funsec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Windows-based cash machines 'easily hacked'

From: "Dennis Henderson" <hendomatic () gmail com>
Date: Mon, 17 Mar 2008 15:36:30 -0500
On 3/17/08, Andy Sutton <newslists () pessimists net> wrote:


On Mon, 2008-03-17 at 08:37 -0500, Dennis Henderson wrote:

Thats why the PIN is encrypted. The translation to the real account is
made at the clearing house. So its really not that big of a deal.
Unless you can decrypt the PIN and have access to the translation
table, the account number is not particularly valuable.


Encrypting the entire communication stream is important because if I can
spoof the "approved" message back from the processor you'll get one
empty ATM.



The only saving grace is that you would have had to sniffed the actual
request and properly format a response that the ATM is expecting within its
timeout. The ATM just doesnt accept a "do it". It will be expecting a
certain formatted message complete with specific information that it
included in its request.

Not perfect, but once again, designed and accepted years ago when private
networks were considered "private".

Some smart banks are looking to use TLS as a bridge to secure the data until
the vendors come up with a endpoint solution.









--

- Andy

Thoughts of doubt and fear never accomplish anything, and never can.
They always lead to failure. Purpose, energy, power to do, and all
strong thoughts cease when doubt and fear creep in.
-- James Allen

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Previous By Date Next
Previous By Thread Next

Current thread: