ATMs and Protected Information

by Jonathan Litt
Section 2, Hawley/Lew

The concept of "protected information in computer systems" is central to the design of Automatic Teller Machines (ATMs). Indeed, ATMs would not be very useful if anyone could use them to obtain money from anyone else's account. Some of the important issues in such a design include whether it uses a ticket-based or an access control list security mechanism, and whether the system allows access control to be changed easily after a customer has been given an ATM card. In the case of SecureBank, we will find that its ATM design combines some of the best features of both approaches, although it also contains some security holes.

The SecureBank system is a combination of a ticket-based (or capability) system and an access control list system. It is easiest to understand this combination by describing what the system would be like if it were instead only one or the other. In a pure ticket-based system, the "guardian" of the system (in this case, the ATM software) need not have access to any kind of global state. A valid ticket to the system is all that is needed for access. If the SecureBank ATM system were a pure ticket-based system, then it would not require a PIN before every transaction. Instead, the mere possession of an ATM card would be enough to prove to the machine that the customer is who he says he is. In other words, the theory behind such a system could be presented as follows: "As long as the person with the ATM card never loses it or has it stolen, and as long as the format of the magnetic strip is not revealed to the general public, then the card is always a unique identifier of that person." The problem with this argument is that those qualifying statements ("not losing the card", etc.) are just not realistic. It would not be fair to SecureBank's customers to tell them that they must never lose possession of their card. Nor is it realistic to expect that no one will be able to decode the format of the magnetic strip.

On the other hand, if ATMs were to use only access control lists, then using an ATM would be a lot like logging into a UNIX account. A customer could just walk up and type in his or her name and PIN. In this case, we use the term "access control list" to denote the fact that the "guardian" of the system must have access to some kind of global list of account numbers and PINs. However, this kind of system is open to many more security holes, most notably the fact that it would now be much easier for someone to guess someone else's PIN. The important thing to consider is that while it *may* be possible to counterfeit an ATM card, it is certainly not a trivial task. In other words, with a combined system like the one SecureBank uses, an attacker has to produce some kind of stolen or counterfeit card *and* produce the proper PIN for the account. This level of security is an order of magnitude better than the level of security for each system alone. In addition, the deliberate sharing of PINs and cards allows customers to form "protection groups" to gain access to shared accounts. This could be done without the assistance of the bank by merely revealing the PIN to someone else and letting them borrow the card. If the bank were willing to help, then it could even print out more than one card for a particular account.

Once the ATM has authorized access to a particular account, then the account information acts as a "descriptor-based protection mechanism" for the account. For example, just because I can walk up to a Baybank machine and get access to my account does not mean that I can take out $100,000 from it. (Unless, of course, I just had a really good weekend in Vegas.) Likewise, I can't take out $100,000 from anyone else's account either, even if they actually have that much money. The account number serves as the descriptor to information about the account, possibly including the amount of money in the account, and whether or not the account is currently active. Thus, such a system could be used to revoke access to an account by changing the access information that the descriptor points to. An even better system would allow the bank to revoke access to a particular card. For example, if each card contained the customer's account number, *plus* a random number that was also saved in the account descriptor information, then a lost card would become invalid as soon as a new card was issued with a new random number.

However, there are some security problems with SecureBank's scheme. One possible problem is that if it is possible to obtain someone's account number, then it is a lot more likely that their account could be breached. For example, a thief could buy a camcorder with a huge zoom lens and videotape people as they punch in their PIN. If the receipts from the ATM were to list the full account number for each person, then the thief could collect the disposed-of receipts to match account numbers to PINs. Now all he has to do is counterfeit a card with the same account number. (A similar attack is described in "Why Cryptosystems Fail.") So in this case the account number should also be kept as secret as possible. Another problem with this scheme is that it does not allow for mutual authentication. A customer is able to prove to the machine that he really is who he says he is, but currently the machine does not have to prove to the customer that it really is an official ATM! An attacker could put up a fake ATM that would collect people's PINs, and then just pretend to be out of service and spit the card back. The thief would end up with a collection of account numbers and corresponding PINs. (This too has actually happened.)
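The combined card-plus-PIN check, the account descriptor that bounds what an authorized holder may do, and the per-card random number that revokes a lost card (all described in the three preceding paragraphs) can be sketched as follows. This is an added example, not SecureBank's or this paper's own code; the names Bank, AccountDescriptor and Card, the 16-byte card secret, and storing the PIN only as a salted hash are assumptions made here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
@dataclass
class AccountDescriptor:  # bank-side record that the account number points to
    pin_hash: bytes      # verifier for the PIN; the PIN itself is never stored
    card_secret: bytes   # random number written onto the currently issued card
    active: bool = True
    balance: int = 0

@dataclass
class Card:  # the "ticket": what the magnetic strip carries
    account_number: str
    card_secret: bytes

def _hash_pin(account_number: str, pin: str) -> bytes:
    return hashlib.sha256(f"{account_number}:{pin}".encode()).digest()  # salted per account

class Bank:
    def __init__(self) -> None:
        self.accounts = {}  # account number -> AccountDescriptor (the "list" side)

    def open_account(self, account_number: str, pin: str, balance: int = 0) -> Card:
        desc = AccountDescriptor(_hash_pin(account_number, pin), secrets.token_bytes(16), True, balance)
        self.accounts[account_number] = desc
        return Card(account_number, desc.card_secret)

    def reissue_card(self, account_number: str) -> Card:
        # Revoking a lost card means storing a fresh random number in the descriptor
        desc = self.accounts[account_number]
        desc.card_secret = secrets.token_bytes(16)
        return Card(account_number, desc.card_secret)

    def authorize(self, card: Card, pin: str) -> bool:
        desc = self.accounts.get(card.account_number)
        if desc is None or not desc.active:
            return False
        # Ticket check: a card counterfeited from the account number alone fails here
        if not hmac.compare_digest(card.card_secret, desc.card_secret):
            return False
        # List check: the presented PIN must match the descriptor's verifier
        return hmac.compare_digest(_hash_pin(card.account_number, pin), desc.pin_hash)

    def withdraw(self, card: Card, pin: str, amount: int) -> bool:
        desc = self.accounts[card.account_number]
        if not self.authorize(card, pin) or amount <= 0 or amount > desc.balance:
            return False
        desc.balance -= amount
        return True
```

Note that a card built from a recovered account number alone, or a card that was reported lost and replaced, is refused even when the PIN is correct; the fake-ATM attack above is not addressed by this check, since nothing here lets the customer verify the machine.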