Gray Hat Hacking 54

The document discusses the definition and implications of 'access devices,' which are tools or applications used to generate unauthorized access credentials such as passwords and credit card numbers. It highlights examples of illegal activities involving access devices, including the use of software by phreakers and crackers to obtain services or access accounts fraudulently. Additionally, it notes the measures taken by merchants to combat such fraud, including requiring unique identifiers for credit card transactions.

Uploaded by

digapo7593

Gray Hat Hacking, The Ethical Hacker’s Handbook, Third Edition, page 26

The term “access device” refers to a type of application or piece of hardware that is created specifically to generate access credentials (passwords, credit card numbers, long-distance telephone service access codes, PINs, and so on) for the purpose of unauthorized access. Specifically, it is defined broadly to mean:

…any card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds (other than a transfer originated solely by paper instrument).

For example, phreakers (telephone system attackers) use a software tool to generate a long list of telephone service codes so they can acquire free long-distance services and sell these services to others. The telephone service codes that they generate would be considered to be within the definition of an access device, since they are codes or electronic serial numbers that can be used, alone or in conjunction with another access device, to obtain services. They would be counterfeit access devices to the extent that the software tool generated false numbers that were counterfeit, fictitious, or forged. Finally, a crime would occur with each undertaking of the activities of producing, using, or selling these codes, since the Access Device Statute is violated by whoever “knowingly and with intent to defraud, produces, uses, or traffics in one or more counterfeit access devices.”

Another example of an activity that violates the Access Device Statute is the activity of crackers, who use password dictionaries to generate thousands of possible passwords that users may be using to protect their assets.

“Access device” also refers to the actual credential itself. If an attacker obtains a password, credit card number, or bank PIN, or if a thief steals a calling-card number, and this value is used to access an account or obtain a product or service or to access a network or a file server, it would be considered a violation of the Access Device Statute.

A common method that attackers use when trying to figure out what credit card numbers merchants will accept is to use an automated tool that generates random sets of potentially usable credit card values. Two tools (easily obtainable on the Internet) that generate large volumes of credit card numbers are Credit Master and Credit Wizard. The attackers submit these generated values to retailers and others with the goal of fraudulently obtaining services or goods. If the credit card value is accepted, the attacker knows that this is a valid number, which they then continue to use (or sell for use) until the activity is stopped through the standard fraud protection and notification systems that are employed by credit card companies, retailers, and banks. Because this attack type has worked so well in the past, many merchants now require users to enter a unique card identifier when making online purchases. This identifier is the three-digit number located on the back of the card that is unique to each physical credit card (not just unique to the account). Guessing a 16-digit credit card number is challenging enough, but factoring in another three-digit identifier makes the task much more difficult without having the card in hand.
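
The merchant-side view of the guessing activity described above, as an added example that is not from the book: a sliding-window check that flags a source submitting many different cards with a high decline rate. The log format, result codes, thresholds and the function name `find_card_testing` are assumptions made for illustration, and the log is assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization log: timestamp, source IP, card token, result.
# Tokens stand in for card numbers; no real card data appears here.
SAMPLE_LOG = """\
2024-03-01T10:00:01 198.51.100.7 tok_01 DECLINED_INVALID_NUMBER
2024-03-01T10:00:04 198.51.100.7 tok_02 DECLINED_INVALID_NUMBER
2024-03-01T10:00:09 203.0.113.20 tok_90 DECLINED_CVV_MISMATCH
2024-03-01T10:00:12 198.51.100.7 tok_03 DECLINED_CVV_MISMATCH
2024-03-01T10:00:15 198.51.100.7 tok_04 DECLINED_INVALID_NUMBER
2024-03-01T10:00:31 203.0.113.20 tok_90 APPROVED
2024-03-01T10:00:40 198.51.100.7 tok_05 DECLINED_CVV_MISMATCH
2024-03-01T10:00:52 198.51.100.7 tok_06 APPROVED
2024-03-01T11:30:00 192.0.2.44 tok_70 DECLINED_INVALID_NUMBER
2024-03-01T13:30:00 192.0.2.44 tok_71 DECLINED_INVALID_NUMBER
"""

def find_card_testing(log_text, window=timedelta(minutes=5),
                      min_cards=5, min_decline_ratio=0.8):
    """Return {source: (distinct_cards, declines, attempts)} for sources whose
    attempts inside one sliding window look like card-number guessing."""
    recent = defaultdict(deque)   # source -> events still inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, source, token, result = line.split()
        when = datetime.fromisoformat(stamp)
        events = recent[source]
        events.append((when, token, result.startswith("DECLINED")))
        while when - events[0][0] > window:   # drop events older than the window
            events.popleft()
        cards = {tok for _, tok, _ in events}
        declines = sum(1 for _, _, declined in events if declined)
        if len(cards) >= min_cards and declines / len(events) >= min_decline_ratio:
            best = flagged.get(source)
            if best is None or len(cards) > best[0]:   # keep the widest burst seen
                flagged[source] = (len(cards), declines, len(events))
    return flagged

if __name__ == "__main__":
    for source, (cards, declines, attempts) in find_card_testing(SAMPLE_LOG).items():
        print(f"{source}: {cards} distinct cards, {declines}/{attempts} declined")
```

The customer who mistypes the three-digit identifier once and then succeeds is not flagged, because only one card is involved; the slow source spread over two hours also falls outside the window, which is the trade-off of a short window.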
