Citibank Tries to Hush ATM Crypto Vulnerability
palme999 writes "Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions. The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers' accounts because they claim their systems are secure."
I love ATM fees. I can use a 'FREE' ATM and still am charged a fee from my own bank! With all this dough they are raking in, they should be COMPLETELY secure!!!
If at first you don't succeed... How does that go again? Ah, forget it.
I watched the ATM (called a cash machine here in the UK) I was withdrawing from reboot.. was using OS/2.. I'm checking now to see if it actually deducted from my account..
moo
We all want this to happen! Citi will fix it because it is in the best interest of their customers. Releasing the info would increase the risk of **YOUR** money stolen. Give them time, but follow up with them to ensure it is fixed.
Mostly it affects where banks choose your PIN for you (which happens in the UK among other places) based upon a hash of your account number. Not that a 4 digit PIN was particularly strong an encryption method, but this paper merely says it's even weaker when based off the user's account number. However, it seems this crack is most easily achieved by an insider, not your local script kiddie with Aunt Edna's ATM card.
Read more here:
http://www.kuro5hin.org/story/2003/2/20/61350/054
I've seen Windows ATMs before (there's one near me that regularly has a DHCP error dialog showing) but I recently went up to use one in one of the London stations. As I approached it crashed (computers often do that to me). It then went through the OS/2 boot-up sequence...
I am TheRaven on Soylent News
"Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions..."
Now that it has been posted on /. there are probably thousands of geeks downloading it as we speak. I think we can safely say that it is "in the wild".
Integrate Keynote and LaTeX
They are some kind of leased line. We have customers that run on Frame, ISDN, and yes even dialup but mostly they go into some kind of Frame cloud. No they are not satellite and although a few people are trying to do them over VPNs it is for obvious reasons thought of as being a *very* bad thing. While this does not apply to what they are talking about in the article they mostly use 3DES for all the traffic that goes over the line. So an attacker could most likely wardial and find the dial backup lines and try to get in that way. But why bother with that when most places have dial-in lines on their mainframes. Other than that if you had or could get access to the Frame cloud you could try. But at least the ones I work with are *very* hardened and most likely not worth the time/effort to break them remotely because it is hard to get cash over a line and breaking an ATM does not really get you into the mainframe. Far better and easier to try to break the mainframe mostly because there are far more ways to get to them and banks etc. do not pay nearly as much attention to security as you would think. This in spite of the fact that I yell at people all day long on the subject but I'm just one guy and they consider me paranoid. Gawd I hate people. Anyway hope the above answers your questions which could be summed up as I've never heard of anybody breaking them remotely and it would be *very* hard to do so.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
With no cash in my wallet, I went to an ATM (Wells Fargo) a few months ago. I withdrew $200, and went along my merry way.
I pulled out my wallet about an hour later. As I was thumbing through my cash to pay for something I discovered a ten dollar bill in the middle of my stack of twenties... HUH? Damned ATM machine ripped me off.
The next time I went by a Wells Fargo branch office, I reported the problem. They mentioned that there was some complicated method for submitting a complaint. I decided that it would cost me a lot more than $10 to try to get it back.
Why are you letting these clowns ruin our country?
How the hell do you use a PIN if you don't have the card? I'm pretty sure the ATM doesn't let me type in my card number.
Sure I could make a card, if I had the right equipment and had the card for long enough to make it, but in that case I could just as easily use the card.
I guess if I were super clever and I owned a business that used ATMs at the POS I could rig a line sniffer or something to save the ATM card info, then make some cards, then do this hack 15 times until I got the PIN #, then I could steal $300.00 a day.
But if I owned a business why would I need to steal money?
Is there some easier way to use the PIN #???
because I have been enjoined by this Holy Office to abandon the false opinion which maintains that the Sun is the centre
Yes they do, and that's how I got out of a bad charge on my account.
I went to the ATM and tried to make a withdrawal. The machine tried to give me the cash, but something went wrong mechanically, and the money never came out.
I disputed the charge, but since their systems said that I did make the withdrawal, they didn't want to give me my money back.
I told them I wanted to see the surveillance tape for my personal records. Well, they didn't let me see the tape, but I'm assuming they looked at it and saw that no money came out of the machine. A few days later, I had a credit for the withdrawal.
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
A student at my old school noticed once that the ATM machine had a problem and so voided the transaction he was making. He also noted that the ATM gave him his money before it gave the ATM card back.
