
Re: accutrade

Mixmaster wrote ...
> Hacking the 9 digit account number and 4 digit PIN will be easier than attacking the OS directly.
> Either method though would certainly ring loud bells at Accutrade unless they are infected with 
> headinbutt disease.
If, and this is a big if, the account numbers are issued sequentially,
and I know a starting account number (A), then I try account A+1
with the PIN "1234". If it fails then 1 minute later I try A+2
also with the PIN "1234" and so on. I'm trying 60 accounts/hour, 1440/day.
It shouldn't trip up errors because most programmers only put error 
counters on each account and we only try each account once.

By the laws of probability 1 account in 10000 should have the PIN "1234"
(reality will be different, people choose easy to remember PINs).

Within 4 days I've tried over 5000 accounts and statistically have
a greater than 50% chance that I've got an account number and PIN.

Nicolas Hammond                                 NJH Security Consulting, Inc.
[email protected]                                     211 East Wesley Road
404 262 1633                                    Atlanta
404 812 1984 (Fax)                              GA 30305-3774
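
The weakness the message relies on is that a failed-login counter kept per account never sees more than one failure when each account is tried once. The following is an added example, not code from the thread or from Accutrade, showing detection logic that looks across accounts instead: per-source distinct-account counting over a long window and a check for a source walking account numbers in sequence. The log lines are constructed, the IP addresses are documentation-range placeholders, and the thresholds (3 failures per account, 20 distinct accounts per source per day, a run of 10 sequential account numbers) are assumptions to tune for a real system.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed authentication events: (timestamp, source_ip, account, success).

    Two legitimate users mistype a PIN and then log in; one source tries
    consecutive account numbers once each, one attempt per minute, for
    three hours, the low-and-slow pattern described in the message.
    """
    events = []
    t0 = datetime(2000, 1, 1, 0, 0, 0)
    events.append((t0, "198.51.100.7", "100000042", False))
    events.append((t0 + timedelta(seconds=30), "198.51.100.7", "100000042", True))
    events.append((t0 + timedelta(hours=2), "198.51.100.9", "100000077", False))
    events.append((t0 + timedelta(hours=2, seconds=20), "198.51.100.9", "100000077", False))
    events.append((t0 + timedelta(hours=2, seconds=45), "198.51.100.9", "100000077", True))
    start = 200000000  # constructed starting account number
    for i in range(1, 181):
        events.append((t0 + timedelta(minutes=i), "203.0.113.5", str(start + i), False))
    events.sort(key=lambda e: e[0])
    return events


def per_account_lockouts(events, max_failures=3):
    """The common per-account counter: lock an account after N consecutive failures.

    A success resets the counter. One failure per account never reaches the
    threshold, so a horizontal sweep leaves this set empty.
    """
    failures = defaultdict(int)
    locked = set()
    for _, _, acct, ok in events:
        if ok:
            failures[acct] = 0
        else:
            failures[acct] += 1
            if failures[acct] >= max_failures:
                locked.add(acct)
    return locked


def spraying_sources(events, window=timedelta(hours=24), min_accounts=20):
    """Flag sources whose failures touch many distinct accounts within the window.

    Returns {source_ip: peak number of distinct accounts failed in one window}.
    """
    history = defaultdict(list)  # source -> [(timestamp, account)] of failures
    flagged = {}
    for ts, src, acct, ok in events:
        if ok:
            continue
        hist = history[src]
        hist.append((ts, acct))
        cutoff = ts - window
        while hist and hist[0][0] < cutoff:
            hist.pop(0)  # slide the window forward
        distinct = {a for _, a in hist}
        if len(distinct) >= min_accounts:
            flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def sequential_account_probes(events, min_run=10):
    """Flag sources whose failed attempts step through account numbers by +1.

    Returns {source_ip: longest run of consecutive account numbers}.
    """
    by_src = defaultdict(list)
    for _, src, acct, ok in events:
        if not ok and acct.isdigit():
            by_src[src].append(int(acct))
    flagged = {}
    for src, accts in by_src.items():
        run = best = 1
        for prev, cur in zip(accts, accts[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    print("per-account lockouts:", per_account_lockouts(log))
    print("spraying sources:", spraying_sources(log))
    print("sequential probes:", sequential_account_probes(log))
```

On the constructed log the per-account counter locks nothing, while both cross-account checks single out 203.0.113.5 after its first twenty distinct accounts. In practice the per-source view should be keyed on more than the client address (a session token, device fingerprint, or a global failure rate across all accounts), since a patient attacker can rotate sources as easily as accounts.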