Cracking Your PIN Code: Easy as 1-2-3-4



Pupik

On the topic of safety at the ATM, am I the only one who looks for a bank that has them inside before using an ATM?

Looks like it. I always check the ATMs outside and inside to see where the line is shorter to get things done quickly. And most of the time, the lines are shorter inside. Sometimes you only have people standing in line at the ATM outside and no one inside, as people are too lazy to go inside the bank to use the ATM there.

Richteralan

So easy. Remember your PIN as patterns on the keypad, instead of numbers.

You are welcome. It's called thinking outside the box.

Arachno 1D

Two tricks they use alongside a skimmer: one is for a man to stand behind you with a mobile in his hand as you enter the PIN and just note it onto the device, hence the introduction in the UK of the [useless] yellow box near the ATM. The other, more subtle, is the placing of a downward-facing camera on the housing above the keypad which films your keystrokes as you make them.

Which is why you should cover your hand as you enter your PIN.

+LogicalApex

This guy obviously doesn't have a clue how smart cards (bank cards) work, then. They're pretty similar to SIM cards in that you have 3 attempts to input the correct PIN: the bank machine transmits the PIN to the card, and if it is wrong, it is not the bank machine that logs it but the smart card. After 3 wrong attempts, the smart card refuses to accept any more PINs and locks itself out (there is no PUK code for bank cards as there is for SIM cards), and so the machine keeps it. Older cards would just refuse to accept any more PIN attempts but keep all the data in the smart card; newer cards destroy all data on the card when 3 attempts have failed, because you can in theory reset the count or read off the data using a very powerful microscope, though you'd have to know exactly where to look.

Depends on the country. In the US, ATM cards don't use smart cards and as such don't have this layer of "protection".

I wrapped protection in quotes because the smart card may be duplicated, rendering this security moot.

Arachno 1D

You could probably also launder payments through foreign payment services that are not as clean as those in the US/UK.

mattmatik

Only old ATMs eat the cards; the new ones are swipe only. However, most block the card after 3 attempts.

You sure about that? My bank just upgraded their machines within the past year and they are not swipe only. The only places I've seen that are swipe only are ATM machines in shopping centers and such. Usually these are 3rd party ATMs.

Draconian Guppy

You sure about that? My bank just upgraded their machines within the past year and they are not swipe only. The only places I've seen that are swipe only are ATM machines in shopping centers and such. Usually these are 3rd party ATMs.

Read my previous posts! That was my first post.

+warwagon

Most people, if they get their cookies cleared, can't remember their passwords to log back into sites. Most people, first chance they get, use a dictionary word as their password. Whenever I'm helping someone set something up, I ask them for a password they would want to use. The first thing they say is a word out of the dictionary. I tell them... uh, no... let's add something to that. People are HORRIBLE at security.

This one high school kid got his Facebook account hacked into. I walked him through resetting his password. I asked him... "So what was your password?"... he said "Football".

+Dick Montage

Most of the places I see the "swipe" machines rather than the "swallow" machines are in malls, supermarkets, and public places, meaning where the likelihood of an engineer being available is low. Places you don't want your card swallowed.

Raa

A mate of mine managed to eat TWO cards in minutes because he forgot his PIN. :no:

Ambroos

Hah, so weird, swipe cards?

I haven't seen a card being swiped for at least 10 years now. Over here in Belgium everything is done with the chip and a PIN. I don't even think transactions with the magnetic strip are still possible, at least not nationally.

Noir Angel

Although I have always used the same PIN, it has absolutely no significance to anything in my life, and would be pretty hard for anyone to guess, even if they knew me. Like everything else, it's a simple matter of common sense.

Brian Miller

Just ask John Connor, he can do it in a second...

Darrian

Amazing! That's the same combination I have on my luggage!

LaP

Berry says a whopping 26.83% of all passwords could be guessed by attempting just 20 combinations of four-digit numbers (see first table). "It's amazing how predictable people are," he says.

Not at all.

What is really amazing is that multi-billion-dollar banking companies use a 4-digit numerical system as security.

dead.cell

Well, my bank doesn't allow double digits, for one. Meaning PINs like 0112 or 3699 wouldn't work. I guess it's all a matter of what each bank enforces?

LaP

Well, my bank doesn't allow double digits, for one. Meaning PINs like 0112 or 3699 wouldn't work. I guess it's all a matter of what each bank enforces?

People will just create passwords using the 4 corners or things like that.

Why not an alphanumeric keyboard and variable-length passwords including caps and symbols? Then even if someone has 123456789 as a password, you still have to guess how many digits were used. And you have 3 tries to guess it or the account is frozen and the owner of the card has to show up at his bank to unfreeze it.

Probably makes just too much sense... and is probably too expensive for multi-billion-dollar companies.

Don't blame the users. Blame the security... or lack thereof.

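The bank-side rules the posts above describe (no double digits, no runs like 1234, no keypad shapes such as the four corners, and a denylist of the most common PINs) are easy to enforce when a PIN is chosen. The screen below is an added example written for this thread, not any bank's code; the keypad layout is the standard 3x4 ATM pad and the common-PIN list is a constructed sample.

```python
"""Weak-PIN screen: an added example, not taken from the thread or any bank.
It encodes the kinds of rules the posts describe (adjacent repeated digits,
digit runs, keypad shapes such as the four corners, and a short denylist of
common PINs). The keypad layout is the standard 3x4 ATM pad; the common-PIN
list is a constructed sample."""

# (row, col) of each key on a 3x4 ATM keypad; 0 sits under the 8.
KEYPAD = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
    "0": (3, 1),
}
CORNERS = {"1", "3", "7", "9"}
# Constructed sample of a common-PIN denylist (the thread names 1234, 1111, 0000).
COMMON_PINS = {"1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444"}


def pin_weaknesses(pin: str) -> list[str]:
    """Return the name of every rule a candidate PIN violates (empty if none)."""
    if not (pin.isdigit() and 4 <= len(pin) <= 8):
        return ["not 4-8 digits"]
    found = []
    if pin in COMMON_PINS:
        found.append("common pin")
    if len(set(pin)) == 1:
        found.append("all digits identical")
    # Adjacent repeated digit, as in the "no double digits" bank rule (0112, 3699).
    if any(a == b for a, b in zip(pin, pin[1:])):
        found.append("adjacent repeated digit")
    # Ascending or descending run such as 1234 or 9876.
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        found.append("sequential run")
    # Keypad shapes: the four corners, or a walk where each key touches the last.
    if set(pin) == CORNERS:
        found.append("keypad corners")
    pos = [KEYPAD[d] for d in pin]
    if all(abs(r1 - r2) + abs(c1 - c2) == 1
           for (r1, c1), (r2, c2) in zip(pos, pos[1:])):
        found.append("keypad walk")
    return found


def is_acceptable(pin: str) -> bool:
    """True when the PIN passes every rule above."""
    return not pin_weaknesses(pin)


if __name__ == "__main__":
    for candidate in ("1234", "0112", "2580", "1379", "8362"):
        print(candidate, pin_weaknesses(candidate) or "ok")
```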
pes2013

Sorry, but I use a common one; makes it a lot easier to remember :)

2xSilverKnight

Not at all.

What is really amazing is that multi-billion-dollar banking companies use a 4-digit numerical system as security.

Yes... my father still has a 4-digit PIN with CIBC.

I've been with Desjardins for over 10 years, and have always had a 5-digit PIN.

If you give out 8-digit PINs, too many people will forget.

n_K

Yes... my father still has a 4-digit PIN with CIBC.

I've been with Desjardins for over 10 years, and have always had a 5-digit PIN.

If you give out 8-digit PINs, too many people will forget.

The problem with more digits on a PIN is that you need compatibility.

For example, in the UK you'd need ALL banks and building societies to switch to using longer PINs, which would require new bank machines or at least a firmware upgrade, plus all the database infrastructure would need upgrading.

That would cost BILLIONS. As they say, 'if it ain't broke, don't fix it'.

Growled

Seriously, how hard is it to randomly press 4 numbers and remember it?

I know. I probably could guess it, given time.

Rohdekill

Not really anything to be worried about unless the PIN actually is 1234, 1111, or 0000. You only get a couple of tries before the ATM eats the card, so chances are the code won't be cracked in any timely manner.

Not all ATMs consume the card until the transaction is completed. Several models are swipe style.

ViperAFK

Is this USA-based only, or are there crazy banks in other countries that don't have a security feature on the ATMs that just "eats" the card if you input the wrong PIN three times, so that the only way to get the card back is to go to the bank?

My bank does this. It doesn't physically take your card, but it does disable the card if the wrong PIN is entered too many times. Happened to me once when I forgot my PIN :/