He went up to an ATM one evening and slipped in his card. Pushed all the right buttons to take out his daily limit. Took the cash. The ATM asked if he wanted to do anything else, he said no. As the ATM was about to eject his card, he put his hand in front of the slot. The ATM displayed that there was a jam. It voided the transaction and displayed that it was unavailable. He removed his hand and was able to grab the card by its edge and pull it out. The ATM sensed the jam was cleared and displayed it was ready for business.
The procedure was repeated. and repeated. and repeated. Eventually the ATM was empty.
The next day he went into the bank, put down a pile of cash and explained to the manager that they had a problem.
I'm an American. I love this country and the freedoms that we used to have.
From reading the article it would seem that the only people who could pull off something like this are "Bank Programmers," but there's a much bigger security hole that I can think of.
Here in Canada we have non-bank ATM machines proliferating across the countryside - it's basically a machine that performs an Interac (debit) transaction and spits out money. It runs over a telephone line, you can buy one for a few thousand dollars, and you plonk it down in the middle of a bar where people are too drunk to care that you're adding $2.00 to every transaction.
But who are the people making these machines? They have no certification that I'm aware of. I've seen at least a dozen varieties of these "mini-ATMs" from companies whose names I have never heard of. It seems to me that it would be very easy to build a few of these, rent them to bar owners or corner stores (also very common) and just log magnetic strips and PINs till the cows come home. What does the guy who owns the corner store know about security? He'll just be glad that he has an alternative in his store to offering debit himself, which costs him money on every transaction.
So anyway, if anybody has some plans or examples of how to build your own Interac-ATM please post them on the net ASAP and let's talk business.
In all matters of opinion, our adversaries are insane. -Oscar Wilde
I know a guy whose brother writes software for POS terminals that you use at gas pumps. He says if you choose the "debit card" payment option, your PIN number is transmitted in plain text over the Internet.
http://www.askthevoid.com
Actually, I would be happier with a settlement that forced ATM usage to be free.
The Kruger Dunning explains most post on
This is not very surprising at all. Having worked for Citibank, I can vouch for their poor security and joke of an ethical hack process. I'm not surprised that their ATMs' (Global CATS is what they are called internally) encryption scheme for PIN numbers is poor. If I remember correctly, it's actually a VB app on a PC. The goal of the ATM was focused more on ease of use and accessibility, or so the training would lead you to believe. I'm not exactly sure what the process is in the Branches for PIN assignment, but with the cluelessness of their CGTI (Citigroup Technical Infrastructure) and their development team, I wouldn't be surprised if these boxes were more vulnerable to other attacks. There used to be sites like citibanksucks.com and shitibank.com (I don't think they are still around, I think they were "silenced") that used to point out flaws in Citi's systems. They aren't the first to sweep bad press under the rug though.
Alright, I realize this is "different" but ... come on ... how much can we complain about the secrecy of a 4 digit number? There's only 10,000 different combinations. What pisses me off is my bank uses the PIN numbers for your online banking password and they use your frickin' social security number as the username. You get 3 tries on every account. So how hard is that to automate a hack?
How many morons we got on this ship?
Nobody ever bothers to mention the fact that ATM machines are electromagnetically insecure. They aren't RF shielded worth doodle and any reasonably competent spook can capture all of the details of any transaction from across a parking lot. Find a bank with some outside ATMs, park a van with some affordable electronics a hundred or so feet away, spend a few hours capturing data, encode the magnetic strips on a few blank cards using different and still affordable electronics, write the PIN numbers on each card, wait a few days so that everybody forgets seeing your van, travel a few miles to another ATM, and then start withdrawing cash. Move to another ATM and repeat. A couple of hundred bucks 40 or 50 times a day for three or four days adds up to serious cash quickly and probably before anybody notices. Burn the cards and return to step one.
Yeah, I know that the DMCA is supposed to be about preventing illegal copying, but it gets stretched WAY beyond that sometimes. Maybe the banks would claim that the encrypted data in the ATM was copyrighted....
In the last few years reports have been written about ways banks can increase revenue. In the early 90's the easiest way was to increase fees.
There are consultants that will analyze a bank's customer transaction histories in order to recommend a fee structure that will retain the highest number of customers and generate the most revenue from fees while lowering costs.
They do this with the teller fee, minimum balance fee, account inactivity fee and the overdraft fee.
Recently the check cashing fee was added to make money on both the check writer and the casher while discouraging face to face business at the bank, which lowers costs.
The high growth of bank profits combined with growing negative public perception of the fees has recently sparked a few recommendations toward more reasonable structures that actually do help people and the bank without so much profit.
Try and find a couple of those. They get almost zero notice.
See how it works? Remember that the next time you read a shiny well produced brochure that 'assures' you that no other bank is working harder for you.
Blogging because I can...