Monday, October 4, 2010

Guessing ATM PIN's using publically available information via social media

I was looking at the information a lot of us have publicly available and began to think about ATM PIN security.

The ATM's I am familiar with have a 4 digit (all numerals) pin code, this suggests that your pin is probably going to be a year. If you look at facebook, linkedin, myspace, flickr and any number of other sources you can build a profile of a person which can greatly help to reduce the number of possible ATM pin combinations they are likely to be using. Once you have a profile of your target, asking the right questions can reduce the ATM pin possibilities to a substantially more manageable number.

As an example:

If you are looking at a single guy, building a profile can determine the questions you need to answer for this person:

If this is a young unmarried single guy, you should find out:

Year of his birth
Does he have a new job?
Did he get a promotion recently?
Does he have his own car?
What year model is his car?
What year did he buy his car?
Does he have his own place?
What year did he buy his own place?
Does he have a dog?
What year did he get his dog?
Does he have any hobbies he is extremely passionate about?
Do any of them have specific years tied to them?
For instance maybe he likes guitars; maybe he has a favorite guitar. Is that a vintage 1965 Fender Strat?

This means you are looking at 6-9 likely possibilities for his ATM pin, given that you usually get about 3 attempts before being locked out the odds of getting the right combination are fairly high.

If the individual is married and has kids, you may need to add a few more questions

What year did he have his first kid?
What year did he get married?
The Date of Birth of his wife or significant other?

The more complex the profile, the more you need to fine tune your questions. While we might recommend that people create a number only they know and that sort of thing, a lot of us are more likely to go with something that we are familiar with and likely to easily remember. I am just scratching the surface here, the better you build the profile the better you get to know the person and this improves the likelihood of you getting back improved information.

Tuesday, July 27, 2010

Blackberries being viewed as a Security threat by various Middle Eastern governments

The Toronto Star had an interesting article on how Blackberries are seen as a potential security threat by various countries in the Middle East and Asia.

From the article:
The UAE’s Telecommunications Regulatory Authority said Sunday that as a result of how BlackBerry data is managed and stored that “certain Blackberry applications allow people to misuse the service, causing serious social, judicial and national security repercussions.”

This is certainly interesting information and raises the question of what specific applications are of concern to the government. I can imagine Blackberry messenger being one of the applications that causes some concerns from a privacy perspective but I am curious as to what some of the other applications of concern might be.

Just thinking of some possibilities:
Worldmate Live
Cellcrypt - possibly determining who is using this
various news portal applications
Wi-Fi Proxy FTP HTTP Servers (app)
SSH apps (PaderSyncSSH and Rove Mobile SSH) - possibly determining which non corporate individuals are using apps of this nature?

Wednesday, June 30, 2010

Russian Spies and infosec some thoughts

As most people are aware, several individuals were recently arrested and accused of being deep cover agents spying on the USA on behalf of Russia. There are some interesting details emerging on how these individuals were tracked, with some news papers/ sites stating that these individuals had been under surveillance for quite some time.

One thing I found really fascinating about this whole event is why the individuals under surveillance did not change their MAC addresses; perhaps they simply did not see it as a major risk in being used to identify them given all the other layers of security they had in place, ie some level of stenography (there are mixed reports as to whether cryptography was involved as well), and the fact that they were using ad-hoc wireless networks. I think there is also a possibility that given that they were using ad-hoc networks the mac addresses may have been what the agents used to identify each other and determine whether they were in the appropriate network.

Reports, postings and other Media on this story:
The SANS storm centre has a diary entry which looks at some of the technical issues raised in this case