From: “Nicolas J. Hammond” <njhm@ns.njh.com>
To: mixmaster@remail.obscura.com (Mixmaster)
Message Hash: ce64dd99a8cebdd4a8c14956716da90b7c961c0713f4587cb7fb7c25c0b5fcc6
Message ID: <199611191451.JAA26479@ns.njh.com>
Reply To: <199611182120.NAA10915@sirius.infonex.com>
UTC Datetime: 1996-11-19 14:47:28 UTC
Raw Date: Tue, 19 Nov 1996 06:47:28 -0800 (PST)
Subject: Re: accutrade
Mixmaster wrote ...
> Hacking the 9 digit account number and 4 digit PIN will be easier than attacking the OS directly.
> Either method though would certainly ring loud bells at Accutrade unless they are infected with
> headinbutt disease.
No.
If, and this is a big if, the account numbers are issued sequentially,
and I know a starting account number (A), then I try account A+1
with the PIN "1234". If it fails then 1 minute later I try A+2
also with the PIN "1234" and so on. I'm trying 60 accounts/hour, 1440/day.
It shouldn't trip up errors because most programmers only put error
counters on each account and we only try each account once.
By laws of probability 1 account in 10000 should have the PIN "1234"
(reality will be different, people choose easy to remember PINs).
Within 4 days I've tried over 5000 accounts and statistically have
a greater than 50% chance that I've got an account number and PIN.
--
Nicolas Hammond NJH Security Consulting, Inc.
njh@njh.com 211 East Wesley Road
404 262 1633 Atlanta
404 812 1984 (Fax) GA 30305-3774
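
Added example, not part of the original message: a defender's check for the pattern described above, run over constructed login events. It compares a per-account failure counter with a per-source count of distinct accounts that failed; the event layout, source labels, and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (minute, source, account, success).
# "src-A" tries sequential accounts once a minute, one attempt each;
# "src-B" and "src-C" are ordinary users mistyping their own PIN.
def sample_events(start=100000000, n=30):
    events = [(m, "src-A", start + m, False) for m in range(n)]
    events += [(5, "src-B", 222222222, False), (6, "src-B", 222222222, True),
               (12, "src-C", 333333333, False), (13, "src-C", 333333333, False)]
    return sorted(events)

def per_account_lockouts(events, max_failures=3):
    """Per-account counter: lock after max_failures consecutive failures."""
    fails, locked = defaultdict(int), set()
    for _, _, account, ok in events:
        if ok:
            fails[account] = 0
        else:
            fails[account] += 1
            if fails[account] >= max_failures:
                locked.add(account)
    return locked

def spray_alerts(events, window=60, max_accounts=10):
    """Flag a source whose failures span more than max_accounts distinct
    accounts within `window` minutes, whatever the per-account counts are."""
    recent = defaultdict(deque)   # source -> (minute, account) failures in window
    flagged = {}                  # source -> minute of first alert
    for minute, source, account, ok in events:
        if ok:
            continue
        q = recent[source]
        q.append((minute, account))
        while q and q[0][0] <= minute - window:
            q.popleft()           # drop failures older than the window
        if source not in flagged and len({a for _, a in q}) > max_accounts:
            flagged[source] = minute
    return flagged

if __name__ == "__main__":
    ev = sample_events()
    print("locked accounts:", per_account_lockouts(ev))
    print("flagged sources:", spray_alerts(ev))
```

A per-source key only helps while the attempts share a source; the same counter keyed on the whole service (distinct accounts failing per hour against a baseline) covers attempts spread across sources.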