Re: OT: Banc of America Article

2003-01-30 Thread Paul Timmins
On Thu, 2003-01-30 at 15:39, Krzysztof Adamski wrote: > Based on this you can see that re-encoding is needed when you change the > PIN number, most ATMs will do that re-encoding. So unless things have > changed in the last 4 years since I worked with this, you cannot change > your PIN over the ph

Re: OT: Banc of America Article

2003-01-30 Thread Mike Hogsett
> Before you jump to the conclusion that you could just steal the black > box from the ATM and have access, but if you tilt it, it forgets all the > keys. Also during normal operation two separate people have to enter > two parts of the key. This way no single bank employee has access to > both

RE: OT: Banc of America Article

2003-01-30 Thread Krzysztof Adamski
sage- > > From: Krzysztof Adamski [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, January 30, 2003 3:39 PM > > To: [EMAIL PROTECTED] > > Subject: Re: OT: Banc of America Article > > > > > > > > Since nobody has given the correct information abou

RE: OT: Banc of America Article

2003-01-30 Thread Temkin, David
tof Adamski [mailto:[EMAIL PROTECTED]] > Sent: Thursday, January 30, 2003 3:39 PM > To: [EMAIL PROTECTED] > Subject: Re: OT: Banc of America Article > > > > Since nobody has given the correct information about the PIN > on the card I will give a very brief descripti

Re: OT: Banc of America Article

2003-01-30 Thread Krzysztof Adamski
Since nobody has given the correct information about the PIN on the card I will give a very brief description. There are two types of PIN, natural and customer selected. The natural PIN is computed from the number on the card. The computation involves one-way crypto keys. I don't remember the alg

Re: Banc of America Article

2003-01-30 Thread David Howe
at Wednesday, January 29, 2003 6:35 PM, Al Rowland <[EMAIL PROTECTED]> was seen to say: > The PIN is on your card, likely encrypted IIRC, the actual answer is a bit simpler - an initial pin is *calculated* from your account number (which *is* stored on the card) and an offset (also on the card) is

Re: OT: Banc of America Article

2003-01-29 Thread Sharif Torpis
Hallelujah. A voice of knowledge as opposed to conjecture. Different bank ATMs operate differently. There are online and offline modes. The PIN may or may not be recorded on the card. Some of these differences are due to the fact that not all financial institutions were connected to interbank ne

Re: OT: Banc of America Article

2003-01-29 Thread David Charlap
Al Rowland wrote: The PIN is on your card ... Not for any card I've ever owned. I've changed my PIN several times over the years, and the bank has never re-encoded my card or sent me a new card as a result of doing so. Maybe some banks do store the PIN on the card, but I'm certain that it'

OT: Banc of America Article

2003-01-29 Thread Al Rowland
dnesday, January 29, 2003 9:47 AM > To: Al Rowland > Cc: [EMAIL PROTECTED] > Subject: RE: Banc of America Article > > > > > IIRC, the ATM system is similar to CC transactions. A best > effort is > > made to authorize against your account (Credit Card or > Ba

Re: Banc of America Article

2003-01-29 Thread Joel Baker
On Wed, Jan 29, 2003 at 01:19:08PM -0500, Charles Sprickman wrote: > > On Wed, 29 Jan 2003, Al Rowland wrote: > > > Or, > > > > IIRC, the ATM system is similar to CC transactions. A best effort is > > made to authorize against your account (Credit Card or Banking) but if > > it fails and the tran

Re: OT: Banc of America Article

2003-01-29 Thread Brett Frankenberger
On Wed, Jan 29, 2003 at 10:35:37AM -0800, Al Rowland wrote: > > The PIN is on your card, likely encrypted, We're off-topic now, so I won't go into detail, but the PIN is sometimes on the card and sometimes not. There are different ways of doing it. (If the sampling of cards in my wallet is re

OT: Banc of America Article

2003-01-29 Thread Al Rowland
Message- > From: Charles Sprickman [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, January 29, 2003 10:19 AM > To: Al Rowland > Cc: [EMAIL PROTECTED] > Subject: RE: Banc of America Article > > > On Wed, 29 Jan 2003, Al Rowland wrote: > > > Or, > > > >

OT: Banc of America Article

2003-01-29 Thread Al Rowland
TECTED]] > Sent: Wednesday, January 29, 2003 9:47 AM > To: Al Rowland > Cc: [EMAIL PROTECTED] > Subject: RE: Banc of America Article > > > > IIRC, the ATM system is similar to CC transactions. A best > effort is > > made to authorize against your account (Credit C

RE: Banc of America Article

2003-01-29 Thread Charles Sprickman
it know my daily card limit? Charles > Best regards, > __ > Al Rowland > > > -Original Message- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On > > Behalf Of Leo Bicknell > > Sent: Tuesday, January 28, 2003 8:03 PM &g

RE: Banc of America Article

2003-01-29 Thread Daniel Senie
At 12:46 PM 1/29/2003, [EMAIL PROTECTED] wrote: > IIRC, the ATM system is similar to CC transactions. A best effort is > made to authorize against your account (Credit Card or Banking) but if > it fails and the transaction is within a normal range (your daily card > limit) the CC/ATM completes t

