saved anywhere in that way. As soon as you enter the PIN over the ATM keypad, the entered value gets encrypted and then passed on for transmission.

Even the server doesn't keep PIN records. Original PINs are stored in HSMs, which are hardware devices kept with the bank's server.

Rory Alsop
SajjadHashmi
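The last answer says the ATM's electronic journal holds only masked PANs. The following is an added example, not code from any of the answers or from an ATM vendor, showing how an operator could audit a journal export for card numbers that were written unmasked. The journal line layout is constructed for illustration, and the first-six/last-four masking rule is an assumption (the page only says "masked").

```python
import re

# 13-19 digits, optionally grouped with single spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out counters and trace numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Assumed masking convention: keep first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def audit_journal(lines):
    """Return (findings, scrubbed): findings are (line_no, masked_pan) for each clear PAN."""
    findings, scrubbed = [], []
    for no, line in enumerate(lines, 1):
        def repl(m, no=no):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                return m.group()            # not a card number, leave untouched
            findings.append((no, mask_pan(digits)))
            return mask_pan(digits)         # never echo the clear value
        scrubbed.append(CANDIDATE.sub(repl, line))
    return findings, scrubbed

# Constructed journal lines (hypothetical layout, well-known test card numbers).
SAMPLE_JOURNAL = [
    "10:31:02 TXN 000123 WITHDRAWAL PAN 411111******1111 AMT 100.00 OK",
    "10:33:40 TXN 000124 WITHDRAWAL PAN 4111111111111111 AMT 60.00 OK",
    "10:35:12 TXN 000125 BALANCE PAN 5500 0000 0000 0004 OK",
    "10:36:00 STAN 1234567890123456 HOST TIMEOUT",  # 16 digits, fails Luhn
]

if __name__ == "__main__":
    found, clean = audit_journal(SAMPLE_JOURNAL)
    for line_no, masked in found:
        print(f"line {line_no}: unmasked PAN written to journal ({masked})")
```

Any finding means the journal would expose card numbers if the machine were stolen; the PIN itself should never appear in such a log in any form.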