Hello,
Chris Henry wrote:
Weird wth! Don't they encrypt PINs? No, shouldn't they? Is this article saying the sysadmin of that system has *legitimate* access to my PIN? (_oh i want that job!!_) Cheers
There are basically two ways to rob people or the bank using an ATM. Either you hack into the ATM itself (quite often a Windows machine), or you hack into the ATM Processor (the back-end server to which all the ATMs of the bank connect).

If you hack the ATM you can grab customers' card information _before_ it gets encrypted. There are a lot of funny attacks you can do too.

If you hack the ATM Processor, you can pretend to be an ATM, and attempt to perform all sorts of transactions.

In Singapore, one of the local banks at least will _not_ be vulnerable to that (can't mention which one, sorry); they have a very strict security armada protecting their ATMs/ATM Processors. The rest? Who knows!

What I can tell you is that most of the banks do not get third-party hacking services to test their ATMs, so it had to be expected that one day somebody would abuse such trivial flaws. Serves them right if you ask me, it's not like they've never heard of security.

Shameless plug: I wrote a small presentation for Hack In The Box Dubai, 2007, where I explain in more detail the attacks one can perform on ATM networks (among other attacks):

tinyURL: http://tinyurl.com/5juyxb
or long one: http://materials.hitbsecconf.org/hitbsecconf2007dubai/D1%20-%20Fabrice%20Marie%20-%20Robbing%20Banks%20-%20Easier%20Done%20Than%20Said.pdf

Have a nice day,

Fabrice.
--
Fabrice A. Marie
FMA Risk Management Solutions
http://www.fma-rms.com/