RE: Banc of America Article

2003-01-29 Thread alex
> IIRC, the ATM system is similar to CC transactions. A best effort is > made to authorize against your account (Credit Card or Banking) but if > it fails and the transaction is within a normal range (your daily card > limit) the CC/ATM completes the transaction. Too bad it is not the ca

RE: Banc of America Article

2003-01-29 Thread E.B. Dreger
AR> Date: Wed, 29 Jan 2003 07:20:35 -0800 AR> From: Al Rowland AR> IIRC, the ATM system is similar to CC transactions. A best AR> effort is made to authorize against your account (Credit Card AR> or Banking) but if it fails and the transaction is within a AR> normal range (your daily card limit)

RE: Banc of America Article

2003-01-29 Thread Al Rowland
ng, IMHO. Best regards, __ Al Rowland > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On > Behalf Of Leo Bicknell > Sent: Tuesday, January 28, 2003 8:03 PM > To: [EMAIL PROTECTED] > Subject: Re: Banc of America A

Re: Banc of America Article

2003-01-28 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Leo Bicknell writes: > > > >FWIW: > >http://www.washingtonpost.com/wp-dyn/articles/A57550-2003Jan28.html > >"About 13,000 Bank of America cash machines had to be shut down. The >bank's ATMs sent encrypted information through the Internet, and when >the data slowed t

Re: Banc of America Article

2003-01-28 Thread Leo Bicknell
FWIW: http://www.washingtonpost.com/wp-dyn/articles/A57550-2003Jan28.html "About 13,000 Bank of America cash machines had to be shut down. The bank's ATMs sent encrypted information through the Internet, and when the data slowed to a crawl, it stymied transactions, according to a source, who sai

RE: Banc of America Article

2003-01-28 Thread alex
> I'm familiar with some enforced financial institution requirements, > nowhere did I find transaction data of ATMs on a dedicated network to be > _required_. Is this a common industry practice, or a mandatory standard > I have not discovered? It is a common practice. Since the alarm line is pe

Re: Banc of America Article

2003-01-28 Thread Roger Marquis
[EMAIL PROTECTED] wrote: > > It could be that BoA's network wasn't flooded / servers infected, but that > > the ATM's do not dial BoA directly, and dial somewhere else (i.e., maybe some > > kind of ATM Dial Provider, nationwide wholesale, etc), and then tunnel back > > to BoA to get the data. Could

Re: Banc of America Article

2003-01-27 Thread alex
> < knowing absolutely nothing about how BoA ATM's work > > > It could be that BoA's network wasn't flooded / servers infected, but that > the ATM's do not dial BoA directly, and dial somewhere else (i.e., maybe some > kind of ATM Dial Provider, nationwide wholesale, etc), and then tunnel back > to

RE: Banc of America Article

2003-01-27 Thread alex
> I think you're leaving out a very viable possibility in your summary... > > What if BoA took a proactive approach and shut down their SQL environment > (even though none of us know conclusively if they're a SQL or Oracle shop) > to verify that it was in fact clean and not compromised. When yo

Re: Banc of America Article

2003-01-27 Thread alex
> While they may have VPN's at many of their branches which offer significant > savings over leased lines everywhere, their web site access to personal > banking information was also offline. It would be worth grepping logs to > see if there was indeed a SQL server from the inside that was infec

RE: Banc of America Article

2003-01-27 Thread alex
> Actually, I think too many assumptions were made. > > Let's simplify. > > We know UUNet traffic capabilities were reduced significantly. UUNet > has many big customers. Other big carriers had similar effects on their > networks, probably particularly at peering points. > > We know many

Re: Banc of America Article

2003-01-27 Thread alex
> Patently incorrect? No. It is possible. > > Even if the confidentiality of your data is protected, you are still > vulnerable to attacks on availability and integrity of the data. > > For example, you may fully encrypt all your data, use VPNs, etc. But you > can still lose service due t

RE: Banc of America Article

2003-01-26 Thread Temkin, David
ein [SMTP:[EMAIL PROTECTED]] > Sent: Sunday, January 26, 2003 10:59 AM > To: Ray Burkholder > Cc: [EMAIL PROTECTED] > Subject: RE: Banc of America Article > > > > Let me summarize, then ask a question: > > a) BoA uses the public internet for ATM transactio

Re: Banc of America Article

2003-01-26 Thread Jack Bates
From: "Alex Rubenstein" > On the other hand, I think it's more likely that BoA had unprotected SQL > servers, and they got it. It took a long while for BoA IT people to make > it out of bed Saturday morning to fix the problem. > > I still clearly say that I don't know what happened, and I did mak

Re: Banc of America Article

2003-01-26 Thread Mike Nice
Just like the insider TCI theft ring at http://zdnet.com.com/2100-1106-971196.html , the easy way out is just to skip all that and get access to a leased line from the inside - I'll bet many financial transactions over a private line aren't even encrypted. - Original Message - > Yes, wi

