
Mixmaster wrote ...
Hacking the 9 digit account number and 4 digit PIN will be easier than attacking the OS directly. Either method though would certainly ring loud bells at Accutrade unless they are infected with headinbutt disease.
No. If, and this is a big if, the account numbers are issued sequentially, and I know a starting account number (A), then I try account A+1 with the PIN "1234". If it fails then 1 minute later I try A+2 also with the PIN "1234" and so on. I'm trying 60 accounts/hour, 1440/day. It shouldn't trip up errors because most programmers only put error counters on each account and we only try each account once. By laws of probability 1 account in 10000 should have the PIN "1234" (reality will be different, people choose easy to remember PINs). Within 4 days I've tried over 5000 accounts and statistically have a greater than 50% chance that I've got an account number and PIN.

--
Nicolas Hammond                 NJH Security Consulting, Inc.
njh@njh.com                     211 East Wesley Road
404 262 1633                    Atlanta
404 812 1984 (Fax)              GA 30305-3774
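The gap described in the reply above (error counters kept only per account) can be closed by also counting failures per source across distinct accounts. The following is an added example, not part of the original post; the event format, thresholds, addresses and account numbers are constructed assumptions.

```python
from collections import defaultdict, deque

PER_ACCOUNT_LIMIT = 3    # assumed classic lockout: failures allowed per account
SPREAD_LIMIT = 20        # assumed: distinct failed accounts per source per window
WINDOW_SECONDS = 3600    # assumed sliding window of one hour


def analyze(events):
    """events: (epoch_seconds, source, account, ok) tuples in time order.
    Returns (locked_accounts, flagged_sources)."""
    per_account = defaultdict(int)   # account -> consecutive failures
    recent = defaultdict(deque)      # source -> (ts, account) failures in window
    locked, flagged = set(), set()
    for ts, source, account, ok in events:
        if ok:
            per_account[account] = 0
            continue
        # Per-account counter: the only check the post assumes is present.
        per_account[account] += 1
        if per_account[account] >= PER_ACCOUNT_LIMIT:
            locked.add(account)
        # Per-source spread: many different accounts failing from one origin.
        window = recent[source]
        window.append((ts, account))
        while window and window[0][0] <= ts - WINDOW_SECONDS:
            window.popleft()
        if len({acct for _, acct in window}) >= SPREAD_LIMIT:
            flagged.add(source)
    return locked, flagged


def constructed_events():
    """Constructed sample log: one failure per minute, each against a
    different account, plus one customer who mistypes a PIN twice."""
    events = [(i * 60, "203.0.113.7", 100000001 + i, False) for i in range(120)]
    events += [
        (30, "198.51.100.4", 555000111, False),
        (45, "198.51.100.4", 555000111, False),
        (70, "198.51.100.4", 555000111, True),
    ]
    return sorted(events)


if __name__ == "__main__":
    locked, flagged = analyze(constructed_events())
    print("locked accounts:", locked)
    print("flagged sources:", flagged)
```

Keying on the source address is itself an assumption; the same distinct-account count kept globally, or keyed on other request attributes, covers attempts spread across several addresses.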