Are We All Criminals?

[Axel]

I use my Amex card almost exclusively online

Was your card issued in Thailand? First 4 digits 3763...

[Bob Chittie]

True, you can trap the message between the ATM and the data centre. Your problem is that the PIN is encrypted under the COMMs key, which is exchanged with the ATM daily encrypted under the ATM master key. As of this year most ATMs use the 3DES algorithm which, the lastest estimates for cracking this using the 'test any key' approach is 27 years....

Get the feeling I also know a lot about this?

This is getting interesting. I'm waiting for the reply.

[Yohan]

True, you can trap the message between the ATM and the data centre. Your problem is that the PIN is encrypted under the COMMs key, which is exchanged with the ATM daily encrypted under the ATM master key. As of this year most ATMs use the 3DES algorithm which, the lastest estimates for cracking this using the 'test any key' approach is 27 years....

Get the feeling I also know a lot about this?

1-

3DES if you crack it for searching keys...it might take you 70 years or longer

- but techno-gangsters are not doing it in that way, and we have such people here in Japan, more than you might think.

2-

Police investigations found out that the usual decoding time is somewhat within 48 - 72 hours to see a result in most cases. (which means an empty bank-account for this victim)

3-

However, sometimes the ATM is wireless connected....

the decoding time in this case is often much much shorter -

money was gone within 6 hours...

4-

And the ATM card for itself, it is copied out of your pocket of your trousers or your handbag - no need to steal it, no need even to touch it. No need to enter into your jacket or to open your handbag.

So there is plenty of time to check it out, as the victim does not even know, that the data on the card are already in a decoder-center of profi-gangsters.

-----

Here in Japan, it is not a joke, many people are thinking, it is safer to carry the money in cash in the wallet.

Violent attacks, robbery are rare here.... hightech criminality is totally in...

and believe me, a professional techno-gangster cracks everything.....nothing is secure in the computer world...

Johann

[simey]

1 - The ONLY way to decrypt a triple DES encrypted key is either by knowing the key used or by the 'brute force' method of trying every possible key combination. I've coded the system that controls ATMs for 16 years, I have all the information, and it's still hard for me to get the PINs validated properly. The only time the previous method (single DES) was cracked was two years ago, using a CRAY array, and toow 3 days.

2 - If the keys could be decrypted within 72 hours the banks would not be paying me so much to install 3DES encrpytion. This is my whole vocation and there has not been a decryption of 3DES yet. But feel free to post the web site of your information.

3 - Whether an ATM is connected via leased line, X25, dial up, tcpip or wireless the encryption is exactly the same. The only affect the protocol has is speed.

4 - Copying cards is easy - a lot of ATMs have code to read and write cards (they all are just PCs running a windows or OS/2 software package). Without the PIN you have nothing.

To get money from an ATM you must enter the correct PIN - failure to do this means no cash. Even the system I work on is not aware of the PIN - it is verified by a secure box that is protected and wipes itself out as a precaution. Don't beleive the hype that the mag stripe can give your PIN.

If you know someone that claims to decrypt PINs it's easy to prove - I'll use one of my test ATMs here and provide you with the PIN block, you tell me the PIN I entered.

[OxfordWill]

1 - The ONLY way to decrypt a triple DES encrypted key is either by knowing the key used or by the 'brute force' method of trying every possible key combination. I've coded the system that controls ATMs for 16 years, I have all the information, and it's still hard for me to get the PINs validated properly. The only time the previous method (single DES) was cracked was two years ago, using a CRAY array, and toow 3 days.

2 - If the keys could be decrypted within 72 hours the banks would not be paying me so much to install 3DES encrpytion. This is my whole vocation and there has not been a decryption of 3DES yet. But feel free to post the web site of your information.

3 - Whether an ATM is connected via leased line, X25, dial up, tcpip or wireless the encryption is exactly the same. The only affect the protocol has is speed.

4 - Copying cards is easy - a lot of ATMs have code to read and write cards (they all are just PCs running a windows or OS/2 software package). Without the PIN you have nothing.

To get money from an ATM you must enter the correct PIN - failure to do this means no cash. Even the system I work on is not aware of the PIN - it is verified by a secure box that is protected and wipes itself out as a precaution. Don't beleive the hype that the mag stripe can give your PIN.

If you know someone that claims to decrypt PINs it's easy to prove - I'll use one of my test ATMs here and provide you with the PIN block, you tell me the PIN I entered.

I am undertaking a network security and computer systems degree currently and know the following to be true:

1) You can only 'crack' a IIIDES key in two ways, knowing the key of encryption of brute-forcing the issue which can take more time than it is worth the criminal waiting for unless that criminal has the resources to match the wealth of someone who really has no need to be hacking numbers.

2) The main EFFECT (but not the main function) of the protocol in this case is speed of transmission.

As for the rest, no idea, but simey uses the correct terminology and sounds too much like my net.sec. lecturer.