RE: Banc of America Article

2003-01-26 Thread Alex Rubenstein
Let me summarize, then ask a question: a) BoA uses the public internet for ATM transactions. The public internet was so dead, that every one of their ATM machines was dead for many hours, even many hours longer than the public internet was dead. b) BoA uses its own network for its own ATM tran

Re: Banc of America Article

2003-01-26 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, "E.B. Dreger" writes: > >AR> Date: Sun, 26 Jan 2003 00:22:02 -0500 (Eastern Standard Time) >AR> From: Alex Rubenstein > > >AR> Agreed. And, even if it is super encrypted, who cares? Enough >AR> CPU and time will take care of that. > >Articles about "1000 years to c

Re: Banc of America Article

2003-01-26 Thread Dave Howe
E.B. Dreger wrote: >> Date: Sun, 26 Jan 2003 00:22:02 -0500 (Eastern Standard Time) >> From: Alex Rubenstein > > >> Agreed. And, even if it is super encrypted, who cares? Enough >> CPU and time will take care of that. > > Articles about "1000 years to crack using brute force" are a bit > disconcer

Re: Banc of America Article

2003-01-26 Thread Mike Nice
While they may have VPN's at many of their branches which offer significant savings over leased lines everywhere, their web site access to personal banking information was also offline. It would be worth grepping logs to see if there was indeed a SQL server from the inside that was infected.

RE: Banc of America Article

2003-01-26 Thread Ray Burkholder
raffic not being able to get through between ATM's and the central processing center. Ray Burkholder > -Original Message- > From: Alex Rubenstein [mailto:[EMAIL PROTECTED]] > Sent: January 25, 2003 18:45 > To: [EMAIL PROTECTED] > Subject: Banc of America Article > &

Re: Banc of America Article

2003-01-25 Thread E.B. Dreger
AR> Date: Sun, 26 Jan 2003 00:22:02 -0500 (Eastern Standard Time) AR> From: Alex Rubenstein AR> Agreed. And, even if it is super encrypted, who cares? Enough AR> CPU and time will take care of that. Articles about "1000 years to crack using brute force" are a bit disconcerting if someone has ac

Re: Banc of America Article

2003-01-25 Thread Alex Rubenstein
> While it's possible that _none_ of the vulnerable servers have _any_ > 'personal information', I'd venture to guess otherwise. Agreed. And, even if it is super encrypted, who cares? Enough CPU and time will take care of that. -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al

Re: Banc of America Article

2003-01-25 Thread Wayne E. Bouchard
I think a basic point is being overlooked here... B of A, a company that handles untold amounts of cash on a daily basis. Sure, there are valid needs for people to reach both the internet and the corporate secure net from inside the company. Might be very hard to get things done, such as download

Re: Banc of America Article

2003-01-25 Thread Charles Sprickman
On Sat, 25 Jan 2003, Alex Rubenstein wrote: > http://biz.yahoo.com/rb/030125/tech_virus_boa_1.html > Let's make the assumption that the outage of ATM's that BoA suffered was > caused by last night's 'SQL Slammer' virus. > > The following things can then be assumed: > > a) BoA's network has Micros

Re: Banc of America Article

2003-01-25 Thread Ryan Fox
> > Does anyone else, based upon the assumptions above, believe this statement > > to be patently incorrect (specifically, the part about 'personal > > information had not been at risk.') ? > > While not technically correct, they are not technically incorrect > either. Hm. One possible attack on

Re: Banc of America Article

2003-01-25 Thread Jeffrey Meltzer
< knowing absolutely nothing about how BoA ATM's work > It could be that BoA's network wasn't flooded / servers infected, but that the ATM's do not dial BoA directly, and dial somewhere else (i.e., maybe some kind of ATM Dial Provider, nationwide wholesale, etc), and then tunnel back to BoA to get

Re: Banc of America Article

2003-01-25 Thread Avleen Vig
On Sat, Jan 25, 2003 at 05:45:16PM -0500, Alex Rubenstein wrote: > Another article states, "Bank of America Corp., one of the nation's > largest banks, said many customers could not withdraw money from its > 13,000 ATM machines because of technical problems caused by the attack. A > spokeswoman, L

Re: Banc of America Article

2003-01-25 Thread Sean Donelan
On Sat, 25 Jan 2003, Alex Rubenstein wrote: > Does anyone else, based upon the assumptions above, believe this statement > to be patently incorrect (specifically, the part about 'personal > information had not been at risk.') ? Patently incorrect? No. It is possible. Even if the confidentialit

Banc of America Article

2003-01-25 Thread Alex Rubenstein
http://biz.yahoo.com/rb/030125/tech_virus_boa_1.html Let's make the assumption that the outage of ATM's that BoA suffered was caused by last night's 'SQL Slammer' virus. The following things can then be assumed: a) BoA's network has Microsoft SQL Servers on them. b) BoA has not applied SP3 (

Re: Banc of America Article

2003-01-25 Thread Jack Bates
From: "Alex Rubenstein" > > Does anyone else, based upon the assumptions above, believe this statement > to be patently incorrect (specifically, the part about 'personal > information had not been at risk.') ? > Actually, the statements are correct. Remember, the worm wasn't programmed to put the