Slashdot Mirror


Citibank Tries to Hush ATM Crypto Vulnerability

palme999 writes "Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions. The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers' accounts because they claim their systems are secure."

4 of 385 comments

  1. This was covered at k5 also by Anonymous Coward · Score: 5, Interesting

    Mostly it affects where banks choose your PIN for you (which happens in the UK among other places) based upon a hash of your account number. Not that a 4-digit PIN was particularly strong an encryption method, but this paper merely says it's even weaker when based off the user's account number. However, it seems this crack is most easily achieved by an insider, not your local script kiddie with Aunt Edna's ATM card.

    Read more here:
    http://www.kuro5hin.org/story/2003/2/20/61350/0548

  2. Re:How do banks secure ATM lines? by SquadBoy · Score: 4, Interesting

    They are some kind of leased line. We have customers that run on Frame, ISDN, and yes even dialup but mostly they go into some kind of Frame cloud. No they are not satellite and although a few people are trying to do them over VPNs it is for obvious reasons thought of as being a *very* bad thing. While this does not apply to what they are talking about in the article they mostly use 3DES for all the traffic that goes over the line. So an attacker could most likely wardial and find the dial backup lines and try to get in that way. But why bother with that when most places have dial in lines on their mainframes. Other than that if you had or could get access to the Frame cloud you could try. But at least the ones I work with are *very* hardened and most likely not worth the time/effort to break them remotely because it is hard to get cash over a line and breaking an ATM does not really get you into the mainframe. Far better and easier to try to break the mainframe mostly because there are far more ways to get to them and banks etc. do not pay nearly as much attention to security as you would think. This in spite of the fact that I yell at people all day long on the subject but I'm just one guy and they consider me paranoid. Gawd I hate people. Anyway hope the above answers your questions which could be summed up as I've never heard of anybody breaking them remotely and it would be *very* hard to do so.

    --

    Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.

  3. ATMs are fallible in lots of ways by osgeek · Score: 5, Interesting

    With no cash in my wallet, I went to an ATM (Wells Fargo) a few months ago. I withdrew $200, and went along my merry way.

    I pulled out my wallet about an hour later. As I was thumbing through my cash to pay for something I discovered a ten dollar bill in the middle of my stack of twenties... HUH? Damned ATM machine ripped me off.

    The next time I went by a Wells Fargo branch office, I reported the problem. They mentioned that there was some complicated method for submitting a complaint. I decided that it would cost me a lot more than $10 to try to get it back.

  4. An old vulnerability by frovingslosh · Score: 4, Interesting

    This seems the right time and place to relate a story about a 30 year old ATM bug I heard about:

    A student at my old school noticed once that the ATM machine had a problem and so voided the transaction he was making. He also noted that the ATM gave him his money before it gave the ATM card back.

    He went up to an ATM one evening and slipped in his card. Pushed all the right buttons to take out his daily limit. Took the cash. The ATM asked if he wanted to do anything else, he said no. As the ATM was about to eject his card, he put his hand in front of the slot. The ATM displayed that there was a jam. It voided the transaction and displayed that it was unavailable. He removed his hand and was able to grab the card by its edge and pull it out. The ATM sensed the jam was cleared and displayed it was ready for business.

    The procedure was repeated. and repeated. and repeated. Eventually the ATM was empty.

    The next day he went into the bank, put down a pile of cash and explained to the manager that they had a problem.

    --
    I'm an American. I love this country and the freedoms that we used to have.