ChrisBellini.com

life needs breakpoints and a debugger

p.i.n. up

November 29th, 2005 · 3 Comments

On Saturday, I received a call at around 8PM; Coach’s Corner had just wrapped up. When the voice on the other end explained that she was calling on behalf of TD Canada Trust and wanted to verify my account information, I thought it seemed out of the ordinary - especially on a Saturday night. I thought it sounded fishy so I explained to her that I wasn’t home :) My curiosity was piqued, so I logged into TD’s online banking website and sure enough, $800 had disappeared from my chequing account via a Green Machine withdrawal a few hours earlier. It was a withdrawal that I know that I didn’t do, so I promptly called TD’s 24-hour hotline. Apparently I was the victim of P.I.N. theft.

Somebody, somewhere, in a place where I had been, had finagled a magnetic strip reader onto an Interac terminal. I’m pretty sure it was at an Interac terminal and not an ABM as I rarely use them. But I do use Interac at many places like grocery stores, gas stations, restaurants and so on. I do have my suspicions of where this might’ve happened as I do recall a certain Interac terminal at a certain gas station that I frequent as being a little out of the ordinary. I thought it was weird but quickly dismissed it. Lesson learned = listen more carefully to instinct in the future. But was my faith in technology shattered?

USB magnetic strip readers are fairly easy to come by. I’m not 100% certain but I’m pretty sure that the actual P.I.N. is not encoded on the strip. At least, I hope it’s not. Perhaps a hash of some type would be fine but I really do hope the P.I.N. itself isn’t on there. Either way, determining a P.I.N. number wouldn’t take too long to calculate with a fairly new computer. P.I.N.s are always 4 digits, so any debit card has 10^4 or 10000 possible permutations.

There is a happy ending to all of this. Yesterday, TD credited my chequing account for $800 and I got a new debit card (with a new P.I.N.). I would be interested in knowing how TD knew within a couple of hours of the scam; they alerted me within a couple of hours following the withdrawal. They must have some wicked stored database procedures and queries that can easily determine that something is amiss. I was reassured that technology is still continuing to be used in good ways for our benefit, so it’s safe to say that I won’t change career paths and become an investment banker or heavy equipment operator any time soon ;)
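As an added illustration of the kind of check the paragraph above speculates about (this is not part of the original post and not TD's actual fraud logic), here is a small rule-based screen over constructed debit-card transactions. The sample history, the rules and their thresholds are all assumptions chosen for this example: an account that only ever makes Interac point-of-sale purchases suddenly shows a large, round-amount ATM cash withdrawal, and the screen reports why that record stands out from everything before it.

```python
# Added example (not from the original post, not TD's real system):
# a toy rule-based fraud screen over constructed transaction records.
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Txn:
    when: datetime
    channel: str      # "POS" (Interac terminal) or "ATM" (cash machine)
    amount: float
    location: str


# Constructed sample history: everyday Interac purchases, then the
# $800 Green Machine withdrawal described in the post.
HISTORY = [
    Txn(datetime(2005, 11, 20, 18, 5), "POS", 54.10, "grocery store"),
    Txn(datetime(2005, 11, 22, 7, 40), "POS", 38.00, "gas station"),
    Txn(datetime(2005, 11, 23, 12, 15), "POS", 17.85, "restaurant"),
    Txn(datetime(2005, 11, 24, 19, 30), "POS", 62.40, "grocery store"),
    Txn(datetime(2005, 11, 25, 8, 2), "POS", 41.00, "gas station"),
    Txn(datetime(2005, 11, 26, 17, 10), "ATM", 800.00, "Green Machine"),
]


def score_transaction(txn, prior):
    """Return the list of reasons `txn` looks anomalous relative to `prior`.

    `prior` is the account's earlier transactions, oldest first.  An empty
    history gives no baseline, so nothing is flagged.  Thresholds (5x the
    previous maximum, $500 round-amount cash-out) are assumed values.
    """
    reasons = []
    if not prior:
        return reasons
    seen_channels = {t.channel for t in prior}
    prior_max = max(t.amount for t in prior)

    # Rule 1: a channel the account has never used before.
    if txn.channel not in seen_channels:
        reasons.append(f"first use of channel {txn.channel}")

    # Rule 2: an amount far above anything the account has spent before.
    if txn.amount > 5 * prior_max:
        reasons.append(
            f"amount {txn.amount:.2f} exceeds 5x prior maximum {prior_max:.2f}"
        )

    # Rule 3: a large, round-amount ATM withdrawal (classic cash-out shape).
    if txn.channel == "ATM" and txn.amount >= 500 and txn.amount % 100 == 0:
        reasons.append("large round-amount cash withdrawal")

    return reasons


def screen(history):
    """Score every transaction against the ones before it; return flagged ones."""
    flagged = []
    for i, txn in enumerate(history):
        reasons = score_transaction(txn, history[:i])
        if reasons:
            flagged.append((txn, reasons))
    return flagged


if __name__ == "__main__":
    for txn, reasons in screen(HISTORY):
        print(f"{txn.when:%Y-%m-%d %H:%M} {txn.channel:3} {txn.amount:8.2f} "
              f"{txn.location}: " + "; ".join(reasons))
```

Running it prints a single line, for the 26 November withdrawal, with all three reasons attached; the five earlier purchases pass silently. A real bank would weigh many more signals (geography, velocity, device data) and score rather than hard-flag, but the structure is the same: compare each new record against the account's own baseline, and alert on the ones that don't fit it.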

PS: The scammer was pretty dumb. He/she withdrew the money from a TD Green Machine. Most Green Machines have surveillance cameras and obviously all transactions have a time stamp. I guess that’s what ski masks are for. How’s that for a non-technical hack? :|

Tags: Computers · Hardware · Life

3 responses so far

  • 1 Jason // Nov 30, 2005 at 11:44 pm

    What was odd about the terminal you used? Maybe I should watch out for that here :(, Wally-World and all my hax my account :O.

  • 2 Chris // Dec 1, 2005 at 1:01 pm

    The part that you swipe was kind of loose; it rattled as my card went through it.

    Wal-Mart probably does worse things ;)

  • 3 Chris // Dec 1, 2005 at 1:01 pm

    For those interested, I whipped up a quick Python function that prints out all permutations of a sequence. This can demonstrate how simple it is to get all permutations of a debit card P.I.N. number. Here’s my function:

    # Purpose: Print all possible permutations, with repetition,
    #          of a sequence (every arrangement of iPositions items
    #          drawn from arrList, repeats allowed).
    #       I: list containing a sequence of characters.
    #       I: number of positions to arrange the sequence.
    #       O: (none)
    def Permutations(arrList, iPositions):
        arrPerms = [[],]  # all possible permutations, grown one position at a time

        for iCurPos in range(iPositions):
            # extend every partial arrangement by one more item
            arrOldPerms, arrPerms = arrPerms, []

            for comb in arrOldPerms:
                for item in arrList:
                    arrPerms.append(comb + [item])

        # flatten each list of characters into one string
        arrPerms = [''.join(x) for x in arrPerms]

        print('\n\n', len(arrPerms), "permutations: ")

        for y in arrPerms:
            print(y)


    To use the function to print out all of the possible P.I.N. permutations of a debit card, you could do something like this:

    arrItems = ['0','1','2','3','4','5','6','7','8','9']
    Permutations(arrItems, 4)
    

    On my Pentium IV 2.4GHz with 1GB RAM, my script takes barely more than 1 second to execute. Scary, eh?
