Since it's been something like 11 years since I've actively been involved in breaking this type of security, I don't think anything I say can be used against me. To be very clear — I have little interest in personally robbing banks or committing wire fraud at this point in my life. I do however have a great deal of interest in the security arrangements banks make to take care of my assets. So here are some comments from my afternoon at the bank.
My bank has just upgraded their computers to some new “paperless” (minus the thousands of brochures promoting it of course) system. As anyone who's spent much time in a bank can tell you, the more paperless a system is, the more scraps of paper are needed to write down account numbers to take from terminal to terminal. Because of this, the bank has set up an “accessory” terminal that all the tellers can use when they need to look up account details.
It's got an LCD screen which shows its results in nice, easy-to-read 24-point Arial which any monkey can write down from across the room. That's right, Ezzat Si Kavali, not only do I know your name and account number and secret phrase, I also know your PIN number since you had to type it in a dozen times while saying it out loud*. Anyway, point is that these terminals should be facing the tellers and AWAY from the customers, not plainly visible to anyone in the bank.
For those of you who talked to me about this in RI, I present to you the following snippet:
Me: I have sort of an odd question.
Bank: OK, what is it?
Me: When someone puts stuff into their bank deposit box, do you search it?
Bank: No.
Me: Well, what if they put an ice cream cone in and it dripped onto the stuff in the box below?
Bank: We just have to trust that our customers are honest and wouldn't do anything like that. One person who was mad at us put a fish in their box, that was terrible.
Me: Really? What did you do?
Bank: I don't know… it wasn't at this branch, but I heard it was terrible.
Me: Could they just search all the boxes?
Bank: I don't think so.
Me: Wow. Well, I hope no one puts a bomb in one of the boxes.
When I have more time I'll explain the whole thing (a truly “foolproof” way to hit a bank for about $4,000,000 and not get caught) here, unless I already did and am just forgetting doing so. Actually, who am I kidding? If I already explained it, it increases my chances of repeating the explanation if past trends hold true.
* Ezzat was having trouble because he remembered his PIN number by the “letters” (i.e. 2=ABC, 3=DEF, etc.), which is problematic because Moneris (who my bank uses for its card hardware) uses a proprietary lettering scheme, so his PIN didn't match up like it should.