On 3/17/08, Andy Sutton <[EMAIL PROTECTED]> wrote:
>
> On Mon, 2008-03-17 at 08:37 -0500, Dennis Henderson wrote:
> > That's why the PIN is encrypted. The translation to the real account is
> > made at the clearing house. So it's really not that big of a deal.
> > Unless you can decrypt the PIN and have access to the translation
> > table, the account number is not particularly valuable.
>
> Encrypting the entire communication stream is important because if I can
> spoof the "approved" message back from the processor you'll get one
> empty ATM.


The only saving grace is that you would have had to sniff the actual
request and properly format a response that the ATM is expecting within its
timeout. The ATM just doesn't accept a "do it". It will be expecting a
certain formatted message complete with specific information that it
included in its request.

Not perfect, but once again, designed and accepted years ago when private
networks were considered "private".

Some smart banks are looking to use TLS as a bridge to secure the data until
the vendors come up with a endpoint solution.
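The response check described above (the ATM only honours a reply that is well formed, echoes the specific fields from its own outstanding request, and arrives inside the timeout) can be made concrete with a small validator. This is an added illustration, not code from the list or from any ATM vendor; the pipe-delimited `key=value` wire format, the field names and the 30-second timeout are all constructed assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class AtmRequest:
    """Fields the ATM put in its authorization request (constructed model)."""
    txn_id: str        # per-transaction identifier the ATM expects echoed back
    terminal_id: str
    amount_cents: int
    sent_at: float     # clock reading when the request went out


def parse_response(raw: str) -> dict:
    """Parse the constructed pipe-delimited key=value format, e.g.
    'txn_id=TX-1|terminal_id=ATM-7|amount_cents=20000|status=APPROVED'."""
    fields = {}
    for part in raw.strip().split("|"):
        if "=" not in part:
            raise ValueError(f"not key=value: {part!r}")
        key, value = part.split("=", 1)
        fields[key] = value
    return fields


def validate_response(req: AtmRequest, raw: str, now: float, timeout_s: float = 30.0):
    """Return (accepted, reason). Accept only a reply that arrived within the
    timeout, parses cleanly, echoes every field of the outstanding request,
    and carries status APPROVED."""
    if now - req.sent_at > timeout_s:
        return False, "response arrived after the request timed out"
    try:
        resp = parse_response(raw)
    except ValueError as exc:
        return False, f"malformed response: {exc}"
    required = ("txn_id", "terminal_id", "amount_cents", "status")
    missing = [k for k in required if k not in resp]
    if missing:
        return False, f"missing fields: {missing}"
    if resp["txn_id"] != req.txn_id:
        return False, "txn_id does not match outstanding request"
    if resp["terminal_id"] != req.terminal_id:
        return False, "terminal_id does not match outstanding request"
    if resp["amount_cents"] != str(req.amount_cents):
        return False, "amount does not match outstanding request"
    if resp["status"] != "APPROVED":
        return False, f"not approved: {resp['status']}"
    return True, "ok"


def demo():
    """Run the validator over constructed replies; returns {label: (accepted, reason)}."""
    req = AtmRequest("TX-000123", "ATM-7", 20000, sent_at=1000.0)  # constructed
    good = "txn_id=TX-000123|terminal_id=ATM-7|amount_cents=20000|status=APPROVED"
    return {
        "bare approval": validate_response(req, "APPROVED", now=1005.0),
        "wrong txn":     validate_response(req, good.replace("TX-000123", "TX-000999"), now=1005.0),
        "late":          validate_response(req, good, now=1040.0),
        "well-formed":   validate_response(req, good, now=1005.0),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:14} -> {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The bare "do it" reply, the reply for a different transaction, and the on-time reply that arrives after the timeout are all rejected; only the reply that echoes the request exactly is accepted. Note what the check does not do: nothing in it is cryptographic, so it distinguishes a response by content and timing alone. That is exactly the "not perfect" gap the message describes and the reason the thread points at TLS on the link as a bridge until endpoints authenticate messages themselves.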
--
> - Andy
>
> Thoughts of doubt and fear never accomplish anything, and never can.
> They always lead to failure. Purpose, energy, power to do, and all
> strong thoughts cease when doubt and fear creep in.
> -- James Allen
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
