Man used MP3 player to hack ATMs

Haven't seen it posted here before.

"Parsons plugged his MP3 player into the back of free standing cash machines and was able to use it to read data about customers' cards. That data could then be used to 'clone' cards and use them for bogus purchases."

Richard Oliver

The astonishing thing AIUI is that the data was not encrypted at all when it was sent from the cash machine down the telephone line. It was just a series of DTMF tones which could easily be converted back to the numbers representing card nos, PINs etc.

Tumbleweed

So anyone could pick it up at any convenient point in the BT system, such as a joint box or culvert in the pavement? If so then there must be gangs all over the country getting ex-BT vans and jackets at this very moment.

mrcheerful

Reading the report I have assumed the same - that the guy connected the MP3 into the "handset" socket at the back of the ATM, recorded a whole series of transactions, played them back (getting account numbers and PINs etc.).

Presumably account balance data when requested etc. I would never have believed such a system would even have been implemented.

Richard Oliver

Much easier to grab it at the point of origination, but essentially yes. There was a Watchdog, I think, about 'phantom' premium rate phone calls made from people's phones where it seemed almost certain they were made from junction boxes.

Tumbleweed

There was a report in one of the papers which stated that he had a program that turned the tones back into numbers, and that was it. Not even any need for some basic unencryption. IMHO the people who set this system up should be prosecuted for negligence.

Tumbleweed

At 01:47:37 on 19/11/2006, Tumbleweed delighted uk.finance by announcing:

Transactions have been sent unencrypted over the public telephone network for years. It's the encrypted Message Authentication Code that prevents any 'playback' fraud. Similarly, ATMs may send the card details unencrypted but the PIN will be encrypted. You'll note that the story states that the data "could then be used to 'clone' cards and use them for bogus purchases," not that he could use them to withdraw cash at ATMs.

Alex
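
The distinction drawn in the post above (a MAC stops playback, while card details sent in the clear stay readable), as an added example that is not part of the original thread. HMAC-SHA256 stands in for whatever MAC the real network used; the JSON message layout, the key, the sequence-number scheme and the card number are all constructed for illustration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # shared terminal/host secret (constructed)


def build_message(pan, amount_pence, seq, key=KEY):
    """Terminal side: cleartext fields plus a MAC computed over them."""
    body = json.dumps({"pan": pan, "amount": amount_pence, "seq": seq},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


class Host:
    """Host side: check the MAC, then refuse any sequence number already seen."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = 0  # single terminal modelled (assumption)

    def accept(self, body, tag):
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad MAC"      # altered in transit, or wrong key
        seq = json.loads(body)["seq"]
        if seq <= self.last_seq:
            return "rejected: replay"       # recorded message played back
        self.last_seq = seq
        return "accepted"


def visible_on_wire(body):
    """A MAC gives integrity, not confidentiality: the fields are plain text."""
    return json.loads(body)["pan"]


if __name__ == "__main__":
    host = Host()
    body, tag = build_message("0000000000000000", 2000, seq=1)  # constructed PAN
    print(host.accept(body, tag))                       # genuine message
    print(host.accept(body, tag))                       # same bytes played back
    print(host.accept(body.replace(b"2000", b"9000"), tag))  # amount altered
    print(visible_on_wire(body))                        # still readable in the clear
```
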

"Alex" wrote

Is that meant to make it OK? 'Playback' fraud might be stopped, but never mind about the gaping hole in 'cloning' fraud?!!

Tim

At 12:11:14 on 21/11/2006, Tim delighted uk.finance by announcing:

What gaping hole? It's exactly the same hole that you have with conventional skimming - the hole that's plugged by EMV.

Alex

well said

bored

he means the hole that could have been easily prevented by our banks that make multi-billion profits and who harass anyone who claims they didn't make specific ATM withdrawals

that's what hole!

you plonker!

just have the balls to admit they should have covered this gap

bored

At 11:06:24 on 23/11/2006, bored delighted uk.finance by announcing:

You haven't explained what the hole is. And I'd remind you that the fraud in this case wasn't against ATMs but in regular purchases.

Alex

What about the 'security code' that is printed on the signature strip on the back of the card? I thought that was not encoded anywhere on the magnetic strip. Robert

Robert

At 16:47:55 on 23/11/2006, Robert delighted uk.finance by announcing:

That's correct. However, it's only used in card not present transactions.

Alex
