Re: accutrade
Mixmaster wrote ...
> Hacking the 9 digit account number and 4 digit PIN will be easier than attacking the OS directly.
> Either method though would certainly ring loud bells at Accutrade unless they are infected with
> headinbutt disease.
No.
If, and this is a big if, the account numbers are issued sequentially,
and I know a starting account number (A), then I try account A+1
with the PIN "1234". If it fails then 1 minute later I try A+2
also with the PIN "1234" and so on. I'm trying 60 accounts/hour, 1440/day.
It shouldn't trip up errors because most programmers only put error
counters on each account and we only try each account once.
By laws of probability 1 account in 10000 should have the PIN "1234"
(reality will be different, people choose easy to remember PINs).
Within 4 days I've tried over 5000 accounts and statistically have
a greater than 50% chance that I've got an account number and PIN.
--
Nicolas Hammond NJH Security Consulting, Inc.
[email protected] 211 East Wesley Road
404 262 1633 Atlanta
404 812 1984 (Fax) GA 30305-3774
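
The gap described in the message above, seen from the defender's side, as an added example that is not part of the original post: a per-account failure counter never trips when each account is tried once, while a per-source count of distinct failed accounts and a check for failures on consecutive account numbers both catch the pattern. The event format, thresholds, function names and sample data are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample events: (minute, source, account, success).
# src-A tries sequential accounts once a minute; src-B is a customer who mistypes twice.
def sample_events(start=100000000, n=30):
    events = [(m, "src-A", start + m, False) for m in range(n)]
    events += [(5, "src-B", 555000111, False), (6, "src-B", 555000111, False),
               (7, "src-B", 555000111, True)]
    return sorted(events)

def per_account_lockouts(events, max_failures=3):
    """Per-account error counter: lock an account after max_failures misses."""
    fails, locked = defaultdict(int), set()
    for _, _, account, ok in events:
        if ok:
            fails[account] = 0
            continue
        fails[account] += 1
        if fails[account] >= max_failures:
            locked.add(account)
    return locked

def spray_sources(events, window=60, max_accounts=10):
    """Flag sources failing on more than max_accounts distinct accounts per window (minutes)."""
    recent, flagged = defaultdict(deque), set()
    for minute, source, account, ok in events:
        if ok:
            continue
        q = recent[source]
        q.append((minute, account))
        while q[0][0] <= minute - window:   # drop failures older than the window
            q.popleft()
        if len({a for _, a in q}) > max_accounts:
            flagged.add(source)
    return flagged

def longest_sequential_run(events):
    """Source-independent: longest run of consecutive account numbers with a failed login."""
    best = run = 0
    prev = None
    for account in sorted({a for _, _, a, ok in events if not ok}):
        run = run + 1 if prev is not None and account == prev + 1 else 1
        best, prev = max(best, run), account
    return best

if __name__ == "__main__":
    ev = sample_events()
    print("locked by per-account counter:", per_account_lockouts(ev))
    print("sources flagged for spraying: ", spray_sources(ev))
    print("longest sequential failed run:", longest_sequential_run(ev))
```

The sequential-run check does not depend on the source address, so it still fires if the attempts are spread over many sources.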