[taxexile]

As for the rest, no idea, but simey uses the correct terminology and sounds too much like my net.sec. lecturer.

he also sounds like he could have done the brinks mat heist at heathrow!

[simey]

I hit 36 at the weekend and Oxfordwill is not helping my mid-life crisis by comparing me to his lecturer!

[OxfordWill]

With age comes wisdom, and all that.

(sorry)

[roamer]

Fascinating. Things have come a long way since my days at college when we used to copy the strips on ATM cards and (more commonly) the ones on stored value bus cards and the like, using a piece of video tape and a flash gun....work that one out !

Anyway back to the business of Thai IP addresses and useing cards, Thai or otherwise,. online. The reason why so many people have different experiences is mainly due to the payment processor. Some of them simply will not accept a Thai IP address, period. Others may or may not depending on the goods or services ordered and whether or not the verification procedure is met. Its a pain in the arse, but so are chargebacks.

[jayrockwell]

For paying online I have a web shopping card from Kasikornbank (KB), it takes the funds directly from your KB savings account.

You don't actually get a card, only a visa credit card number, you need to have their internet banking to get/manage one.

I never keep more than a few hundred baht on the card account (to help prevent fraud), just before making a purchase I transfer funds onto the card from the internet banking, I get an email from KB after purchase.

The exchange rate is always excellent, I've never once been declined in more than 100 transactions around the world in 2 years using our Thai address.

With the KB internet banking you can also make online payments to Thai companies (i.e. fill up your internet, pay your electric/telephone) it's very useful.

J

[Yohan]

1 - The ONLY way to decrypt a triple DES encrypted key is either by knowing the key used or by the 'brute force' method of trying every possible key combination.

.....

2 - If the keys could be decrypted within 72 hours the banks

.....

3 - Whether an ATM is connected via leased line, X25, dial up, tcpip or wireless the encryption is exactly the same. The only affect the protocol has is speed.

4 - Copying cards is easy - a lot of ATMs have code to read and write cards (they all are just PCs running a windows or OS/2 software package). Without the PIN you have nothing.

To get money from an ATM you must enter the correct PIN - failure to do this means no cash.

Simey,

I respect your knowledge about ATM coding, the problem is not the code.

This is what I wrote in my last postings:

3DES if you crack it for searching keys...it might take you 70 years or longer

- but techno-gangsters are not doing it in that way.....

Here in Japan (I do not know if all is running on3DES here in Japan) ATM are manipulated by criminals using the data-connection, wireless preferred - a new problem which started some months ago.

I do not think, that anybody cracked the 3DES coding, as he need something more, like access to bankemployees, who have some access rights.. such a case involving 2 bankemployees happened some time ago, 6 million USD were gone -

However ATM hackers are operating by intercepting the traffic between the ATM and the datacenter, recording it, and copy the card of a user, who is using the ATM the same day...then using this already encrypted data from the ATM and the datacenter, and simulate with a computer and cardreader the datacenter and *playback* the same transaction ....it works not always, but sometimes the ATM pays...

The damages reported are near to 100 mill. yen, about 800000 USD...when I saw the last report on TV last week.

There are also other manipulations known, in one case like remote control of the ATM, for the reason to collect all PINs which are used on the ATM by manipulating the touch-screen. Also in this case the wireless connection of the ATM was used, and the touch of the numbers was displayed on a small monitor some meters away.

-----

Cards which are copied without any knowledge of the owner are a danger (is it really nothing, as you said?) to have 1000s of cards copied, and to then try them out every day, little by little at not so frequently used ATM will also produce results... such a case is also known here in Japan.

Here in Japan now, most ATMs are located in 7eleven stores or in office buildings and so on for security reasons, and many shut down totally 21h evening, open again 7.30 am. As some ATM disappeared overnight (and found emptybut otherwise undamaged elsewhere), they are now locked carefully after service time.

If I see again such an ATM attack in the news here or an TV, I will copy it or take it on the video and will let you know. But as I said, I think, these manipulations have nothing to do with the code-system itself.

And reading all these comments especially on this thread, I cannot say, creditcard or cashcard is such a total secure system...

Might be, that the coding system of the PIN helps a lot, but there is still any kind of unbelieveable misuse - including manipulating the data-lines.

Johann

[camerata]

I use my Amex card almost exclusively online

Was your card issued in Thailand? First 4 digits 3763...

Yes, 3763... issued in Thailand. The only real problem I've found with using Amex online is that some smaller companies don't accept it, presumably because of the higher commission Amex takes.

[ChiangMaiThai]

Here's another example. ccbill.com is the third party processor for thousands of websites. I tried to pay for something online with my US credit card and it was declined. The response from ccbill.com?:

Dear customer,

Yes. You will not be able to sign up in Thailand with your us ccard, you are

in a blocked country.

Regards,

Renee M.

A blocked country... Oh well.