« you've got to learn to live with what you can't rise above | Main | new car, caviar, four star daydream, think i'll buy me a football team »
when the question is posed I'll have this meager defense
by mg at 08:49 PM on January 10, 2002
So, the whole reason behind that whole OCD post was because my friend had something stolen from him. I was planning on just writing a short introduction to his account. Of course, being the narcissistic, ego maniacal blabber mouth that I am, I ended up off on a tangent of my own creation, and writing 600 words about me me me.
So, anyway, without further ado, here is the story, as originally planned.
---
This was a good holiday. Really, it was. This was my first Christmas/New Year's holiday away from home in 25 years. And I enjoyed it. I spent my time in Ohio, reading, sleeping, eating, cooking, and shooting. But I also spent a lot of time worrying.
Nervous about the apartment, that there wouldn't be anyone around for a whole 12 days. Someone could break in and carry away all of my worldly possessions. So I got someone to housesit and I got to relax. The holiday went by, and I returned home. I went to the bank to deposit my Christmas money. The deposit went through just fine. And then I saw my balance.
Holy ****. Where's my money? It’s all gone! Where's all my hard earned, supposedly safely stored away in the checking account money? Where's my rent? What am I going to do? Panic ensues.
It turns out I seem to be the victim of some type of electronic fraud. Some joker managed to get my account number and PIN off of a third party ATM that they hacked. You know, the grocery store/bodega/deli convenience ATMs. All this time I was worried about someone swiping the stuff from my apartment. I should have been worried about someone swiping my identity over the Internet. The card was a direct copy of my own, and I am sure I had never lost mine.
I'm calmer now. Cooler heads do prevail. I’ll, hopefully, be credited the full amount stolen. They will pursue the crafty individual who managed to disrupt my life. If he is caught, I will express no remorse or empathy when they prosecute him on federal charges for felony grand larceny. I hope he burns. He walked off to a happy holiday with about $6000 of my earnings.
To anyone reading this: Please do not subject yourself to the same circumstances. Avoid using third-party ATMs, which seem to be unsecure. Adapt to the circumstances surrounding you, and you will survive. I was the 68th complaint registered at the Police Precinct this year. They are diligently working on my case, and my hat goes off to them. I am not the first victim of this, and most likely not the loudest. But I am saying something. I hope someone listens.
comments (2)
Fuck! Never heard about that. Of course, the bank's aren't bloody likely to advertise it, are they? Amazing. What did he/she do? Set up a capture at the actual point of transfer? The PIN is supposed to be encrypted there, but it wouldn;t surprise me if some of these cheapo terminals don't do it. Still, the person must have had physical access to the ATM panel. Or...did they actually intrecept ATM transmissions? That is supposedly technically impossible due to check digits and the asynchronous encyption layer. But it's possible if the bank isn't monitoring service interuptions carefully - highly likely for some third party fly-by-night outfit operating in a very high traffic pool like NYC. Lines that go out of service are automatically replaced by dial-ups as needed, so that tapping could be done without much chance of detection, but the cost of attacking a 4.8Kbit DES line is probably not worth the cost (but since atm's send pins and account numbers directly over the line, you would completely compromise those accounts). I've often thought it may be possible to snag the PIN if it's encrypted with a network key. The network key is sent in encrypted form from the network to the ATM controller. However, the key
to decrypt the network key is often sent almost in the clear as part of the
start-of-day sequence. Any infiltrator monitoring the line would be able to get all key information by monitoring the start-of-day sequence, doing the trivial decryption of the communication key, and proceed to gather card image and PIN pairs. The infiltrator could then generate cards and attack the system at his leisure. Be sure and let us know how it was h@xd if you find out.
by Charles at January 11, 2002 12:35 AM
And they were probably using Nortel switches!
by Charles at January 11, 2002 12:37 AM