Previously on "Cash machines"


  • Paddy
    replied
    Originally posted by AtW
    Pins are just 4 digits - encrypting just them is crazy because it is easy to check less than 10k combinations using plain text attack.
    The banks had a choice of 4 or 6 digits, they opted for 4

    Your pin number is here... http://www.positiveatheism.org/crt/pin.htm
    Last edited by Paddy; 30 August 2008, 09:15.

    Leave a comment:


  • Paddy
    replied
    Originally posted by Incognito
    Surely the transaction is encrypted though or could someone just tap in and sniff their traffic?

    No, it's not encrypted. Nor is the Visa and Mastercard interbank system.

    Leave a comment:


  • bored
    replied
    Originally posted by Bob Dalek
    How would that work? 3 incorrect attempts and strike-out, surely?
    AtW's idea is to try and encrypt each of the 4-digit numbers until the encrypted text matches the intercept. However, if the ATM adds some random data before encrypting the PIN (it should), then such an attack won't work.

    /geek_mode off

    Leave a comment:
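bored's point above, shown as an added example that is not part of the thread: a fixed-key cipher applied to the PIN alone always yields the same ciphertext for the same PIN, so a 10,000-entry table identifies it, while random fill before encryption removes the match and the key holder still recovers the PIN. The Feistel cipher is a toy stand-in for triple-DES, and the key, block layouts and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY = bytes(range(16))  # constructed demo key, not a real ATM key

def _f(key, i, half):
    # Round function of the toy cipher: truncated HMAC-SHA256.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    """Toy 8-round Feistel cipher on 8-byte blocks (stand-in for triple-DES)."""
    left, right = block[:4], block[4:]
    for i in range(8):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right

def decrypt_block(key, block):
    """Inverse of encrypt_block: undo the rounds in reverse order."""
    left, right = block[:4], block[4:]
    for i in reversed(range(8)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right

def pin_only(pin):
    # Deterministic block: the PIN digits followed by fixed padding.
    return pin.encode() + b"\x00" * 4

def pin_with_random(pin):
    # Same layout, but the padding is 4 fresh random bytes per transaction.
    return pin.encode() + secrets.token_bytes(4)

def distinct_ciphertexts(encode, pin, n=200):
    """Number of different ciphertexts seen when one PIN is encrypted n times."""
    return len({encrypt_block(KEY, encode(pin)) for _ in range(n)})

def codebook_hit(encode, pin):
    """True if a table of all 10,000 pin_only ciphertexts identifies this PIN."""
    table = {encrypt_block(KEY, pin_only(f"{p:04d}")): f"{p:04d}"
             for p in range(10000)}
    return table.get(encrypt_block(KEY, encode(pin))) == pin

def recovered_pin(encode, pin):
    # The key holder still recovers the PIN: the first 4 bytes of the block.
    return decrypt_block(KEY, encrypt_block(KEY, encode(pin)))[:4].decode()
```
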


  • Peoplesoft bloke
    replied
    Originally posted by Incognito
    Same to you. I hope your next poo's a hedgehog.
    Charmed I'm sure

    Leave a comment:


  • Bob Dalek
    replied
    Originally posted by AtW
    Pins are just 4 digits - encrypting just them is crazy because it is easy to check less than 10k combinations using plain text attack.
    How would that work? 3 incorrect attempts and strike-out, surely?

    Leave a comment:


  • Incognito
    replied
    Originally posted by Peoplesoft bloke
    No - have a nice weekend.
    Same to you. I hope your next poo's a hedgehog.

    Leave a comment:


  • Peoplesoft bloke
    replied
    Originally posted by Incognito
    Are you not dead yet?
    No - have a nice weekend.

    Leave a comment:


  • Incognito
    replied
    Originally posted by Peoplesoft bloke
    Only people with no brain think they are the answer to anything
    Are you not dead yet?

    Leave a comment:


  • Peoplesoft bloke
    replied
    Originally posted by Incognito
    For that they're not.
    Only people with no brain think they are the answer to anything

    Leave a comment:


  • Incognito
    replied
    Originally posted by AtW
    Pins are just 4 digits - encrypting just them is crazy because it is easy to check less than 10k combinations using plain text attack.
    What are you on about? The article is on about the server back in the datacentre where you'd think they'd encrypt the PINs so that a nosy admin type doesn't have a quick browse through them.

    Leave a comment:


  • ratewhore
    replied
    Remember this?

    I never use the non-bank owned ATMs. Not for security mind you, because I'm too tight to pay £1.99 to withdraw £20...

    Leave a comment:


  • AtW
    replied
    Pins are just 4 digits - encrypting just them is crazy because it is easy to check less than 10k combinations using plain text attack.

    Leave a comment:


  • Incognito
    replied
    Even better

    http://www.theinquirer.net/gb/inquir...eves-broke-pin

    What's most troubling is that, apparently, no one knows how the thieves managed to crack Citibank's ATM network, break into a server at a third-party transactions processor, and steal not only account numbers but also the unencrypted PIN codes that enabled them to successfully withdraw funds. If anyone knows how they did it, they're not saying publicly.
    I wonder if they all use their username as their password?

    Leave a comment:


  • Incognito
    replied
    Flucking bell

    Leave a comment:


  • ratewhore
    replied
    An IP-ATM is connected to the payment processor using a TCP/IP connection. However, while the PIN number is triple-DES encrypted, the messages themselves are not. In January 2008, an analysis of ATM network traffic by Network Box found that only the PIN number was encrypted and that a large portion of the traffic travelled in plain text, leaving card numbers, card expiry dates, transaction amounts and account balances clearly readable. Therefore, a hacker needs only to access some part of the IP network between the IP-ATM and the payment processor to be privy to the aforementioned details.
    linky

    Leave a comment:
