
filling the void

Monday, May 14, 2007

Hacking ABN AMRO Card PINs

I don't know if this is common knowledge already, but if it isn't, it should be.
Here in Holland, I chose the ABN AMRO for my banking needs. I didn't really shop around for banks, the school just suggested one and I went for it.
Along with my debit card, I also got something called an "e.dentifier". This is a device that accepts my card and helps me log on to my internet bank (which you will be able to log on to as well with this method).
When you log on to the internet banking service, you stick your card in the thing, punch in your pin, and then it's ready for use. It generates (what I can only assume is) time based one-time pad tokens. The internet site gives you a number, you punch that into the device, and out comes a reply that you fill in on the form, and presto, you're logged in.

I always thought that entering the wrong pin would still let me use the device, but the code that I got out would be unusable. This turns out not to be the case.
When I enter the wrong pin into the device, it tells me that it's wrong, and I can re-insert the card and try again. I'll let that sink in a bit.
If you still don't know why this is a problem, let me explain.

When you go to an ATM, you have three tries at entering the pin, after which, if you failed them all, the machine eats your card. This is to protect your money so that people who find your card can't empty your account.
If you use this device (which is not unique, anybody with an ABN AMRO account can get one), then you have unlimited tries at getting the pin correct.
As soon as you enter a pin and it doesn't say error, you can write that pin down and go to any ATM and empty out that person's account, and the bank will be none the wiser.
Also, if you get the pin right (which you will, after at most 10000 tries, due to the 4 digits) you will have instant access to the person's internet banking, where you could wreak all sorts of havoc.
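A card-held PIN try counter of the kind the first comment below describes, as an added illustrative model and not ABN AMRO's or any real card's code; the limit of three, the sample PIN and the two reader names are assumptions. It shows why a counter kept on the card, rather than in the reader, caps the number of guesses no matter which device submits them:

```python
import hashlib
import hmac
import secrets

PIN_TRY_LIMIT = 3  # assumed limit, matching the ATM behaviour described above


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, slow hash: the card stores this rather than the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)


class Card:
    """Toy chip card: it checks the PIN itself and owns the try counter.

    Because the counter lives on the card, it does not matter which reader
    (ATM or e.dentifier) submitted a guess, and pulling the card out and
    re-inserting it does not start the count over.
    """

    def __init__(self, pin: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pin_hash = _hash_pin(pin, self.salt)
        self.tries_left = PIN_TRY_LIMIT

    def verify_pin(self, pin: str) -> str:
        if self.tries_left == 0:
            return "blocked"  # even the right PIN is refused now
        if hmac.compare_digest(_hash_pin(pin, self.salt), self.pin_hash):
            self.tries_left = PIN_TRY_LIMIT  # success resets the counter
            return "ok"
        self.tries_left -= 1
        return "blocked" if self.tries_left == 0 else "wrong"


def attempts_across_readers(card, guesses):
    """Submit guesses alternately through an 'ATM' and an 'e.dentifier'.

    Both readers are plain conduits that forward the PIN to the card and keep
    no count of their own. Returns (reader, result) pairs up to the point the
    card either accepts the PIN or blocks itself.
    """
    readers = ("atm", "e.dentifier")
    log = []
    for i, guess in enumerate(guesses):
        result = card.verify_pin(guess)
        log.append((readers[i % 2], result))
        if result in ("ok", "blocked"):
            break
    return log
```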

Granted, keying in a 4 digit sequence 10000 times is pretty boring, but the potential rewards are pretty big. Also, statistics tells us that you will only have to enter half of the codes before finding the right combination.

I haven't tried going past three bad tries on my device, as I do not want to risk anything going wrong, but it would seem improbable that either the device or the card would break. If someone does try, please let me know.

You would, of course, need the victim's card, but that could be gotten in several ways (we're not teaching the art of thievery here, folks. You figure it out).


3 Comments:

  • Next time you post such a message, why not try it yourself?

    A few years ago I assumed the same thing: 3 times invalid pin... And my card was blocked.

    Apparently the card stores a hash of your pincode and can be blocked by the e.dentifier.

    This does not mean the card cannot be hacked. It does mean that your blogpost is nonsense, though :)

    By Blogger Martijn Kaag, at Tuesday, May 6, 2008 at 3:01:00 PM GMT+2  

  • I agree with Martijn Kaag, you better think twice before you post something!

    By Anonymous Tantan, at Sunday, January 31, 2010 at 1:46:00 AM GMT+1  

  • If you could reverse engineer the gizmo you would be able to set unlimited tries. Also you could get rid of the time delay and get a computer to try all combinations.

    FYI, this thing also works on my ING card and my VISA card..(!!)

    Phaelin

    By Blogger Phaelin, at Monday, February 15, 2010 at 10:39:00 PM GMT+1  
