Am I protecting or just fooling myself here
August 5, 2008 1:39 PM

Am I giving myself any protection against ATM hacking by not having an ATM card for some specific account, or is the account in the network whether or not I have a card?
posted by still_wears_a_hat to Work & Money
yes. the communication that is being intercepted is between the atm machine and the bank - that pin data is only sent when you (or someone else) tries to use the card.

i understand that a lot of the hacking round here is done by copying info from the card when it is used (an extra scanner is stuck on the front of the machine), which you would also be protected from.

so not using a card protects you from both those attacks.

not having a card at all (rather than having one but not using it) may also give some extra protection (i think there are some scams that involve intercepting cards on delivery, but i can't remember how they get the pin - perhaps they also intercept that? (the attack in the link won't work since that requires someone to already know, and enter, the correct value, although they could perhaps try all 9999 values (i really hope the banks check for that...))).
posted by not sure this is a good idea at 2:17 PM on August 5, 2008


heh. 10,000 values i suppose.
posted by not sure this is a good idea at 2:18 PM on August 5, 2008


(these slides show how the atm network should operate - you'll see that the only pin data transmitted is that entered by the customer)
posted by not sure this is a good idea at 2:44 PM on August 5, 2008


Best answer: "...is the account in the network whether or [not] I have a card?"

I can't speak for all banks, but at the large, well-known financial institution I used to work for, if you weren't issued an ATM card, there was no ATM card number associated with your account. There were exceptions to this rule, however: customers with telephone and internet banking services would have a card number associated with their account due to a quirk of the way a person's accounts were grouped together.

Having said that, the attack described wouldn't work against a card number used only internally anyway.

"although they could perhaps try all 9999 values (i really hope the banks check for that...)"

Two points: One, any respectable bank is going to allow and possibly encourage PINs of greater than four digit length -- a brute force attack against a customer PIN at my former employer would have required as many as ten million attempts per account. Second, yes. Any bank worth its salt locks the card down after three PIN failures anyhow.

I can't speak for the institution mentioned in the article, but I do know that mine (A) would be architecturally immune to the attack -- injecting traffic into the transactional network just plain old wouldn't work without compromising encryption certificates much much more valuable than a few accounts' worth of cash -- and (B) ridiculously more paranoid about catching even one attempt.

If you're a customer of the institution mentioned in that article and the article's assertions about what happened are true, you might not want to be a customer any more. That breach sounds like incompetence of the highest order throughout the company.
posted by majick at 3:37 PM on August 5, 2008
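To make the two points in the answer above concrete (a card with no PIN-bearing record is not a target, and a lockout after a small number of consecutive wrong PINs makes "try all 10,000 values" fail almost immediately), here is an added Python model of an issuer-side PIN check. It is example code written for this page, not code from the thread, the linked slides, or any bank; the card numbers, PINs, the salted-hash storage, and the three-failure threshold are all assumptions.

```python
"""Toy model of an issuer's PIN verification with a failure lockout.

Constructed example: card numbers, PINs, the hashing scheme and the
lockout threshold are assumptions, not any real bank's policy.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 3  # assumed policy: lock after three consecutive wrong PINs


@dataclass
class CardRecord:
    pin_hash: bytes
    salt: bytes
    failures: int = 0
    locked: bool = False


class PinVerifier:
    """Holds one record per issued card; accounts without a card simply
    have no entry here, so there is nothing for a PIN guess to match."""

    def __init__(self):
        self._cards = {}

    @staticmethod
    def _hash(pin, salt):
        # Salted, iterated hash so the stored value is not the PIN itself.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 1000)

    def issue(self, card_number, pin):
        salt = os.urandom(16)
        self._cards[card_number] = CardRecord(self._hash(pin, salt), salt)

    def verify(self, card_number, pin):
        rec = self._cards.get(card_number)
        if rec is None:
            return "unknown_card"      # no card issued: not a target
        if rec.locked:
            return "locked"            # even the right PIN is refused now
        if hmac.compare_digest(self._hash(pin, rec.salt), rec.pin_hash):
            rec.failures = 0           # success resets the counter
            return "ok"
        rec.failures += 1
        if rec.failures >= MAX_FAILURES:
            rec.locked = True
            return "locked"
        return "wrong_pin"


def brute_force(verifier, card_number, pin_length):
    """Try every PIN of the given length in order, as a naive attacker
    would. Returns (final outcome, number of attempts actually made)."""
    attempts = 0
    for i in range(10 ** pin_length):
        attempts += 1
        result = verifier.verify(card_number, f"{i:0{pin_length}d}")
        if result in ("ok", "locked", "unknown_card"):
            return result, attempts
    return "exhausted", attempts


def guess_success_probability(pin_length, max_failures=MAX_FAILURES):
    """Chance that an attacker hits a uniformly chosen PIN before the
    lockout triggers: they get max_failures guesses out of 10**pin_length."""
    return max_failures / (10 ** pin_length)


if __name__ == "__main__":
    v = PinVerifier()
    v.issue("4111111111111111", "7391")  # constructed card and PIN
    print(brute_force(v, "4111111111111111", 4))   # ('locked', 3)
    print(brute_force(v, "5555555555554444", 4))   # ('unknown_card', 1)
    print(guess_success_probability(4))            # 0.0003
    print(guess_success_probability(7))            # 3e-07
```

The attacker in `brute_force` never gets past the third guess, and a correct PIN presented after that is refused too, which is why the lockout has to be paired with a customer-facing unlock process rather than a silent reset. A PIN longer than four digits only changes the search space; the lockout is what defeats the enumeration.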

