
Thread: 800 hunted in ATM scam - 12 charged with larceny

  1. #11
    Join Date
    Jun 2003
    Posts
    3,621
    Rep Power
    24

    Default Re: 800 hunted in ATM scam - 12 charged with larceny

    So the speculation that people could use any arbitrary PIN number to authenticate their debit card is not necessarily true then...

  2. #12
    Join Date
    Nov 2002
    Posts
    2,832
    Rep Power
    0

    Default Re: 800 hunted in ATM scam - 12 charged with larceny

    Yeah, I do not buy into the PIN speculation.
    My reason: say someone stole my credit card and managed to use another PIN to access my accounts, he would be able to draw funds but only if they exist in my account, and I would have to stand the loss if I did not report the card stolen or lost. The PIN is simply the initial authentication, it has nothing to do with the request and response codes sent to and from the ATM.

  3. #13
    Join Date
    Jul 2002
    Posts
    818
    Rep Power
    0

    Default Re: 800 hunted in ATM scam - 12 charged with larceny

    [quote author=BlackCryptoKnight link=board=1;threadid=2746;start=0#msg26317 date=1073925640]
    So the speculation that people could use any arbitrary PIN number to authenticate their debit card is not necessarily true then...
    [/quote]

    Unless the same problem existed with the validation of PINs. Even when the PIN was incorrect, a 'success' code was sent.

  4. #14
    Join Date
    Nov 2002
    Posts
    2,832
    Rep Power
    0

    Default Re: 800 hunted in ATM scam - 12 charged with larceny

    Using the PIN does not send out a request code to the multilink terminal, the PIN is encoded on the card itself, therefore the ATM does not need to send a request to the TERMINAL to see whether it is valid or not - if the PIN verification error is true - it would have to be a problem with their ATMs.

    When a customer takes out a debit or credit card - he is asked to PIN the card, the PIN is embossed onto the card on the magnetic stripe, when you swipe your card, the ATM reads the mag stripe and thus has your PIN in memory, therefore if on entering an invalid PIN, it still authenticates as a success, it would be a fault of the ATM - I do not think that RBTT made any changes to their ATMs, therefore I do not buy into that theory.

  5. #15
    Join Date
    Jun 2003
    Posts
    3,621
    Rep Power
    24

    Default Re: 800 hunted in ATM scam - 12 charged with larceny

    Thanks for the insight so far seanbee.

    From what you've explained, it seems likely that whatever problems occurred happened with the interface between RBTT's Multilink Terminal and the ATM (terminal sending wrong code to ATM), or between the Multilink Terminal and the Banking application (it's possible that the incorrect response for determining whether adequate funds were available was returned from the banking application itself).

    Do you have any insight as to the kind of quality control that takes place when such systems are modified? How could situations like this be avoided in the future? (Open question).

  6. #16
    Join Date
    Nov 2002
    Posts
    2,832
    Rep Power
    0

    Default Re: 800 hunted in ATM scam - 12 charged with larceny

    Well, honestly, from a person within the Banking I.T. sector, I do believe this is a disgrace on RBTT's I.T. department:

    Firstly, I am hearing that the same problem occurred in Trinidad, am I to assume that the learning curve there is that slow - come on, learn from your experience.

    Secondly, every major I.T. department has a team empowered to test all applications and modifications before implementing. How can you implement such a drastic change without proper testing?

    The Development Cycle is usually:

    1) Create new interface/application or make modifications to existing ones
    2) Test the changes made thoroughly
    3) Have someone else not involved in the development/amendment phase re-test the changes
    4) Submit changes to UAT (User Acceptance Testing) department to have changes tested again and if successful - have changes implemented.


  7. #17
    Join Date
    Feb 2003
    Posts
    4,163
    Rep Power
    0

    Default Re: 800 hunted in ATM scam - 12 charged with larceny

    aahhh bwoy....ineffective change management....

    PMP anyone? ;D ;D ;D

    I see what you are saying Seanbee....


    Let's say then that the theory of the PIN authentication problem were true...then what would be your reasoning behind that?

  8. #18
    Join Date
    Nov 2002
    Posts
    2,832
    Rep Power
    0

    Default Re: 800 hunted in ATM scam - 12 charged with larceny

    Bwoy, Jah know, mi cann really think of what could explain the PIN theory other than what I said earlier, their ATMs are faulty, which I cannot understand how that would suddenly occur

  9. #19
    Join Date
    Jun 2003
    Posts
    3,621
    Rep Power
    24

    Default Re: 800 hunted in ATM scam - 12 charged with larceny

    The news reports said that withdrawals occurred even from ATMs belonging to other banks. Hence it is unlikely that this was an ATM problem due to any changes made to the ATMs, since RBTT would only have changed their own ATMs, if any at all.

  10. #20
    Join Date
    Nov 2002
    Posts
    2,832
    Rep Power
    0

    Default Re: 800 hunted in ATM scam - 12 charged with larceny

    I don't see how the PIN theory could hold up then, unless RBTT does their PIN verification away from the ATM (but that would not make any sense).

    My Reasoning:

    If you are designing a server-side web site which inserts data into a database, and you are validating the fields entered by the user - why use ASP to verify that the data entered is correct, why not use JavaScript which remains on the client?

    I hope you guys get my point - why go to the terminal to verify the PIN, when the PIN is available on the client (the ATM)? That would only lead to unnecessary overhead of sending a request to the terminal and awaiting a response before letting a customer have access to his funds.
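
Added example, not part of the thread and not any bank's code: a toy authorization handler that takes up the open question in post #15 and the client-versus-host point in post #20. It puts a fail-open handler (success by default, PIN result taken from the client) beside a fail-closed one and runs both against a small regression matrix of the kind a test phase would cover. All names, response codes and account data are constructed for illustration, and the PIN hash is a stand-in for a real PIN verification scheme.

```python
import hashlib
import hmac

# Symbolic response codes, constructed for this example.
APPROVED, BAD_PIN, NO_FUNDS, ERROR = "APPROVED", "DECLINE_PIN", "DECLINE_FUNDS", "DECLINE_ERROR"

def pin_hash(pin, salt):
    # Stand-in for a bank's real PIN verification; hypothetical helper.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)

# Constructed account store: card -> salted PIN hash and balance.
ACCOUNTS = {"4000-0001": {"salt": b"s1", "pin": pin_hash("4821", b"s1"), "balance": 5_000}}

def authorize_fail_open(req, accounts):
    """Failure mode: default is success, PIN result is taken from the client."""
    code = APPROVED
    try:
        acct = accounts[req["card"]]
        if not req.get("client_pin_ok", True):
            code = BAD_PIN
        elif req["amount"] > acct["balance"]:
            code = NO_FUNDS
    except Exception:
        pass  # error swallowed, so the default success code is returned
    return code

def authorize_fail_closed(req, accounts):
    """Host checks PIN and funds itself; anything unexpected is a decline."""
    try:
        acct, amount = accounts[req["card"]], req["amount"]
        if not hmac.compare_digest(pin_hash(req["pin"], acct["salt"]), acct["pin"]):
            return BAD_PIN
        if amount > acct["balance"]:
            return NO_FUNDS
        return APPROVED if amount > 0 else ERROR
    except Exception:
        return ERROR  # lookup or parsing failure declines

# Constructed regression matrix: (request, expected code).
CASES = [
    ({"card": "4000-0001", "pin": "4821", "amount": 1_000}, APPROVED),
    ({"card": "4000-0001", "pin": "0000", "amount": 1_000}, BAD_PIN),
    ({"card": "4000-0001", "pin": "4821", "amount": 9_000}, NO_FUNDS),
    ({"card": "9999-0000", "pin": "4821", "amount": 1_000}, ERROR),
]

def failures(authorize):
    """Return (request, expected, got) for every case the handler gets wrong."""
    results = [(req, want, authorize(req, ACCOUNTS)) for req, want in CASES]
    return [r for r in results if r[1] != r[2]]
```

Calling `failures(authorize_fail_open)` reports the wrong-PIN and unknown-card cases as approved, while `failures(authorize_fail_closed)` returns an empty list.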
