Text 29881, 143 rader
Skriven 2015-12-29 13:11:27 av David Drummond (3:640/305)
  Kommentar till text 29880 av mark lewis (1:3634/12.73)
Ärende: Rules of Echomail
=========================
On 29/12/2015 11:23 AM, mark lewis -> David Drummond wrote:

 DD>> Your proposition bears the same veracity as the idea of routed
 DD>> echomail. We do not live in your your little hypothetical world of
 DD>> proof of concept attacks.

 ml> whatever... when you get taken like this,

Not "if", but rather "when"?

 ml> i'm just going to sit back and laugh my ass off... no finger pointing or
"i told you so"... just a huge
 ml> long belly laugh...

Whatever hypthotical situation you see, I really have no option regarding the
RFID in my cards - that is how they come. It is not an option.

I feel if it is "safe enough" for them then it is safe enough for me. If they
guarantee the refund disputed payments, I have nothing to lose.

 DD>>>>>> Have you seen these USB connections?

 ml>>>>> yes...

 DD>>>> You are unique in the world.

 ml>>> no i'm not... they are easily seen in pictures as well as in the
 ml>>> rooms where the equipment is housed... i've seen both while
 ml> following
 ml>>> up on research...

 DD>> Must use different terminals in your area to what they do here.

 ml> terminals? they're regular computers! they used to run OS/2 but these
 ml> days they run winwhatever...

That computer is NOT visible to the public here - it is locked away inside a
box. Only the keyboard/screen/card slot/money slot is available to the public.


 ml> here's a few articles of interest...

 ml>
http://krebsonsecurity.com/2015/01/thieves-jackpot-atms-with-black-box-attack/

Only can be possible if crooks have access to the interior workings of the ATM.
No such incidences reported in Australia.

 ml> http://www.theregister.co.uk/2015/01/07/atm_jackpotted_with_samsung_s4/

Requires crook to have access to the USB port - of which none are publically
available in AUstralian ATMs.

 ml> http://www.wired.com/2013/12/whos-robbing-atms-usb-stick/

Windows98 in an ATM??? You just told me that they all run OS/2... Still no USB
ports publically available here

 ml>
http://securityaffairs.co/wordpress/23421/cyber-crime/rob-atms-couple-sms-messages.html


Requires a WinXP ATM and physical access....

 ml> http://www.tomsguide.com/us/atm-hack-cardless,news-19701.html

Only works in USA

 ml> http://www.wired.com/2014/11/nashville/

One incidence in the USA

 ml>
https://nakedsecurity.sophos.com/2014/06/11/14-year-olds-find-manual-online-hack-an-atm-during-their-school-lunch-hour/


One incidence in Canada.

All of these involve convincing the ATMs to give people money to which they are
not entitled. No what so ever involves use of a previouslly read RFID card.

 DD>>>>>> As yet there is no reported evidence of this happening, in this
 DD>>>>>> country at least.

 ml>>>>> you depend on the news for too much... everyone already knows that
 ml>>>>> the news is jaded one way or the other and only report maybe half
 ml>>>>> of what they are aware of...

 DD>>>> If it is happening, someone is aware of it.

 ml>>> yup, at least the crooks... others may not even be aware of it
 ml> yet...

 DD>> Not the banks, nor the pepole losing the money from their accounts?

 ml> apparently not... according to you, they'd be crowing from the rooftops...

If it was common as you suggest then someone in my wider circle of associates
would have mentioned it.

The likelihood of it happening to me, in Australia, is not worth the worry.
Physically losing my card and having someone attempt to fraudulently withdraw
funds is somewhat more likely.

 ml>>> that's like the thing that was done many years back where someone
 ml>>> would get some sort of small cheap item sent to them and their CC
 ml>>> charged up to $20 for it... rarely did anyone ever bother to dispute
 ml>>> it because the charge amount was so small...

 DD>> I suspect if someone made multiple $100.00 hits on my account I would
 DD>> notice. YMMV

 ml> there's that reading comprehension problem again... where did i say $100
 ml> in the above paragraph?

That is the maximum RFID transaction value.
[...]

 DD>>>> I am of the opinion it is just a few numbers. Nothing about me
 DD>>>> personally at all.

 ml>>> it isn't about you at all... it is all about getting $$$ from you and
 ml>>> moving on fast enough that they aren't caught...

 DD>> Or noticed?

 ml> by the time you notice, they're already long gone...

No problems, the bank will give it back.

 DD>> I "might" be able - our users are not. This is NOT a public network.

 ml> never put anything past your users... they are smarter than you think ;)

That wouldn't be hard - I have a very low opinion of most of them.

-- 

regards
David

--- Mozilla/5.0 (Windows NT 6.3; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
 * Origin: Cleveland, Qld, Australia (3:640/305)