Reverse Engineering a Bank's Security Token

http://rss.slashdot.org/~r/Slashdot/slashdot/~3/XUHKaFXQTz0/story01.htm

http://slashdot.feedsportal.com/c/35028/f/647410/s/357f0490/sc/4/l/0Lit0Bslashdot0Borg0Cstory0C140C0A10C0A40C1415210A0Creverse0Eengineering0Ea0Ebanks0Esecurity0Etoken0Dutm0Isource0Frss10B0Amainlinkanon0Gutm0Imedium0Ffeed/story01.htm

An anonymous reader writes "An engineer from Brazil has posted a technical walkthrough of how he was able to reverse engineer his bank's code-generating security token. He found a way to accurately generate his unlock codes with some custom code and an Arduino clone. (Don't worry: his method doesn't give him access to anybody else's codes.) 'Every exception thrown by this piece of code is obfuscated, as well as many of the strings used throughout the code. That is a major roadblock, since exception messages and strings in general are a great way of figuring out what the code is doing when reverse engineering something. Luckily, their developers decided to actually show useful text when a problem occurs and an exception gets thrown, so they wrapped those obfuscated strings with a.a, presumably a decryption routine that returns the original text. That routine is not too straightforward, but it is possible to get a high level understanding of what it is doing.'"

Read more of this story at Slashdot.