Citibank Tries to Hush ATM Crypto Vulnerability

palme999 writes "Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions. The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers accounts because they claim their systems are secure."

This was covered at k5 also

Mostly it affects where banks choose your pin for you (which happens in the UK among other places) based upon a hash of your account number. Not that a 4 digit pin was particularly strong an encription method, but this paper merely says it's even weaker when based of the users account number. However, it seems this crack is most easily acheived by an insider, not your local script kiddie with Aunt Edna's ATM card.

Read more here:
http://www.kuro5hin.org/story/2003/2/20/61350/0548

They should just give up...

[Llywelyn]

"Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions..."

Now that it has been posted on /. there are probably thousands of geeks downloading it as we speak. I think we can safely say that it is "in the wild"

Re:How do banks secure ATM lines?

[SquadBoy]

They are some kind of leased line. We have customers that run on Frame, ISDN, and yes even dialup but mostly they go into some kind of Frame cloud. No they are not satelite and although a few people are trying to do them over VPNs it is for obvious reasons thought of as being a *very* bad thing. While this does not apply to what they are talking about in the article they mostly use 3DES for all the traffic that goes over the line. So an attacker could most likely wardial and find the dial backup lines and try to get in that way. But why bother with that when most places have dial in lines on their mainframes. Other than that if you had or could get access to the Frame cloud you could try. But at least the ones I work with are *very* hardened and most likely not worth the time /effort to break them remotly because it is hard to get cash over a line and breaking a ATM does not really get you into the mainframe. Far better and easier to try to break the mainframe mostly because there are far more ways to get to them and banks etc. do not pay nearly as much attention to security as you would think. This in spite of the fact that I yell at people all day long on the subject but I'm just one guy and they consider me paranoid. Gawd I hate people. Anyway hope the above answers your questions which could be summed up as I've never heard of anybody breaking them remotely and it would be *very* hard to do so.

ATMs are fallible in lots of ways

[osgeek]

With no cash in my wallet, I went to an ATM (Wells Fargo) a few months ago. I withdrew $200, and went along my merry way.

I pulled out my wallet about an hour later. As I was thumbing through my cash to pay for something I discovered a ten dollar bill in the middle of my stack of twenties... HUH? Damned ATM machine ripped me off.

The next time I went by a Wells Fargo branch office, I reported the problem. They mentioned that there was some complicated method for submitting a complaint. I decided that it would cost me a lot more than $10 to try to get it back.

Am I missing something?

[asscroft]

How the hell do you use a pin, if you don't have the card. I'm pretty sure the ATM doesn't let me type in my card number.

Sure I could make a card, if I had the right equipment and had the card for long enough to make it, but in that case I could just as easily use the card.

I guess if I were super clever and I owned a business that used ATM's at the POS I could rig a line sniffer or something to save the ATM card info, then make some cards, then do this hack 15 times until I got the pin #, then I could steal 300.00 a day.

but if I owned a business why would I need to steal money?

Is there some easier way to use the pin #???

An old vulnerability

[frovingslosh]

This seems the right time and place to relate a story about a 30 year old ATM bug I heard about:

A student at my old school noticed once that the ATM machine had a problem and so voided the transaction he was making. He also noted that the ATM gave him his money before it gave the ATM card back.

He went up to an ATM one evening and slipped in his card. Pushed all the righ buttons to take out his daily limit. Took the cash. The ATM asked if he wanted to do anything else, he said no. As the ATM was about to eject his card, he put his hand in front of the slot. The ATM displayed that there was a jam. It voided the transaction and displayed that it was unavailable. He removed his hand and was able to grab the card by it's edge and pull it out. The ATM sensed the jam was cleared and displayed it was ready for business.

The procedure was repeated. and repeated. and repeated. Eventually the ATM was empty.

The next day he went into the bank, put down a pile of cash and explained to the manager that they had a problem.

Not suprising

[j_kenpo]

This is not very suprising at all.Having worked for Citibank, I can vouch for their poor security and joke of a ethical hack process, Im not suprised that their ATM's (Global CATS is what they are called internaly) encryption scheme for PIN numbers is poor. If I remember correctly, its actually a VB app on a PC. The goal of the ATM was focused more on ease of use and accessibility, or so the training would lead you to believe. Im not exactly sure what the process is in the Branches for PIN assignment, but with the cluelessness of their CGTI (Citigroup Technical Infastrucutre) and their development team, I wouldnt be suprised if these boxes were more vunerable to other attacks. There used to be sites like citibanksucks.com and shitibank.com (I dont think they are still around, I think they were "silenced") that used to point out flaws in Citis systems. They arent the first to sweep bad press under the rug though.

One other thing I forgot

[PotatoHead]

In the last few years reports have been written about ways banks can increase revenue. In the early 90's the easiest way was to increase fees.

There are consultants that will analyze a banks customer transaction histories in order to recommend a fee structure that will retain the highest number of customers and generate the most revenue from fees while lowering costs.

They do this with the teller fee, minimum balance fee, account inactivity fee and the overdraft fee.

Recently the check cashing fee was added to both make money on both the check writer and the casher while discouraging face to face business at the bank which lowers costs.

The high growth of bank profits combined with growing negative public perception of the fees has recently sparked a few recommendations toward more reasonable structures that actually do help people and the bank without so much profit.

Try and find a couple of those. They get almost zero notice.

See how it works? Remember that the next time you read a shiny well produced brochure that 'assures' you that no other bank is working harder for you.