On Tue, Jul 8, 2008 at 5:30 AM, Fabrice A. Marie
<[EMAIL PROTECTED]> wrote:
>> Weird wth! Don't they encrypt PINs? No, shouldn't they?
>> Is this article saying the sysadmin of that system
>> has *legitimate* access to my PIN? (_oh i want that job!!_)
>> Cheers
>
> There are basically two ways to rob people or the bank
> using an ATM. Either you hack into the ATM itself
> (quite often a Windows machine), or you hack into
> the ATM Processor (the back-end server to which all
> the ATMs of the bank connect).
>
> If you hack the ATM you can grab customers'
> card information _before_ it gets encrypted.
> There are a lot of funny attacks you can do too.

This can't be helped; once hacked, you're done for.

>
> If you hack the ATM Processor, you can pretend
> to be an ATM, and attempt to perform all sorts
> of transactions.

This one is ridiculous. It shouldn't be easy to pretend to be an ATM.
You could easily add signature and timestamp. It's just (as you said)
'laziness' from the part of the banks to do anything to further secure
ATM infrastructure.

>
> In Singapore, one of the local banks at least will
> _not_ be vulnerable to that (can't mention which one sorry),
> they have a very strict security armada protecting their
> ATMs/ATM Processors. The rest? Who knows!
> What I can tell you is that most of the banks do not
> get third party hacking services to test their ATMs,
> so it had to be expected that one day somebody
> would abuse such trivial flaws. Serve them right
> if you ask me, it's not like they've never heard
> of security.

Sadly, the reasons they have usually made some sense to the managers
there (not to security people). Most of the banking software is made
in-house, so there are quite a few worries about letting a third party
perform a legitimate attack on the system. With the negative media
around hacking, not many managers have a good education about white
hackers. It's not that unreasonable for them to think that way. This
simply reinforces the notion that engineers should just be left alone
and not be bothered all the time by those managers (not many
companies do that though).

Well, that doesn't mean we can live without those banks anyway. Plus
sooner or later, they'll improve their systems, especially if they
get hacked all the time, creating financial incentives to do something
about it. (:

Cheers,

-- 
Chris
[EMAIL PROTECTED]
[EMAIL PROTECTED]
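The "signature and timestamp" check Chris suggests above, as an added example that is not part of this thread or any bank's code: each ATM signs its requests with a per-ATM HMAC key over its id, a timestamp and a nonce, and the processor refuses unknown, tampered, stale or replayed requests before any transaction logic runs. The ATM ids, keys and 60-second window are constructed assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed per-ATM shared keys; a real processor keeps these in an HSM.
ATM_KEYS = {"ATM-0001": b"constructed-key-for-atm-0001"}
MAX_SKEW = 60  # assumed: seconds a request may be stale before rejection


def canonical(body):
    """Stable byte encoding so ATM and processor sign exactly the same thing."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(atm_id, key, txn, now, nonce):
    """ATM side: bind id, timestamp and nonce into the signed body."""
    body = {"atm_id": atm_id, "ts": now, "nonce": nonce, "txn": txn}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}


class Processor:
    """Processor side: authenticate every request before acting on it."""

    def __init__(self, keys, now_fn=time.time):
        self.keys = keys
        self.now_fn = now_fn
        self.seen = {}  # (atm_id, nonce) -> ts, for replay detection

    def verify(self, msg):
        body = msg.get("body", {})
        key = self.keys.get(body.get("atm_id"))
        if key is None:
            return "reject: unknown ATM"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # compare_digest avoids leaking the tag through timing differences
        if not hmac.compare_digest(expected, str(msg.get("sig", ""))):
            return "reject: bad signature"
        now = self.now_fn()
        if abs(now - body["ts"]) > MAX_SKEW:
            return "reject: stale timestamp"
        # forget nonces older than the window, then refuse any nonce seen within it
        self.seen = {k: t for k, t in self.seen.items() if now - t <= MAX_SKEW}
        replay_key = (body["atm_id"], body["nonce"])
        if replay_key in self.seen:
            return "reject: replay"
        self.seen[replay_key] = body["ts"]
        return "accept"
```

The nonce store only needs to remember the last window, since anything older is already rejected by the timestamp check.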

_______________________________________________
Slugnet mailing list
[email protected]
http://wiki.lugs.org.sg/LugsMailingListFaq
http://www.lugs.org.sg/mailman/listinfo/slugnet
