Monday, August 4, 2008

Irish Bank Accounts Hacked by Random Number Generator

In what I can only believe is an incomplete account of what is actually going on, this article on speaks of Irish banks being pilfered using a "sophisticated" attack, a random number generator.

UNDERWORLD fraudsters are using random number generators to tap into the bank accounts of Irish customers.

For the first time ever account holders have been left almost powerless to protect their bank accounts from conmen.

The Irish Sunday Mirror has spoken to a number of people whose accounts have been hacked by the criminals using the sophisticated scam.

The gangs generate the numbers of accounts using random trawling techniques and then attempt to buy goods online without having to use the cardholder's name or address.

Interesting... A few of the words in this story seem a little bit contradictory to me. "Random number generator" and "sophisticated scam" just don't seem to belong together in a sentence, but it's the last phrase there that really makes me wonder. What sort of insanely poor security practice would allow an attacker to break into an account without knowing the account holder's name or address, but only by generating random numbers? This almost reminds me of the applications that were being circulated in the late '90s to generate fake credit card numbers. That was an insecurity in the processing systems (the numbers were not validated in real time) rather than in the card numbers themselves, but it was still a simple "hack".

I simply can't seem to make myself understand how I could break into an Irish bank customer's account (or buy something on his/her behalf) just by using a random number generator.

Without much more to go on I investigated the Bank of Ireland's security model and found this nugget.
The bank is protected by a firewall, which forms a barrier between the outside Internet and the internal bank network
A firewall? Well hamburgers, that solves all my security problems!

Now, to be fair, the rest of the FAQ does tell a slightly more intelligent story, as the bank requires a login name, a provided 6-digit PIN (of which you are asked to supply randomly chosen digits), and some piece of personal information (seemingly chosen semi-randomly). That's not too bad... but of course there's always some hapless clod who'll complain about any upgrade to new security measures. Read this person's complaint, and then ask yourself if you think this is really "less" secure... First off, drop-downs keep keystroke loggers at bay (although not good JavaScript hacks), and asking for the random PIN digits on multiple pages keeps you that much safer (one could argue)...
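As an added illustration of the partial-PIN login step the FAQ describes (example code written for this post, not the bank's implementation; the number of positions asked for per challenge, the lockout threshold and the class API are assumptions), this shows why a blind random guess at the requested digits gets only a few tries before the account locks:

```python
import hmac
import random

PIN_LENGTH = 6
DIGITS_REQUESTED = 3     # assumption: positions requested per login challenge
MAX_FAILED_ATTEMPTS = 3  # assumption: failed challenges before lockout


class PartialPinChallenge:
    """Models the FAQ's scheme: the full 6-digit PIN is never asked for,
    only a few randomly chosen positions, freshly picked for every login."""

    def __init__(self, pin: str):
        if len(pin) != PIN_LENGTH or not pin.isdigit():
            raise ValueError("PIN must be exactly 6 digits")
        self._pin = pin
        self.failed_attempts = 0
        self.locked = False
        self._positions = None  # positions of the outstanding challenge

    def challenge(self):
        """Draw the 1-based positions the user must supply, from a CSPRNG so the
        selection cannot be predicted or replayed from an earlier login."""
        if self.locked:
            raise PermissionError("account locked")
        rng = random.SystemRandom()
        self._positions = sorted(rng.sample(range(1, PIN_LENGTH + 1), DIGITS_REQUESTED))
        return list(self._positions)

    def respond(self, digits: dict) -> bool:
        """Check the digits supplied for the challenged positions. The challenge
        is consumed whether or not it succeeds, so a guesser cannot keep retrying
        the same positions, and failures count toward lockout."""
        if self.locked or self._positions is None:
            return False
        positions, self._positions = self._positions, None
        expected = "".join(self._pin[p - 1] for p in positions)
        supplied = "".join(str(digits.get(p, "")) for p in positions)
        ok = hmac.compare_digest(expected, supplied)  # constant-time compare
        if ok:
            self.failed_attempts = 0
        else:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
        return ok


def blind_guess_probability() -> float:
    """Chance that one random guess at the requested digits is correct."""
    return 10 ** -DIGITS_REQUESTED
```

The randomly chosen positions also mean a keystroke logger that captures one login sees only half the PIN, which is the point the complainer above misses.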

So - if anyone from Ireland has any idea how generating random numbers equates to bank fraud... please shed some light?


sil said...

Man I never knew it was that easy... Time to patent ;)

ruby -e "puts (1..500).map {rand(10 ** 16).to_s.rjust(16,'0')}" |\
grep -vi "^[0-2]" |\
while read kiddiotmagic
do
  printf "wget -qO -$kiddiotmagic&&amount=jillions\n" | sh
done


Anonymous said...

You might want to fix your blog's subheading: catastrophe doesn't end in 'y'.